Exclusive: CyberArk’s Feldman outlines the four forces shaping identity security
Barak Feldman, Senior Vice President for Solutions Engineering at CyberArk, says the future of identity security will be shaped by four powerful forces and has shared how organisations can respond to them.
Speaking to TechDay during a visit to Melbourne for CyberArk's IMPACT World Tour event, he outlined what he sees as the defining pressures facing the industry and the changes required to meet them.
"There are three major forces, and I'll add a fourth," Feldman said.
"The first is the proliferation of human privileges. Now we are delegating a lot of the admin and privilege access to any user. Roles in human resources, finance and other areas are increasingly entrusted with powers once reserved for IT. The second force is the rise of machine identities as automation spreads across industries."
"There is more and more programmatic access, machines accessing sensitive data as opposed to human users," he explained. The third is artificial intelligence, particularly generative AI agents performing complex tasks on behalf of humans, which introduces new risks.
"The fourth element is user experience and adoption," he added. "People want to make sure that any control we add does not add any complexity to the business."
CyberArk, long known for its expertise in privileged access management, is evolving to address these challenges.
Feldman said the company has always focused on the highest risk users accessing the highest risk assets, but the scope of that work is expanding.
"It is no longer just a Windows admin or a Linux admin logging into a system. We have now developers and machines and all these other factors. Bringing the PAM mindset into the broader identity space is where we feel right."
While established practices such as credential and session management remain critical, new approaches are required. Feldman pointed to the increasing use of just-in-time access, or zero standing privileges, which grant temporary access for a specific task and then remove it immediately afterwards.
During his meetings with Australian customers in Melbourne, Feldman found Australian organisations grappling with the same issues as their international counterparts.
"Even this morning here in Melbourne, talking to a few customers, you hear the same theme: aligning with the business and speaking business outcomes." He said organisations are under pressure to link identity security initiatives to tangible results such as greater resilience, improved service delivery and stronger compliance.
"More and more organisations are saying I need to be able to show that the investment I made actually moved the needle."
Boards, shareholders and customers expect clear evidence of impact, and resilience has become a top priority.
"The whole reason we are doing this is to make sure the business is resilient, that in case of an attack taking place, I am still operational." Efficiency and consolidation are also on the agenda, with many organisations seeking tools that integrate seamlessly without duplicating functions.
Feldman believes security teams should embrace innovation rather than resist it. "Leverage AI, do not see it as clashing forces," he said.
He emphasised that measuring success is essential to ensuring this balance is maintained. A lack of focus is, in his view, the most common hurdle to successful integration.
"Prioritise correctly, define what good looks like." Using the wrong control in the wrong context, particularly in dynamic cloud environments, can hinder progress.
He is also keen to dispel the notion that identity security is simply the convergence of existing disciplines. "I think it is a new thing," he said.
For CyberArk, identity security means ensuring that every identity, whether human, machine, third-party or AI, has the right level of control. This involves discovery, understanding the context of each identity, managing its lifecycle, applying governance and automating policies where possible.
Feldman sees cloud and hybrid environments accelerating the move toward automation.
"It is going to be all automated systems; we need to make sure it only has the right entitlements on the fly." He expects long-lived secrets to be replaced by short-lived certificates that expire as soon as the work is done, reducing the risk of compromise. The same principle applies to machine identities.
"We have got to discover them, give them short-lived certificates so they can access systems."
When asked about best practice for keeping security in step with innovation, Feldman highlighted two priorities. "Security teams need to evolve and have AI embedded into their practices," he said. "If there is a new problem, we need to have a trusted ecosystem we can go to."
He said CyberArk's approach combines continuous research into emerging threats with a focus on delivering measurable business outcomes. "We have this mantra of thinking like an attacker and trying to think what's the next thing attackers will go after. Moving into measurable, clear business outcomes is going to help us focus and prioritise, let us be clear on what we want to focus on."
Feldman said this mission is as relevant for Australian enterprises as it is globally.
"Our mission is to help our customers secure against cyber threats so together we can move fearlessly forward, making sure that every identity is secured with the right level of privilege controls, with the right level of security controls."