Welcome, everyone, to our KuppingerCole Analysts webinar "Navigating Identity Security, Integrating SAP into an Identity Fabric". This webinar is supported by One Identity. And the speakers today are Robert Kraczek, who is a field strategist at One Identity, George Cerbone, who is chief security architect for the BTP platform at SAP, and me, Martin Kuppinger. I'm principal analyst at KuppingerCole Analysts. Before we start with our webinar, some quick information about housekeeping issues. So audio control, we control this. You don't have to do anything around that.
We will run two polls during the webinar. There will be a Q&A session. You can enter your questions at any time on the right-hand side of the app or the screen in the Q&A session. So feel free to submit your questions. The more we have, the more interesting the discussion and Q&A session will be. And last but not least, we are recording the webinar. And we'll make the recording and the presentation slide available shortly after the webinar.
Having said this, when we talk about identity management and how identity management is running and how to move forward with identity management, looking into the concept of identity fabrics we have released a couple of years ago already, which is gaining more and more traction, then I'd like to raise one poll first, which is about the other side of it. So what, to your experience, makes IAM projects, let's say, stall or fail?
Is it an insufficient stakeholder management, a lack of proper and comprehensive requirements for gathering, is it too technology-focused approaches, lack of proper expectation management, the wrong tool chosen, or lack of skilled resources? I know there are more options, but we had to limit it a bit. So I'm looking forward to your responses. And we will leave this poll open for a few, very few minutes, so you can respond to the poll. And in the meantime, we will continue with the webinar. And in the first step, I'd like to have a look at the agenda of today.
So in the first part, I'll quickly talk about identity fabrics and SAP and some considerations to take. In the second part, then, George will talk about the SAP Business Technology Platform and modern IAM and how this relates, with the Business Technology Platform being one of the very strategic initiatives and elements in the SAP domain. And then Robert will look at One Identity and SAP in an identity fabric. So how do these things fit together?
After that, and that's why I said, OK, I'd like to have a lot of questions from your side, we will have a fireside chat, which will sort of continuously go into the Q&A session. So we will pick up your questions. We will also exchange our own perspectives, our own viewpoints on these topics. And this will be what we do over the next little less than one hour. So let's get started. And where I'd like to start is with a perspective, I brought up the slide on the one or other occasion in the past. And it looks at the change we are really seeing in the world of line of business applications.
So line of business applications, all that ERP and CRM and HR and PLM, et cetera, stuff. So with these business applications, they are changing. And there are a lot of things that are happening. And two very important ones are they are very closely related. This is the shift towards SaaS and towards multi-vendor strategies. And so SAP will continue and continues to play a very, very strong role in this market. But we see more sort of diversity in the world. Because the one thing is clearly the SaaS trend. And the SaaS trend impacts also conversions from SAP ECC to S/4HANA.
It impacts new applications from SAP and from many, many other vendors that are out there. So it's a change, which means we see more of these applications. We see different types of architectures. We see different types of integration options and possibilities. We will see other deployment models take the business technology platform, which allows to launch, in effect, solutions in a different manner. So we see quite a number of different ways how this is changing. And this is a journey. We need to be very clear.
You don't quickly usually replace your existing ERP system, because this is really a tremendous effort. And usually it also involves revisiting some of the things you did in the past and thinking about, can we do it better? So there's a business process angle. There's an optimization angle in it, et cetera. So it's a long journey. But it's a journey that's happening. And with the SaaS services, there's also a bit of the tendency to say, I have a challenge. What is the right tool for that particular aspect? Which brings some advantages and some challenges.
The advantage that you can potentially easier go for a best of breed. The disadvantage or challenge, you still need to integrate, because a lot of business processes don't exist in a singular area, so just within CRM or so. But they span processes. Take integrations of Ariba, SuccessFactors, and other components into the more traditional SAP world or things like that. It is a reality. And so we need to clearly face, there's an evolution. There's a change. And as with every change, at least for quite a while, things are becoming more complex. Because we have traditional work.
We have new SaaS applications. And so we are somewhere in between. It's hybrid. And that is the world we need to deal with. And this is clearly one of the things we need to look at when we look at it also from an identity and access perspective, which is the theme of today's webinar. How do we handle that well in our IAM world? Managing the identities across applications, today and in the future. Managing access, managing segregation of duties, all that stuff, today and in the future for an increasingly complex world. And that world is not only LOB applications, line of business applications.
There are a lot of other systems and applications out there, the ones which are sort of more in the traditional identity management domain, the Active Directory, the databases, all the other systems we also need to look at. And this is, I think, what is a very important and sort of impactful factor. And then there's the second thing we need to be aware of, which doesn't impact every organization, but quite a number of organizations.
And that is what I put together from the statement from the SAP Community website, which is about SAP Identity Management, or SAP IDM, where the maintenance, the regular maintenance period for this on-premises IAM solution will end in 2027. And SAP describes some strategies around how to move forward here, how to deal with that situation. There's an extended maintenance, which gives you another, I think, five years, at least, if I have it in mind correctly, or three years. So it gives you some more time.
But it's very clear, at some point, if you have SAP Identity Management, you will need to migrate somewhere. "Partner identity management solutions" is the term SAP uses in addition to what they have in their own portfolio. And this is what it means, why we also need to look at the role of SAP in identity fabrics. How do these things fit together? And this is then one of the things which are really very important to understand. And after me, George, and then Robert, we look at this from more the SAP perspective, and BTP-related perspective.
And we look at this from an SAP partner perspective, One Identity, and their perspective. So giving you some insights on how this potentially can look like, which are options you have, which are ways to proceed on it. So there's the term of identity fabric. And for the ones who are not that familiar with this, I'd like to quickly revisit this concept. So when we started with the idea of the identity fabric a couple of years ago, we looked at, what does it mean? We have a situation where we have a growing number of identities.
And we have seen this evolution of, OK, there was an enterprise or workforce identity management, and we had a consumer identity management. Or then we thought about business partners, other things. And we had a growing number of different types of applications. So we have, yes, the legacy applications, typically back-end services. Then we had SaaS, et cetera. And we had also different needs. We have digital services. And we have increasingly also modernization needs. And basically, the idea of the identity fabric is to say, we must not end up with a lot of different IAM solutions.
But we should look at it more from a holistic perspective at the beginning. The perspective of a fabric that delivers the identity services that allow every identity, be it a human or a silicon identity, to connect to every service seamlessly, but in a secure and controlled, well-governed manner. It could also be seen as a mesh that brings together different pieces you have in your identity world. Because you usually have some existing components. You have tools from different vendors.
You need to bring them together to orchestrate them, to work with them, which commonly, then, should be, nowadays, delivered as SaaS. So identity as a service. It should expose APIs to enable other digital services to consume the capabilities, but also provide a way forward to migrate and modernize your existing identity management infrastructure at your own pace, as seamless as you can do. Which I believe is very important, for instance, in the context of what I said before. When you look at SAP Identity Management, it is nothing you can do by a simple rip and replace big bang approach.
It will take its time. And again, when you look at the bottom of this graphic, this also allows you to say, hey, maybe I add something. Then I transition at my own pace by moving more and more systems over to the new solution, until I finally retire the other one. So this is something which the Identity Fabric allows. There's a lot of research at the KuppingerCole Analysts website. So when you go to the research section, you will find a new leadership compass on Identity Fabrics.
You will find more fundamental research in the Identity Fabric, and our IAM reference architecture, all the tools that help you in understanding this and going a bit deeper into detail. Basically, what we do with the Identity Fabric is we look at all identities. We look at delivering an identity API layer, legacy IAM transition, SaaS support delivered as IDaaS, but also still supporting the hybrid IT. Because yes, I think many of you are hybrid IT shops. So when you have your on-premises SAP, then you anyway are. So this is the way to look at it, the way to think about it.
And so it's an essential element also for Zero Trust. And this is what the Identity Fabric basically provides.
And this, I believe, is an extremely valuable model. When you think about how does SAP fit in, because you also can bring in very specialized components, SAP Access Control, SAP Cloud IAG, as one element in the fabric. To say it's not in the silo, it's in the fabric, it's in the central concept. And we think about what we can do best, with which element in our solution portfolio. And this is where the Identity Fabric and the methodology behind will help you. Don't hesitate reaching out to me and my team on any question you have around this.
And I also quickly want to take the opportunity to hint at the European Identity and Cloud Conference, which will run in mid-June in Berlin, early June in Berlin, the 1st to 7th, where we will also discuss all these topics, including the talk I, as far as I remember, will give myself around the transition, the options from SAP Identity Management. So meet me at EIC in Berlin, early June. And with that, I run one more poll. And after that, I'll hand over to George and then to Robert. Second poll is about budget change for Identity Management, Identity Security.
So what or how will your, is your Identity Management budget this year changing in comparison with the previous year? So significant growth, slight growth, relatively stable or will it decrease?
Again, you have a couple of minutes to respond to this poll. By the way, when going back to the theme of Q&A, you also have the option to vote for the questions that are coming in so that we then can focus on the questions that have the highest number of votes and pick them first. Having said this, I want to hand over right now to George, who will bring in the SAP BTP plus modern IAM perspective here.
George, it's your turn.
Great. Thanks, Martin. And thanks to One Identity for having me. My name is George Cerbone. I'm the Chief Security Architect inside of the BTP foundational plane. So our organization builds all of the security features kind of within the BTP platform, including the identity services and the provisioning services. We also own, oddly enough, SAP Identity Management, which is sort of the legacy on-prem kind of product. And I don't want to spend a ton of time. I'm really more interested in getting questions from the audience, but I did want to kind of frame the conversation a little bit.
SAP, as Martin mentioned, SAP has announced the end of maintenance for the SAP Identity Management platform. That's kind of our legacy on-prem platform used for managing on-prem SAP systems. So that is going to end. That end of maintenance has already been announced. The end of regular maintenance is in 2027 and the end of extended maintenance is in 2030. And that sounds like a long time, but anybody who's been around identity management for a while knows that these projects are big, they're complex, and there's a lot going on.
And so now's the time to start thinking about how folks will migrate to a new, more identity fabric kind of centered approach. It's a really interesting inflection point inside of the SAP ecosystem, because we're also moving toward this cloud-based approach. As Martin mentioned, BTP is going to become more and more important inside of the SAP ecosystem as we migrate from R3 to S4. As we look at programs like RISE, as we start to think about how do we keep that core clean, BTP is going to become the point of integration for a lot of this stuff.
And so as you're looking, or as customers are looking to replace SAP Identity Management, our advice of what we're doing is we're adopting this partner-centric approach. So we're really looking toward strong partners who can provide great support for the existing on-prem, whether that's a physical on-prem or a logical on-prem with a RISE type situation, but also provide that view toward the cloud-based future. And so as you're looking at solutions, I really encourage everyone to look at both of those options.
You want to have a strong on-prem support footprint, but you also need to know kind of what's coming forward with BTP and cloud in general. I wanted to put one quick slide together just to take a look at folks who aren't necessarily familiar with the SAP Cloud Identity Services. So there are really three pieces that are part of this. There's what we call the SAP Cloud Identity Service. There is the SAP Identity Authentication Directory. There's the Identity Authentication Service and the Identity Provisioning Service. And all of these three services provide...
The critical thing to understand is they're all standards-based. So we're leveraging things like SCIM. We're leveraging things like OAuth. We're leveraging things like SAML. And they're really kind of the cloud services that are focused toward what is going to be the future. So everything that we're doing inside of SAP focused on leveraging these cloud identity services as the focus for authentication, provisioning, and then the common integrated directory. I'll put just one more quick slide together, just kind of a reference architecture.
The problem, not the problem, but one of the benefits of working with SAP or being part of the SAP ecosystem is we have customers at every stage of their journey. So we have customers who are in very mature industries that are focused on operational success, not very cloud-focused at all, all the way to the other extreme, customers who are moving at light speed and very, very cloud-focused. And as a company, we have to support customers wherever they are kind of in that journey.
And so the important point there, the salient point here is our focus is to be able to support, as Martin mentioned, that idea of the identity fabric, that for customers who have no existing identity provider, we can become that identity provider. If customers have existing IDPs that they want to leverage, we're going to support that as well.
And so, you know, kind of the key takeaway is wherever you are in your journey inside of SAP and moving toward the cloud, we're going to be able to support those pieces kind of going forward. So again, just one last one, and then I'll stop and hand it over to Robert, but what makes a good IDM partner?
Again, good support for on-prem ABAP landscapes, whether that's logical, whether that's physical, using certified connectors and methodologies for integrating with the SAP infrastructure, good support for the BTP and cloud, good support for industry standards, support for GRC and access control and being able to leverage those pieces of the SAP ecosystem and then finally, you know, and I think this is an overlooked one, Martin touched on this a little bit on his earlier poll, a really good network of partners who have experience in leveraging that solution and being able to leverage in particular in SAP workloads.
SAP is a very rich ecosystem as we know, and there's nuances in how we do things. And so having that experience and that support is sort of pretty critical. So with that, I will stop my sharing and I will pass it over to Robert.
Thanks, George, that was a good summary. And of course, Martin's presentation is always interesting, particularly when it comes to fabrics, is that it's something that we at One Identity are definitely very attuned to and are trying to build on our portfolio to match those requirements.
So I'm Rob Kraczek, I'm a field strategist at One Identity, I've been working in this identity security field for quite a while. And I thought we'd put together a quick deck that just gives you a summary of who One Identity is and what functions we perform in an identity security landscape. So One Identity is comprised, for those who don't know, we have four major product groups of which we're gonna be focusing on identity governance administration today. But we also have an access management solution, we have Active Directory management, we have privileged access management.
So we're very focused on identity security, whether it's people or whether it's a silicon-based identity, we focus strictly on that area. Obviously, we're not the vendor that's going to solve all your problems with ITDR and other things. But what we're focusing on primarily is the identity and verifying that identity, which Martin mentioned at the end of his previous slide, was that verified identity is key to securing your environment.
As we see landscapes evolving, being distributed through multiple SaaS and on-prem platforms, we're seeing a kind of a dilution of that identity security landscape. And so we're tailoring our products to ensure that we can protect not only on-prem, but also hybrid and pure SaaS environments in ways that make sense with open standards and with processes that allow us to complement security models like SAP. So if we look at what we do with SAP, it's primarily first open standards.
So we do have some customization we perform, but for the focus of this session, we're focusing on our Identity Manager product, which is our primary IGA solution. And as you can see from this slide, we support SCIM, and we have an approved ABAP connector, which is what came in very handy during the POC process when we worked with SAP to provide our technology to them. And I have to say that we've had a relationship with SAP for many years.
We've had an approved ABAP connector for at least a decade, and we have a lot of shared customers, particularly through a lot of DSAG customers are both One Identity and SAP, as well as in North America, we have a number of them as well. So when SAP approached us to talk about how we could help them migrate their IDM customers as a vendor that could potentially do that, we proved out a number of use cases using the ABAP connector to show, demonstrate the deep security model support that we have.
But on top of that, as Martin and George have spoken about, we can also then take that connection and that security model, and then we can now expose that to the broader world through SCIM and open standards. And that includes the BTP cloud solutions, as well as of course, exposing that security model to a broader identity security fabric by also supporting hundreds of other applications and sources of truth that are identity centric.
So if we look at, take a deeper dive into this quick model, you can see we support GRC, we support SuccessFactors, Concur, of course, S/4HANA and R/3, we're on-prem as well as HCM and others. And we have a very strong network of partners that actually work with SAP and our solutions to provide that ability to say, for instance, migrate an IDM customer into Identity Manager and then building that identity security posture past that migration.
And again, if we look at some of like a sample diagram that I have here, this is an example, just in a very quick block diagram of some of the ways that One Identity Manager can be utilized. So if you were to look at the top left block here of One Identity Manager, that would essentially be your starting point where you've already moved, say SAP IDM data sets into Identity Manager along with other integrations that you probably have within that product.
And now you can use Identity Manager as a synchronization engine to then drive out SCIM calls and other connector calls and set up your SOD violation checks and your attestations or access reviews in a way that makes sense to your business. Just like Martin and George said, there's a lot of different, customers are on a, everybody's on a different path. There are certain commonalities between customers when it comes to technology, but everybody's business is a little different and everybody's approach to performing that business is different.
So then if you take those differences and then apply that to an identity security fabric, you have even more nuanced changes and modifications you need to make to a system to make it make sense for your business security. So with Identity Manager and coupled with partner products as well as our other solutions that we offer and coupled again in an SAP environment with BTP and IPS and other solutions, we can deliver a modern environment, identity security environment to your business. And so that's a real quick slide deck before we get into the conversation.
I just wanted to put this URL for anybody who's interested. We have a landing page that talks specifically about how we support SAP solutions across our portfolio, as well as some use cases and reference accounts. So it's just something I wanted to put up here in case you're interested. Obviously you can go through KuppingerCole for even deeper information on solution building and that we can provide as a vendor, some references on how we've done it with our solutions and partner solutions. So with that, I'm gonna turn it back over to Martin.
Thank you, George. Thank you, Robert. And with that, let me quickly share my screen again. It looks like I can't yet share it. So I think Robert, you still need to stop sharing.
Okay, great. So I can quickly share it. Back to the agenda, as I said previously, right now we are about to enter our sort of fireside chat together with the Q&A. I think we have already eight or 10 questions here. So quite a number of interest in this topic.
And yeah, that's what we right now will do. Let's dive into the conversation. And I think, yeah, not surprisingly, there's really a huge interest in the market. So I go a bit from top to down with the higher ranked, higher rated ones with more votes first. The one I'd like to start with is, there's one question, George.
George, can you elaborate a bit more on what SAP BTP is and which role it plays or will play in the SAP ecosystem?
Sure, yeah.
So SAP is, BTP is the business technology platform. And so it is the easiest way to conceptualize it is it's the cloud-based services in the SAP ecosystem. So that can be everything that's something that's very vertical, like Concur or Ariba or SuccessFactors, you know, very, very mature, very complex kind of business-focused solutions all the way down to integration and runtime with existing SAP on-prem infrastructure. So we provide an infrastructure as a service, we provide a platform as a service for doing integration with the platform.
And so what customers are leveraging, well, as customers are migrating to the cloud, they're leveraging BTP in different ways to be able to complement their existing SAP implementations. That's sort of a, you know, a three sentence description of something that's this wide. So it's a bit, you know, it's a bit more, but it's essentially the cloud-based ecosystem around SAP. That's the easiest way to think of it.
Okay. So it's, in fact, the platform, the orchestration, integration platform for a variety of services.
Exactly right. Yeah. So we provide, again, we provide everything from low-level microservices for things like transactions and payments and things all the way up to, again, these big sort of horizontal cloud applications.
Okay. And customers then can build their own applications based on that, consume the services. Probably others can publish, again, solutions on the platform. That's the way of thinking.
Exactly right. Exactly right.
Okay, great. And maybe to follow up on that question, because we're talking about identity management. So where does identity come in for the BTP?
Good question. So historically, when we've looked at it in particular, I'm going to talk about the SAP ecosystem. When we've looked at identity, we've thought about users sitting in an SAP client somewhere, right? So you have a username, password, you're authenticating to a standalone kind of infrastructure and you're going from there.
In the cloud universe, things are very different because for one thing, we're typically looking at more decomposed infrastructure. So we're talking about microservices, we're talking about lots of little components that are being orchestrated kind of across various bits and pieces. And so cloud identities are fundamentally different. Customers typically come in in one of two flavors.
They either have an existing identity provider, something like One Identity's OneLogin, where it's a cloud-based identity provider and they're going to get a token and a credential and they're going to authenticate to an application, typically over one of two kind of standards-based protocols, either something called SAML, the Security Assertion Markup Language, in which the easiest way to conceptualize it is you go to your IDP, you get an authorization token and you take that back to the application and that's how you get authenticated.
The other is a slightly different standard called OpenID Connect, OIDC. But the quick answer is that on the BTP side, we support both of those technologies. And so when you integrate with the BTP platform, you're either going to take your existing corporate IDP, like OneLogin, for instance, and you're going to integrate that with the Identity Authentication Service that I mentioned earlier, or for customers who don't have an existing IDP, we can also provide that user management inside of the Identity Directory Service. Inside of BTP.
So there's multiple ways of integrating depending upon where you are on your cloud journey, depending upon how you want to integrate, whether you have an existing mature IDP that you're bringing to the table, or whether you're going to be more SAP-centric. So again, once you're in there, managing the identity is typical, managing any identity and any identity source you've got.
The critical things from a BTP perspective are making sure that whatever identity management solution you choose has good support for SAML, has good support for OIDC, and has good support for SCIM, which is the other standard that we're working with, the System for Cross-Identity, System for Cross-Domain Identity Management. There we go. But the critical thing is remember SCIM and make sure you have good support for SCIM. Yeah.
Okay, great. So one of the questions that I'm curious, I think for also the response was also by Robert. So there also has been, when you go to the SAP community blog, there has been a post around the end of life, which also amongst other partner solutions referred to Entra ID. So maybe Robert, to you first. So why should someone use One Identity's solution?
So Entra ID is a great access management solution and it has complementary capabilities to allow you to do some governance, particularly within its ecosystem.
But when you're looking at broadening the scope of your identity governance footprint beyond the capabilities of Entra, you need to introduce a solution that can connect to multiple sources of truth in a way that makes sense. So for instance, in a hybrid environment, you have a lot of on-prem solutions as well as multi-cloud. So I would say to that question, Entra is very analogous to our OneLogin product and how it functions. It's an access management solution primarily. It does have some capabilities for governance in a limited fashion.
And we complement it very well with our Entra ID connector within Identity Manager. So we can actually take that identity security posture and expand it beyond what Entra can support natively. So George and I are actually releasing a blog soon to add to that conversation on the SAP site and that will talk specifically about how Identity Manager fits into that announcement and those vendors that they're selecting as recommended. I don't know, George. I think when we look at the idea of an identity fabric, it's not necessarily a single vendor. That's right.
You have to one and the other for different purposes with different tasks and more around that from a holistic perspective, depending on where you stand, what you have, what you need. Yeah. Yeah. It all comes down to use cases, right? So what's your use case? How are you delivering that capability? If you have a very cloud centric environment, it's very Microsoft focused, it's very limited. Entra may be your top choice, but in the real world, it's a hybrid environment. There's many, many people and they're all on a different stage in the security model. Yeah.
And I think one of the things you must not underestimate, so I'm working with customers on this conceptual aspects for probably more than a decade right now. The SAP world of entitlements is not trivial. So when you think about business roles and association objects and transactions, then it's a relatively complex world, which is not that easy to handle. So maybe to which extent can you do that? So do you take the one identity mantra as the piece for the access governance side? Do you understand all these elements, all these levels?
Yeah, absolutely. So our ABAP connector is very, very deep level. We can go down to individual attributes delivered from multiple sources, as well as adding customized attributes on top of that. So we can actually, it's gonna be in the blog, but we can actually extrapolate that entire security model per client, and then we can map it over to identity manager attributes. And then we can expose those for via role, entitlements, attestations, all sorts of functions within the product, and then create SOD checks around that information as well.
So when you're looking at building a security model around SAP, you have to understand the, what's your overall posture within those clients, and what are you trying to expose? If you're trying to expose very simple things, that's relatively easy to do, but most SAP customers that we work with, they have a very, very deep level security model with a number of different attributes that they have to map in very unique ways. Okay.
Maybe related to that, again, to George, I think you touched it on your final slide, but when SAP sort of looks at a, let's call it the sense preferred partners for the future of what identity, SAP Identity Management or SAP Identity Management customers use in identity management, what are your criteria for that? That's a, so yeah, that's a very good question. So I think I highlighted some of the things that I think are very important for customers that are looking at an identity management product. We're in this really weird, not weird, we're in this inflection point, right?
As customers, we've got, SAP customers in the main are very large enterprises. They're very complex. They're migrating from kind of this old, single three-tier environment, moving to the cloud. And so the important points are making sure that whatever vendor customers look at can support all of those components. You can't really sacrifice one for the other. It's very easy to look at kind of the SAP ecosystem as being kind of a one-off and being a special thing and not really necessarily needing to be part of the broader enterprise fabric.
But again, good support for ABAP and the on-prem. Again, whether that's a physical on-prem system or whether it's a logical on-prem system in a RISE situation. Could be in your data center, could be in SAP's data center, but it's still kind of a single standalone system. Great support for industry standards. That's kind of the tent pole that our team is looking at going forward. We're adopting this kind of multi-vendor, multiple partner kind of approach.
The support for the industry standards is gonna be the critical thing because that's what's gonna allow you to deal with the cloud piece in a really, really rich supported way. While at the same time, being able to leverage your on-prem. And then again, I highlighted this and I think it's very important. Customers who have a strong partner base of folks who know how to implement these things. SAP systems tend to be very customer specific. They spend a long time with them. They build them around their business processes.
Being able to take what you've got today and migrating it to a new solution requires very deep understanding of both tent poles and both solutions. So those are some of the things that I think are critical as you're looking for vendors to support you. Okay. So we have really, really a lot of questions and I'm getting more and more of these questions. You probably will not be able to cover all of them. Feel free to vote for these questions because it helps me to pick the questions which sort of raise the biggest interest here.
So again, one question to One Identity and others. How would your solution fit into SAP Identity Management customers' migration paths? So that's a great question. And we actually have been speaking to a number of our partners to actually do that. To understand what they're seeing in the field because obviously as a vendor, we get exposed to, I would say, a microcosm of the overall spectrum of customers and what they're trying to do with migrating. So the way I would envision it fitting, say, let's say I take a sample SAP IDM customer who has a relatively populated footprint.
They're using it for some joiner-mover-leaver functions and they want to take that data in its existing form and they want to move it into Identity Manager. We have a, through the ABAP connector, we can connect to that data model and we can bring it over through a migration process, expose it into Identity Manager in a way that makes sense for their business today. Because as you both know, what was designed five years ago may not apply to your business anymore.
So we would typically take that, connect to that data source, bring it into Identity Manager, and then structure it in a way that makes sense for your business today. And from there, then you have the full gamut of connectors that we can provide, particularly SCIM, so we can connect at BTP, or we can go back to ABAP and populate another client, or we can do a lot of things with that data from there. So normally in that migration path, we'd use Identity Manager as the primary source, connect it, bring the data in, and then build out from there.
And I think it's very reversible from my own practice to think about potentially for an interim in that transition to use, I still say sometimes that you write Identity Manager. I'm around too long, obviously. That's the same, sometimes it happens that I talk about Novell or so in a different context. So things happen, but I think the point I'd like to make is you have, anyway, SAP Identity Management, and it's connected. So for the transition, you can also use, from One Identity Manager, SAP Identity Management as a target system. That's right.
And then step-by-step, shift the connectors over, which allows you really to work at your own pace, and I think this is something which customers, specifically with the more complex infrastructure, should carefully consider as a migration approach. Yeah, absolutely. It's a complex, as George said it, IGA is not a trivial matter. There's a lot that happens. There's a lot of, I view IGA as a, it's essentially a software representation of your business process in a lot of cases.
So there's gonna be a lot of different nuances to each implementation you have to take into consideration when you're moving connectors over. Yeah, so a ton of other questions. While SAP has its own Identity Management strategy with Cloud Identity Services, Cloud Identity Access Governance, the partners strategy around SAP Identity Management replacement, what else does the question, and I think probably move to George first, maybe Robert, you want then to add, what else should SAP customers be considering as they move off SAP Identity Manager and onto SAP Identity-related cloud solutions?
That's not enough. I mean, that seems like a lot, it seems like a lot of, a lot of full hours. You don't have a full hour for that. You need to record in two minutes.
Yeah, I mean, I guess the quickest answer I would say is that, you know, I made a joke about it, but that's already a lot, right? So there's a lot sort of going on.
I mean, if you look at the, those are the three big tentpoles, right? The transition from kind of on-prem to RISE or, you know, R3 to S4, the end of life of SAP Identity Manager, we start to look toward the cloud and to think about kind of the cloud use cases. And we're moving from an era where all of our data and all of our identities lived in one data center to this hybrid kind of environment. Support for that hybrid is the critical thing. And being able to, to your point, Martin, to be able to flex where you need to, because again, it's not a destination, it's a journey.
And that's, there's quite a bit going on as we go down there. So those are the things I focus on.
Yeah, I think, you know, the blog, you know, the blog that came out around Microsoft Entra, back to your point or that initial question, Martin, was really around federation and how you expose that access model. It wasn't necessarily about heavy governance. So being able to, being able to take the B2B model and then expose that and federate it with other access management solutions like Entra is, I think, a very important part of it. Okay. So what is the effort to migrate from SAP Identity Management to One Identity Manager?
Has everything, roles, processes, et cetera, to be built new in One Identity Manager? Thousands of users, et cetera, or what can you convert? What can you import? What do you understand? So we have a deep level understanding of the underlying security model. We currently at this point have some practices through partners to migrate it. But in our conversations with partners, everybody's SAP IDM instance is a little different. So what we've developed is a methodology to take the highest level data points and bring them in.
And then from there, it's currently a customization that needs to happen at the implementer or at the consultant level to take it the rest of the way. But again, it's going to really depend on how you've implemented the product and how you're utilizing it, whether it'll be a very easy process or it's going to take some time and you're going to have to phase it out. So I'm sure that's not a direct answer. I can't say I have a connector that'll fix everything, but we have the basic building blocks to ensure that it'll be a lot easier than starting from scratch.
So that's all I can say at this point. Yeah. And I think it's also interesting when you go to my LinkedIn, recent LinkedIn posts, I wrote one article that also looked at or hinted on blog posts I wrote about this SAP Identity Management transition which received really a lot of comments and discussions. And I think one of the things that came up there also is that a lot of these existing SAP Identity Management implementations are customized to a lower or sometimes a very high degree.
And this is also the point and where it's, I think, a good opportunity to think about how must this look in the future in a modern identity fabric? How to do things for the future? Because it's not only that your identity management changes, that as George said, the systems you serve change. You should think probably more from a BTP perspective than from an ECC perspective in that sense.
Saying, okay, what's the future of everything? And then also use the opportunity to reconstruct things and surely importing users from A to B, easy. The tricky things really start when you think about how should the processes look like in future for a hybrid world, for a different environment? And there are so many new things that I think an excellent point as well to spend a bit more time of conceptual work first before you go into the technical migration. I agree. How are you going to orchestrate the identity movement?
I mean, how is it? So let's look for...
So, yeah, a very good question here. Do you have native integration or do you have integration between One Identity Manager and SAP Access Control? And so how does this work? Surely there are some overlap features but customer has SAP Access Control, One Identity Manager. How do these things fit together? How do they work together?
Yeah, so we have the ability to tie into SAP Access Control and either consume or deliver information to it depending on the use case. I don't have a lot of experience with that particular solution set. We do have a number of white papers around it but because we can see the underlying data security model we can actually grab that data and then utilize it say for just simple requests if that's what's needed or if we need to modify the data set in some way through triggers from other systems that SAP may not be aware of, we can do it that way.
But I'm not really familiar with Access Control and how we would completely integrate with it and I certainly wouldn't replace it. I want to complement SAP products. I don't want to replace it. I don't want to be in that business. So we can actually follow up and have more discussion around that. I can probably add some color here.
I mean, so Access Control is a strategic product for us. So SAP views it as something that's strategic. It's going to continue to exist in the ecosystem. It's not going to go away. And typically once customers have implemented kind of their governance processes it's easier to leave them where they are than to try to migrate them. And so we provide, we have a set of web services interfaces to allow products like One Identity to integrate with Access Control as part of that component.
And so, and I know One Identity has some good capabilities around being able to call out web services interfaces for approvals and things along those lines. And so we have customers who do that today where they're leveraging identity management systems that are then calling into Access Control, calling into GRC, calling into IAG in the cloud environment to be able to complement that governance kind of component. I've done conceptual work on this, I think already a decade ago or so.
So yes, it can be done. It is done. And there surely are quite a number of One Identity partners as well that have some best practice around it that have done it a couple of times. So based on the interfaces, you can construct these things.
And yes, it's basically, it's doable. And I think there, aside from me, a lot of people who know basically how to do it.
We do, I'm just not one of them. Sure. Surely in your team there are also enough people who do it. I have an entire team of excellent engineers on my side that I just call and help, I need to know about this.
So yeah, we've done it. I know I've spoken to partners particularly at our last Unite in Barcelona or actually Madrid. They approach us with a number of different use cases around Access Control, around GRC, around SAP IDM. There's a huge knowledge base out there within our partner ecosystem around that. Okay. So I think we go for one more question. We have a lot of questions we couldn't pick. We'll think about how we follow up on these questions. So it's really a very long list, which means, yes, it's a very hot topic.
The one, the final question I'd like you to respond relatively shortly, concise. What do you mean by certified connector and methodology, George? Yeah. So the easiest way, there's multiple ways to integrate with the SAP ecosystem. Some of them are not so good.
Like, you know, pulling data directly out of a database and trying to manipulate things directly. I've seen implementations doing that. And SFI. Yeah. A nightmare, a nightmare. It's frightening. The next upgrade, latest. Yeah. And so that is not a recommended approach.
Maybe Rob, I'll throw it over to you to see if there are alternatives. Yeah. So we've had an approved, SAP-approved ABAP connector or ABAPI for a number of years. And we've spent a lot of time and effort making sure that it meets all of SAP's past and current requirements for communicating with the SAP system. As we all know, that's a very, very complete, I won't say complex. I'll say a very complete security model. And so making sure that we integrate in a way that is not only upgradable, but supported by the vendor who provides the underlying security model is very important to us.
So that was one of the criteria when we were approached to prove out a lot of the use cases that we did around SAP IDM and connecting to the SAP system. The primary one was, is your connector certified? Let's work up from there. And I think that's important, particularly to Martin's comment, upgradability. So if you have an SAP ABAP connector that's approved and you upgrade Identity Manager from one version to the next, that data model is gonna follow that connector. It's not hard-coded by calling tables and calling indexes.
It's actually supported through the SAP security model and system so that we can continue to improve upon it in a way that makes sense for both vendors. Yeah, and to be clear, specifically in that case, we're talking about R3 and S4. On the BTP side of the house, it's a little more standardized. And so we leverage standards like SCIM in order to be able to leverage things there.
Right, yeah, we fully support that as well. I have to interrupt you really at the end of the time. So we could probably talk for hours about it. There will be a subset of session at the SAP European Identity Conference on this subject. We will also do more around this. We see this very huge interest in the market. Our advisory team was always happy to support you. I really liked that information. I'd like to thank you to all the attendants of this webinar with all the questions we received.
I'd like to thank you, George, and you, Robert, for all your insights and One Identity for supporting the KuppingerCole Analysts webinar. Hope to have you soon back at other webinars and EIC. Thank you. Thank you.
Take care, everybody.