New ways to approach IdM

* Cyber-Ark's Shlomi Dinoor discusses the search for better ways to handle identity management

Recently I had the opportunity to chat with two of the more knowledgeable people in the Privileged User Management (PUM -- sometimes called Privileged Identity Management, PIM) space -- Phil Lieberman, CEO of Lieberman Software and Shlomi Dinoor, vice president of emerging technologies, Cyber-Ark Labs.

Lieberman has a new version of its Privileged Identity Management Suite coming out shortly, so I'll get into more of the interesting things Phil and I spoke about when that occurs. Today we'll examine what Shlomi had to say about his new gig with Cyber-Ark.

I've known Dinoor off and on for many years, since he spearheaded R&D for Business Layers and (in effect) the entire provisioning industry. He's recently gone to Cyber-Ark where he'll be probing "interesting things" to find new and better ways to handle IdM, security, privileged assets and more.

In regard to provisioning specifically, he wondered if -- given the still difficult and labor-intensive methods we use to design, implement and maintain the workflow needed -- we might be better off focusing first on provisioning high-risk operations (i.e. privileged users). I'm not sure if that would help a corporation's bottom line or improve security since -- given human nature -- it seems to me that either some high-risk operations would be overlooked or, vice-versa, too many would be labeled "high risk."

I did, though, like his suggestion that, because of the complexity (roles, rules, policies and such) of defining an all-encompassing provisioning system for all new employees, we might be better off with a system that provisions basic capabilities and relies on a robust entitlement self-service system for employees, backed by a strong approval (workflow) process. I'd like to see some vendors consider that approach.

Finally, Dinoor noted that it isn't just users we should be looking at, either from a provisioning perspective or a privileged user perspective.

Shlomi thinks the definition of "user" should be expanded even further to include non-human users as well. Most applications today, he noted, interact with other resources (such as databases or user stores). There are similarities between the life cycle of a human and a non-human user. He thinks that the onboarding process of an application should include provisioning to ensure it is granted access to the right resources. And he feels that, while provisioning is one example, there are additional controls that can be applied, such as frequent password changes for proxy/system accounts.
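To make the two ideas above concrete (baseline provisioning plus self-service entitlements gated by approval, and treating applications as identities with their own life cycle and credential-rotation control), here is a small model written for this column as an added example. It is not code from Cyber-Ark, Lieberman or any product; the identity kinds, resources, approvers and the 30-day rotation policy are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# All names, resources and policy values below are constructed for this example;
# they are not taken from Cyber-Ark, Lieberman or any real deployment.

# Baseline entitlements granted automatically at onboarding, per identity kind.
BASELINE = {
    "human": {"email", "intranet"},
    "application": {"app-logging"},
}
# Anything beyond the baseline is requested via self-service and must be
# approved by the owner of the resource (assumed mapping).
RESOURCE_OWNERS = {
    "payroll-db": "finance-lead",
    "customer-db": "data-steward",
    "build-server": "platform-lead",
}
ROTATION_MAX_DAYS = 30   # assumed policy: non-human credentials rotate at least monthly


@dataclass
class Identity:
    name: str
    kind: str                                  # "human" or "application"
    owner: Optional[str] = None                # accountable human for a non-human identity
    entitlements: set = field(default_factory=set)
    pending: set = field(default_factory=set)  # self-service requests awaiting approval
    last_rotation: Optional[date] = None       # only meaningful for non-human identities
    active: bool = True


def onboard(name, kind, today, owner=None):
    """Provision only the baseline; a non-human identity also gets a fresh credential."""
    if kind != "human" and owner is None:
        raise ValueError("non-human identity needs an accountable owner")
    ident = Identity(name=name, kind=kind, owner=owner, entitlements=set(BASELINE[kind]))
    if kind != "human":
        ident.last_rotation = today
    return ident


def request_entitlement(ident, resource):
    """Self-service request: queued for approval, never granted directly."""
    if resource not in RESOURCE_OWNERS or resource in ident.entitlements:
        return False
    ident.pending.add(resource)
    return True


def approve(ident, resource, approver):
    """Grant a pending request only if the approver owns the resource and is
    neither the requester nor the requester's owner (no self-approval)."""
    if resource not in ident.pending or approver != RESOURCE_OWNERS[resource]:
        return False
    if approver in (ident.name, ident.owner):
        return False
    ident.pending.discard(resource)
    ident.entitlements.add(resource)
    return True


def rotate_credential(ident, today):
    """Record a credential change for a non-human identity."""
    if ident.kind == "human":
        return False
    ident.last_rotation = today
    return True


def offboard(ident):
    """Remove every entitlement and mark the identity inactive (human or not)."""
    ident.entitlements.clear()
    ident.pending.clear()
    ident.active = False


def audit(identities, today):
    """Run the same life-cycle checks over humans and non-humans; returns (name, finding) pairs."""
    active_humans = {i.name for i in identities if i.kind == "human" and i.active}
    findings = []
    for i in identities:
        if not i.active and i.entitlements:
            findings.append((i.name, "inactive identity still holds entitlements"))
        if i.kind == "human":
            continue
        if i.owner not in active_humans:
            findings.append((i.name, "orphaned: owner is not an active human"))
        if i.active and (today - i.last_rotation).days > ROTATION_MAX_DAYS:
            findings.append((i.name, "credential overdue for rotation"))
    return findings


def demo():
    """Constructed scenario: an application is onboarded under a human owner,
    gains a database entitlement through approval, then its owner leaves and
    its password ages past policy."""
    d0 = date(2010, 6, 1)
    alice = onboard("alice", "human", d0)
    payroll = onboard("payroll-svc", "application", d0, owner="alice")
    request_entitlement(payroll, "payroll-db")
    approve(payroll, "payroll-db", "alice")           # refused: owner approving own app
    approve(payroll, "payroll-db", "finance-lead")    # granted by the resource owner
    clean = audit([alice, payroll], d0 + timedelta(days=10))
    offboard(alice)
    later = audit([alice, payroll], d0 + timedelta(days=45))
    return payroll.entitlements, clean, later


if __name__ == "__main__":
    for line in demo()[2]:
        print(*line, sep=": ")
```

The point of the audit is that an application account is held to the same questions as a person: who is accountable for it, does it still hold access after that person is gone, and when was its credential last changed. Those are the checks a provisioning system usually asks only about humans.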

All in all it was a far-ranging provocative discussion. I'm sure we'll have more.

Copyright © 2010 IDG Communications, Inc.