Welcome everyone to our KuppingerCole webinar "Access risk management for SAP and beyond". This webinar is supported by SailPoint and the speakers today are Jody Paterson, who is senior director for product at SailPoint, and Britta Simms, who is managing director at Accenture, and me, Martin Kuppinger, I'm principal analyst at KuppingerCole. Before we start, some quick information about upcoming events and about housekeeping, and then we'll dive directly into the content.
So, for the upcoming events: we have a series of KCLive events over the course of the next couple of weeks. So next fall, it would be around cloud strategy optimization and secure collaboration on cloud. And then we will do one around the access management playbook and where the access and also education it's moving as if read the trends are where these are changing MFA, many of these other topics.
So this is what we will do in the upcoming KCLive events. We have mid-September our European Identity and Cloud Conference in Munich, which you shouldn't miss.
This will be a hybrid event. So you can come to Munich. You can attend remotely. We have various ways to participate in this event. For today's webinar, we are recording the webinar and we will make the slides available relatively shortly after the webinar. So kind of a podcast recording of the webinar, so that you can replay the webinar whenever you need it, that you have access to the content which has been displayed at the webinar. We will do a Q&A session at the end, so you can enter questions at any time.
The more questions we have, the more interesting, the more lively the Q&A will be, as usual. And last, not least, we do polls.
We have prepared two polls over the course of the webinar. I hope that you will participate actively in these polls so that we can gather some data, which we also did a little pic during the Q&A session. And these polls then hopefully give us a little bit more insight about the current state of the market and where our customers are heading.
So without further ado, I'd like to directly go to the first poll before we then come to the first part of the webinar, where I will talk about my perspectives on how this market of access control for business applications is evolving. The first poll, which will be displayed in a second, is: do you have separate solutions in place for SAP access control, for access risk management for other business applications, such as, whatever, Salesforce, ServiceNow, Workday and SuccessFactors, et cetera, with SuccessFactors being from SAP, but technically different, and IGA?
So the identity governance and administration, which also delivers access controls. Do you have different ones in place, or always the same? Take a little bit of time right now and provide your answers.
Okay. Another 10 seconds. And then we'll close the poll. Okay. I think then we are done with that poll. Thank you. Let's proceed from here. The agenda for today is split into three parts as usual for our webinars. In the first part, I'll talk about the future of access control for business applications. Then Jody Paterson and Britta Simms will look at the business benefits of access risk management and the use cases for access risk management. So this is what we have intended as the flow, followed and closed by our Q&A session.
And again, the more questions we have the better it is. So let's get started. And the point I'd like to start with is you are not alone, in the sense of there's more in business applications and business services than an SAP ERP. There's more from SAP and there's more from others.
And I think this is, this is really essential.
When we look at access risk management today and in the future, this world has changed and we see more and more cloud services evolving, vendors picking here, Workday picking there that's, hula, and that's who, and it's not as homogeneous anymore as it has been even in the SAP environment. It's not this homogeneous ABAP-based world anymore. It's a way more heterogeneous world. And this is something we need to understand because it also means we need to discuss access risk management with other people that is out of partisan or other stakeholders in our organization.
So we need to think it broader.
So when I look at trends that are affecting this, I think the first trend is that the way we implement our business applications, but also the way we implement access control, is changing. It's always about delivering value, and also GRC and access control and access risk management must get better in delivering value, so beyond the checkbox compliance. It's not enough anymore to have checkbox compliance. It's about helping delivering business insights and actionable controls. It's also about, and I'll touch this in a minute,
really the actions you take. Just saying, okay, I got my compliance check, will not be sufficient anymore. We have, and I touched this already, this changing systems landscape. So we need to think access risk management, access control broader than we did before. And you know, when we shift workloads to enterprise service management platforms, when enterprise service management platforms start connecting HR with identity management, with the vendor risk and other platforms,
then we also need to get more control about that.
It's the heartbeat coming as central business applications and things can go wrong because flows are built to also implement business processes. And then it's about business activity. It's about controls for these activities. So we need to broaden our focus. We also need to do it in a way that the business teams really can work with that. And the more heterogeneous we get, the bigger is that need, because there's a common language of the business, but there are very specific languages of the different types of applications.
When you talk with someone that has experience with Salesforce, the language is different than someone who has experience in SAP ERP, and for other systems, again, there's a different language. We need to come to the common. Then when they don't mean nature here from a business perspective to translate into sort of common business terms.
And last, not least, the world is changing and we need to keep up in pace with that change.
We need to be fast and agile, and if there are new critical business applications, if critical business workloads are shifting to SaaS solutions, then we need to be ready. We can't wait with our access risk management, with our GRC approaches. We must be there when it's needed. So there's a need for tools from that perspective, for various reasons, to be fast, to automate and to translate. So translation, automation is important because business doesn't really want to deal with artifacts such as T-codes. That's not really fun, and it doesn't make any sense.
That is a technical perspective, but the business needs to look at it always from the business. And don't try to drive your business into understanding these technical details of systems. It's not the right way to do it, even while it has been done in many organizations for many, many years. We need to change it.
And we need also to understand, it's not just about compliance. Compliance doesn't equal audit, doesn't equal security. It's about the actions.
So compliance is trusted fear in compliance that we fulfill the requirements of laws and regulations. In an audit, we can prove that we are doing what we are claiming that we are doing. Do we do it really that good? It'd be a different question. The actions are what you really do. That might be something different than what we tell the auditor, and we need to understand these things are related. So we need to take a holistic approach, because only then will we be secure. If you're just compliant, that doesn't mean that we are secure.
If you take the right actions, we will be secure, but you also need to take actions that help us pass the audits. So these things are all related to each other.
And for that, we need technology. We need GRC. We need access control, access risk management, whichever term, whichever buzzword, whichever perspective you take here. And it's about really supporting the agility, supporting you tools, helping to provide insight into processes and the business processes and help optimize these processes. When we look at this,
and look at who's allowed to do what, at the access risks, then we also look very deeply into which processes we have and how they are mapped to each other, who's doing what in this process. This is a very important foundation for optimizing processes.
It's part of information security. As I've said, it's not just compliance, it's security. How can we secure that information? How can we secure the crown jewels and the critical business applications we have?
And yes, it's about audit and compliance and there's a lot of complexity. And as we know, so each of the systems is taking some different perspective, taking different terminologies and so-so system EMR. It's think about user columns and rows on the title then since the outer systems as well, but they also might use terms groups, key codes, and then rules. Yeah. Business roles and system roles and whatever else, and some of these terms then have a totally different meaning in different applications, which makes it even worse.
But each system is in some way, a little different and none of these perspectives. So if you ever did a role project, a role project hasn't anything to do with, I would say the, the standard way people are, it is talking about artifacts and trying to translate reality into it is it's not the sort of good humans answer or role.
It is something very artificial.
And so we need to get better on that. We need to simplify things and ease the life of people. And what are we looking at? We have so many different perspectives in what we are doing here and the business applications beyond the business applications, into everything we do in business. So we have business activities that are something that someone understands. I have to verify the incoming invoices, I have to do that, I have to approve certain things. People understand the tasks they have, the business activities. That is easy. When it comes to where does this
specific activity stand in a business process, things get more complicated. I think many of you have seen business process projects, business process management projects that were prominent in writing, not as smooth as they could be and as expected, because defining the business processes, maintaining the business processes,
is not easy. But that's where things come together. Still, it's a business perspective. The business looks at business processes.
That's their perspective. Roles then, in some way, are a business perspective, but they already start getting artificial because it's about who does which activities within a business process and how can we group similar people, but we already start getting artificial here. And then we have the technical artifacts, like I mentioned, T-codes, also authorization objects and many other stuff. So we get really more artificial here.
And that is frequently driven by the, the applications by their technical implementations, by something, someone at a large software company or a small software company has invented, and we need to bring these perspectives together. And, and then there's the data. And at the end, we want to protect the data. So we want to ensure that no one performs action on data that are not allowed.
So pace money, and that affects the data average, which they end our account. So at the end of this data, and we usually don't have a perspective on the data.
So we look at the process, who is allowed to do what, we look at static access control systems, but we don't look at the data governance piece, which we should add here as well in the future. So we should think beyond that. And so there's a need for tools, because we have business artifacts and we have technical system artifacts on one axis, and we have a business perspective and a technology perspective. So business understands the business artifacts, but rarely the technical details.
IT is not able to define the business artifacts, like projects where IT tries to define business roles, that I've seen. A lot of these have a strong tendency to come into trouble.
When it comes to the technical perspective, you might have so many thoughts. So you true numbers of these that still for the tech people, hard to manage that. So what we need is we need a translation. We need a mapping.
So translation from technical to business artifacts, the mapping of the views from a business view to a technology view, and we need automation and insight into what is happening of technology, not just to not deal with too many details here. So what is the key to the success? The key to success is understanding the broader scope of modern GRC or modern access risk management or modern access controls for business applications.
So taking a business perspective, having a modern user interface that is built for the users and not derived from something that has been invented many, many years ago. We need the business technology mapping.
We need the automation. We need the insight into details, the broad system support. And I'm a strong believer in that access risk management needs to get broader. It needs to cover and take our perspective. What do we have as workloads? That is our focus.
It's not per vendor. Flexible operating models and integration, as I've said, beyond even ERP, because there are more critical business workloads we need to have a look at. So what we need is breadth and integration. So we need to connect to what we have, cloud, whatever. We need depth. So we need to be able to drill down. We need to be able to manage the details. We need to do it in an efficient manner. There's a lot of automation and doing the things right, and doing the right things.
So what I believe is the foundation for getting better is something which goes well beyond our topic of access risk management.
And that is we need the right organization for that. And that is my call to action for a CIO: break down the silo. If you still have a department that has the SAP department in the title, then start thinking about, is this the right way, or put very something which is business application, or should it even shift into the business organization, at least partially, to have way broader power than today.
But if there's the SAP department, I think it's really time to rethink because we have more in debt, we are more heterogeneous and we need to how we structured it. That will be a very separate topic, well beyond what we do today. But I think it's the point to really start rethinking that. And I know not everyone likes that, but it's our job as analysts to also tell the truth people maybe sometimes don't like to hear that much.
So that is my point on Vista that before we switch over to Jody and Britta, our second poll, which will pop up in a second: is there a common ownership for access risk management and identity access management in your organization? So are the same people, the same stakeholders responsible, the same managers, for the access control, the access risk management, the GRC tools on one hand and the identity and access management tools, so the access governance, access review tools in that space, or different stakeholders? Let's give another 20 seconds or so.
Okay, Tim, so please enter your questions. Okay. And then I would say we are done with that poll and that's the point where I stop with my part and hand over to Jody Paterson and Britta Simms.
Thank you so much. That was very insightful. And I appreciate everyone taking the time to join us today. So welcome to this webinar on access risk management. And increasingly we, as practitioners are dealing with the more complex heterogeneous environment as Martin was talking about, and these business processes span multiple applications.
Now we need to have visibility into our risk landscape and address the risks that they actually present to us and also report compliance to our board and auditors. Surely this must have been solved before and surely there's something that we can really do about it. And that's what I'm going to be presenting on today. I'm Jody Paterson, and I've been focusing on this problem for the last 20 years of my career.
I was director of the GRC advisory practice at KPMG US for about 10 years, then created and ran an automated access control solution called ERP Maestro. And after SailPoint acquired the solution earlier this year, we now have access to leverage SailPoint's breadth of application connectivity, and we're enabling a pretty powerful marketing offering that solves real world problems that we're all facing.
And with me today, we have Britta Simms from Accenture, and we worked together for many years and I value her insights and real world experiences. Britta, you want to just do an intro?
Thanks so much, Jody. Yes. Nice to meet you. I'm a managing director at Accenture security services. I lead the platform security in Europe. I've also been in the SAP security space for about 20 years, started in the audit area and went over into system integration. And we're 30 for many years.
And with the ERP Maestro team for many years, utilizing Bolan and trying to help our clients with the SAP security dilemma.
So a recent research study from the Identity Defined Security Alliance shows that 94% of organizations reported they've experienced an identity-related breach. And they also reported that about 99% of those breaches were actually completely preventable.
So likewise, when looking at insider threats, typically fraud and loss of sensitive data attribute to employees who already have access to these systems. A recent Cost of Insider Threats global report stated that malicious employee acts and employee mishaps or negligence combined made up about 86% of insider threats. So it's not enough to simply manage what business apps and systems your workers can access. It's essential to also be able to control what information they're entitled to see and touch within the apps and systems.
And without this, you leave yourself open to risk. Now the high rates of fraud and loss of sensitive data, either by nefarious means or even employee errors or misuse, really can be attributed to several factors.
And Martin went over quite a number of them and each of them can really be webinars of their own. So I'm going to provide a very high level overview on some of the important ones related to controls for access. So some companies continue to manage separation of duties, access provisioning, deprovisioning, access reviews, risk monitoring that they do, all of these controls, manually. They also may not have user roles with designated access levels clearly defined or rules properly identified in place.
And this all leads to increased risk. Manual processes are known to be inefficient in their approach and really allow risks and undetected audit deficiencies to creep in. And generally this gives you no or low visibility into what the problems are and how to fix them. But now the problem that we're challenging ourselves with today is this issue of expanded number of applications that companies are using.
It's this explosion of technology and cloud applications. It's really simplified the way that we work, but at the same time, the business systems that make companies run better and contribute to digital transformation, they also complicate security and they lead to that siloed data. And as these silos mean that access is decentralized, it complicates this goal of visibility into the risk. So how do you know if, simply, a person creating a vendor is not actually the same person that is actually paying those vendors from another system? How do you know this?
And this all leads to significantly higher audit complexity. How do you prove completeness and accuracy for access controls across your vast application landscape? Certainly you can't do this manually, but we all know that, but even automated systems right now have a challenge with this. And this is where connectivity comes into play.
Now, did you know that on average organizations use approximately 700 different cloud applications per month, and that access to business systems poses the security threat that we're talking about, whether that access is obtained by an unapproved user, or if an authorized user is not monitored for inappropriate privileges. And that's where identity and access controls together is valuable.
Now, the successful implementation of adequate controls is really essential, a full cup for systems like SAP, and mentioning SAP being one of the most pervasive ERPs with this challenge is where I actually grew up and made my career. However, Oracle, NetSuite, Infor, they all have these same challenges. Now just looking at SAP, it starts to get even more complex after the release of S/4HANA and the myriad of cloud applications that connect to it.
The capabilities that once were housed within ECC, such as SuccessFactors for human capital management, now reside outside of that, and that means multiple and separate systems that require controls and identity governance. The problem is that these disparate controls result in fragmented access data, like I mentioned before, and this is not restricted to just SAP. It's related to the cloud applications as well. It's not just related to ERP.
It's related to all the business applications that are part of the business processes that you execute business tasks on to execute on your value chain. So Britta, from the field, what are you seeing?
Absolutely. So the dilemma really is this: access risk management in SAP and beyond. Digital transformation changed the way SAP has been operating and how our clients are using SAP, right? It's not just the pocket of the core ECC product anymore. It is truly a very, I guess, diverse portfolio of systems, whether they are on prem or in cloud.
So I think very important to remember: SAP as a leading ERP out on the market is really core to the wider enterprise. There is a lot more than just your SAP solutions, so your core ECC or core S/4 system. And that's what historically has been the focus of the audit teams and, or the business has SRD as a minimum standard has really gone way beyond that. There are a lot more key financial and/or sensitive systems out there that have relevancy from an access risk management standpoint, and really consolidating this complexity and centralizing
this complexity is really the big challenge.
Now with SAP, you've got the uniqueness of that intellectual property as well, SAP within the suite of products, right, has already much diversity in the intellectual property. They bring to the table when it comes to authorizations and risk. So being able to have tooling that identifies that intellectual property and helps defining what is even risk and what to look for is, is very significant benefit.
So what goal are we really trying to achieve and what are clients really trying to achieve? It is getting to that enterprise access risk management, cross-platform, centralizing enterprise access risk management. Again, it's not just the one ECC or S/4 system anymore. It is the wider enterprise across a very complex architecture, more or less, depending on the client. It is being able to achieve detailed compliance, audit, reporting, and monitoring.
Again, that's where the intellectual property comes in, right? SAP again is very unique in that intellectual property and defining what risk really is. And our audit teams and compliance teams are obviously very interested in diving into the detail of what these risk components are, being able to report on, as well as being able to see that central access certification process, who's got access to what, and then again, having limited complexity as well as cost to the enterprise, right?
How can we make sure we're again, stepping back, looking at the wider enterprise, not having too much complexity, we see many clients historically having separate identity systems, some focus just on SAP and then the rest focused on the enterprise. And that's where Martin mentioned earlier, very important. We need to step away. We need to make this an enterprise topic. We need to look across again, the systems and the enterprise that we have and address access risk management in that way.
If you go to the next slide and, and that's really again where we get to the goal, right?
Centralizing unified, completely cloud and all agile, right? We mentioned, those are some of the key words that came out of Martin's presentation as well, right? Centralizing, automating, being agile.
All those are really the drivers that our clients are having and following to gain this enterprise access risk management goal.
And that's where we see this as a very interesting SailPoint opportunity to the SAP audience as well, to bring in a tool that has the capability of going enterprise wide from a connectivity standpoint, being agile from a cloud standpoint, as well as bringing a lot of the SoD, the SAP SoD-specific intellectual property to the table, the detailed reporting capability to the table, to allow the business to better understand what is risk in my organization, not just on SAP, but what is risk across my key financial systems, my sensitive systems and all the wider enterprise.
And how do I manage that? And Martin mentioned earlier as well, you know, being compliant doesn't necessarily mean you're secure, right? But giving your teams and your business, your compliance teams, the right tooling to understand what are these risks impact and, and building on that I think is a huge benefit.
So being able to get and use this tooling across the enterprise, yet having intellectual property that allows you to really dive into that detail and help define what risk is to you, what risk definitions or from an industry standard leading practice, is a huge benefit, and bringing it together.
Thanks for that.
So, one thing that I've really noticed when we're working a lot with your teams is the theme of getting clean, staying clean. So you bring in, you mentioned the, the fact that automated access controls is the minimum standard nowadays for four controls and then SAP and ECC.
And really these controls are brought in to address the fire of, you know, rampant access control risks, and you come in and you fix them. But then when you implement the identity strategy, the identity management application, right behind the automated provisioning, preventative controls to predict risk before they occur. That's when you put in the real preventative controls to stop this from ever coming back again, and that's the get clean, stay clean type theme. And I've really enjoyed working with your teams on pushing that theme out and helping customers to do that.
So I want to just talk a little bit about the way it's architected, and by having a cloud-based access risk management application at the center. ARM was actually architected to be system agnostic, and that's something
we completed shortly before the acquisition by SailPoint.
Now, then by integrating the pretty extensive connectivity library that SailPoint is affording us, we get access to non-SAP systems, both cloud and on-prem. Now this data is transformed, and then the rule book libraries parse this information, providing the results back in the same reporting fashion that our customers have enjoyed for the last 10 years. And they're built to be actionable and, and information radiates so that you can actually fix the issues and not just report it in a technical where it's it's business really reporting.
So this in essence provides multisystem cross system reporting capabilities, and that solves one of the most complex problems in this space. Now we're onboarding beta customers in Q4 of this year and releasing to the general market in Q1 of next year.
Now, when you combine this cross system vision and GRC platform with the identity. So I mentioned before, so then that's when things get really interesting. The cloud-based identity security platform provides identity management for all user identities, entitlements, systems, data, and cloud services. That's the holistic approach that we're talking about. You get to enable access anywhere and at any time while ensuring that you comply with confidence, and that was the vision behind these two companies merging.
So this is an example of the type of reports that we enable a lot of Britta's teams. Britta, do you want to chat about how you use it?
Yeah, so we use it in a couple of different ways is one, is we help clients better understand their risk posture and, and understand where risk is, what the level of risk is. And then go into the detail of really remediating, mitigating these risks and help the business, how to have this awareness understanding of why is this a risk and really then addressing the, getting clean and staying clean methodology. What we also work as is implementing these solutions again, for the purpose of staying clean and making it easier for the business to really prevent new risks from occurring.
So it's really both of these sides that we address the, the picture here shows the, the dashboard view, right? And this is, I would say a very easily read dashboard from, from a executive level even, right, but it gives you good business information to right away.
See where am I at, risk-wise? What processes are impacted, how high are these risks, and gives you good as well for the folks that are more interested in the detail, right? As a very easy way to drill into that detail.
And I think the thing that's been very interesting for us and our clients is the ability to understand this data very easily without prior knowledge of the tooling. So that's always been very, I guess, fun to see the reaction of a business team that generally doesn't work with the system all that much, doesn't understand, I think, technical terminology, security terminology, and being able to do that. There are reports in the detail of this that we're not showing today.
I think that, that I generally very like for the security professionals that then really dive into the detail of assessing, well, where are these problems? And those are again also very easily read and understood, and that's intellectual property. I think that's also really driving the success of getting clean, staying clean for business in the space.
So I wanted to chat about a recent case study for a company called Cascades. They were about 11,000 employees, about 90 production facilities in North America and Europe.
They had a requirement for compliance and they needed visibility into their risks and the means to fix them effectively. They already actually owned SAP GRC access control module, but what they found was that it was complex and costly to configure and use. They had to hire multiple full-time employees and a team of consultants.
And then when they discovered access risk management, they were up and running on the same day after they actually watched the demonstration. They also have access to the identity in our platform, which allows them to permanently fix the recurrence of any issues in the future through automated provisioning. Now they avoided these high costs and they were actually fully remediated within a couple months.
They integrated the, what security simulation feature into their provisioning workflows, which allowed them to, right within the provisioning itself, identify if there are any risks that were going to be created. And then they could, in the workflow, assign mitigating controls, refuse to grant the access, or actually just accept the risks going forward. So it allowed them to proactively manage their risk and ensure that the issues just don't come back again.
So I mentioned this in, in, in, in, in the case study, actually Britta, did you have any other peer studies that you wanted to chat about as well?
I think real quick, very generic. We've got a lot of clients that are going on that digital transformation roadmap, right?
And, and often identity and identity access management is forgotten in this space. And I think you've got a huge automation opportunity here with respect to cost savings are operationally arrived, but also risk reduction. And being able to address this early on in your transformation roadmap is a huge value to clients being able to use.
Again, Judy of cloud products is a huge value to come in and address again, access, risk access, risk management provisioning early on in this journey, OVC clients really succeed. And again, in, in, in cutting costs. So that's really, I think, a very generic case study that we see where clients are good at getting on that next transformation, stepping stone. And I think a huge success factor.
Yeah, it's definitely the whole theme of fix the fire, get clean, but then if you don't implement some type of identity strategy, you're not going to stay clean. That's the thought behind it. So I mentioned this actually in that case study, but I thought I should just call it out separately. One of the deterrents for a lot of access control solutions is long and costly deployments. Now with Access Risk Management, you can actually deploy in minutes or hours, not weeks or months.
Now, many companies can actually implement in 60 minutes or less and be running with their first reports. And a constant theme that I see in the field is, is even companies that have been given an on-premise solution for free as part of a bundle can actually avoid massive costs by implementing a cloud-based system. The agility and scalability are just unmatched and Martin was mentioning that's one of the requirements and the need of the market today is having that agility and being able to see your risks without massive implementation projects and investments.
So also another question that I often get, and especially since this is a largely European audience, is where does the data reside? Now, I thought it worth mentioning that the data centers are in Ireland and no data leaves the EU if the European data center is actually selected. Now you have a choice. We have multiple data centers around the world. You just select which one you want. And the data is entirely encapsulated within that region.
And this was designed to satisfy many European data privacy requirements. For any of the audience members that are actually based in the US or in APAC, the same deal applies. Now, Britta has been key in many decision-making projects, helping organizations select actually the right solution for these challenges. So I thought it would actually be good for you to close this presentation and hear a bit from you on what are some of the considerations that our audience should walk away with.
Thanks Jody.
So we, we, we work with these well, what are the best fit considerations? What are some of the things our clients should be thinking about in the selection of tooling and the definition of architecture, and again, get clean and, and, or really be clean out of the gate, right? Where a lot of our clients, aren't going into Greenfield and transformations, they have no opportunity to be clean out of the gate and then stay clean. So that concept and vision I think is very important to the state early on that know what your vision is.
Again, consider the enterprise Martin talked about that we really need to step out of our SAP bubble and look at the wider enterprise. Look at the more complex architecture that really is at stake. Now we have to drive our maturity goals, right? Where do I want to be from a maturity standpoint?
And where do I want to be next year and three years to really understand what tooling, what processes is best fit for me again, considering those key financial and or sensitive systems, they will be likely more than just SAP.
And that's very important to consider again, when you look at your system selection, your tooling selection, your architecture. Also very important, I would say one of the critical components, is integration, because that's from an implementation standpoint where things always come to a bit of a screeching halt: do we have standard connectors, do we have certified integration components into that application inventory, because that is what makes the implementation easier, faster, successful. Intellectual property is always a big component. A lot of our clients.
And I think the industry in general is going to, how much can we do out of the box, right?
How much are we bringing to kind of limit the design activities, the impact on the business and, and that's where the intellectual property is huge. Being able to already bring a lot of that knowledge to the table of what does risk really mean and, and helping the business really, to refine it to their organization is a big step forward implementation costs operating costs. I think we've all talked about the agility, right? Being agile.
We're not in the, you know, the what the hard five, 10 years ago, right, is long implementations. We want to go to market quickly. We want to implement those systems. We want to run our operations and being able to do that fairly quickly, doing it securely.
And again, reducing over-arching costs is a huge component. And again, the ability to automate and, and reduce operating costs is a big piece that need to be looked at in the solutioning and the product selections that clients are doing.
Stakeholder needs is another one.
Again, when you look at identity governance solutions, you do have more than just your identity teams as the stakeholders, right? Look at the audit guys, because they will need to do reporting for audit purposes to are there toolings that support the requirements that they have. So you don't end up with multiple tools that potentially do some of the things and things. So you've got a lot of opportunity there to really bring in a wider stakeholder team, bring in the business, right, and, and get ownership there as well, because that's how these tools are in the end. Successful.
Again, automation, automation, you've got a huge opportunity to automate and reduce costs. Take advantage of this opportunity because that's, you know, building that out of the gate and then respectively, you know, managing your risks, reducing your costs is a huge advantage. We still see clients looking at security as a cost, right? Look at it as an opportunity, again, to reduce operating costs, reduce overarching risks.
And like the saying here is, right, it's like adding brakes to a car. It's not about stopping really. It's about being able to go fast, and I think that's sort of that concept. Our clients are learning and understanding and appreciating what we do is security.
So great. Thank you. And just for the time sake, I think we're going to close the presentation and open the floor to questions.
Yes. Next part of our agenda is the Q&A session. So that's what we will do right now. So we will look at various questions we already have received. We will also look at the poll results.
If questions remain open, which might be due to the time we have left, we will answer them directly after developing our, or separately after the webinar in a direct communication. So let's look a little bit at these questions. And so the first question I have here is here. It's red. If it's small to look at, give me one second: in terms of security of our data, what data fields does Access Risk Management access?
I'll take that one. So it really depends on which system we're accessing, but let's just assume that you're asking you about SAP. That data focuses.
The data are focused entirely on non-sensitive security tables. When I say non-sensitive, there is no PII contained within them, other than your actual user names. It goes in and is restricted by the security that you set. You create a user ID in your environment, the system user ID that it uses to access very targeted, specific data. It grabs the tables that it needs in order to perform its analysis and then shuts the connection to the target SAP system. Hope that answers your question.
It wasn't my question.
Well, the question from the audience, but hopefully yes, since I'm trying to read the questions, so to speak. Maybe before we shift to the next question, let's have a look at the results of the first of the two polls. The poll has been.
So look, we picked the right one. Do you have separate solutions for SAP access control, for other business applications, for IGA in place? And roughly it was two thirds versus one third, which means that a huge majority has various solutions in place as of today. I think next time I'll ask for IGA on the one side, and then I'll ask, how is it just for business applications? Because IGA, we know, frequently is somewhat separate. So it's not a surprise to me. Maybe it's more a surprise that at least one third says, okay, we have it integrated.
Hopefully the answer is based on, we have it integrated and that we trust Teflon tool and are lacking support for the others. But I think it's still a way to go, to have a more consistent and a broader perspective on that. So we can switch back to the view of the speakers as today. And then let's go to another question. So why do I need it? So DX is controls in a different,
That actually is a great question, which relates to the poll.
You just showed Martin the power of actually having one single integrated access control solution that integrates directly into your IGA solution is that you can implement preventative controls to stop the issues from ever coming back again. That's the power.
I mean, so we're going to go a multi application and address the breadth of connectivity and that's what provides, but then you also get the ability to integrate within the workflows itself. The ability to understand if an issue will be caused and the power behind that is that you actively manage your risk within the day-to-day business process. You don't come back two, three years later and have to implement this big project to fix and get yourself back to a clean state.
You get yourself clean and then you stay clean, and that's the power of a combined solution. And this is where the industry is going, because this is going to quickly become the minimum standard in a few years.
Okay. Britta, anything you'd like to add?
Yeah, I think it's been interesting seeing sort of the clients in North America versus Europe. And we see a lot more, I think, SoD as a base standard in North America, and Europe, I feel, is not quite there yet. Right. Where there is a question of why, why do I need to worry about SoD?
And I think the bottom line is it is important because you want to know who is, you know, creating and approving those purchase orders, right. You'd be done. We can't just rely on the business for, to magically happen by itself and people ordering the BMWs to their front door. Right. So I think it's very important to have that visibility, be able to address that risk and making it a standard in your business.
And I think when we are realistic, that goes beyond IT.
I think, well, one of the dark hidden secrets maybe of IT is that it doesn't think in business processes itself. So at the end, if IT would define the IT processes as business processes and understand them, they would come up with a lot of SoD violations here. So between admins and data owners and other things. And so the SoD theme is, from my perspective, way bigger than it's usually seen on blessing. Maybe the best thing would be for the IT people to start sort of in their own domain and look at, and I think we're getting closer to this.
When we look at the evolution from IT service management to enterprise service management, we are closer to, oh, we need SoD controls for a lot of things here.
And I think this is really essential that we take broader perspectives and understand, yes, that is something we need to get a grip on, because as I've said, admin to data owners to be lesser, deconflict needs to be managed. And why should we have a ton of tools instead of very few perspectives? Yes.
There are technical reasons, but this is a little bit my take here. But let's look at an even broader perspective, because I have one question here from the audience I'd like to pick: how important is access governance for a successful zero trust architecture? Anyone, if you'd like to pick it up,
You still have the concept of zero trust, right. As interesting, because you're looking again, you're looking at a much broader view across the infrastructure and you, but you still have access management as a component of this bigger zero trust model. Right?
So, so I think it, it does a component of it. It has to be a component of it in order to manage the applications, the day-to-day tasks of a business of an it organization on the application.
And again, with extending the zero trust model beyond just the application, but the infrastructure that's really what allows you that broader zero trust, I guess, model. But yeah, I mean, this is segregation of duty is on, on the application, managing identities and access on that application and the risk on that. And then again, expanding to zero trust beyond just those applications.
You have, you have this, this balance that you're trying to find, right? Like zero trust and also enabling the business to get their job done, right?
You can't, they fight each other. So how do you enable the business and give access in a quick, efficient way, but at the same time, manage the risk associated with rampant access being granted to your organization? And that's why you implement these types of controls. That's why you implement access controls. That's why you implement the IGA. And that's why you have the workflow to prevent and predict issues as they occur. That's why you have business actionable reporting. That's why you have access reviews.
It enables you to get to a zero trust state, but not stop the business from doing what they need to do to actually get goods out the door and make money.
That's why we're in business. Yeah. And I think that there's something to that. And I think I also wanted to look, for instance, at the SailPoint product portfolio, there's a new product for footie. You also have this, I don't know the exact product names, at least I don't have to have in mind a more AI-powered to look at what is happening, looking at things increasingly at real time.
And I think we also have this tendency when we look at access risk as a side of the static, pop, moderate, continuous controls, monitoring perspectives. And I say these even more ads to the NTSC or dress team, because that is looking at what was actually happening. How does this relate to Otter to, to Otter data you, you get and, and do, do you need to react on that?
As I said, I think all these things come together and if you use this telemetric, we, we, we can gossip riots.
Then, then we can really get better by having a lot of controls, a lot of verifications in what you're doing.
Okay, great. Thank you. Maybe to close, let's have a quick look at the other poll we have, which was about, is there a common ownership for access risk management and identity management in your organization?
It's a 60, 40 thing here. So I'm honestly, I'm surprised because I would say for the organizations I know it's maybe a 20, 80 thing at best, but we really have a common ownership, but hopefully the world is changing here because I believe we need to at least understand and integrate it. Maybe not necessarily a couple of ownership, but at least a well-integrated one. Thank you for displaying the poll results. And with that, I think we are coming to the end of this webinar. We are at the end of the time we have. So thank you very much. Thank you.
Thank you to all the attendees of this webinar for listening to us. Hope to have you back soon at one of our upcoming webinars.