Overview
Just-In-Time (JIT) Access is the antithesis of "Standing Privilege." In a traditional model, an admin is a Domain Admin 24/7/365, even while they are asleep, so if their account is compromised at 3 AM the attacker has instant Domain Admin access.
In a JIT model, the user has zero privileges by default. When they need to perform a task, they request access. Access is granted instantly (or after approval) for a specific time window (e.g., 2 hours). Once the window closes, access is automatically revoked.
Architecture
Reference Pattern: Ephemeral Access
JIT can be implemented by creating temporary accounts, adding users to groups temporarily, or issuing short-lived certificates.
Diagram
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Mechanism | Temporary Group Add, Ephemeral Account, Vaulted Credential | Temporary Group Add | Adding a user to "Domain Admins" for 1 hour is cleaner than creating/deleting accounts. |
| Approval | Manual Manager, Auto-Approval | Auto-Approval (for Standard) | If the user is authorized for the role, auto-approve to reduce friction. Use manual for exceptions. |
| Agent vs Agentless | Agent on Target, Central Directory | Central Directory | Managing JIT via AD groups is easier than installing agents on every server. |
| Protocol | SSH Certificates, Kerberos, Password | SSH Certs / Kerberos | Issuing a short-lived certificate is more secure than rotating a password. |
| Audit | Log Request, Log Session | Log Both | You need to know why they asked (Request) and what they did (Session). |
Implementation
Phase 1: The "Break Glass"
- Implement JIT for emergency accounts (e.g., schema admin).
- Require manual approval.
- Goal: Eliminate permanent use of the most dangerous accounts.
Phase 2: Server Administration
- Remove admins from the local "Administrators" group on servers.
- Implement a self-service portal where they request "Admin on Server X for 4 hours."
- Automate the group membership change.
- Goal: Zero Standing Privileges (ZSP) on servers.
Phase 3: Cloud & SaaS
- Use AWS IAM Identity Center (SSO) or Azure PIM.
- Users request "AWS AdministratorAccess" for a session.
- Goal: Native cloud JIT integration.
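The "Temporary Group Add" mechanism from the Key Decisions table and the Phase 2 workflow (request, auto-approve if the user is entitled to the role, grant for a bounded window, revoke on expiry, log both the request and the grant) as a small Python broker. This is an added example, not code from the original page: the directory is an in-memory stand-in for AD/LDAP group membership, and the user names, group names, entitlements and 4-hour cap are constructed assumptions.

```python
"""Minimal JIT access broker: temporary group membership with automatic expiry.

Added example, not from the original page. The directory is simulated in memory;
users, groups, entitlements and the duration cap are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: which privileged groups a user may self-approve into.
# Anything not listed here requires a human approver.
ENTITLEMENTS = {
    "alice": {"SRV-WEB01-Admins", "SRV-DB01-Admins"},
    "bob": {"SRV-WEB01-Admins"},
}
MAX_DURATION = timedelta(hours=4)   # longest window the broker will ever grant


@dataclass
class Grant:
    user: str
    group: str
    expires_at: datetime
    status: str = "active"          # active | revoked | revoke_failed
    approved_by: str = "auto"


class Directory:
    """Stand-in for AD/LDAP group membership; swap in real directory calls."""

    def __init__(self):
        self.members = {}           # group -> set of users

    def add(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def remove(self, group, user):
        self.members.get(group, set()).discard(user)

    def is_member(self, group, user):
        return user in self.members.get(group, set())


class JitBroker:
    def __init__(self, directory, clock):
        self.dir = directory
        self.clock = clock          # callable returning "now"; injected so tests can advance time
        self.grants = []
        self.pending = []
        self.audit = []             # (timestamp, event, user, group, detail)

    def _log(self, event, user, group, detail=""):
        self.audit.append((self.clock(), event, user, group, detail))

    def request(self, user, group, duration, justification):
        """Log the request, auto-approve if entitled, otherwise queue for a human."""
        self._log("request", user, group, justification)
        if duration > MAX_DURATION:
            duration = MAX_DURATION  # cap rather than reject: rejection breeds workarounds
        if group in ENTITLEMENTS.get(user, set()):
            return self._grant(user, group, duration, "auto")
        self.pending.append((user, group, duration))
        self._log("pending", user, group, "manual approval required")
        return None

    def approve(self, approver, user, group):
        for item in list(self.pending):
            if item[0] == user and item[1] == group:
                self.pending.remove(item)
                return self._grant(user, group, item[2], approver)
        raise KeyError("no pending request for that user/group")

    def _grant(self, user, group, duration, approver):
        grant = Grant(user, group, self.clock() + duration, approved_by=approver)
        self.dir.add(group, user)
        self.grants.append(grant)
        self._log("grant", user, group, f"until {grant.expires_at.isoformat()}")
        return grant

    def sweep(self):
        """Revoke every expired grant and verify the directory really reflects it."""
        processed = []
        for g in self.grants:
            if g.status == "active" and g.expires_at <= self.clock():
                self.dir.remove(g.group, g.user)
                still_member = self.dir.is_member(g.group, g.user)
                g.status = "revoke_failed" if still_member else "revoked"
                self._log(g.status, g.user, g.group)
                processed.append(g)
        return processed


def demo():
    """Constructed scenario: alice gets 2h on DB01, time passes, the sweep revokes it."""
    now = [datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)]   # fake clock (constructed)
    broker = JitBroker(Directory(), lambda: now[0])
    broker.request("alice", "SRV-DB01-Admins", timedelta(hours=2), "patch DB01 (constructed)")
    now[0] += timedelta(hours=2, minutes=1)
    broker.sweep()
    return broker


if __name__ == "__main__":
    for entry in demo().audit:
        print(*entry)
```

The sweep runs on a schedule (a scheduled task or cron job in practice) and checks membership after the removal rather than trusting the call succeeded; a `revoke_failed` status is the signal the Risks section says to monitor for.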
Risks
- Latency: If the JIT process takes 15 minutes, admins will hate it. It must be near-instant.
- Revocation Failure: The script that removes the user fails, and the user remains an admin indefinitely. Monitor for this: reconcile actual group membership against the list of active grants.
- "Always On" Requests: Users requesting access every single morning for 8 hours. This defeats the purpose.
- Emergency Block: If the JIT portal is down during an outage, nobody can fix the outage. Always have a physical break-glass fallback.
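Detection logic for the two risks above that a monitor can catch (Revocation Failure and "Always On" Requests), as an added example that is not part of the original page. It reconciles a snapshot of the directory's real privileged-group membership against the JIT broker's grant ledger, and flags users whose request history amounts to standing access. The users, groups, dates, allowlist and thresholds are constructed sample values.

```python
"""Monitoring two JIT failure modes: revocation failure and "always on" requests.

Added example, not from the original page. Users, groups, dates and thresholds
are constructed sample values.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2024, 1, 8, 9, 0, tzinfo=UTC)      # constructed evaluation time
ALWAYS_ON_WINDOW = timedelta(hours=6)              # average grant length that looks like a full shift


def _grant(user, group, day, hour, hours):
    """Build one constructed ledger entry (January 2024)."""
    start = datetime(2024, 1, day, hour, tzinfo=UTC)
    return {"user": user, "group": group, "start": start, "end": start + timedelta(hours=hours)}


# Constructed ledger: every grant the JIT broker has issued recently.
LEDGER = [
    _grant("alice", "Domain Admins", 8, 8, 2),   # Jan 8 08:00-10:00, active at NOW
    _grant("bob", "Domain Admins", 7, 8, 4),     # Jan 7, expired yesterday
] + [_grant("carol", "Domain Admins", d, 8, 8) for d in range(2, 7)]   # Jan 2-6, 8h every day

# Constructed snapshot of what the directory actually contains right now.
DIRECTORY_MEMBERS = {"Domain Admins": {"alice", "bob", "svc-legacy", "breakglass-da"}}

# Constructed: the few accounts allowed to hold membership outside the JIT process.
BREAK_GLASS_ALLOWLIST = {"Domain Admins": {"breakglass-da"}}


def reconcile(ledger, members, allowlist, now):
    """Return (user, group, reason) for every member with no active grant and no allowlist entry.

    A member whose grant has expired is a revocation failure; a member with no grant
    at all is standing privilege that bypassed JIT entirely. Both warrant an alert.
    """
    active = {(g["user"], g["group"]) for g in ledger if g["start"] <= now < g["end"]}
    findings = []
    for group, users in members.items():
        for user in sorted(users):
            if (user, group) in active or user in allowlist.get(group, set()):
                continue
            had_grant = any(g["user"] == user and g["group"] == group for g in ledger)
            reason = "revocation_failed" if had_grant else "unmanaged_standing_access"
            findings.append((user, group, reason))
    return findings


def always_on(ledger, now, days=7, min_days=4, max_window=ALWAYS_ON_WINDOW):
    """Flag users granted access on at least `min_days` distinct days in the last `days`
    days whose average window is at least `max_window`: JIT used as standing access."""
    since = now - timedelta(days=days)
    per_user = {}
    for g in ledger:
        if g["start"] >= since:
            per_user.setdefault(g["user"], []).append(g)
    flagged = []
    for user, grants in per_user.items():
        distinct_days = {g["start"].date() for g in grants}
        avg_window = sum((g["end"] - g["start"] for g in grants), timedelta()) / len(grants)
        if len(distinct_days) >= min_days and avg_window >= max_window:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    for finding in reconcile(LEDGER, DIRECTORY_MEMBERS, BREAK_GLASS_ALLOWLIST, NOW):
        print("ALERT", *finding)
    print("always-on users:", always_on(LEDGER, NOW))
```

Run the reconciliation far more often than the longest grant window (every few minutes is typical), because the gap between expiry and detection is exactly how long the revocation failure goes unnoticed. The always-on check is a weekly review item rather than an alert: the fix is a conversation about why the role is needed daily, not an automatic block.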
KPIs
- Standing Access Reduction: Percentage reduction in the number of users with permanent privileged assignments.
- JIT Utilization: Percentage of administrative sessions initiated via a JIT workflow vs. standing access.
- Approval Time: Average time to approve/grant a JIT request.
- Revocation Success Rate: Percentage of JIT sessions that were successfully revoked/expired automatically.
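The four KPIs computed from the kinds of records a JIT portal and directory would export (privileged assignment counts, admin session logs, request timestamps, grant expiry and revocation times), as an added example that is not part of the original page. All input records, the 5-minute revocation grace period and the reporting period are constructed assumptions.

```python
"""Computing the JIT KPIs from exported records.

Added example, not from the original page. All records and thresholds are
constructed sample values.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=UTC)            # constructed reporting-period start
PERIOD_END = T0 + timedelta(hours=6)                    # constructed reporting-period end
REVOCATION_GRACE = timedelta(minutes=5)                 # how late a revocation may land and still count

# Constructed inputs, each a small extract of what a directory and JIT portal would export.
STANDING_BEFORE = 12    # users with a permanent privileged assignment at baseline
STANDING_AFTER = 3      # same count after rollout (only break-glass accounts remain)

SESSIONS = [            # admin sessions from logon logs; "source" says whether a JIT grant was active
    {"user": "alice", "source": "jit"}, {"user": "bob", "source": "jit"},
    {"user": "carol", "source": "jit"}, {"user": "dave", "source": "standing"},
]

REQUESTS = [            # granted_at is None for requests still pending or denied
    {"user": "alice", "requested_at": T0, "granted_at": T0 + timedelta(seconds=5)},
    {"user": "bob", "requested_at": T0 + timedelta(hours=1),
     "granted_at": T0 + timedelta(hours=1, minutes=10)},        # went through manual approval
    {"user": "carol", "requested_at": T0 + timedelta(hours=2),
     "granted_at": T0 + timedelta(hours=2, seconds=15)},
    {"user": "erin", "requested_at": T0 + timedelta(hours=3), "granted_at": None},
]

GRANTS = [              # expected expiry versus what the revocation job actually did
    {"user": "alice", "expires_at": T0 + timedelta(hours=2), "revoked_at": T0 + timedelta(hours=2, seconds=30)},
    {"user": "bob", "expires_at": T0 + timedelta(hours=5), "revoked_at": None},   # revocation failed
    {"user": "carol", "expires_at": T0 + timedelta(hours=4), "revoked_at": T0 + timedelta(hours=4, seconds=20)},
]


def standing_access_reduction(before, after):
    """Fraction of permanent privileged assignments eliminated."""
    return 0.0 if before == 0 else (before - after) / before


def jit_utilization(sessions):
    """Fraction of admin sessions that ran under a JIT grant rather than standing access."""
    return sum(s["source"] == "jit" for s in sessions) / len(sessions)


def mean_approval_seconds(requests):
    """Average seconds from request to grant, over requests that were actually granted."""
    granted = [r for r in requests if r["granted_at"] is not None]
    total = sum(((r["granted_at"] - r["requested_at"]).total_seconds() for r in granted), 0.0)
    return total / len(granted)


def revocation_success_rate(grants, now, grace=REVOCATION_GRACE):
    """Share of grants past expiry that were revoked within `grace` of their expiry time."""
    due = [g for g in grants if g["expires_at"] <= now]
    ok = [g for g in due if g["revoked_at"] is not None and g["revoked_at"] - g["expires_at"] <= grace]
    return len(ok) / len(due)


def report(now):
    return {
        "standing_access_reduction": standing_access_reduction(STANDING_BEFORE, STANDING_AFTER),
        "jit_utilization": jit_utilization(SESSIONS),
        "mean_approval_seconds": mean_approval_seconds(REQUESTS),
        "revocation_success_rate": revocation_success_rate(GRANTS, now),
    }


if __name__ == "__main__":
    for name, value in report(PERIOD_END).items():
        print(f"{name}: {value:.3f}")
```

Two choices worth keeping when adapting this: approval time is measured only over granted requests so that a denied request does not skew it, and a revocation counts as successful only if it landed within the grace period, so a job that eventually catches up hours late still shows up as a failure in the KPI.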
