
Embracing Zero Trust: The Future of Secure Network Access with Tailscale

Duration: 01:55

One of the simplest, most secure ways we’ve found is to run your network entirely over a zero-trust mesh—no open firewall holes, no VPN appliances, just authenticated, encrypted connections between the devices that need to talk. In practice, that looks like this:

  1. Integrate every user and device with your identity provider (Google Workspace, Okta, Azure AD, etc.).
  2. Run a zero-trust agent on every endpoint and server (for example, the Tailscale client).
  3. Use fine-grained ACLs so that services are only reachable by the specific users or groups you choose.
  4. For occasional “admin” or emergency access, use just-in-time (JIT) sessions:
    • Instead of permanently granting high-privilege network routes or ports, you request a time-limited credential via an API or CLI.
    • That credential automatically expires after a set window—say 30 minutes—so you never leave doors standing open longer than necessary.
    • All requests and approvals are logged centrally for audit.

Tailscale’s new JIT Network Access (now generally available to Enterprise customers) automates exactly this workflow. You simply call their API to “check out” a temporary access token scoped to the resources you need; those permissions vanish the moment your time’s up. No more flipped firewall rules, no extra bastion hosts, and no second-class VPN tokens floating around. It’s just identity-driven access, when you need it, for exactly as long as you need it.
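The access model sketched above (a narrow standing ACL, plus time-limited JIT grants that expire on their own and are logged centrally), as an added Python model. This is constructed illustration code, not Tailscale's client or API: the principals, group membership, resource names and the 30-minute default window are assumptions chosen to mirror the steps listed above.

```python
"""Toy model of identity-driven access with just-in-time (JIT) grants.

Constructed example; it calls no real API (Tailscale or otherwise).
It models three ideas from the workflow above:
  - a standing ACL that grants only narrow, identity-based access,
  - time-limited JIT grants that expire on their own,
  - a central audit trail of every request, approval and decision.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Standing ACL: (principal, resource) pairs that are always allowed.
# Principals are user or group identities as the identity provider names them
# (constructed values).
STANDING_ACL = {
    ("group:oncall", "tag:monitoring:443"),
    ("user:alice@example.com", "tag:web:443"),
}

# Group membership as reported by the identity provider (constructed).
GROUPS = {"group:oncall": {"user:alice@example.com", "user:bob@example.com"}}

DEFAULT_TTL = timedelta(minutes=30)   # the "say 30 minutes" window from the text
MAX_TTL = timedelta(hours=2)          # hard cap so no request becomes standing access


@dataclass
class JitGrant:
    principal: str
    resource: str
    expires_at: datetime
    approver: str

    def active(self, now: datetime) -> bool:
        return now < self.expires_at


@dataclass
class AccessBroker:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, now, event, **fields):
        # Every request, approval and decision lands in one central log.
        self.audit_log.append({"ts": now.isoformat(), "event": event, **fields})

    def _principals_for(self, user: str) -> set:
        # A user acts as themselves plus every group the IdP places them in.
        return {user} | {g for g, members in GROUPS.items() if user in members}

    def request_jit(self, user, resource, approver, now, ttl=DEFAULT_TTL) -> JitGrant:
        ttl = min(ttl, MAX_TTL)   # clamp: nobody gets an all-day grant
        grant = JitGrant(user, resource, now + ttl, approver)
        self.grants.append(grant)
        self._log(now, "jit_granted", user=user, resource=resource,
                  approver=approver, expires_at=grant.expires_at.isoformat())
        return grant

    def is_allowed(self, user, resource, now) -> bool:
        # 1. Standing ACL, evaluated against the user and their groups.
        if any((p, resource) in STANDING_ACL for p in self._principals_for(user)):
            self._log(now, "allow_acl", user=user, resource=resource)
            return True
        # 2. An unexpired JIT grant for exactly this user and resource.
        for g in self.grants:
            if g.principal == user and g.resource == resource and g.active(now):
                self._log(now, "allow_jit", user=user, resource=resource)
                return True
        # 3. Default deny.
        self._log(now, "deny", user=user, resource=resource)
        return False

    def purge_expired(self, now) -> int:
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.active(now)]
        self._log(now, "purged", count=before - len(self.grants))
        return before - len(self.grants)


def demo():
    """Walk one user through ACL access, a JIT grant, and its expiry."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    b = AccessBroker()
    r = {}
    r["acl_via_group"] = b.is_allowed("user:bob@example.com", "tag:monitoring:443", t0)
    r["prod_before_jit"] = b.is_allowed("user:bob@example.com", "tag:prod:22", t0)
    b.request_jit("user:bob@example.com", "tag:prod:22",
                  approver="user:alice@example.com", now=t0)
    r["prod_during_jit"] = b.is_allowed("user:bob@example.com", "tag:prod:22",
                                        t0 + timedelta(minutes=29))
    r["prod_after_jit"] = b.is_allowed("user:bob@example.com", "tag:prod:22",
                                       t0 + timedelta(minutes=31))
    r["purged"] = b.purge_expired(t0 + timedelta(minutes=31))
    r["audit_events"] = [e["event"] for e in b.audit_log]
    # Oversized request is clamped to MAX_TTL (120 minutes).
    g = b.request_jit("user:bob@example.com", "tag:db:5432",
                      approver="user:alice@example.com", now=t0, ttl=timedelta(hours=5))
    r["clamped_ttl_minutes"] = (g.expires_at - t0).total_seconds() / 60
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is where expiry is enforced: `is_allowed` re-checks the grant's `expires_at` on every decision, so access ends when the window ends whether or not anyone remembers to revoke it, and `purge_expired` is housekeeping rather than the security control. In a real deployment that check belongs in the mesh's policy engine, and the audit log should be shipped off the host it is written on.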
Listen to jawbreaker.io using one of many popular podcasting apps or directories.