Welcome, everyone, to our KuppingerCole webinar, Effective Application Access Controls in the Modern Business IT Landscape. This webinar is supported by Pathlock, and speakers today are Carrie Curry. She's VP Product Management at Pathlock, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts. Before we go into the main topic of our webinar today, a little bit of housekeeping, first of all. So audio control, we are controlling everything. You don't have to care about it.
Polls, we will run two polls, actually, during the webinar and discuss the results if time allows during Q&A. There will be a Q&A session by the end. You can use the app, the tool you have, to enter your questions at any time. And last but not least, we are recording the webinar. Recording and presentation slides will be made available for you to download, same place where you had to register for the webinar. So with that, join the webinar and become active directly now. Because I want to start with a poll.
And that is, who in your organization is responsible for application access control for line of business applications, such as SAP, such as Salesforce, and all the other types of applications? So is this split across different departments, depending on the application? Is it the SAP department, maybe because you're really an SAP shop? Is it the IAM department, which is responsible for other types of access control for other types of applications? Or are there other solutions? So looking forward to your response. And we'll leave this poll open for some 25 to 30 seconds, maybe a little bit more.
So please become active and enter your responses here. OK, so let's directly dive straight into the subject of today's webinar. As most webinars, this webinar is split into three parts. In the first part, I'll talk a bit about application access control and how this relates to or versus IGA, or Identity Governance and Administration, which is the discipline of Identity and Access Management where we look at managing users, their access, their entitlements, and access governance across a variety of applications.
In the second part, Carrie will talk about the benefits of a holistic application access management, so across everything a bit. And in the third part, we will have a sort of Q&A. The more questions we have from you, the better it is. This makes it more lively. So please enter your questions in the tool. And where I want to start is that this world of line of business applications is really changing. It's been changing for a couple of years now.
And it's changing away from a frequently, relatively monolithic, single vendor, on-premises approach to an approach which is more hybrid, which is more vendors. It's probably more a few vendor than a multi-vendor approach in most cases. But it's increasingly a SaaS approach. So for a reason, I painted this arrow a bit more up to SaaS and lesser to really multi-vendor. But there's a trend, clearly, towards SaaS and multi-vendor, but also frequently built on one main supplier for certain elements. Frequently, it is SAP, not always, but frequently it is.
And we expect this trend to continue, because SaaS, it also means that there's a tendency to have smaller chunks of line of business applications which can be implemented rather quickly. It's the common deployment model. And so this is really changing. I dare to say that from the research we do and the insights we have, that still the majority of organizations are somewhere in a hybrid line of business landscape. Not everything is SaaS, but parts of it are SaaS.
This is, I believe, a very important change. And when we look at it from an access control, from an access governance, from an access risk perspective, it means we need to figure out how we deal with that. So how do we manage that? And there are two aspects to look at. The one is depth, so one direction. The other is breadth, with the various applications. But we obviously need to give a bit of special care to line of business applications, because they are business critical.
And when we look at what is happening in the audit space, I think it becomes more and more clear that auditors take and must take a broader perspective beyond just purely financial data, financial relevant data. So the perspectives are getting broader when it comes to aspects like critical entitlements, legacy controls, where do I need to have it. But we also have this situation. We need to manage, let's start with users first, before I go into the governance.
We need to manage users in more applications now, including support for legacy specifics, such as the SAP Central User Administration, integrated with commonly HR and HCM systems. But also, I think we need to look at how does the standard IGA user management and user lifecycle management play into this. Then we have the entitlements. And I think we know all who have been involved with line of business applications, that some of these have rather complex, and certainly also some have a bit ever-changing models. And it can be quite complex.
They need optimization to be manageable, to remain manageable. We need approaches on how can we generate entitlements, all that stuff. So we need a lot of capabilities when it comes to managing these entitlements. And unfortunately, in a multi-vendor, even in usually a multi-product environment, these models are not necessarily consistent. So even from the same vendor, when you take the traditional on-premises acquired SaaS applications, there frequently are a major difference between these models. But we need to manage all of these models well.
Also because we need depth in the SoD controls management, in the critical entitlement management. We need to integrate potentially the enterprise risk management, et cetera. So we need to give special care to that, because these applications are important. And we need to be good at managing these controls.
Notably, we also need to give special care to SharePoint, Teams, Windows File Service, whatever else. So it's not that we can't avoid going into the deep details of these solutions. But for line of business applications, it's still something which is of specific importance. And we also need the breadth here. So we need to look at how do we manage all these different applications. As I've mentioned, one of the challenges we are facing is that we have more of these. And we have IGA on one hand.
We have the application access control, application risk management, or access control for line of business application, however you name it. These areas are overlapping. And I'll go a bit more into detail here in a minute.
But basically, IGA focuses on user lifecycle management, so joiners, movers, leavers, provisioning them, creating accounts and target systems, and access governance across a wide range of applications, which frequently support some of the line of business applications, but depending on the vendor, maybe only some, not too many, and also depending on the vendor, it's more or less than that. The application access control world, on the other hand, focuses primarily on line of business applications and going very deep into detail.
Some of them, some of the players in the market really just do SAP, some even primarily do SAP and the ABAP world within that. It's a bit about breadth and depth, but we also see that there's some increasing overlap. And also from, again, when you go back to controls, and we need to have in place, when we look at the regulatory compliance of what audits are looking for, that it does become clear that the intersection is growing. And we need to think about how we deal with that. And for our environments, really have a look at what is the best approach to do it.
So I changed the wide range of applications beyond all of the application access control tools, which come with rule books, the rule optimization for these tools, et cetera, frequently very specific features for certain types of tools. When I go further, another bit here, and come up with really a feature comparison. And this is really a very average IGA versus a very average AAC, not in the sense of very average being negative, but when I look at multiple tools in the market, then some are stronger, some are weaker. So it's not that all these tools are exactly the same.
It is just that we have some that are probably better than the arrow indicates, some maybe less or weaker than the arrow indicates. But we have things like provisioning to AD, Azure Active Directory, or now Entra, Linux, et cetera. Clearly a domain of IGA; application access controls frequently are relatively limited there. So, fine, a bit more AD and Entra, less of the rest of it, even more extreme potentially for Exchange, SharePoint.
But on the other hand, when we look at SAP, we see that both types of solutions are relatively strong while IGA comes to its limits, the more line of business applications we are looking at. For the industrial analysis, we have some which have quite some good technology in IGA, but it's clearly more of the application access control. The main better workflows tend to be in IGA. Role management, even more sophisticated, especially your role optimization will be more sophisticated in the AAC side. Both have this access review, access analytics things, but for instance, IGA commonly is lacking.
So for rules, standard sets of SoD controls, et cetera, would apply in certain types of line of business applications, but IGA can be quite good when it comes to cross-system approaches. There's self-service, emergency access, not a common domain of IGA; there's access management, which has a bit of an overlap. Continuous controls management, we see a bit more increasingly in the AAC world. So it becomes clear there's an overlap, even when we go really a bit further into the details, but it's not yet, at least not yet, the same.
So I think that there is some convergence we see, we expect to see more convergence, but these still are, to a certain extent, different domains. So we need to think about what is the right approach to deal with this; this also depends on the solutions, because clearly if we have one solution, there's a tendency, an advantage over two solutions, if it serves what we need. So what you definitely should look at is at least teamwork. So getting away from and getting rid of having different teams that do little with each other. I think this is a very, very important aspect.
So what you should look at is at least a certain level of unifying your organization. This is not a specific model for this world, this is a standard target operating model for advancing access management. But these models help you to structure your organization. There might be one team, there might be two, but there might be even more, if you look at multiple line of business applications, I mean, you think back to the poll, that should be erased. But define a target operating model where you look at the entire space of identity management, or in this case, IGA, the application access control.
And to understand who does what, who's responsible for what, which things are better done in common, which things are maybe better done separately. Define the responsibilities, define also where the interfaces are between different teams, so that they can collaborate and doing things in an ideal way together. But this is a bit provocative, I know. I think it's time to break down silos. I think we need to think more in a unified perspective.
With the world of line of business applications changing, we still can discuss line of business applications versus other parts of IT, versus the more individual parts of IT, et cetera. Totally fine with that. And I think there are reasons for that. But I think we should get rid of product specific silos, at least, and then focus on functional and organizational organized silos that are looking at this more holistically.
This will really enable you to better deliver to the business, also to make a split according to a target operating model between, for instance, the business services, the business responsibility, and the technical responsibilities. All that is in such a target operating model. But we definitely need to tackle that.
With that, I'm already done with my part of the presentation and I'd like to hand over right now to Carrie, who will be doing the second part of the talk. Carrie, it's your turn right now. All right. So let's now talk about the benefits of holistic application access management and what they mean to your organization. So for those of you on today's call not as familiar with Pathlock, I'll provide a quick intro and then we'll get into today's content.
Pathlock helps over 1,300 customers worldwide automate their application access governance processes by providing a comprehensive suite of tools to limit risk, automate controls, and reduce fraud. Our approach is to offer a complete platform to automate the most challenging aspects of access governance. We do this by focusing on areas which offer the most impact when it comes to efficiency gains and cost savings. Access risk analysis, which is automating the reporting and mitigation of segregation of duties and critical access risks across the business and IT.
Compliant provisioning, which is automating the process of role and user provisioning to ensure compliance with business and regulatory requirements. Access certification, which is automating user access reviews to continually refine entitlement assignments and reduce risk. Emergency access management, which some might know as PAM, which is managing temporary granting of privileged access with a domain-specific workflow. And role design, which is designing compliant roles compatible across all of your business applications. Our value proposition can be distilled into a few simple statements.
Our advisory, product and solution teams are led by certified information systems auditors with broad experience across the business applications we rely on today and may rely on in the future. As I mentioned before, our approach of offering a complete access governance solution is unequaled in the industry. Our solution is able to demonstrate unmatched ROI by leveraging our prebuilt rule sets, connectors and controls content for rapid deployment.
So you see immediate positive impacts from the efficiencies of automation for provisioning, simplified access certification activities and end-to-end audit reporting. And lastly, our unparalleled TCO value, our ability to integrate with other vendors as well as support significant numbers of applications for fine-grained analysis and reporting enables you to move beyond multiple silo tools and into a singular comprehensive solution.
Okay, let's get into today's presentation. As Martin already discussed, business needs are evolving quickly. And with that comes a rapid expansion of line of business applications. Those applications require access strategies to be effective. We typically encounter three common situations when we engage with organizations to discuss access governance.
First, due to the proliferation of a line of business applications, organizations are dealing with a scale of distributed processes. All of which need fine-tune access to be effective.
Second, attempting to manage the controls for these applications and interconnected systems is often done manually via spreadsheets and often requires outside consultants to help untangle. And lastly, what we've often found is a lack of transparency and alignment across functional teams when it comes to designing, enforcing and reporting on access, which in the end often creates friction in compliance and audit reporting. Let's take a look at how we got here and how this has framed our point of view here at Pathlock.
As Martin mentioned, access requirements and the controls auditing along with it have evolved in just the last 10 years. 10 years ago, it was typically the ERPs that saw focus of access control audits. This made sense as many organizations had the bulk of their processes operating within their ERP. As specialized applications for human resources, finance, supply chain started to gain popularity, those applications were then added into the audit mix. But mostly only so much as they were connected to the individual ERP.
What we expect to see within the next five years is that the majority, if not all of the line of business applications will be in scope as the new normal for access analysis and audit reporting. That's quite a dramatic shift and one that organizations need to start planning for now. Just consider the advantages or advancements of AI and large language models, which will exponentially increase the processes that need controls. And include generated from these tools may have a greater risk profile that could slip through legacy identity tools.
This table represents how the challenges of trying to manage across applications manifests itself within IT, audit and application teams. Across the top, you see the names of common ERPs and line of business applications. And on the left-hand side, you will see the common access relevant objects that need to be considered. The models don't line up, which can cause gaps in scope of access, which is needed. It can result in bloated privileges and inefficient processes. Where the real challenge lies is with the actions and permissions within these applications.
It's highlighted in the red box on your screen. It is one thing to have a wide range of connections into applications. It's another thing entirely to have the breadth into those applications, to deeply understand and be able to administer the core activities within those apps. Your IGA vendor may have rule sets for a handful of applications, but without fine-grained visibility for the actions and permission levels within those apps, there may be unseen segregation of duties violations.
Now multiply that against the number of applications we're assuming will be in scope soon for access analysis and auditing. And that should really highlight the issues with attempting to meet these challenges with your traditional IGA technology. This brings us to our point of view here at Pathlock. As I mentioned in our introduction, we offer a complete platform to automate the most challenging aspects of access governance. Our advice for organizations is to build for the future, not for the past. That includes being risk-focused by design.
Legacy identity vendors built their solutions to speed up the process of getting users onboarded and productive more quickly. They didn't begin with the concept of risk. This risk-focused design also includes modernizing and automating controls, so that we've aligned with business requirements. And this includes the ability to leverage best practice rule sets across your application ecosystem. Getting away from the piecemeal and manual approaches to access analysis.
Another key plan for the future concept we talk about a lot is to highlight the foundation to be able to mature beyond risk identification and into the mitigation of risks. And for example, prioritizing mitigation with things such as risk quantification. And lastly, something that both Martin and I have talked about earlier in this presentation is the need to empower cross-functional teams of unifying that organization, surfacing the data and insights needed for them to reduce risk in their day-to-day roles.
This would typically be my summary slide, but I also wanted to take the opportunity to introduce you to Pathlock's approach to application access governance, for those of you on the call that may not be as familiar with Pathlock. Our application access governance solution is a comprehensive set of modular capabilities, all designed to work together to offer a far greater reduction of risk than the traditional identity management or joiner-mover-leaver type of offerings. Access risk analysis.
This is our ability to analyze and report on access risks across segregation duties, data privacy and cybersecurity in one view at a more granular level than any other solution. The first step to a more secure environment is depth and breadth, as Martin mentioned, and visibility of our risk landscape. We need to be aware of our risks in order to clean up our environment. Compliant provisioning. Here we are automating access provisioning with risk scoring and policy-based workflows.
This goes beyond just provisioning access and includes the ability to perform preventative segregation of duties and critical access risk checks. So risk is addressed prior to provisioning, keeping our environment free of unaddressed risk. Access certification. We review user access roles, risks and controls across your business applications. While automated provisioning enables faster user access, certification ensures we are reviewing and removing any stale access and continually monitoring our environment and keeping it up to date. Elevated access management may also be known as PAM.
This is the ability to request, approve and monitor temporary privileges for users, through the collection of usage data, change logs, enforcement of controls and automation of the review process for elevated accounts. And finally, role design or role management. We support the building of risk-compliant technical and business roles with risk simulation analysis. So how does Pathlock drive value and transparency throughout the organization? For IT users, our automation capabilities drastically reduce IT overhead and workload.
This is true for everyday activities such as provisioning as well as reporting requirements. This reduction allows IT teams to move beyond keeping-the-lights-on mode and enables them to have bandwidth to address the ongoing enhancement and support requests from the business. The security side of IT sees the risk of breach reduced due to having continuous change monitoring in place. IT can see as much as 50% of their access-related tasks reduced with Pathlock. Once again, opening up their capacity to support business-critical requests that are beyond keeping the lights on.
Business users get up to a 70% reduction which largely comes from the automation of controls testing but also in the reduction of time it takes for provisioning requests and user access reviews. Granting a user's access in two days instead of something like two weeks significantly impacts the business user's experience and ability to continue performing their job in a timely manner. For internal controls and audit, our customers have seen up to an 80% risk reduction when it comes to negative audit findings or the need to report material weakness.
Another tangible benefit is we allow controls and audit teams to become more strategic. The ability to shift from transaction-based audits to risk-based audits increases the coverage and benefit audit brings to your organization. Ultimately, Pathlock enables IT, the business and audit teams to work better together. Before I hand it back over to the KuppingerCole team, Martin, I just wanted to say thank you for your time today and I hope you enjoyed the presentation.
If you'd like more information on how Pathlock can help on your access governance journey, more information can be found at www.pathlog.com. Now, I'll turn it back over to Martin and team for some Q&A.
Carrie, thank you very much. I hope everyone can hear me now again. Let's go straight forward to the Q&A and, as I said, we are happy to take questions from the audience. The more questions we get, the better it is. But we already have a couple of questions here, as you also can see in the tool. The first question I'd like to look at. So if you as an organization say, okay, I want to make such a step, I want to move forward from a sort of non-holistic approach to a holistic approach, however you'd like to phrase it. How do you do that?
What are the key steps and items to be aware of as part of such a process? That's a great question. So moving from siloed approach or individual ERP holistic or individual approaches to a more holistic approach. Our customers have found success when moving from that siloed approach to a more holistic one with the help of application and audit experts.
So whether that be through Pathlock's implementation services, for example, or one of our partners, we bring experts to the table to help build a strategy that is not only compliant, but maximizes efficiency and cost savings and provides for longevity as your organization grows. So one of the keys there in moving from that siloed approach to a more holistic one is engaging experts alongside a platform that will allow for that longevity and growth in your organization.
I think those are the two key pieces or key elements is having experts on side so that you can move and understand granularly SAP versus Oracle Cloud versus EBS and bringing that together into one approach. You're gonna need some experts on side. Some out of box content is really helpful in terms of rapid deployment and approach, but then as well, the platform, which will enable you to actually have a holistic approach.
Okay, great. Thank you. And maybe before we go to the next question, let's do the second poll here, which is a bit related to the first poll, but not exactly overlapping. This is really about ownership. So who owns application access control versus who owns identity and access management? Is this a common ownership combined one in your organization or not? Yes or no.
Again, I'm looking forward to your participation in this poll. I'm looking forward to your results. I'll give you another, whatever, 30 seconds, 40 seconds here.
Okay, I think we can close the poll as well and let's proceed. So the second question I have here is, I think it's again, it's a bit related to the first one, but I think it adds another angle. So how does a holistic approach to access or application access control affect an organization for a maturity level and for a maturity model? So does it mean you have achieved a certain level of maturity for that one tool, and then you say, okay, I would cross everyone and you go down to a way lower baseline right now. So what is your experience here?
Can you sort of transform your achievements from the past? In terms of maturity and being able to expedite maturity or transition maturity from one platform or tool to another, there's a couple of thoughts here. One around achieving sort of maturity in general. So we're not mature, we're starting off. There's things that can help in terms of rapid deployment and using that certified and validated content, for example, especially within those access governance main staples of audit. You can audit different types of rules.
You can audit more rules, covering more modules of your ERP or more business processes within and across your ERP and really ensure you're doing so at a more fine grain level. So a really rudimentary level of maturity is being able to leverage content, validated and certified content through rapid deployment. That'll get you far greater ahead than starting sort of fresh or new.
Secondly, being able to leverage a modular platform approach. So implementing something like risk analysis and starting with segregation of duties or critical access risk checks and getting clean and then implementing other modules to stay clean that are critical to application governance such as provisioning, access certification. That'll ensure you're covering more controls than ever with one platform and you're leveraging what you're using in segregation of duties. For example, that rule set, you're able to leverage that in provisioning.
You're able to leverage that with access certifications, for example. And thirdly, in terms of where you're sort of mature already and really mature in your access governance, choosing a platform where you're able to grow, that's able to grow with your organization and offers continuous controls monitoring, for example, where you can start to optimize compliance is going to be key.
Okay, great, great, great, great answer. And I'd like to continue directly with, I think, a related question, which is about the ROI metric to use when you look at these projects, also in comparison to other projects. So when we talk about maturity, we also talk about metrics. ROI is a bit of a specific metric, but that's directly related to maturity, as we know, and it's an important metric. So what would be your suggestion here?
Sure, so the metric I would use is one of efficiency gains via automation, key in this area. So that can lead to, can be tied to hard dollars of external consulting costs when we look at gaining via automation, efficiency via automation. It's related to the accurate testing of controls and reduction of false positives. That's less time that your risk owners in your organization are having to review false positive information. It can create inefficient work streams, and that really adds up. Keep in mind, we can also work with existing IGA solutions and enhance or extend their capabilities.
So overall, I would say the ROI metric to use in an access governance project, if you're trying to leverage that in your organization, is one of efficiency gains through automation; that is the key. Okay. Interestingly, there came another question, which is really about what common metrics can be used to measure an organization's IAM maturity level. What I'd like to do here is to hint at, because we're just showing in the background a bit of related research, there is also an advisory note of KuppingerCole which looks at identity management maturity levels.
And I think this is a good one to look at when you look at what are good metrics you can use to, or what is your maturity at? So that might be something which is worth to look at. And I believe that last year's EIC meeting, I've been, or this is EIC, I'm not sure, at least one of our European Identity Conference events, I've been also giving a talk about the maturity levels and which metrics I would use and how to implement this. So there's some material available that's in our research to look at. And what I strongly believe is you need to spread these maturity levels.
So you need a couple of metrics there because you have different areas you need to look at and you need to measure. But obviously when you look at the metrics, there are some very common ones, around the decreasing number of orphaned accounts, the number of managed systems you have included, also the number of incidents when it goes more to authentication, password resets, the help desk calls and stuff like that you can use. So there are definitely a lot of these; you'll find some material here already on our website.
And what I would like to pick is the results of the second poll which were about the ownership question. It's interesting that it's really close to evenly split between a bit more than 50% saying we have a common ownership and a bit less saying we have a split ownership of identity management application access control. What we observe is that more and more, at least the CISO becomes the one where the ownership comes together and have a responsibility also for the line of business application world shifted over.
Okay, so let's look at the remaining questions. I think we have at least one here.
Oh yeah, that's a good one. So you have your standard line of business applications, you may also have some custom applications here. How to deal with this if you not only have commercial line of business applications, Carrie? A great question, because most organizations will have some custom applications in some ways. I think here that you'll want to partner with an organization or a company such as Pathlock that has an expert in-house team that specializes in building these connections for custom applications that can then be integrated into our products.
A specialized team can assess the feasibility and the benefit and the value of incorporating that custom application alongside your other commercial line of business applications. You'll also want to do that alongside an experienced implementation team as well to ensure that you're steered in the right direction in terms of the overall strategy and ensuring those compliance and cost savings.
It's a little bit of a benefit-value assessment that you'll have to go through, but you'll wanna do it with an experienced team that has a common connection framework that they're building and really leverage that to see if you're gonna get value and benefit from bringing that custom application into the platform alongside your line of business applications. Okay, great. So thank you for all your insights and all your responses. Thank you very much for being part of the webinar. Thank you to everyone listening to this KuppingerCole webinar.
Looking forward to having you as attendees at one of our upcoming webinars and other events. Carrie, thank you very much for your presentation.
Thank you, Martin. Thank you very much, Aslak, for supporting this KuppingerCole Live webinar. Thank you.