
TechNadu interacted with Rom Carmel, Co-Founder and CEO of Apono, to explore how cloud access governance is being reimagined in an era of escalating cyber risk. Carmel brings a blend of elite technical expertise and startup leadership. After serving in Israel’s Unit 8200 and leading cyber research teams in the Intelligence Corps, he went on to co-found Apono.
He offered deep insight into the hidden dangers of overpermissioning, the growing complexity of multi-cloud environments, and why traditional access controls no longer scale in modern architectures.
This discussion also unpacks the role of Just-in-Time (JIT) and Just-Enough Access (JEA), automation, and DevSecOps in mitigating access risks at scale.
Whether you're navigating the challenges of cloud permissions or seeking clarity on how to strengthen access controls in dynamic environments, this conversation offers grounded insights shaped by real-world experience.
Vishwa: You served as a security course instructor with the Israeli Intelligence Corps’ elite Unit 8200 and have worked as a security software engineer at the Israel Defense Forces. You were also selected from a competitive pool to join the FedTech Startup Studio. Can you tell us more about yourself—your skills, passions, and character traits that make you an ideal fit for such high-stakes, innovation-driven roles?
Rom: I'm Rom Carmel, and I'm the Co-Founder and CEO of Apono, a cybersecurity company dedicated to transforming cloud access management. We're proud to serve Fortune 500 giants such as American Airlines and Hewlett Packard Enterprise.
My journey in cybersecurity began almost a decade ago in elite Israeli cyber operations, where I led cybersecurity research teams within the Intelligence Agency. After that, I pursued my MBA from Wharton and Tel Aviv University. I'm a passionate entrepreneur and cybersecurity leader, and I've successfully raised $20.5 million for Apono.
Our mission is to bridge the gap between security and operations in cloud environments by redefining identity and access management. This work has been recognized by Forbes, who named me one of their "Top Cybersecurity Founders to Watch in 2025."
Vishwa: Recognized in Gartner’s Privileged Access Management reports for both 2023 and 2024, Apono has quickly gained traction in the cybersecurity space. What can you share about the journey, particularly the process, challenges, and key lessons in building brand awareness and expanding its reach?
Rom: Building brand awareness for Apono has been a great journey filled with both successes and valuable lessons. Since our start just over three years ago, we've focused on tackling a critical problem: bringing access management capabilities up to speed with the rapid pace of cloud adoption, where they've significantly lagged.
Securing $15.5 million in Series A funding, for instance, wasn't just a financial milestone; it was a powerful validation of our vision and technology, significantly amplifying our market presence. This funding allowed us to further build the team we needed, accelerate innovation and reach out to the market.
The process has involved a relentless commitment to product excellence, ensuring our platform genuinely solves complex cloud access challenges. We've leaned heavily into thought leadership, sharing our insights on the evolving security landscape and the importance of just-in-time access and continuous discovery.
This consistent output, coupled with active participation in industry events and strategic partnerships, has been critical to our success. We've certainly faced the struggles common to any startup – gaining initial traction, differentiating ourselves in a crowded market, and educating potential customers on a new approach.
Our strategy centers on demonstrating tangible value and building trust, one customer at a time.
Vishwa: Can you tell us about the team behind Apono? What key competencies or qualities do you most value in your colleagues, and what do you look for when building a strong cybersecurity team?
Rom: At Apono, our team is truly the foundation of our work, and we've thoughtfully brought together a group of individuals who embody our core values. We believe in cultivating an environment where innovation, collaboration, and continuous learning thrive.
Among our colleagues, technical expertise in cloud security, identity and access management, and AI development is a fundamental strength.
Beyond technical capabilities, however, we particularly value the character traits that drive our collective success. This includes strong problem-solving abilities, a proactive mindset, and a genuine passion for securing the cloud.
Given the nature of cybersecurity, we look for individuals who are adaptable and thrive in dynamic environments. Crucially, we emphasize exceptional communication skills and a collaborative spirit. The complexities of cloud access management truly benefit from seamless interaction across our development, security, and customer-facing teams.
We seek colleagues who are not only experts in their respective fields but also empathetic, supportive, and committed to empowering our customers. Ultimately, we value those who are intrinsically motivated to make a significant impact and contribute to our shared vision.
Vishwa: Can you walk us through the complexities of managing cloud permissions in today’s rapidly evolving security landscape? What challenges do organizations typically face, and how does Apono approach them?
Rom: Managing cloud permissions today is incredibly complex and fundamentally different from traditional on-premises environments. The core challenge lies in the dynamic and distributed nature of cloud infrastructure.
Unlike static network setups, cloud resources, services, and identities are constantly being spun up and down, making it exceptionally difficult to maintain comprehensive visibility and control over who has access to what, and when.
Manual identity and access management processes, which often suffice on-premises, are simply overwhelmed by the sheer scale and fluidity of cloud environments. Human error becomes a significant risk, leading to misconfigurations, overlooked permissions, and the accidental granting of excessive access.
Furthermore, the prevalence of multi-cloud and hybrid cloud strategies adds another layer of complexity. Organizations are juggling multiple platforms, each with its unique policy frameworks and interfaces, leading to fragmented visibility and inconsistent security practices.
Ensuring uniform enforcement of security policies across these diverse ecosystems is a daunting task, leaving organizations vulnerable to escalating attacks in the event of a breach.
Vishwa: What are your observations on the hidden risks of overpermissioning, and how can it impact an organization’s overall security posture?
Rom: Overpermissioning, often a byproduct of manual access management and a lack of visibility, poses significant hidden dangers to organizational security. It’s essentially the granting of more access rights than an identity truly needs to perform its job functions. While seemingly innocuous on the surface – sometimes done for convenience or to avoid operational delays – the impact can be severe.
The primary danger is a vastly expanded attack surface. Every unnecessary permission granted becomes a potential entry point for attackers. If an account with overpermissions is compromised, the attacker gains far greater lateral movement capabilities within the cloud environment than they otherwise would.
This can lead to rapid escalation of privileges, unauthorized data exfiltration, or even complete system compromise. Moreover, overpermissioning complicates compliance efforts and makes auditing incredibly difficult, as it becomes nearly impossible to accurately determine an individual's effective permissions at any given time.
This lack of granular control and visibility creates a fertile ground for insider threats and can turn a minor breach into a catastrophic event, severely impacting data integrity, confidentiality, and availability.
Vishwa: What innovative strategies or solutions do you believe are most effective in mitigating the risks associated with overpermissioning and cloud access mismanagement?
Rom: Effectively mitigating the risks associated with managing cloud permissions and overpermissioning requires a paradigm shift from traditional methods to innovative, automated strategies. The cornerstone of this shift is the adoption of Just-in-Time (JIT) and Just-Enough Access (JEA) principles.
Instead of granting standing elevated privileges, JIT ensures that users receive the exact permissions they need, precisely when they need them, and only for the duration of a specific task. JEA complements this by ensuring those permissions are the minimum necessary. This drastically shrinks the attack surface by eliminating unnecessary standing privileges.
Automation is crucial for implementing these principles at scale. Automated tools, like Apono's platform, can continuously monitor cloud environments, discover all existing identities and their permissions, detect anomalies, and enforce policies in real-time. This reduces human error and ensures consistent application of security measures across dynamic cloud infrastructures.
Furthermore, integrating security into the DevOps pipeline, known as DevSecOps, fosters a shared responsibility between engineering and security teams. This approach embeds security practices throughout the development lifecycle, allowing engineers to move quickly while maintaining robust security.
By leveraging automation, JIT/JEA, and DevSecOps, organizations can achieve continuous discovery and remediation of standing elevated permissions, dramatically enhancing their security posture in the cloud.
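The JIT/JEA model and the "continuous discovery of standing elevated permissions" Rom describes, as an added illustration that is not part of the interview and not Apono's code: a constructed task catalogue maps each task to its minimum permission set (JEA), grants carry an expiry (JIT), and a discovery check flags identities whose elevated permissions are permanent. The task names, permission strings and the `ELEVATED` list are all constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed task catalogue: the minimum permissions each task needs (JEA).
TASK_PERMISSIONS = {
    "rotate-db-password": {"secrets:update", "rds:describe"},
    "read-prod-logs": {"logs:read"},
}
# Constructed set of actions treated as elevated for the discovery check.
ELEVATED = {"iam:*", "secrets:update", "s3:delete"}

@dataclass
class Grant:
    permissions: frozenset
    expires_at: Optional[datetime]  # None means standing (permanent) access

@dataclass
class Identity:
    name: str
    grants: list = field(default_factory=list)

def request_jit(identity, task, now, ttl_minutes=30):
    """Issue a grant scoped to exactly what the task needs, valid only for ttl_minutes."""
    if task not in TASK_PERMISSIONS:
        raise ValueError(f"unknown task {task!r}")
    grant = Grant(frozenset(TASK_PERMISSIONS[task]), now + timedelta(minutes=ttl_minutes))
    identity.grants.append(grant)
    return grant

def effective_permissions(identity, now):
    """Permissions active right now: expired JIT grants no longer count."""
    active = set()
    for g in identity.grants:
        if g.expires_at is None or g.expires_at > now:
            active |= g.permissions
    return active

def find_standing_elevated(identities):
    """Discovery check: identities holding permanent (non-expiring) elevated permissions."""
    findings = {}
    for ident in identities:
        standing = set()
        for g in ident.grants:
            if g.expires_at is None:
                standing |= g.permissions & ELEVATED
        if standing:
            findings[ident.name] = sorted(standing)
    return findings

def demo():
    """Constructed scenario: alice uses JIT for one task; bob has standing admin rights."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    alice = Identity("alice")
    request_jit(alice, "rotate-db-password", now)
    bob = Identity("bob", [Grant(frozenset({"iam:*", "logs:read"}), None)])
    return {
        "alice_now": effective_permissions(alice, now),
        "alice_later": effective_permissions(alice, now + timedelta(hours=1)),
        "standing": find_standing_elevated([alice, bob]),
    }
```

Running `demo()` shows alice's elevated `secrets:update` disappearing once the grant expires, while bob's permanent `iam:*` is the only finding the discovery check reports.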