Abstract: Access to secured items in a computing system is requested instead of being persistent. Access requests may be granted on a just-in-time basis. Anomalous access requests are detected using machine learning models based on historic patterns. Models utilizing conditional probability or collaborative filtering also facilitate the creation of human-understandable explanations of threat assessments. Individual machine learning models are based on historic data of users, peers, cohorts, services, or resources. Models may be weighted, and then aggregated in a subsystem to produce an access request risk score. Scoring principles and conditions utilized in the scoring subsystem may include probabilities, distribution entropies, and data item counts. A feedback loop allows incremental refinement of the subsystem. Anomalous requests that would be automatically approved under a policy may instead face human review, and low threat requests that would have been delayed by human review may instead be approved automatically.

Abstract: Methods, systems, and computer storage media for providing escorted-access management based on an escort-admin session engine are provided. The escort-admin session engine approves an external administrator's access to a resource instance based on a service team policy, while approving an escort operator to escort the external administrator in an escort-admin session that provides access to the resource. In operation, an external administrator's request for access to a resource is evaluated based on the service team policy that is managed by a service team. The request is approved with access rights to the resource identified in the policy. An escort operator is identified for the external administrator. The escort operator is approved to escort the external administrator for access to the resource during an escort-admin session. The escort-admin session includes an escort operator context referring to the escort operator having access rights based on the access rights approved using the policy.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for an external device. When JIT access to a resource is requested by a device, the JIT service retrieves a JIT policy for the resource that includes geolocation criteria limiting the geolocation from which JIT access can be automatically granted. The geolocation of the device is evaluated against the geolocation criteria. If the geolocation criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the device.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for an external device. When JIT access to a resource is requested by a device, the JIT service retrieves a JIT policy for the resource that includes screening criteria limiting automatic granting of JIT access to users who meet the screening criteria. Screening information for a user associated with the request is evaluated against one or more screening requirements set forth by the screening criteria. If the screening criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the device.

Abstract: Various methods and systems are provided for autonomous secrets management for a temporary shared access signature (“SAS”) service. Input for a temporary access request for an account resource, is received from a client. The temporary access request is validated, based on communicating a validation request to the secrets management service (“SMS”) that can be utilized to store, renew and distribute secrets in a distributed computing environment. Validating the temporary access request is based on determining a storage account location path for SAS keys that provide temporary access to account resources. An access policy associated with the temporary access request is accessed. An SAS key request, associated with temporary access request, is communicated to the SMS. The SAS key request includes at least a portion of the access policy. An SAS key is received from the SMS. The SAS key, for access to the account resource, is communicated to the client.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for an external device. When JIT access to a resource is requested by a device, the JIT service retrieves a JIT policy for the resource that includes geolocation criteria limiting the geolocation from which JIT access can be automatically granted. The geolocation of the device is evaluated against the geolocation criteria. If the geolocation criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the device.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for an external device. When JIT access to a resource is requested by a device, the JIT service retrieves a JIT policy for the resource that includes screening criteria limiting automatic granting of JIT access to users who meet the screening criteria. Screening information for a user associated with the request is evaluated against one or more screening requirements set forth by the screening criteria. If the screening criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the device.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for DevOps personnel who do not have persistent access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. When JIT access to a resource is requested by a DevOps device, the JIT service retrieves a JIT policy for the resource that includes screening criteria limiting automatic granting of JIT access to DevOps personnel who meeting the screening criteria. Screening information for the DevOps personnel is evaluated against one or more screening requirements set forth by the screening criteria. If the screening criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the DevOps device.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for DevOps personnel who do not have persistent access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. When JIT access to a resource is requested by a DevOps device, the JIT service retrieves a JIT policy for the resource that includes geolocation criteria limiting the geolocation from which JIT access can be automatically granted. The geolocation of the DevOps device is evaluated against the geolocation criteria. If the geolocation criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the DevOps device.

Abstract: Various methods and systems are provided for autonomous secrets management for a temporary shared access signature (“SAS”) service. Input for a temporary access request for an account resource, is received from a client. The temporary access request is validated, based on communicating a validation request to the secrets management service (“SMS”) that can be utilized to store, renew and distribute secrets in a distributed computing environment. Validating the temporary access request is based on determining a storage account location path for SAS keys that provide temporary access to account resources. An access policy associated with the temporary access request is accessed. An SAS key request, associated with temporary access request, is communicated to the SMS. The SAS key request includes at least a portion of the access policy. An SAS key is received from the SMS. The SAS key, for access to the account resource, is communicated to the client.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for DevOps personnel who do not have persistent access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. When JIT access to a resource is requested by a DevOps device, the JIT service retrieves a JIT policy for the resource that includes geolocation criteria limiting the geolocation from which JIT access can be automatically granted. The geolocation of the DevOps device is evaluated against the geolocation criteria. If the geolocation criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the DevOps device.

Abstract: A JIT service in a cloud computing environment manages just-in-time access to resources in the cloud computing environment for DevOps personnel who do not have persistent access to restricted data or the ability to modify the cloud computing environment to gain access to restricted data. When JIT access to a resource is requested by a DevOps device, the JIT service retrieves a JIT policy for the resource that includes screening criteria limiting automatic granting of JIT access to DevOps personnel who meeting the screening criteria. Screening information for the DevOps personnel is evaluated against one or more screening requirements set forth by the screening criteria. If the screening criteria and any other criteria of the JIT policy are satisfied, the JIT service provisions JIT access to the resource for the DevOps device.