Event Recording

Expert Chat: Interview with Denny Prvu


Log in and watch the full video!

KC Analyst Paul Fisher interviews Denny Prvu, Global Director of IAM at Royal Bank of Canada.

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
Okay, well, welcome back. Yeah, you too. I was just explaining what we're gonna be talking about. So let, let's get straight into my first question, which is, you know, what, what Pam challenges would you say are unique to banking and financial services given us obviously your expert area?
I, I think my favorite is I'm. I'm so glad you touched on that. One about thinking big security for most organizations is I hate to say it's still sometimes an afterthought. And when they think of privileged access management, they think of locking systems down, or it's just a checkbox to make the regulators happy that they don't realize that there's, there's a lot more, more to it than that. So we have a number of challenges and, and we never want to call ourselves a snowflake, but, you know, we have a lot of legacy systems that are not direct interactions that all, not all part of a common platform. So that's definitely a big challenge. You know, we, the number number of the banks still have mainframes kicking ground. We have legacy systems written in code that was done 15, 20 years ago. Another challenge, and, and this, this ties into your comment about the vendor space is we have a number of lines of business. So, and it's not just capital markets or consumer banking or wealth management, it's individual groups like a marketing group or an infrastructure team. And they all have very unique requirements. And sometimes they don't always see the value of the what's in it for me. So my role in the enterprise architecture group is sometimes it's a selling feature of yes, you need this. And here's why, and here's what happens if you don't. So those, those are two of the big ones that I saw both as a vendor and definitely in the, in the I space.
Okay. Is this is perhaps a bit more esoteric perhaps, but, you know, could we extend privilege access management to banking customers? I mean, banking has a long time been very reluctant to, to bring customers anywhere near the, the production as it were, but is that one option so that banking could improve services or introduce new services by adding some form of privilege access management for customers.
And, and it was interesting that the, the question that, that someone typed in the chat window ties right into this. I think now providing a username password to log into a service is one thing, but giving someone additional rights to be able to, to see your content or see your data, you'll start to see banks now provide services. I think I started to mention file sharing or document sharing places where we can store digital copies of our passports, our wills, our legal documents, and I need to give privilege to access to people. So a way that they can check in and check out an account the way I can audit it and track it. So those, those documents are stored deep inside banking systems. I call 'em digital vaults. So yeah, we're starting to give access definitely through those types of technologies.
Yeah. I mean, things have certainly I feel with mobile banking or mobile banking apps that were a lot closer than perhaps, you know, we go all the way back to the, the physicality of actually withdrawing cash back in the old days to now sending an instant payment and you know, things like that. So I think that, but that'd be another step further on literally allowing customers into the sort of the infrastructure, but you you've seen, like you said, in your presentation, you've worked on the vendor side and now on the client side. So what, what have been some learnings from that? What are the differences between the two and do the two sides understand each other? Because that's something that I've struggled with sometimes is, is connecting vendors with, you know, with what clients wants and vice versa. So yeah. What, what's your view on that?
I think we still have a long way to go. And, and I, and I say that joking because I, I think vendors tend to speak in using terms and buzzwords that are industry terms, applying to how to protect something or regulatory requirement. And now as the client looking for a service, I wanna know how it's going to benefit me what it's going to do to me. So when, when, when you talk about a password rotation or a check in checkout service, why is that? Why is that relevant? People do that today. I log out of a system. So it it's more than just the buzzword. So the understanding, I think has a way to go and it's not vendor specific. It's more of a personality trade. I think people in the field need to do a little bit of work on that. Focusing on what is offered, I think is something else that they need to do. So don't go in guns, a blazing saying, it's so many dollars per seat, and this is the infrastructure you need. And this is how we're going to give you the silver bullet that, that solves all your problems. Maybe give them small examples and quick wins so that the clients understand what they're getting into.
Yeah. I think pricing actually is one of the most confusing areas of privilege access management. I mean, it's hard, I think for the vendors to, to cost it, but it's even harder sometimes for the, the buyers to understand, well, what am I paying for? Am I paying for each user? Am I paying for identities? Am I paying for things access to, and that can be very confusing.
That that identity one was interesting. I was with one vendor and asked the same question, is it per user? And the response was carbon based life form. So they didn't care how many accounts that Paul had or how many systems he logged into. But if it was Paul and he needed access to our tool that counted as, as one license and it made me chuckle
Well, that's one way of doing it. I guess, look thinking about the future and this I'm sort of playing devil's advocate here, but you know, maybe privilege access might disappear altogether and we'll simply move to some form of just in time access for everybody, all identities. Do you think that's viable so that, you know, there would, there would no longer be privileged access or any other kind of access. It would just, everything would be so fast, so dynamic that you could make a decision on whether that identity gets access, like, you know, clicker the finger, is that realistic?
It it's coming. When we look at how it's, it's, it's far further advanced in, in the UK than it is in north America. But if we look at open banking transactions are, are API based. Now I want a real time reaction to gain access to data, to user information. And I need a password immediately for my Hunka code or my access. So I, I can see that the backend systems that will provide that. I think you, you mentioned it earlier will need to step it up. So whether it's a Pam tool or an identity management tool, I think the lines are gonna get blurry within the next couple years.
Yeah, it's interesting. I think in a, in the United States, at least maybe not Canada, but people still commonly use checks to pay for, for rent or pay for various goods. I can't remember the last time anyone used a check in, in my world anyway. So yeah, I think that, yeah, you're right. Things are a little bit more advanced over here in that respect. So just to end then, if you could do one thing to progress and you kind of answered it really throughout this session, but one thing to progress the evolution of Pam, what would it be?
Oh, I wish I had one of those magic wands every morning. If, if I could split it into two, I think one way I would like a common interface for, for tools to react so that whether it's just in time provisioning and creating management, managing accounts or entitlements in the cloud or 40 year old mainframe sitting in the basement of a data center, if I can talk to it in one common way and then manage a policy, that would be wonderful. And then some way that while it's being managed, if I can have a common standard to audit record it, track it that'll make everyone happy. So they know who did what when and create that segregation of duties. That'd be a selling feature for me.
Yeah. I, I, my, my dream is probably even more far fetched in that we would, one day have an identity that can be used by, by individuals for virtually every piece of access that they want, but that identity would be based on other activities. So that be the way of legitimizing the identity, but the, the user or the individual would be in, would have agency over there rather than the other way around, which is, I think at the moment, all identity management systems are top down. So yes, they, they, they look down at the thing that wants access and then decide what identity they have rather than the other way around. So that's something that I've been thinking about quite a lot recently,
If, if there was a self sovereign Pam identity, I'm all in
That. Thanks for saying that. I was trying to think of the, that the sovereign word there, but that's exactly where, where I'm going. Yeah.