Full Report
Traditional approaches to cloud access rely on static, permanent permissions that are often overprivileged. Learn how just-in-time access completely changes the game.

The access challenge in modern cloud environments

As cloud adoption accelerates, organizations are grappling with a fundamental security challenge: How do you grant people the access they need — such as on-call developers needing to debug problems, site reliability engineers (SREs) needing to repair issues with infrastructure, or DevOps engineers needing to provision or architect resources — without opening the door to overprivileged accounts and breach risks?

Traditional approaches rely heavily on static, permanent permissions. Human users often receive more access than necessary simply because it's hard to predict specifically which permissions they'll need. These permissions rarely get revoked, leaving organizations exposed.

This is where Tenable Cloud Security changes the game. As a powerful cloud-native application protection platform (CNAPP) solution, Tenable Cloud Security doesn't just identify access-related risk — it actively helps you solve it.

In this blog, we explore how you can address the excessive permissions challenge using the just-in-time (JIT) access capability in Tenable Cloud Security.

Just-in-time access: The elegant solution to human identity risk

JIT access enables organizations to dramatically reduce their exposure from compromised identities by providing a substitute for permanent access. Instead of being granted standing access, which may be exploited if and when an identity is compromised, users are provided with the eligibility to request temporary access based on a defined business need.

Here's how it works:

1. All standing access (or, at the very least, sensitive standing access) is removed.
2. Users are assigned eligibility profiles for specific resources or roles.
3. Users request access when it is needed, and are optionally required to provide a reason.
4. If required, the request can be approved by an assigned approver, or it can simply be granted automatically, which still has a huge security benefit compared to a standing permission.
5. For highly sensitive cases where more than one person needs to confirm access, several approval levels can be enforced.
6. Access is granted for a limited time (measured in hours), then automatically revoked.

JIT access dramatically reduces the attack surface tied to human identities, ensuring that elevated privileges are used only when necessary and only for as long as needed.

Fig. 1: Creating an eligibility to request just-in-time access to a cloud environment instead of standing permissions

User experience: Where security meets usability

Tenable understands that even the best security solution won't succeed without adoption and cooperation from its target audience. That's why JIT access in Tenable Cloud Security is designed with a seamless user experience in mind.

Access requests and approvals can be managed directly within messaging platforms, such as Slack or Microsoft Teams, which meet your teams where they are. Users and approvers stay in their native workflows while benefiting from a secure, auditable process.

Fig. 2: Filling out the access request form directly from Slack

Fig. 3, below, shows how the request, approval and access link are all grouped together on the same thread for a clean and simple experience.

Fig. 3: The request generated, approval granted and connection link to the cloud environment all in one thread in Slack

And speaking of audits, Tenable Cloud Security doesn't just log access. It provides a clean, intuitive activity log interface for every session. Unlike the often fragmented logs from cloud providers, these are tailored for easy auditing, compliance review or incident response. So, if you want to apply more scrutiny and review what happened during a session, or if you are compelled to do so in the event of an incident, it's extremely easy to open the session log and review it.

Fig. 4: The intuitive activity log for events generated in the cloud environment during the JIT access session; easy to review and filter for closer scrutiny or incident investigation

Expanding the reach: JIT access in Tenable Cloud Security now extends to SaaS applications

Based on customer feedback, Tenable extended JIT functionality to cover identity provider (IdP) group memberships. This is a big deal.

In many organizations, access to software as a service (SaaS) applications (such as secrets managers, observability tools, ticketing platforms, etc.) is governed through group memberships in identity providers like Okta or Microsoft Entra ID. With Tenable Cloud Security, you can now provide temporary group membership through the same JIT access model — effectively controlling and auditing access to SaaS apps with the same granularity and automation as cloud resources.

This means Tenable Cloud Security customers now have unified control over cloud infrastructure and SaaS access through a single solution.

Simplified procurement: JIT access is now included with Tenable Cloud Security

Perhaps the most exciting news: JIT access no longer requires a separate purchase. As of today, it's included with Tenable Cloud Security. If you're a Tenable Cloud Security customer, you already have access to the full power of JIT — no separate contract, no additional platform.

Billing is simple. Just as Tenable Cloud Security charges based on the number of cloud resources, JIT access treats each eligible user as a billable resource. For example, if you have a team of five developers eligible to request elevated permissions, these would count as an additional five billable resources, no matter how many eligibilities they have.

Why JIT access makes Tenable Cloud Security the CNAPP of choice

Tenable Cloud Security doesn't just identify problems. It solves them:

- It prioritizes identity risks with real-world context.
- It provides granular, real-time controls for both service and human identities.
- It offers native integration with your daily collaboration tools.
- It simplifies auditability and incident response.
- It extends protection beyond the cloud to the SaaS layer.
- It streamlines adoption with an intuitive UX and frictionless billing model.

Conclusion: Access management, reimagined

The best security tools blend into your workflow and quietly eliminate risk before it becomes a problem.

Tenable Cloud Security's JIT access capability is more than a feature — it's a philosophy shift. It reduces identity-based risk without sacrificing agility. It simplifies compliance without adding overhead. And it empowers teams to move fast, stay secure and maintain clarity over who has access to what, when and why.

If you're already a Tenable Cloud Security customer, there's never been a better time to start using JIT access. And if you're evaluating CNAPPs, ask yourself: do they help you fix the problem, or just show you where it is?

With Tenable Cloud Security, the answer is clear.

Visit https://www.tenable.com/announcements/provide-access-just-in-time to learn more about how JIT access capabilities in Tenable Cloud Security can help you reduce your exposures.
Analysis Summary
# Best Practices: Just-in-Time (JIT) Access Management in Cloud Security
## Overview
These practices focus on leveraging modern security solutions, specifically Just-in-Time (JIT) access capabilities within Cloud Native Application Protection Platforms (CNAPP), to reduce identity-based risk in cloud environments. The goal is to shift from standing, overly permissive access to temporary, context-aware access without sacrificing organizational agility or compliance.
## Key Recommendations
### Immediate Actions
1. **Enable JIT Access for High-Risk Identities:** Immediately deploy and activate Just-in-Time access controls for human and service identities that possess administrative or sensitive permissions across cloud environments.
2. **Integrate with Daily Collaboration Tools:** Connect the JIT access solution directly with existing team collaboration tools to streamline access requests and approvals, ensuring seamless workflow integration.
3. **Prioritize Identity Risk Context:** Ensure the JIT solution is capable of assessing and prioritizing identity risks by leveraging real-world context (e.g., required task, current exposure score) before granting elevated access.
### Short-term Improvements (1-3 months)
1. **Implement Granular, Real-Time Controls:** Configure fine-grained access policies that apply automatically in real-time to govern both service (non-human) and human identities, limiting their scope exactly to operational necessity.
2. **Establish Auditability Trails:** Verify that all granted JIT permissions are logged meticulously, creating simplified auditability trails for demonstrating adherence to security policies and facilitating rapid incident response.
3. **Extend Visibility to SaaS Layer:** Configure the cloud security solution to extend JIT protection and monitoring beyond the primary cloud infrastructure (IaaS/PaaS) to cover critical SaaS applications hosting sensitive data.
### Long-term Strategy (3+ months)
1. **Adopt an ML/AI-Driven Approach (If Available):** Integrate advanced analytics or Generative AI capabilities within the exposure management platform to continuously refine access rules dynamically based on evolving threat landscapes and behavior patterns.
2. **Standardize on Integrated Exposure Management:** Move toward a unified exposure management platform (CNAPP) that inherently links identity risk management (CIEM), vulnerability management, and JIT access, eliminating siloed security tools.
3. **Develop Comprehensive Risk Communication:** Utilize built-in reporting features to translate granular access controls and identified risks into clear, actionable metrics understandable by business leadership to support informed risk acceptance or mitigation decisions.
## Implementation Guidance
### For Small Organizations
- **Focus on Frictionless Adoption:** Select a solution (if purchasing a CNAPP) that offers an intuitive User Experience (UX) and a simplified, usage-based billing model to keep overhead low.
- **Start with Infrastructure Access:** Prioritize implementing JIT for manual access to core cloud infrastructure (e.g., production environment consoles) where security oversight is paramount.
### For Medium Organizations
- **Automate Workflow Integration:** Leverage native integration capabilities to embed the JIT approval process directly into existing IT Service Management (ITSM) or collaboration platforms to manage increased request volume efficiently.
- **Define Role-Based Temporary Access:** Develop standardized temporary access profiles tied to specific job functions (e.g., "Database Debugging - 2 Hours") rather than granting generic elevated roles.
### For Large Enterprises
- **Enforce Policy Across Multi-Cloud:** Ensure the JIT solution provides consistent, centralized control and visibility across heterogeneous cloud provider environments (AWS, Azure, GCP).
- **Formalize Service Identity Lifecycle:** Implement automated procedures for onboarding and de-provisioning temporary permissions for automated service accounts and CI/CD pipelines using JIT principles where applicable.
## Configuration Examples
*(Note: Specific vendor configurations were implied rather than detailed in the text. The focus here is on the principle of configuration.)*
**Principle of Granular Policy Enforcement:**
Configure access policies to enforce the principle of least privilege by default. For example:
* **BEFORE JIT:** The user holds a standing IAM policy allowing `"Action": "*"` on `"Resource": "*"` (wildcard access).
* **AFTER JIT:** The user requests access and the system verifies the request context. The user is granted read-only access to `arn:aws:s3:::prod-data/*` for 60 minutes only.
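As an added example (not Tenable's code, and not a description of how its product is implemented), the following Python models the JIT workflow described in the Full Report together with the before/after policy above: an eligibility profile, a request that must carry a reason and enough distinct approvals, a grant capped in hours, the least-privilege IAM policy it produces, and automatic revocation once the window closes. The user name, resource pattern and durations are constructed sample values.

```python
"""Model of a just-in-time (JIT) grant lifecycle: eligibility profile ->
request (reason, approvals, duration cap) -> time-boxed grant -> scoped
IAM policy -> auto-revocation. Illustrative only; not a vendor implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import fnmatch

@dataclass
class Eligibility:
    user: str
    actions: tuple       # IAM actions the user may request, e.g. s3:GetObject
    resource: str        # ARN pattern the grant is scoped to (constructed)
    max_hours: int       # upper bound on any single grant
    approvals_required: int = 0   # 0 = auto-grant; >1 = multi-level approval

@dataclass
class Grant:
    elig: Eligibility
    start: datetime
    end: datetime
    approvers: list = field(default_factory=list)

def request_access(elig, now, hours, approvers, reason):
    """Validate a request against the eligibility profile; return a Grant."""
    if not reason:
        raise ValueError("a business reason is required")
    if hours > elig.max_hours:
        raise ValueError("requested duration exceeds the eligibility cap")
    if len(set(approvers)) < elig.approvals_required:
        raise PermissionError("not enough distinct approvers")
    return Grant(elig, now, now + timedelta(hours=hours), list(approvers))

def scoped_policy(grant):
    """The 'AFTER JIT' state: least-privilege policy limited to the window.
    aws:CurrentTime with DateLessThan is a real IAM condition; it acts as a
    guardrail so the policy expires even if detachment at revocation fails."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": list(grant.elig.actions),
        "Resource": grant.elig.resource,
        "Condition": {"DateLessThan": {
            "aws:CurrentTime": grant.end.strftime("%Y-%m-%dT%H:%M:%SZ")}}}]}

def is_allowed(grant, action, resource, now):
    """Decide whether the grant permits `action` on `resource` at time `now`."""
    if not (grant.start <= now < grant.end):     # expired means auto-revoked
        return False
    return (any(fnmatch.fnmatchcase(action, a) for a in grant.elig.actions)
            and fnmatch.fnmatchcase(resource, grant.elig.resource))
```

In practice the revocation step also detaches the policy or removes the group membership; the date condition is defense in depth, not the primary mechanism.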
## Compliance Alignment
- **NIST CSF:** Aligns strongly with the **Protect** function (Access Control and Data Security) and the **Detect** function (Continuous Monitoring).
- **ISO 27001/27002:** Supports Annex A controls related to access control (A.9) by ensuring access rights are reviewed and restricted based on business need and timeliness.
- **CIS Controls:** Directly supports controls related to **Account Management** and **Access Control Management** by minimizing permanent administrative rights.
## Common Pitfalls to Avoid
- **Viewing JIT as an Isolated Feature:** Do not treat JIT as a standalone tool; it must be integrated with overall vulnerability and configuration posture management (CNAPP) to provide necessary context.
- **Ignoring Service Identities:** Do not focus only on human users while ignoring the standing, excessive permissions granted to automated service accounts or roles, which often represent higher risk.
- **Overhead Friction:** Avoid implementing a JIT system that adds significant bureaucracy or complexity to day-to-day work, which leads users to find insecure workarounds.
## Resources
- Tenable announcement on JIT access capabilities: https://www.tenable.com/announcements/provide-access-just-in-time
- Documentation/Guides for Cloud Native Application Protection Platforms (CNAPP) focusing on Identity and Entitlement Management (CIEM).