Mahantesh Pattanshetti

Last updated: April 28, 2023


Just-In-Time Access?

Just-in-time (JIT) access is a security approach in which access to a resource is granted only when it is needed and only for a limited time, with Just Enough Privileges (JEP). JEP is a synonym for least-privilege access: the goal is that a user who is granted access to a resource receives only the permissions required to perform the task at hand, and nothing more. Example use cases that call for JIT access: a database administrator needs to patch a specific database in production, an Okta administrator needs to reset a user's password, or a Kubernetes administrator needs to update a cluster.

Why JIT?

Long-standing (or standing) privileges are permissions granted to a user or account for an extended period, whether or not the holder currently needs them. Standing privileges pose a significant security risk because they enlarge the attack surface: a compromised account is immediately useful to an attacker seeking access to critical systems or data, with no further escalation required. We periodically hear about data breaches that began with the compromise of a DevOps user, administrator, or support engineer whose account carried exactly such privileges.

Gartner recognizes JIT as an essential capability of Privileged Access Management (PAM), and most enterprises are now looking for JIT solutions.

Challenges in JIT implementation

JIT is still a pipe dream for most enterprises, because implementing it is hard. IT environments have grown complex with SaaS and IaaS platforms. There is an API for everything, and the number of APIs an enterprise consumes keeps growing. Each SaaS application exposes hundreds to thousands of API endpoints and permissions, and each cloud service provider exposes more than 10,000. Automation is necessary, but even with it this is an overwhelming number of permissions and API capabilities to manage when consuming everything "as a service." There is no universal solution, but a multi-faceted approach can help.

Check out cloud permissions: AWS, GCP, Azure

Digging deeper into the APIs and permission sets provided by the cloud service providers (CSPs), one sees that AWS, GCP, and Azure each expose more than 10,000 permissions and API endpoints, and each ships more than 1,000 predefined roles. A role, in essence, is a preconfigured set of permissions. Further, one can create custom roles on demand through the same APIs. Thinking it through, APIs hold the key to implementing a JIT solution: a grant is one API call that attaches a scoped role to an identity, and a later API call that detaches it. Many enterprises have implemented DIY JIT solutions; such solutions are hard to build and harder to manage (a separate topic for discussion).

Challenges with JIT for cloud infrastructure?

1. Precut roles vs. custom roles: Each cloud service provider (CSP) ships more than 1,000 precut (predefined) roles, but these rarely match an organization's specific needs; they are typically broader than any single task requires. Custom roles can provide the granularity Just-In-Time access needs, but managing their life cycle (authoring each role with just enough privilege, keeping it current as provider APIs change, and retiring it when the task pattern disappears) is a challenging task. Most enterprises don't fully utilize the potential of custom roles because they are too cumbersome to manage.

2. Cloud syntax: Each CSP has its own permission set and policy language. To make effective use of the tens of thousands of permissions a CSP offers, cloud IAM administrators and users alike need to master the policies and permissions of the CSPs they use. This is challenging because both the user (say, a developer) and the administrator need to understand the cloud-specific policy syntax required to express just enough privilege. Different cloud resources carry different permission sets: the permissions required for SSH access to a VM are unrelated to those required for Kubernetes access, and there are provider-specific nuances on top (EKS vs. GKE, for instance). Working out which permissions a given task actually needs can be a science in itself. Further, developers need to master each provider's native tooling, such as its command-line interface.

3. Access approval processes: JIT access requests must be approved quickly and efficiently; otherwise the delay itself becomes a disruption and users push for standing access instead. The centralized approval systems most enterprises use were not designed for JIT. The internal back-and-forth between the resource owner, requester, reviewers, and approvers can stop JIT from becoming a reality.

4. Compliance: JIT access must satisfy compliance and audit requirements at several checkpoints: who requested access, why, for how long, to which resource, and evidence that the access was actually revoked when the time-bound grant expired. The dynamic nature of the cloud makes access requests and approvals harder to track and monitor.

5. Integration & automation: JIT must be tightly integrated with the existing identity and access management stack and with the communication channels teams already use, such as Slack, so that approvals happen quickly. Automation is required to free up both developers' and administrators' time in the JIT process.
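The following is an added illustration, not Procyon's code or any cloud provider's API, of what a JIT grant with Just Enough Privileges looks like when reduced to its essentials: a scoped, time-bound AWS IAM policy document (using the real `aws:CurrentTime` condition key and `DateGreaterThan`/`DateLessThan` operators) together with the audit record the compliance checkpoints above ask for. The four-hour ceiling, the requester, the account id, and the RDS resource ARN are constructed for the example; the DBA-patching scenario is the one from the introduction.

```python
"""JIT grant model: a time-bound, least-privilege IAM policy plus an audit trail.

Added example, not Procyon's code. MAX_GRANT, the requester, the account id and
the resource ARN below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_GRANT = timedelta(hours=4)  # hypothetical organisational ceiling per grant


def _iso(ts: datetime) -> str:
    """IAM date conditions expect ISO 8601 in UTC, e.g. 2023-04-28T10:00:00Z."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


@dataclass
class JitGrant:
    requester: str
    justification: str
    actions: list[str]
    resources: list[str]
    issued_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None


def issue_grant(requester: str, justification: str, actions: list[str],
                resources: list[str], duration: timedelta,
                now: Optional[datetime] = None) -> JitGrant:
    """Validate a request against JEP rules and mint a time-bound grant."""
    now = now or datetime.now(timezone.utc)
    if not justification.strip():
        raise ValueError("a justification is required for every JIT request")
    if not timedelta(0) < duration <= MAX_GRANT:
        raise ValueError(f"duration must be within (0, {MAX_GRANT}]")
    # Coarse checks that reject the shortcuts which turn a JIT grant
    # back into standing admin access (e.g. "rds:*" or Resource "*").
    for action in actions:
        if "*" in action:
            raise ValueError(f"wildcard action not allowed: {action}")
    for resource in resources:
        if resource == "*" or resource.endswith(":*"):
            raise ValueError(f"wildcard resource not allowed: {resource}")
    return JitGrant(requester, justification, sorted(actions), sorted(resources),
                    now, now + duration)


def to_iam_policy(grant: JitGrant) -> dict:
    """Render the grant as an IAM policy document. The aws:CurrentTime
    conditions make the permission self-expire even if revocation runs late."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "JitGrant",
            "Effect": "Allow",
            "Action": grant.actions,
            "Resource": grant.resources,
            "Condition": {
                "DateGreaterThan": {"aws:CurrentTime": _iso(grant.issued_at)},
                "DateLessThan": {"aws:CurrentTime": _iso(grant.expires_at)},
            },
        }],
    }


def is_active(grant: JitGrant, at: datetime) -> bool:
    """A grant is usable only inside its window and only until it is revoked."""
    if grant.revoked_at is not None and at >= grant.revoked_at:
        return False
    return grant.issued_at <= at < grant.expires_at


def revoke(grant: JitGrant, at: datetime) -> None:
    """Record revocation; in a real system this is where the policy is detached."""
    grant.revoked_at = at


def audit_record(grant: JitGrant) -> dict:
    """The checkpoints an auditor asks for: who, why, what, how long, revoked when."""
    return {
        "who": grant.requester,
        "why": grant.justification,
        "what": {"actions": grant.actions, "resources": grant.resources},
        "issued_at": _iso(grant.issued_at),
        "expires_at": _iso(grant.expires_at),
        "duration_minutes": int((grant.expires_at - grant.issued_at).total_seconds() // 60),
        "revoked_at": _iso(grant.revoked_at) if grant.revoked_at else None,
    }


if __name__ == "__main__":
    import json
    t0 = datetime(2023, 4, 28, 10, 0, tzinfo=timezone.utc)
    # Constructed scenario: a DBA patching one production RDS instance.
    g = issue_grant("dba@example.com", "CHG-1234: apply pending patch to prod-orders",
                    ["rds:DescribeDBInstances", "rds:ApplyPendingMaintenanceAction"],
                    ["arn:aws:rds:us-east-1:123456789012:db:prod-orders"],
                    timedelta(hours=1), now=t0)
    print(json.dumps(to_iam_policy(g), indent=2))
    revoke(g, t0 + timedelta(minutes=40))
    print(json.dumps(audit_record(g), indent=2))
```

The point of rendering the expiry into the policy itself, rather than relying only on a scheduled detach, is that the permission stops working at `expires_at` even if the revocation job fails; the audit record then shows both the planned window and the actual revocation time, which is the evidence item listed under Compliance.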
