Welcome to our KuppingerCole Analysts webinar, Beyond Just SAP, The Need for Cross-Line of Business Application Access Controls. This webinar is supported by Pathlock and the speakers today are Keri Bowman, Senior Director of Product Management at Pathlock, and me, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts. So before we start and dive into our topic, a bit of housekeeping. We are controlling audio centrally, so you don't need to do anything here. We will run two polls during the webinar and if time allows, we will look at the results during the Q&A.
There will be a Q&A session at the end of the webinar, but you can enter questions at any time. At the right-hand side of the screen of our events app, there is the option Q&A, where you can enter your questions so that we can pick them. As usual, the more questions we have, the better, the more interesting and the more entertaining the Q&A session will be. We are recording the webinar and we'll make the recording and the presentation slides available usually the day after the webinar, or at least very shortly after. So before we start, I'd like to begin with a quick poll.
And this poll is about responsibility for application access control. So who manages the roles, the entitlements, the critical entitlements, segregation of duty rules, etc. for the line of business applications? Are these different departments depending on the application, Salesforce for Salesforce, SAP for SAP? Is it the SAP department only? Is it the IAM department? Or do you have another solution here? So I'm looking forward to your responses and as usual for these polls, the more people participate, the more interesting and the more relevant the results will be.
So looking forward to your responses. Thank you. And let's have a look at the agenda. The agenda is split into three parts as for most of our webinars. In the first part, I'll take a look at the market, specifically under the aspect of why we believe that solutions that support a range of line of business applications are of increasing relevance. We also will look at results from our recent report, a Leadership Compass on the subject. In the second part, Keri Bowman will talk about delivering on the need for SAP and cross-line of business access control.
So how must the solution look? What must the solution do that works, so to speak, both for the SAP world and for other line of business applications? And then, as I've said, we will do our Q&A session. So I'd like to start by talking a bit about the, so to speak, LOB change, the changing world of line of business applications. When we look back over the past couple of years, I think there were two trends that came together, and they are, in a certain respect, related to each other.
On the one hand, we have the shift from on-premises to SaaS, where I would say most organizations currently are in some hybrid state, still having some on-premises solutions in place and usually several SaaS solutions in place. On the other hand, with the growth of the SaaS LOB market, we have over the past two decades plus seen more and more specialist vendors arrive, some of them growing bigger and covering a range of areas. Plus we also have seen truly established vendors for a lot of business applications coming up with new solutions.
Like SAP moving to S/4HANA and so on. But there was also this set of new vendors, Salesforce targeting CRM and related areas, or Workday coming in historically from an HR perspective, et cetera. We have seen more vendors in the space. And we also have seen an evolution where customers tend to move a step away from a single vendor approach, the traditional SAP on-premises world, to a world where they have a couple of other solutions for different use cases and where they have a mix of deployment models.
And we are convinced this trend is here to stay and to continue. So this world has changed. That also means that organizations have multiple line of business applications in place, and even the SAP world is not a homogeneous world. You have the traditional SAP ECC world, you have the HANA world, but you also have SuccessFactors or Ariba or Concur and others. So even there, you have different types of line of business applications. These applications are connected in many cases. There are sometimes processes spanning multiple of these applications.
And that also means that the perspectives we take on creditor risks, on segregation of duty controls and all the other stuff are increasing, plus regulations mandate us to look way beyond financial data nowadays. So there's a need for really expanding our perspectives. And that means that we are in a situation where this application risk management or application access control must emerge and support a broader set of solutions. So then when we look at the market here, we did just recently and published two leadership compasses, which are overlapping.
The one has a very strong focus on SAP and SAP first. So solutions that are strong in supporting SAP environments, with a lot of specific capabilities that are related to this environment, such as rollout support and a lot of other things. And then the second Leadership Compass, which really looks at support for cross-vendor line of business applications, so supporting the heterogeneous world of line of business applications. This is the one I'd like to shed a bit of light on and look at some of the details from this report.
And so when we look at the capabilities, then we have baseline capabilities. You will see that SAP always appears quite a bit, because even for organizations that have solutions from many vendors, SAP is still there and plays a vital role. Several systems are for SAP.
Yes, for sure. There are also customers, customer organizations that don't have any SAP. But supporting SAP surely is when you look at the overall market, something that is important. But in this case, our perspective was about beyond SAP. So SAP and beyond, I would say, would be the right way to phrase it. And so when we look at these capabilities, one of the important things definitely is that we look at the deployment models. So support also for modern service deployments, support for a wide range of systems, SAP and other vendors.
Then the capabilities of managing entitlements and roles, doing access risk analysis, supporting the assignment of entitlements, doing super user management and firefighter for different types of solutions, SOD controls management and surely strong reporting capabilities as well. So this is, I would say, the baseline, which we see as key capabilities in this market.
And then there are, so to speak, the advanced capabilities, which we specifically measured and which also, for instance, impacted the innovation rating a bit stronger, which go into other types of ratings. So here, also hybrid deployment models, for instance, are important because, as I've said, a lot of customers, to my perspective, to what we see in the market are sort of stuck somewhere in between. Things like role optimization. So how do you deal with roles? How do you optimize this?
As everyone involved in this type of solution knows, this is a recurring challenge for virtually every customer. So managing roles is definitely one of these areas that are challenging, that are difficult. Then we look at this entire breadth.
So the ABAP systems, the non-ABAP systems, the SAP cloud solutions, the non-SAP cloud solutions, on-premises and SaaS, expanding into other areas like enterprise service management solutions such as ServiceNow and Jira, et cetera, which also play an increasingly critical role for a lot of business processes, being an important platform element for many, many organizations. But also the integration with cross-platform IGA solutions, be it part of the product or be it something where a strong integration is given.
Because IGA, identity governance and administration, as a market is more about managing your AD accounts, managing other types of accounts, and the access of those. Overlapping, definitely overlapping with line of business application access control solutions. But the IGA solutions are definitely stronger when it comes to the breadth of applications, also more at the system level, databases and all the other stuff. And so both usually exist. And this must be integrated.
At least there must be interfaces so that customers have the option to decide on how to roll it out and what to do where, although it tends to, and this is a bit of a trend, become increasingly integrated. Auditor support, runtime execution where you don't need to deploy a complex system, could be an important feature. Some of the specifics for sub-platforms.
And again, so super user management, firefighter stuff, things like that. These are things we look at. We see as very important capabilities. And based on that, when we do our leadership compass, we create our rating. So it's a lot of data we gather, a lot of interviews we run, etc. And then we take the step and say, okay, what, so to speak, what is our rating? And I want to look at only very few ratings here. Don't go into every detail. And these reports are published, as I've said. So this is the one for SAP.
So this was the one leadership compass that looked really at the SAP specific capabilities. And one of the areas we look at is product leadership. So basically we have four leadership categories to give a very detailed and differentiated perspective. The one is product leadership. The second is innovation leadership. The third is market leadership. And then we have an overall leader. So product really focuses on technical capabilities and product capabilities, but also interoperability, deployment, support, and stuff like that.
Innovation looks very much at sort of innovative features, new features, more capabilities that came out more recently or that are still rarely seen. But we, as analysts, believe they are important.
Notably, Pathlock also takes a very strong position there. Then we have the market leadership, which is about number of customers, presence across the globe, so across various geographic regions, but also the partner ecosystem and a lot of other factors that this combines. So I picked the product leadership. And I think this gives a perspective on that, where, as you can see, Pathlock has a very strong place here.
And we did the same then for, as I've said, for the cross-line of business application perspective, where then the support for a lot of different applications, for a lot of different systems, well beyond the SAP world, counted very significantly while the highly SAP-specific features were of lesser relevance. So again, this is a key impact and factor.
And when you compare this to the previous chart, you see that following Pathlock, there were several changes in that rating, because vendors that are really more cross-system, cross-platform scored better than the very specialized types of vendors. As always, maybe a bit of a disclaimer: never trust any analyst's market comparison and say, okay, I go for the ones in the upper right edge; always go through a thorough product selection process. That definitely makes sense, because this is a generic perspective, and you need to pick the right tool for your environment.
But I think there's a reason that analysts do these things, to help at least to focus on who you should look at, and the ones who are more in the upper right edge potentially are the ones that definitely should be included. But as I've said, this is not something which fits everyone. It's a generic perspective, where Pathlock scores very well, because they have a broad set of capabilities and excellent support for cross-line of business applications.
We also have done these spider diagrams, for instance, per vendor, here for Pathlock, which look at a couple of capability areas, like support for SAP itself and their older and newer applications, so to speak, non-SAP LOB support, which is an area of excellence for Pathlock, and then also the functional things like role entitlement, risk SOD, emergency access, et cetera. So it is really a very strong rating here. And it's very clear in a spider chart, the more you are towards the outer area, the better your score. So it shows that Pathlock really comes with a rock-solid solution.
So I think the important thing is when you look at your world of line of business applications, the first thing you need to think about is, do you want to have something, do you need something that covers everything? Or are you still looking more at siloed approaches? I think there's a tendency in the market with this shift in the line of business application world to go broader. And that is the way, I think, which changes the perspectives we have on the tools that help us manage access and stay compliant with these applications.
Also, as I said, with the fact that we have more of these for more vendors, but also need to protect more areas, not just financial data access to that, but definitely more. So this is from my end. And before I hand over to Kerry, I'd like to bring up the second poll. And this is about identity management on one hand, and then the application access control for the line of business applications, be it SAP or non-SAP. The question is, is there a common ownership for this application access control on one hand and sort of standard identity management in your organization?
Simple answer: yes or no. I hope that a lot of you join that poll and provide your response.
Okay, thank you. Then I think we can close the poll and go back to our agenda. So I gave a bit of an insight into how we see the market, where we see the market, where we see vendors in this market, and specifically looking at Pathlock in these recently published Leadership Compasses. And with that, I want to hand over to Keri Bowman, and she will talk about delivering on the need for SAP and cross-line of business application access controls. The stage is yours.
Thank you, Martin. What I would like to start with is, I'm not sure where my floating controls are hanging out here, but we'll hide those. So I'd like to start by saying, you know, who Pathlock is and what we do. And as Martin mentioned, I really want to speak to why there's a need and how we deliver on that need for SAP, as well as cross-line of business access controls. And to do that, I typically like to start with, you know, who we are as a company, and then talk about why we see the need that exists today to level set how we came to our company vision, right?
Our company vision is to provide full access controls and beyond functionality, and to do that across a breadth of applications and at the right depth so that we're properly supporting compliance for access controls. So with that, I will just jump right in. So who is Pathlock? Pathlock is a market leader in application governance, risk and compliance. We have a team of certified auditors, so CISAs, like myself and others, and application experts, subject matter experts for multiple different applications. And we provide a comprehensive suite. So that suite includes application access governance.
That's a lot of the access controls that Martin was discussing the feature functionalities for. Continuous controls monitoring. So the ability to go beyond access controls and actually manage your controls themselves, as well as quantify your risks. And then cybersecurity application controls. So when you're looking at vulnerability management and securing your environment, things like that, we do have more than 1,300 customers globally for our compliance solutions. And that covers, you know, companies of all various sizes, right, from your mid-market to very large customers.
The point there just being that we support a lot of customers for multiple applications. And so no matter where you are, maybe in your journey or in the breadth of applications that you're looking to secure, we have solutions that can assist you. So why does Pathlock exist, right? What are we trying to do here? We saw a need in the market.
You know, we've been around for, you know, 15 years. We saw a need in the market, right, around not just access controls, but how we put all those pieces together. So 75% of controls are still tested manually today, even though the average company has seven plus tools and service providers on average, right? A significant number of companies report at least one material weakness. And that's due, again, to complexity of our applications and our landscapes, as well as what we're having to manage in terms of ever-growing compliance requirements, right, ever-changing and evolving regulations.
What does that result in? A growth in audit costs, right? If we're having to manage more regulations, more controls across more applications, we're going to have that growth in audit costs. And that cost comes from not only our audit team that's performing the audit, be that internal or external, but also our IT and business resources that have to support those initiatives, that have to gather that, that evidence and data and coordinate with audit to maintain that compliance. So what does that all come down to?
Pathlock customers are automating their controls testing, automating their access controls, and reducing their cost and seeing that ROI through that automation. So that's, at a high level, what our goal is, right? Martin's spoken to, you know, the various things that they're looking at for solutions, and we think that there's a significant need there that we're looking to help customers address. So how do we do that? We have three different products within our Pathlock Cloud Suite.
And again, just trying to level set here, you know, what we offer in totality and how this may help you fill your needs. So application access governance is what we think of as access controls. So that access risk analysis, your cross app SOD and critical access, being able to level set your risk environment within your individual applications, as well as any risks across those applications. Compliant provisioning, so the ability to provision access while running SOD or those sensitive access risk checks in advance, and being able to mitigate those prior to provisioning that access out.
Certifications. Certifications are more than just a user access review, right? Does this user have access to this role? It's are you recertifying your risks? Are you recertifying your controls? Are you recertifying your roles that you've designed within the applications?
So and doing all that within the context of risk, again, if we have the ability to run an access risk analysis and see what risks are in our environment, we should be bringing that contextual information into our certifications to allow our reviewers to have all that information available as they make decisions on what access should be retained. Elevated access management, that emergency access that Martin was talking about, you know, the ability to grant users access that's temporary and time bound for that sensitive access where we don't want them to have standing privileges.
And then role management, the ability to manage the access that's defined within our applications. And again, layering in the context of risk. As we make changes to the access in our environments, are we introducing any risk into the environment within those individual roles or within the access that's assigned to users? So that's the application governance suite. So that's mostly what I'll focus on today. But just to round out what we do offer, to give context whenever I say we offer three different products within our Pathlock Cloud Suite.
Continuous controls monitoring, as I mentioned, this is your risk quantification. When we move beyond access controls, what can we tackle? How can we have a more complete solution? Risk quantification allows us to do that. It says not just what can you do, what access and risks do you have potentially, but what have you actually performed? Have you actually paid that same vendor that you created?
And if so, when did you do that? What was that time and date stamp? What was that amount? Which vendor was that for?
So again, if we're going to be monitoring more controls so that we can increase our regulation and compliance, if we can quantify those risks, we can now ensure that we're not just covering the scope of potential risks across our environment, but reporting on actual risks that are occurring. So we are encompassing more of that compliance that we want within our environment. Configuration change monitoring, right? Are there set configurations that are highly important that we monitor in real time to ensure that they aren't being changed? And if they are changed, that we're notified.
So again, when we think about the capability and maturity model of any organization, we think about defining our processes and procedures first, and then automating those where we can so that we can ensure compliance with them, and then we look to optimize. And so we see a lot of these features as that optimization, whereas access controls is automating our policies and procedures to ensure that we are provisioning access, maintaining and recertifying access, and monitoring our risks. Continuous controls monitoring is a lot of optimization. It's saying, let's quantify all of our total risk.
Let's do real-time monitoring for configuration changes. Let's monitor our business process controls and our manual process controls so that we can automate, for example, sending out of various reports that need to be reviewed, because we can have a control all day that we say mitigates a risk, but if that control is not operational, then we're not being fully effective and compliant. So by automating the operational aspect of those controls, we can ensure better compliance. License management. We have a lot of different applications.
SAP is one, right, where we have to manage licenses that our users are using, and that can be at a great cost to our company, the licenses that we're using. So being able to enable management of those can help us recoup and manage those costs.
So again, just holistically how we're managing our systems. And then cybersecurity applications. As I mentioned, this goes into the concept of where are we vulnerable? How are we doing threat detection, data loss prevention? Are we doing dynamic data masking?
So again, when we move into that optimization conversation, what are we doing that's beyond access controls to further secure our systems? So again, this is kind of the scope of who we are as a company and what we're doing.
And again, our vision is to provide full access controls, that full application access governance suite, and beyond functionality. So the CCM and the CAC functionality that goes beyond that. But this is only as useful as the applications we can do it for and the depth at which we can pull those details out of the applications to ensure that we're properly supporting compliance. And I'd like to spend a little bit of time about talking about why that's important.
Why, when we say that's our vision statement is application breadth and depth, why we say that. And the reason is because we know that cross-application risks exist. Martin talked about this, right? We've got SAP, Oracle, Ariba. We've got Salesforce. You may have BOSS or LFS. There are multiple applications out there that we're using to run our business, right? So we need a breadth of applications that we can support because it's no longer just what is your main monolithic ERP that you're housing 90% of your functionalities in. Now we're seeing these parsed out into various applications, right?
We may be doing part of our business process within one application and then that is integrated into multiple other applications. So, you know, the example here, right? We may be doing part of our procurement in SAP, but then we're doing goods receipts and invoice processing in Ariba. And then we handle payments and accounts within Oracle, right? Or this could be any other set of applications. So when Martin talks about the need to do access risk analysis and, you know, how we provision access or how we handle emergency access in applications, it's not just one.
It's all of those applications that are interconnected, those line of business applications that are also connected to our major ERPs like our SAPs, like our Oracles, because we're trying to address the full scope of risk in the environment. Now, that's application breadth, right?
Basically, we need to be able to do these access controls for a lot of applications. But why is application depth also so important to our company? It's because of the complexity and the differences between all of these applications.
So, you know, I mentioned in the last slide, SAP ERP, Ariba, and Oracle. If we just take those three, for example, here, along the left-hand side, we have the access that's defined within a system, right?
Users, roles, actions, and permissions. Within SAP, those are users and roles. Our actions are transaction codes. Our permissions are authorization objects, fields, and values. If we look at Ariba, it is similarly a user and a role, but the actions are roles and the permissions are activities. And then when we look at Oracle, again, we have users, but we also have roles and responsibilities. And our actions are called functions and our permissions are functions.
We also, if you look into Oracle Cloud, have privileges, right? So, what this means is that the security permission structure for each of these applications varies based on application. They were not all built with the same security structure in mind.
So, that's why depth is so important, because if we're only looking at those top two layers, the users and the roles, we're missing the nuance and the difference between the access being provisioned to users at that action and permission level. So, that's why depth is so important. We need to get down to that permission level within each of the applications that we want to properly report on for access controls.
So, our SOD and our sensitive access risks, the way that we provision emergency access, if we're provisioning emergency access, we want to be very certain about exactly what access we're granting to users. So, understanding at the permission level what access is granted is vital.
Similarly, for certifications, if we're going to recertify access, yes, we may pull that access and report on it for certification at the role level, but is that a role? Is it a responsibility? Is it a user group or a security class?
And then, you know, the risks that are resulting from that are the risks at the permission levels. So, again, this is just trying to set the context, set the idea for why we're so focused in on both breadth and depth for applications that we support, because we feel that to be able to accurately meet the requirements that analysts like Martin are seeing a need for in the marketplace, we really need to be able to go down to that level of detail.
And now, why are we doing this? I mentioned we've been around for a long time, right? And a lot of us, you know, are very familiar with, again, SAP and Oracle and how those started out as our major ERPs that we focused on, but why have we as a company focused on expanding further beyond those? And the way I like to talk about it is, you know, from an audit perspective, why has audit evolved?
You know, where have we been, where are we going, right? Ten years ago, primary ERP systems. This is what we were focused on, right? And I know we have international audiences listening.
You know, here in the States, we're all very familiar with Sarbanes-Oxley, and that's been 20 years ago that that major regulation was introduced. And when that was introduced, we were really focused on primary ERP systems, the PeopleSofts, the SAPs, the Oracles of the world, where the majority of our functionality was sitting. And it was really vitally important that we put access controls around those applications.
But then, you know, when you've had 15, 20 years to audit those applications, what does that mean? It means that we've gotten good at understanding the access within those applications. And now we start to broaden our base for what we're looking at. Where are we concerned about potential risks? Where do we need to be focused? And that's why in the last five years, what we've seen is a shift towards what Martin's talking to here today, which is line of business applications in addition to our primary ERP systems.
So, what are the applications that are connected into our primary ERP systems? That example that I used earlier around Ariba, your NetSuites, you know, your Manhattans, your BOSSes, your LFSs. What are the applications that are interacting directly with those ERP systems where we're sharing data back and forth between them? We have users that are operational in those multiple applications.
And so, we now need to say from an audit perspective, okay, what are they doing? Is someone creating a vendor in one application and paying invoices out in a different application? Do we have visibility to that? Are we exposed in terms of risk?
So, that's really come up within the last five years. And then where we really see things going from our company's perspective, and what we've seen analysts, you know, like in the KuppingerCole reports, is this drive towards where are we headed, say, in the next five years? It's all line of business applications, right? Because any application within your environment that users can have access to may have risks involved, right? And then any interplay between them may involve risks for users.
So, again, it's just as we globally wrap our hands around the risks that are potential within our companies, we continue to expand that scope, right? And I always refer back to the capability maturity model, right? First step is define your policies, then automate where you can, look to optimize, right? Make things repeatable. That's applicable, too, for how we look at the applications that are in scope for us to want to regulate and want to monitor and want to manage our risk and compliance around. We start with our major crown jewels, right?
And then we look at the applications that are interacting with our crown jewels. And then we start to look at all the other applications that we have out there.
So it's the same concept of baby steps. We start with one piece, we add on to it, and we build from there. So this is, you know, where the concept of Pathlock came from, what our goal is, and why we think it's so important. So whenever I say I want to speak to, you know, why there's a need and how we deliver on that need, this is what we see it as, right?
A need for application breadth and depth and for the zero risk concept of managing risk across our environment, within each application, across applications, so that we can provide the access to users that they need to do their job without excessively exposing our company to risk. So I will wrap up with just a slide or two on, you know, how we do that.
So again, Pathlock offers our main access controls product, which is called Application Access Governance. It has five different modules that meet those key needs, so Access Risk Analysis, Compliant Provisioning, Certifications, Elevated Access Management, and Role Management. And these are all à la carte, right? You can utilize any of these pieces that you need. I like to think about them in the way that I would typically implement them. So in my prior life, before working in software, I was a subject matter expert.
I was a SME for SAP, and in particular, role design, redesign, and GRC solution implementations. So the way I kind of tend to look at things is consultative. I like to provide users with takeaways in terms of how to think about how to implement. We've talked about a lot of applications, a lot of feature functionalities. Realistically, where do we start? Where do we go? In the last slide, I talked about starting with your major ERPs, expanding to the line of business apps that integrate with those ERPs, and then looking at the rest of your scope of applications.
I would take the same approach here. Start with the baseline functionality and then add on to it, right? And so we kind of think about it in terms of get clean, stay clean, optimize, right? Access Risk Analysis is how you can get clean. That's your baseline step, right? Baseline your risk environment. What are the SOD and sensitive access risks in your application or applications, and who has those risks, right?
Run that report, see where you stand, and work towards getting to that zero unmitigated risk status where you have addressed all the risks within your environment, either through remediation and revoking that access or through applying a mitigating control that acknowledges we're aware this user has the risk. Here's the control that we're using to manage that, and now we have no risks that we're unaware of in our environment. That's a great first step. And then compliant provisioning is exactly what it sounds like.
Risk reporting, if you're just running static reports, those are exactly as they sound static. So they're out of date as soon as someone gets new access within the application. So compliant provisioning allows us to stay clean, right? We've done all the work to clean up our environment to manage all of our risk. Compliant provisioning ensures that as we provision new access out to users, we're preemptively doing that risk analysis check and mitigating or addressing those risks prior to provisioning. So we're keeping our environment clean.
Certifications say we're doing a good job of being compliant when we provision for that, you know, join or move or leave or process, but certifications allow us to revalidate standing access and ensure that nothing stale is sitting there. We have people who back others up. We change jobs and we get the new access for our new job, but we're supporting our old position for a set period of time. Certifications are just a great way for us as a company to revalidate the access that's still needed.
So again, users have access to do their jobs and nothing additional. And again, certifications build on what you've already done. The same way with provisioning, we want to be compliant by pulling in that access risk analysis as we provision. Make your certifications compliance-focused. Pull in those risk results to those certifications so that you're giving that contextual information to your decision makers. If I allow this user to retain this access, is it providing a risk that they can perform, right? And then moving on to elevated access management.
Access risk analyses are not just SOD risks. They're also sensitive access or critical access risks.
Well, once we baseline our environment and we're aware of the full scope of users that have access to perform a sensitive access risk, now we can look at elevated access management as a way to revoke that standing access for them so that when it's needed, they can request the access, check it out, have it for a time-bound period. The usage of that access is monitored and reported on and then revoked at the end of their period of time that was pre-approved, right? So we're still supporting the business initiatives.
They can still use that access when necessary, but we have less exposure to risk because they have less standing privileged access, right? So again, marrying all the pieces together. Elevated access management can play off of those sensitive access risk analysis that we've done in that first step. And then role management.
Again, I mentioned my background is in, you know, role design and access provisioning. Role management, basing it off of our access risk analysis. If we don't build risks directly into our individual role design, we can reduce the number of risks that we're exposing our users to when we assign access to them. It's going to simplify the cleanup as well, the remediation of it because it's just taking a whole role away versus a role just automatically granting risk to a user when it's designed.
So taking that concept into account and building that through our full design of our access so that we have cleanly designed roles, right? So again, you can use these products in any order. Those would just be my tips and recommendations for the quickest ROI and a way to build, again, starting out small with one step and building on that success to be able to implement access controls across your suite of applications and to use it effectively. And in my last two minutes here, I will just wrap up with what is the value here?
Martin spoke, you know, very eloquently to what exists out there, what products, you know, consist of access controls, why it's out there, why it's needed, what users can use it for. I kind of mentioned this in my previous slide, like the value of it, but I like to leave you with some tangible benefits and how it benefits each of the various teams in your environment.
So, you know, if you are looking to assess for a different tool, as Martin said, you know, don't just take an analyst's word for it. Don't just take my word for it as someone who is telling you about what our product can do, but actually, you know, speak to existing customers or ask for use cases, right, and case studies for how others have seen value when they've implemented an access controls tool. And these are some of the numbers that we've seen in our case studies with customers and clients, right?
So, we look at it as IT, our business, and our internal controls, our audit, how can each of these groups gain value? With IT, you're talking about a 50% task reduction. That comes from things like if you're automating provisioning and you're automating your certifications, those are no longer manual tasks that IT is having to perform, just managing the tickets, sending emails for approvals, going in and manually provisioning the access or deprovisioning access.
Additionally, whenever we're performing audits, IT is not having to manually gather the audit trails from all those different places, the ticketing system, the emails, et cetera, change logs in the tool. An access controls tool will have an audit trail within it for provisioning for certifications, et cetera.
So, there's a standardized place audit can grab that data from. That 50% task reduction is so valuable to IT because they can move beyond keeping the lights on, and they can really start to focus on business impactful items that the business is requesting in the applications to be worked on.
So, we're really freeing up IT time to do that. Similarly, with the business, you see a significant reduction in time to provision whenever that's automated. Same thing for certifications. If all the contextual information like when they got the access, when they last used it, if it's causing risks, if all that's included in the certification up front and no matter what the application is, it's presented in the same format, that really simplifies their job to be able to complete those reviews and do it more quickly.
So, they're saving time doing that. And again, they're not having to gather audit data because it's all of the audit trails in a centralized tool for audits to begin with.
So, we're taking that burden off of the business, and that's where you can see that cost reduction in the time that they're spending performing these compliance initiatives. And then internal controls and audit, an 80% risk reduction. This goes back to that concept of not just what can you do, but what did you do. If you have a centralized tool where you can manage not just one application, but multiple applications, so again, that breadth of applications, what that allows our audit and support team to do is to manage more applications.
Because again, the more that we automate, the more that we can do, it simplifies for us. And so we can cover more with the same amount of resources. And because we can cover more with the same amount of resources, we can reduce our risk exposure. Because now we're covering more applications, we're seeing where our risk is, and we're managing it and monitoring it for compliance.
So, we're reducing that risk for the business. So, with that said, Martin, I will hand it back over to the group for Q&A. But I hope this has been valuable for everyone to just get a little bit of an understanding of who Pathlock is, what we do, and how we can deliver on this need that has been identified for, you know, SAP and line of business access controls. Thank you very much for all the insights you gave. Right now we are at, so to speak, part number three, the Q&A. We have a couple of questions here.
So, if there are any further questions, please enter them. The first question I see here is, I think, a question that goes to you, Keri, because it's a bit of a focus on the part I talked about.
So, how do you see the access governance landscape evolving, especially with respect to line of business application, and given the rapid pace of digital transformation and the growing emphasis on hybrid work environments? So, what's your take on that evolution?
Yeah, I think I spoke to that a little bit, but I think the hybrid working environments is important, right? I think that goes to, we don't just have monolithic ERPs anymore. We have cloud applications that are interacting with those ERPs.
We have, you know, fully hybrid environments that are on-prem and in the cloud. And even as a lot of our on-prem things transition into the cloud, we're still operating. I think the statistic that came out a year or two ago was something like, on average, a company has something like 34 SaaS applications, and 96% of companies have applications that are both in the cloud and on-prem, so they're operating in a hybrid environment.
So, I think that's a very common issue that we run into, and I think it goes back to thinking about your path to compliance, you know, starting with your main applications, your main ERPs, and then looking at the main line of business applications that are interacting directly with those, and that's what comes in scope next. And then, like I said, after that, it's the additional applications that will come into scope, and I think that's where it's going. That's where we're seeing it going for audit purposes, right? As soon as you lock down one application, they say, this is great.
Now, let's make sure we don't, we aren't exposed to risk in our other applications that are interacting with this one. Then, you lock that down, and they say, okay, this is great. We've locked down the major ERP and what's interacting with it.
Now, what other accesses do users have in your system? What are they doing in those applications?
Are, you know, are you monitoring that? Are you managing it? Are there risks present there?
So, that's kind of the progression that I see that continues to happen, and I think that is applicable because, like we said, so many companies have hybrid environments that it's just, there's no way around it today. We have to find a way to address it. And talking about hybrid environments, there's another question, which seems to be one that is popular amongst the attendees.
So, I was voting for that question to be asked, and it's, we are in the midst of our migration to S/4HANA, but will still have some on-prem SAP after the migration. What recommendations do you have for us as we consider how to get a combined view of access risk for both cloud and on-prem based ERPs? And I think this is a perfect question for Pathlock with your two parts of the portfolio.
Yeah, absolutely. So, I think that, not to oversimplify, but whenever you are transitioning, you know, if it's SAP ECC to HANA to S/4, or if it's an Oracle EBS to Oracle Cloud transition, again, not to oversimplify, but I would look at it as the same concept of what we just talked about, about hybrid environments. If the application that you have in the cloud is another SAP instance, or if it's an entirely different application, the risk is the same, and the approach is the same, right? We want to take risk into account for both of those.
So, we want to connect our access control solution to both of those applications, both your on-prem and your cloud application, and then make sure that you define your rule set. So, your rule set should define risks for both of those standalone.
So, whatever is existing within your on-prem environment still today, you want to look for SODs and sensitive access within that, but then also, is that on-prem environment in any way passing data back and forth with your cloud, with your S/4 instance? If it is, you're going to want to look for cross-application risks, right? And to do that, you will need to update your rule set so that your rule set is looking for the, you know, when we build a rule set, it's various opposing functions, right?
So, we're going to look for the function in our on-prem solution and the function in our cloud solution, that may be conflicting to cause the risk, and then we want to report on that. So, Martin was mentioning we have a broad solution tool.
So, Pathlock Cloud is something that we would offer that would connect to both of those within a singular system. We do also have SAP native-type solutions that can connect directly to that, or if you already have, for example, SAP Access Control, we can extend that for you. We are a partner with SAP, and we can extend your access controls to additional applications, be that other SAP applications or non-SAP applications.
So, again, that's a lot of me talking just to say that, to simplify it, take the same approach you would regardless of if it was SAP S/4 or if it was Ariba or Salesforce or anything else. Look for your risks within the applications themselves, on-prem and in cloud, and then look for your cross-app risk between the two. Okay. We have one more question, and that is one which you touched a bit, which I touched a bit, and I can probably elaborate a bit more on.
So, I probably would start and hand over to you. So, how would you suggest to evaluate vendors for cross-application governance capabilities? Which areas should carry the most weight? I would say, as someone who's an analyst and who also supports organizations in finding the right tools, there's no fixed answer to that because the weight depends on your requirements. The most important thing is really looking at your requirements.
So, which requirements do you have in your current world? This is also sometimes impacted by what are things that are lacking, where do you have challenges, et cetera, but also all the baseline stuff. And then there's also this perspective on what do you know will change and what could change.
So, also look at where is this market heading? We talked a lot about where is the market heading today and the landscape you need to support. And it is very important that you say, okay, so even while I maybe am in a traditional on-prem world today, I know that this will change because there's whatever it is, the strategic direction given by our CIO to go in that direction or so. And these are things you need to incorporate. And then you really need to build a good, strong requirements list and think about what is most important. Figure out the few, very few must-have criteria.
So, if you have too many, and too many, I would say, is everything which is north of 10 must-haves, then better go to a high priority in should-have and also define what is could-have, which would be nice to have, but it's not so relevant. And from that, you can then go really into a tools choice. This is also where, across the entire process, but specifically also when it comes to looking at who are the vendors to pick for the shortlist, et cetera, reports such as the one that we talked about today can help.
Keri, anything to add here? I don't know that I can articulate it much better than that, but I would absolutely say, know what your key needs are and find something that is going to meet your needs today, but also support where you want to be tomorrow.
So, you know, an application and access controls tool can offer you everything in the world, but if it doesn't do the one thing that you need, that's not helpful. So, find something that does what you need today, but then, like Martin said, think about where you're headed tomorrow, what, you know, today you may just need an SOD report, tomorrow you may want to do certifications, and the next year you may want to be able to do that provisioning.
So, you know, think about what can meet you where you are and what can grow with you as you, you know, continue to improve on your, you know, your compliance approach. Okay.
So, that means just to say now, thank you. Thank you to you, Keri, for all the insights you've provided.
Oh, thank you, Martin. Very, very interesting presentation. Thank you to Pathlock for supporting this KuppingerCole webinar. Thank you to all the attendees for joining our KuppingerCole webinar. I hope to have you back soon at one of our virtual or physical events. Thank you.