Improving Your Cloud Security Using JIT Access for Sensitive SaaS Applications

Using just-in-time controls to secure access to your SaaS applications will reduce your cloud attack surface by avoiding permanent access and enforcing least privilege.

By granting permissions on a time-limited, as-needed basis only, just-in-time (JIT) controls are an important security mechanism for protecting access to cloud resources. JIT access is becoming a popular cloud security practice, with enterprises applying it innovatively in real world scenarios.

It turns out that another excellent cloud use case for JIT has evolved. For easier security scaling, many organizations are using their identity provider’s groups function (IdP groups) to grant and manage access to software-as-a-service (SaaS) applications, such as those from Salesforce. By applying JIT to IdP groups, organizations can apply the best practice of role-based access management to their SaaS apps and ensure access is granted only as needed. Adopting this new use case is a simple next step for security teams already using JIT for cloud resources.

Specifically, by applying JIT to IdP groups you can create an access-request flow in which users request either one-off access or permissions elevation, and requests are evaluated or granted either automatically or by a designated approver. Access is limited to just hours and becomes process-driven, with the granted privileges revoked upon expiration. JIT prevents the risk posed by permanent access to SaaS applications by narrowing the window of opportunity for malicious use of compromised credentials and vulnerabilities.

Why is JIT access for SaaS applications important?

Social engineering (including phishing), credentials compromise and malicious internal users are common beachheads for penetrating a cloud environment. Once bad actors gain access, excessive permissions such as permanent access - aka standing permissions - open your environment to compromise. Placing time-bound limits on permissions helps prevent exposure to such attack vectors. Using JIT to engineer temporary access for cloud resources and also for sensitive cloud applications not only makes your cloud environment more secure, it also enforces the least privilege practices required by compliance regulations. 

It’s important to note that the SaaS user is typically a business user. So using JIT to control access to sensitive SaaS applications extends security beyond development and IT users to the organization’s business environment. Security leaders have an organic opportunity to capitalize on existing use of JIT for cloud resources to drive adoption of JIT for SaaS apps – scaling security and improving their enterprise’s cloud security maturity.

What to look for in JIT access for SaaS 

For future proofing your JIT investment, make sure you consider a JIT access capability that supports your current cloud identity provider and others. You’ll want to evaluate JIT tooling that is part of a comprehensive cloud security solution, namely, a cloud native application protection platform (CNAPP) that includes strong capabilities for cloud identity entitlement management (CIEM) and data security posture management (DSPM). CIEM makes it easier to detect where you have the most significant identity risks that warrant mitigating using the JIT approach. DSPM helps you understand which resources are more sensitive than others. Overall, JIT implemented as part of a CNAPP provides insight into multi-cloud risk and context across your infrastructure, workloads, identities and data that is inherently lacking in standalone JIT tooling.

Be sure your JIT solution for cloud provides full reporting on access requests and denials, changes in eligibility and user activities during temporary access.

How JIT for SaaS applications works

Here’s an example of how Tenable Cloud Security, our CNAPP solution, has implemented JIT for SaaS. The process is straightforward and takes just a few minutes. First, security personnel and/or system/applications administrators, working with the IdP groups function of their organization’s IdP, create an eligibility for the business application for which they want to enable temporary access. Next, any user in the organization seeking access to the business application uses a collaboration tool like Slack or Microsoft Teams, or Tenable’s cloud JIT portal, to submit a temporary access request. Approval is granted automatically or by the designated approvers, as specified within the eligibility. Automatic approvals are according to the permissions defined for the group or groups for which the user is eligible.

Step 1. Security teams create eligibilities with time-bound access

In a few clicks, security personnel or the relevant admin create an eligibility. This involves specifying the group that has permissions to the application, the principals (user or group) that can submit requests, maximum session duration and designated approvers. 

^{Tenable Cloud Security enables security teams, system admins and application admins, using the IdP group function of their identity provider such as Microsoft Entra ID, to define eligibilities to easily manage temporary access requests to SaaS applications.}

Step 2. Users request temporary access 

In Slack, Microsoft Teams or the Tenable Cloud Security self-service JIT portal, users specify the desired permissions, access duration and start time, and provide a brief business justification.

^{Tenable Cloud Security enables an organization’s users, via Slack, Microsoft Teams or its self-service JIT portal, to request temporary access – access they don’t yet have at all or elevated access – to the desired application.}

^{When temporary access is approved, the user can see, within their IdP, their assigned access to the requested application.}

Nothing good lasts forever -- and that’s the raison d’etre of JIT. When the session expires, Tenable Cloud Security automatically revokes the user’s permissions. Depending on the case, the user will no longer have access to the application or access will be based on their original permissions. 

In short, Tenable Cloud Security’s JIT for cloud helps organizations protect both cloud resources and SaaS applications across AWS, Azure, Google Cloud Platform and Oracle – and seamlessly expand their familiar use of JIT to cover SaaS apps, as well. Tenable’s cloud JIT is AWS-validated for IAM Identity Center.

To learn more, check out our Tenable JIT for IdP recorded demo below – or request a live demo on Tenable Cloud Security overall or on Tenable CIEM and JIT in particular.

Using JIT Access for Sensitive SaaS Applications