惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
Netflix TechBlog - Medium
Microsoft Azure Blog
Microsoft Azure Blog
罗磊的独立博客
博客园 - 三生石上(FineUI控件)
aimingoo的专栏
aimingoo的专栏
B
Blog RSS Feed
V
Visual Studio Blog
P
Proofpoint News Feed
云风的 BLOG
云风的 BLOG
博客园 - 【当耐特】
大猫的无限游戏
大猫的无限游戏
Application and Cybersecurity Blog
Application and Cybersecurity Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
The Cloudflare Blog
B
Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Apple Machine Learning Research
Apple Machine Learning Research
M
MIT News - Artificial intelligence
Know Your Adversary
Know Your Adversary
I
InfoQ
T
The Exploit Database - CXSecurity.com
V
Vulnerabilities – Threatpost
C
Cisco Blogs
Spread Privacy
Spread Privacy
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Palo Alto Networks Blog
Simon Willison's Weblog
Simon Willison's Weblog
月光博客
月光博客
博客园 - Franky
Project Zero
Project Zero
G
Google Developers Blog
S
SegmentFault 最新的问题
博客园 - 聂微东
P
Privacy & Cybersecurity Law Blog
The GitHub Blog
The GitHub Blog
阮一峰的网络日志
阮一峰的网络日志
P
Privacy International News Feed
T
Threat Research - Cisco Blogs
S
Schneier on Security
Microsoft Security Blog
Microsoft Security Blog
G
GRAHAM CLULEY
S
Security @ Cisco Blogs
Martin Fowler
Martin Fowler
A
Arctic Wolf
T
Tenable Blog
L
LINUX DO - 最新话题
TaoSecurity Blog
TaoSecurity Blog
Hugging Face - Blog
Hugging Face - Blog
有赞技术团队
有赞技术团队
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com

Forbes - Innovation

Why Do Humans Have Fingerprints? Hint: It’s Not What You Think Booking.com Confirms Data Breach, Reservation PIN Codes Changed Why Major News Sites Are Blocking The Internet Archive’s Wayback Machine iPhone Fold Release Date: New Report Details Frustrating Apple News Comet Tracker: How To See Pan-STARRS And Three Planets On Wednesday NYT Mini Crossword Today: Tuesday, April 14 Hints And Answers Today’s NYT Strands Hints, Spangram, Answers: Tuesday, April 14 (It’s A Little Unclear) Today’s Wordle #1760 Hints And Answer For Tuesday, April 14 Most Of The Microplastics In Urban Air Come From Tires Today’s Wordle #1759 Hints And Answer For Monday, April 13 NYT Mini Crossword Today: Monday, April 13 Hints And Answers NYT Pips Today: Hints, Answers And Walkthrough For Monday, April 13 The YC Chief Who Codes 10,000 Lines A Day Has A Simple Secret Samsung Expands One UI 8.5 Beta To More Galaxy Owners Why You Should Stop Using Your iPhone If It’s On This List Chamath Says Firms That Treat AI As A Strategy Hand Rivals Their Edge 3 Unexpected Habits Of Secure Couples, By A Psychologist The First Lamp That Folds Your Clothes Samsung’s Disappointing Price Update For Galaxy Phone Buyers 3 Subtle Signs Someone Is Falling In Love With You, By A Psychologist Do Mantis Shrimp See More Colors Than Humans? A Biologist Explains NYT Connections Answers Explained For Monday, April 13 (#1,037) NYT Connections Hints Today: Monday, April 13 Clues And Answers (#1,037) LEGO Luigi & Mach 8 (72050) Review: 2026’s Best Set Yet? Marc Andreessen Says AI Productivity Will Trigger A Hiring Boom 3D Printing Is The Ultimate Hack To Reduce Household Spending Apple iPhone Fold: Striking Design Revealed In Leaked Photos Apple Smart Glasses: New Leak Reveals A Major Design Twist To Beat Meta Tested: The AI Coming To The Rivian R2 Quordle Hints Today: Monday, April 13 Clues And Answers Companies And H-1B Employees Endure Immigration Waits At Consulates 3 Easy Ways To Turn Anxiety Into Sustained Focus, By A Psychologist Here’s The Most Affordable Humanoid Robot You Can Buy Now UFC 327 Results: 5 Biggest Takeaways From A Wild Night In Miami UFC 327 Results, Bonus Winners, Highlights And Reactions Dana White Announces Huge New Fight For UFC White House Today’s NYT Strands Hints, Spangram, Answers: Sunday, April 12 (Get Ready) Tesla ‘Model 2’ Rises From The Ashes Today’s Wordle #1758 Hints And Answer For Sunday, April 12 NYT Pips Today: Hints, Answers And Walkthrough For Sunday, April 12 Tyson Fury Vs. Arslanbek Mahkmudov Results: Highlights and Reaction NYT Mini Crossword Today: Sunday, April 12 Hints And Answers How Shadow AI Culture Is Destroying Your Business Venture Capital Funds That Market Like Startups Win More Deals Conor Benn Vs. Regis Prograis Results: Highlights and Reaction Samsung’s Disappointing Price Update For Galaxy Phone Buyers Artemis Reached The Moon. The Grid Can Reach The 21st Century A Biologist Explains How Archerfish Shoot Down Prey. Hint: Their Aim Rivals Human Throwing Is It Time For Apple To Forget About The MacBook Air NYT Connections Hints Today: Sunday, April 12 Clues And Answers (#1036) Trump’s 2027 Budget To Reshape U.S. Environmental And Energy Policy CDC Delays Reporting Of COVID-19 Vaccine Benefits—Here’s What To Know Oura Has Designed A Solution To A Big Smart Ring Problem Netflix’s Best New Show Has A Near-Perfect 95% Rotten Tomatoes Score Coachella 2026 Is Being Taken Over By Creator Streams Quordle Hints Today: Sunday, April 12 Clues And Answers This Startup Wants To Use AI To Help Digitize History How To Get The Best Shield In ‘Crimson Desert’ Microsoft Venom Attack Targets C-Suite Executives ‘Maul: Shadow Lord’ Sets Even More Star Wars Rotten Tomatoes Records 3 Ways Happy Couples Argue Differently, By A Psychologist Success For Leapmotor Might Have Negatives For Stellantis New Names Surface As Potential Rogue And Wonder Woman In The MCU And DCU 4 Reasons Artemis Mission Matters Even If You Think It Is Wasteful Fast ‘Crimson Desert’ Patch Adds New Moves, Shield Hiding And One Great Feature Why Do Humans Blush? An Evolutionary Biologist Explains The Signal We Can’t Control Apple iPhone Fold: Striking Design Revealed In Leaked Photos Adobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update iOS 26.4.1 Release: Crucial iPhone Feature Update Arrives, But No Security Fix Fury vs. Makhmudov Full Card, Ring Walk Times and How to Watch Can’t Stand Liquid Glass? This New Hidden iPhone Setting Is A Game-Changer Test-Driving The 2026 Changan Deepal S05: Italian Style Made In China NSA Warning—Reboot Your Internet Router Now Ways That Human-AI Collaboration Slides People Into ‘AI Brain Fry’ And Cognitive Downturns Stop Using These Networks—Google, NSA And TSA Warn NASA Changes Moon Plan: Landing Now Depends On SpaceX Or Blue Origin Samsung Expands One UI 8.5 Beta To More Galaxy Owners The Evolution Of Programmable Hardware At Xilinx NYT Mini Today: Saturday, April 11 Hints And Answers Today’s NYT Strands Hints, Spangram, Answers: Saturday, April 11 (You’re Putting Me On) Splashdown! NASA’s Artemis II Returns To Earth After Moon Mission Attention Is All You Need. The Human Kind Is Still The One That Counts Today’s Wordle #1757 Hints And Answer For Saturday, April 11 NYT Pips Today: Hints, Answers And Walkthrough For Saturday, April 11 Android Circuit: Galaxy S27 Pro Emerges, Honor 600 Pre-Order Offers, Pixel 11 Display Leaks Apple Loop: iPhone 18 Pro Leak, Urgent iOS Update, MacBook Neo Issues Morgan Stanley Has Mostly Positive Outlook On Tesla Robotaxi, FSD V15 Running Out Of AI Tokens Faster Than Ever? Here’s Why CoreWeave Shares Pop 13% After Anthropic Deal ‘Euphoria’ Season 3’s Rotten Tomatoes Score Crashes, Has Lost Key Player People Don’t Agree On What AI Can Do, But They Don’t Even Use The Same Product ‘Overwhelming’—Google Issues Gemini Update For Gmail Users NYT Connections Hints Today: Saturday, April 11 Clues And Answers (#1035) Quordle Hints Today: Saturday, April 11 Clues And Answers The Costly Dream Of Space-Based AI Infrastructure Can You See The Watcher In This ‘Daredevil: Born Again’ Shot? Adobe Attacks Underway—Windows And Mac Users Given 72 Hours To Update You Just Watched The Backdoor Pilot For ‘The Pitt: Night Shift’ Are Nicotine Pouches Like Zyn And VELO Safe To Use? A Doctor Answers Human Resources (HR) Is The Key To AI Success Per WalkMe ( SAP)
The JIT Paradox: Why Ephemeral Access Is A Trap Without Zero Trust
Itzik Alvas, · 2026-05-13 · via Forbes - Innovation

Itzik Alvas is the CEO and cofounder of Entro Security.

getty

​For the past few years, the security industry has been chasing a holy grail: the death of standing privileges. We've realized that leaving static API keys and long-lived service tokens sitting in our environments is a recipe for disaster.

The widely accepted solution is just-in-time (JIT) access. The logic is sound: If an access token only exists for 15 minutes to execute a specific task, the window of opportunity for an attacker drops to near zero.

However, as organizations rush to deploy JIT across their cloud and CI/CD pipelines, a new, hidden risk is compounding. We've successfully shortened the lifespan of the secrets, but we've blindly trusted the machinery that mints them.

JIT is a massive step forward, but without applying zero-trust principles to the non-human identities (NHIs) requesting that access, JIT's a trap.

The Factory Versus The Product

To understand the trap, look at the architecture. To generate a temporary token, you need a broker, a centralized engine, a pipeline runner or an identity provider that possesses the authority to create that access on demand. We've effectively replaced scattered, long-lived keys with a highly centralized "token factory," which requires persistent, overarching privileges to function. It needs "God-mode."

Hackers, as rational economic actors, have already adapted. They aren't trying to steal your 15-minute token; the window is too small, and the effort is too high. Instead, they're targeting the system that mints the tokens. If an attacker can compromise a workload, spoof a machine identity or hijack a CI/CD runner, they don't need to steal a secret. They can simply ask your JIT broker to mint them a brand-new, perfectly valid ephemeral token whenever they want.

When JIT is deployed without strict guardrails, you haven't eliminated the risk of unauthorized access. You've just automated it for the adversary.

What We Tell Enterprise Security Teams

To prevent ephemeral access infrastructure from becoming the ultimate attack vector, security leaders must evolve their approach to machine identity. In working with enterprise customers navigating this shift, what we've seen consistently is that the hardest part is rarely the technology but the organizational work that comes before it.

Map the trust before you touch the tooling.

The first thing we tell security teams is to resist the urge to deploy controls before they understand what they're protecting. Most organizations have no clear picture of which NHIs carry implicit trust in their environment. We start by helping them build a complete inventory—which machine identities can request tokens, through which pipelines, how often and who actually owns them.

In most cases, nobody has ever mapped these relationships end to end. Without that visibility, any enforcement layered on top is guesswork. That mapping exercise alone has changed the internal conversation for many customers, giving security teams something concrete to bring to engineering and platform leadership.

Assign ownership or nothing moves.

One of the most common stumbling blocks we see with enterprise customers is that no one owns the machine identity layer. The developer who created a service account two years ago has moved teams. The platform group manages the pipeline but not the tokens it generates. Security sees the risk but has no authority over the workload.

We advise formalizing ownership early, treating it as a governance requirement rather than a security nice-to-have. Until every NHI has a clear human owner accountable for its behavior and life cycle, zero-trust policies stall in committee. This is a governance problem before it's a security problem.

Overcome the fear of breaking production.

Security teams we work with often stop at visibility because enforcement feels too dangerous. They can see that an NHI is overprivileged or behaving abnormally, but the risk of revoking access and taking down a production workflow is paralyzing.

We guide these teams to start small. Observe baseline behavior first, then introduce narrow restrictions targeting clearly risky actions rather than broad revocations. Confidence builds incrementally. If a team is afraid to enforce, the controls available to them are too blunt.

Embed into existing workflows, not around them.

A pattern we see repeatedly is security introducing a new gate in the CI/CD pipeline and engineering routing around it within a week. If JIT and NHI controls feel like external checkpoints, teams will treat them as obstacles.

The customers who succeed are those who integrate verification into the pipelines developers already use, making secure token requests and lineage tracking part of the default path rather than something bolted on from the outside.

Expect cultural resistance and address it early.

Perhaps the most underestimated barrier is human. Developers and platform teams often view new access controls as friction or a loss of autonomy. The enterprise teams we've seen succeed invest early in explaining not just what is changing, but why. Framing this evolution as enabling safer velocity rather than slowing teams down is critical. Without that narrative, adoption becomes a fight.

The Next Evolution Of Access

JIT access is necessary for the future of cloud security, but it's an action, not an architecture.

If you build JIT on top of an implicitly trusted network of NHIs, you're just building a faster, more efficient way for attackers to move laterally. The goal isn't just to make access ephemeral. It's to make access mathematically impossible to exploit.

The next time your team proposes rolling out JIT access, ask them one question: How are we verifying the machine asking for it?​


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?