Just-in-Time (JIT) access

What is Just in Time IAM?

Just-in-Time (JIT) access provisioning grants a user temporary, on-demand privileged access to IT. It’s a form of identity access management that is meant to address scenarios in which a user who may not typical need to use certain applications or services can receive timely access to those resources when they need it, but only for a short period of time. Just-in-Time access provisioning can be viewed as an alternative to the concept of standing privileges, in which a user has broad, “always-on” access resources. Just-in-Time access also follows the principle of least privileged access, which is one of the core philosophies of the Zero Trust framework.

How is Just-in-Time Access Delivered?

One of the most effective ways to deliver Just-in-Time access to users is to use ephemeral certificates.

Ephemeral certificates are a type of limited access security token that is automatically created on-demand, automatically expires, and requires no installation, configuration or updating.

In ephemeral certificate-based authorization, the target systems are accessed without the need for permanent access credentials, explicit access revocation or traditional SSH key management. For each session, the ephemeral certificate:

  • is issued from the Certificate Authority, which serves as the trusted third party

  • is based on various industry-standard methods, the chief example being the short-lived X.509 certificate

  • encodes the target user ID for security

  • has a short lifetime (5 minutes) after which it auto-expires

The access is also called ‘credentialess’, since on establishing the connection the user does not handle access credentials at all. Instead, the user logs in to the Certificate Authority each time he or she wants to establish a remote connection without having permanent authorization to the environment.