
When it comes to Google Workspace security, many businesses overlook how much power sits inside admin accounts. Attackers know this too, which is why administrator privileges are often their top target. A smart approach is to use Cloud Identity and Just-in-Time (JIT) access to reduce risks while still maintaining control.
In this guide, we’ll explain what Cloud Identity is, how to configure JIT access in your Google Workspace admin panel, and why these steps are essential for securing your business.
What is Cloud Identity?
Cloud Identity is a free Google account that lets you create users who aren’t tied to Workspace services like Gmail or Drive. Instead, they exist purely for identity and access management.
This means you don’t need to consume a paid Google Workspace license to create an extra admin account. For example, you might set up a unique identity like:
This account should:
- Be suspended until needed
- Hold Super Admin rights or other admin roles
- Be used only for granting JIT access to other admins
Because this account has no resemblance to an employee or your business, attackers are less likely to guess or target it.
Setting Up Just-in-Time Access in Google Workspace
Here’s how you can set up JIT access for administrators:
- Create a Cloud Identity Account
  - Log into your Google Admin console.
  - Go to Users > Add new user.
  - Select Cloud Identity instead of a Workspace license.
- Give Admin Privileges
  - Assign the Super Admin role or other admin roles to this account.
  - Immediately suspend the account after creation.
- Grant Access When Needed
  - When a new admin needs elevated permissions, temporarily re-activate the Cloud Identity account.
  - Allow it to approve and delegate permissions to the working admin account.
  - Once tasks are complete, suspend the Cloud Identity account again.
- Apply Least Privilege
  - Never keep full Super Admin rights enabled.
  - Ensure day-to-day admin accounts have only the permissions necessary for their role.
This practice ensures there’s always a “break-glass” account available for emergencies, but it’s not sitting active for attackers to abuse.
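The procedure only works if every reactivation is followed by a suspension. The following is an added example, not code from this guide or from Google: it pairs reactivation and suspension events for the break-glass account in exported Admin audit log records and flags windows that ran too long or were never closed. The account name, the four-hour limit and the sample records are assumptions; the record shape and the SUSPEND_USER / UNSUSPEND_USER event names follow the Admin SDK Reports API admin activity format.

```python
from datetime import datetime, timedelta

BREAK_GLASS = "jit-placeholder@example.com"  # hypothetical break-glass account
MAX_WINDOW = timedelta(hours=4)              # assumed policy: longest allowed activation

def _act(ts, actor, name, target):
    """Build a constructed record shaped like a Reports API admin activity."""
    return {"id": {"time": ts}, "actor": {"email": actor}, "events": [
        {"name": name, "parameters": [{"name": "USER_EMAIL", "value": target}]}]}

SAMPLE = [  # constructed sample data, not real log output
    _act("2024-05-01T09:00:00Z", "it-lead@example.com", "UNSUSPEND_USER", BREAK_GLASS),
    _act("2024-05-01T09:40:00Z", "it-lead@example.com", "SUSPEND_USER", BREAK_GLASS),
    _act("2024-05-03T22:15:00Z", "helpdesk@example.com", "UNSUSPEND_USER", BREAK_GLASS),
    _act("2024-05-04T08:30:00Z", "it-lead@example.com", "SUSPEND_USER", BREAK_GLASS),
    _act("2024-05-06T13:00:00Z", "it-lead@example.com", "UNSUSPEND_USER", BREAK_GLASS),
    _act("2024-05-02T10:00:00Z", "it-lead@example.com", "SUSPEND_USER", "leaver@example.com"),
]

def jit_windows(activities, account=BREAK_GLASS, now=None, limit=MAX_WINDOW):
    """Pair each reactivation with the next suspension and flag policy breaches."""
    relevant = []
    for act in activities:
        for ev in act.get("events", []):
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            target = (params.get("USER_EMAIL") or "").lower()
            if target == account.lower() and ev["name"] in ("SUSPEND_USER", "UNSUSPEND_USER"):
                when = datetime.fromisoformat(act["id"]["time"].replace("Z", "+00:00"))
                relevant.append((when, ev["name"], act["actor"]["email"]))
    relevant.sort()
    windows, opened = [], None
    for when, name, actor in relevant:
        if name == "UNSUSPEND_USER" and opened is None:
            opened = (when, actor)
        elif name == "SUSPEND_USER" and opened is not None:
            finding = "too_long" if when - opened[0] > limit else "ok"
            windows.append({"opened": opened[0], "by": opened[1], "closed": when, "finding": finding})
            opened = None
    if opened is not None:  # reactivated and never re-suspended
        age = (now or datetime.now(opened[0].tzinfo)) - opened[0]
        finding = "still_active" if age > limit else "open"
        windows.append({"opened": opened[0], "by": opened[1], "closed": None, "finding": finding})
    return windows

if __name__ == "__main__":
    for w in jit_windows(SAMPLE):
        print(w["finding"], w["opened"].isoformat(), "opened by", w["by"])
```

Any "too_long" or "still_active" finding, or a reactivation by an actor who is not expected to perform it, is worth an alert rather than a periodic review.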
Why This is a Best Practice for Cybersecurity
Cyber attackers target administrator accounts because they control your entire Google Workspace environment: email, files, users, billing, and integrations.
By implementing Cloud Identity with JIT access, you:
- Reduce the window of opportunity for attackers
- Ensure admin permissions are only live when necessary
- Avoid burning paid Workspace licenses for non-employee accounts
- Maintain clear visibility and control over admin actions
This aligns with the principle of least privilege, a cornerstone of modern cybersecurity.
Securing Partner Access with JIT Controls
If your business is managed by a Google partner, you need to be even more careful. By default, partners often have continuous access to your Workspace tenancy.
While convenient, this creates a huge risk: if the partner is compromised in a cyberattack, your environment could also be breached. In fact, we’ve seen cases where entire customer environments were exposed due to this setup.
How to Secure Partner Access:
- Go to Admin Console > Account Settings > Partner Access.
- Disable default partner access so they cannot log in at any time.
- Instead, only grant temporary access when support is required.
- Revoke the access immediately after work is complete.
This ensures partners only enter your environment through controlled, JIT approval, keeping your organisation safe.
How Sentry Cyber Can Help
At Sentry Cyber, we’ve been working with Google Workspace customers for over 17 years. We specialise in security for Google environments and can help your business:
- Set up Cloud Identity and JIT admin access correctly
- Review your partner access policies
- Perform a Google Workspace security assessment to identify risks before attackers exploit them
👉 Book your free Complimentary Cyber Security Workshop today to get started.
Frequently Asked Questions (FAQ)
Q1: Do I need to pay for an extra Workspace license to create a JIT account?
No. You can create a free Cloud Identity account that functions solely for security purposes.
Q2: What if my admins already have Super Admin rights?
You should reduce their permissions to the minimum needed and use the Cloud Identity JIT method for elevated tasks.
Q3: How often should I review partner access?
At least quarterly, or whenever you change service providers. Always keep this access disabled by default.
Q4: Can I monitor when the JIT account is activated?
Yes. Google Workspace Admin audit logs allow you to track account activity, including when suspended accounts are reactivated.
Q5: Is JIT access only for large organisations?
No. Even small businesses benefit, as attackers don’t discriminate based on size. JIT reduces your risk footprint significantly.
Conclusion
Implementing Cloud Identity and Just-in-Time access in Google Workspace is a simple but powerful way to strengthen your organisation’s security. It reduces risk, enforces least privilege, and ensures partners only access your environment when absolutely necessary.
Don’t wait for a breach to rethink your admin strategy. Contact Sentry Cyber today and secure your Workspace the right way.