Welcome everyone to our KuppingerCole webinar "Application access governance for SAP environments and beyond". This webinar is supported by Saviynt today. The speakers are Yash Prakash, who is COO of Saviynt, and me, Martin Kuppinger. I'm principal analyst at KuppingerCole. And as I've said, we'll talk about how access governance for SAP and beyond should look like.
Like, so really focusing on all the business applications and maybe even beyond the business applications. Before we dive into the details of today's webinar, let me quickly do some, or provide you some information about upcoming KuppingerCole events and do some housekeeping. So we offer a series of upcoming events, and to just pick a few, we have, for instance, next week a KCLive event looking at IGA solutions for ServiceNow infrastructures.
We will have our customer technology as an online event in the second half of October, which is around consumer identity and related topics.
And we will run our Cybersecurity Leadership Summit as a hybrid event in around mid November. So you can participate onsite in Berlin, but there's also the online part. So, so to speak, a free choice on how you intend to participate.
Regarding the housekeeping, there's not that much to say. So audio control is automated. We control everything. And so you're muted centrally, no need to care about that. We will record the webinar and we will also provide the slide deck for download. So you don't need to take extensive notes. You will be able to download the webinar slides afterwards, and there'll be a Q&A session by the end of the webinar. So usually at the right side of your screen, you have the GoToWebinar control panel, and there's the area "Questions", and you can enter your questions at any time.
So we usually pick them by the end of webinars. Occasionally we might also pick the questions during .
So, the agenda: as usual for our webinars, the agenda is split into three parts. In the first part, I'll look at the changing landscape of business applications in organizations when they started adopting cloud-first strategies. Then I'll look at how this impacts access control and access governance. And then I also take a little bit of a look towards what is specialized access control for business applications versus sort of standard IGA solutions.
And what is the interplay or overlap, and when to use what? In the second part, then, Yash Prakash will provide insights into the options and the offerings of Saviynt's application access governance products, and the capabilities these provide for both SAP and other types of business applications. And he will look at going, so to speak, ERP vendor agnostic versus being fully integrated into a specific ERP environment, and then how you can detect cross-environment access risks and help remediating these.
And then, as part number three, we'll have, as I already mentioned, our Q&A session. So that will be then the closing part of today's webinar. Okay. So let's get started and let's look at some of the market trends we see in this area.
So for, for many organizations, the core business system is provided by SAP, but we see also a lot of trends which are affecting this environment. And so the one thing is that even for, for, for these solutions, the focus must be beyond checkbox compliance. So it is really thinking about how should this look in future and see, how can you sort of stay ahead of the audits. So not that fixing some of the findings, getting your check, and then a year later, starting again with new findings.
So how can you really deliver business insight and actionable controls as well to unders to improve what you're doing?
And so to speak, to stay ahead of the auditor and deliver really to the business. The probably most important trend from my perspective is the changing system landscape. So when you look at such an environment, so we see more and more business solutions being delivered as SaaS services, and then it is not the one large platform from whomever where you run a lot of capabilities like finance, like CRM, like product lifecycle management or other stuff on a single platform.
But it is really that you say, okay, there's a special solution for certain aspects of HR, for certain aspects of accounting, for CRM and so on. So you might have a range of SaaS services from different providers. So we are moving into a more heterogeneous landscape for business applications, triggered, driven by it on one hand, the cloud-first strategies. So shifting to the cloud, picking services.
And on the other hand, by just the, the fact that the SaaS offerings for, for business applications, for business solutions usually are more granular than the traditional on-premise.
So you can have been, we also need to tackle the challenge that business needs to understand what is happening with here in Denny, to understand what they are doing. So we need to get close enough to business process. We need to go beyond the pure technical level where we talk about T codes and other artifacts from a technical perspective, but really delivered the interfaces to solutions, the translation for the business teams.
And last but not least, we also need to be able to, to deliver such solutions fast, which means at the end of the day, we are shooting for SaaS solutions when it's about what is the access control for our business application environment in the future.
So these are some of the major trends we are observing. And as I've already said, there's a need for these solutions. And it's a need to go beyond the checkbox compliance thing. So we must support business agility.
So when we onboard a new type of business application, when we paint services, when we change processes and these days with digital transformation, with changing work styles, with the cloud-first strategies, a lot of things are changing fast. And that means our solution must be as agile as the rest of the business is. It must support us also in understanding the business processes and optimizing business processes. We might support the information security requirements at the end of the day.
So it's again, something which is more than checkbox compliance. Checkbox compliance, trust us you're compliant, but it doesn't mean that you're secure. So that might help you in getting secure, but security might require more than the checkbox compliance for itself.
So, but at the end of the day, last but not least, we must pass the audit. So we must fulfill the audit compliance, regulatory compliance requirements. That is also important. And so we have challenges in that. We need to do that. We need to do it for a different landscape than before, and we need to do it in a way that the business understands what they need to do, and that we also can serve the technical underlying infrastructure.
Well, and that, by the way, it becomes some we'll touch on that later on. It just becomes increasingly complex because when you have, let's say SAP, then you have relatively, so traditionally as a people, or do you have relatively consistent structures of entitlements of frozen? So when you look at critical SAP versus SuccessFactors and others, other elements provided by SAP, and when you look at whatever Salesforce and Workday and others, then all these models are different.
And that makes things even more complex because a translation becomes even more important because you can't expect from a business person that they really understand all the specifics of the system. So it's important to map them to understand that more. So we have different perspectives and business, but what that's business at the end understand this is understand what is the activity someone needs to perform the task. These are the things they are regularly doing, and they have some understanding of the business process.
So the flow, so this it's really a little bit of a perspective single for perspective. So the, the, the neutral might be really more focused on his task or her tasks, but there are enough people at the business side who understand the entire business to business for flow. They even might understand some, some business roles, even while we all know that constructing roles can be really a tremendous challenging task.
And we really just think about how can we do it better and better transform what business does into such type of artifacts. You might eat it.
Then we have the technical artifacts, the system controls, which, as I've already mentioned, are also different from SaaS service to SaaS service.
And last but not least, we have data. By the way, it doesn't slip for your you're are looking for at the end, we don't, we want to protect data. We also want to protect the transactions, so invoicing and other stuff, but at the end very much about also protecting data. And so we have different perspectives and we need to understand also how these relate and we need to get a grip on the right level of these. This is area, and as I've said, the challenge is that technology and business are taking fairly different perspectives here.
So the business view: business, they are able to handle the business artifacts.
They understand the activities, tasks and processes, maybe roles. A technology view is really more focused on the specific details of the system. So T-codes or authorization objects, or roles, system roles or whatever. And when we look at the business, business is well able to, to understand business artifacts, but not the technical artifacts, and the IT people usually don't know enough about the business itself to really understand what is happening there. So we need to translate between different levels of artifacts.
So between technical and system level and the business level, we need to map the perspective. So business role to an IT role or whichever type of artifact you need, if you need to map these, and we need to automate and deliver a deep insight into what is really happening at a system level, from a technical perspective. So complex analyses of these potentially millions of objects you're looking at when it comes to security, it doesn't extend to the next step we need to do so we need solutions, which are on one hand complex.
On the other hand, also able to serve the different needs and to translate stuff into business view, which is not a simple thing. So the question is, can we, can we work with one access governance for all? Or do we need a lot of different things?
I believe that we at least can do a lot with a certain central solution. So when we look at technology, we have identity governance, we have access governance, we have structured versus unstructured data, but we see that some of these things are coming together in solutions. So identity, access anyway, but also more structured and unstructured.
Sure. Yeah, we got them in different types of deployment models. What we need really to do is be flexible in these things. We need also to, to be able to provide processes, to adapt to the organizational needs, to create this enterprise GRC and to, to integrate, implement consistent roles. But what is really important from my perspective at the end is also that we have efficient processes. So think about the complexity of access reviews.
Many have, so we need to streamline that and we need to deliver it through as few interfaces as we can, ideally through one interface. So if you need to look for access here and there, if you need to do reviews here and here and there, this is cumbersome, this doesn't make much fun for the users. So we need to look at these. And as I said, we have the complexity we need to reduce because systems are different. So let's try to make these things better.
Again, is it a one size fits all thing?
We have the breadth and we have the depth thing. So we can't have depth into various systems. We can't have the breadth in the sense of, we cover a lot of different systems and we might then provide more system view, going very much into detail. Or we look at the enterprise view, is it as always, there's not a single solution, which is in, in all aspects, but I believe we are, we are getting closer to being able to control more types of systems.
So, which is having more breadth and more depth. So having both breadth and depth and providing insights as well for tech as for business people. So when I look at the things which are happening, we see a trend towards that which supports different perspectives. Bridge provides both staff.
And clearly it isn't always a balance, but I think there's also logic in the changing landscape to start a central system, which you might complement maybe with certain specific aspects for some systems, if required. On the other hand, we can do a lot, right?
These days with a w which is really cross system and delivering insight into a relatively broad set of systems is a pretty high depth. And so this is what I really see also as a, as a trend in this market, as things are changing. So at the end, what do we need? We need the breadth. We need integration for all the applications, all the deployment models. We need to connect to them. We need to be able to, to provide insight to a required level. And I think that's for a cloud level thing, it's one thing which is really important, what is what you really require. So what do we really use?
What does it really help us mitigating security risks? What do we need for compliance?
It needs to be effective and efficient. So it needs to do the things you really need, which is the, the effectiveness, and it needs to do it efficiently so that people really can deal with that. So we should take this into account and really think about what is what we need.
And so Devon be looking at Dennis, the, the world of the business applications, but there's another world of access governance and GRC in the broader sense, which is the parts of the identity governance and administration, where we have more than X it's control level, really across system with a certain level of depth, but a relaxed level of breadth. And so it doesn't sweat where access governance and identity provisioning come together.
And what do you guys should consider as to which extent should this really integrate with what we are doing in the business application, GRC space, because at the end, there's also sot controls.
There's also access controls, tariffs, a lot of things that are a lot of things, which are similar.
And so there's a logic in saying, why not having this as a starting point where we really have a good level of depth really, where we really have breadth, where we help having one interface for the business users and, and looking at how far do we really come with the requirements we have to that a no brainer without any doubt, but there there's an option to, to rethink the entire landscapes. We have the way we do it for a successful GRC for the future, which needs to deal with different landscape as, as subset.
And it might be that you say, this is really more my, my, my, my core for breadth and some level of depth. And maybe you add something for very specific scenarios, but I think it's time also to rethink, how do we, you do it right in a changing environment.
So to come to an end, what are key requirements for successful GRC?
The number one is take a business perspective, support the business perspective, have a modern UI because if business people should use it, they need a different type of UI and one-on-one map business and technology, automate whatever you can automate, deliver insight into the details to the level you really need, support more systems because it's more than just the traditional SAP today, make it easy to install and configure and deploy, which means potentially as a service, which also leads to support flexible operating models.
With that, we are changing to the second part of the webinar, and I'll make Yash moderator, who will right now talk about, in fact, I would say how to do it. So Yash, it's your time.
All right.
Thanks, Martin. I hope everybody can hear me. And it was, it was quite insightful and definitely provided a guidance in terms of how the practitioners and architects have to really look at and model their business as they continue to evolve.
So, first and foremost, I hope everybody is doing good. And then what I'm going to do in the next 15 to 20 minutes is focus on, you know, doubling down on what Martin talked about and frame my discussion around the SAP applications and how basically how SAP ecosystem has changed over the period of time and it's continuing to evolve. So let's quickly look at the, the hybrid IT, right? And I think when we see this, things have evolved quite a bit in the last five years. The IT that we used to know before is not what it is.
You know, even last five years, things have changed quite drastically.
So we used to deal with, you know, mostly the SAP on-premise applications.
And again, as I said, framing with the SAP ecosystem in mind, but as Martin was highlighting, this is much broader. So SAP. So we used to deal with more of the SAP, different types of applications, whether it is HR, ECC, CRM, and so on, but things changed. And obviously everybody started working around the cloud-based offerings. SAP has offered, you know, a number of different cloud solutions, which are well adopted.
And again, this is just a short list of what those applications are, but it's, you know, the IT ecosystem is not just limited to this, right? It is definitely a very heterogeneous landscape that we see here. And you can, you can see that there are a number of non-SAP, both on-premise, as well as cloud applications. There are obviously various types of applications in your data center.
You still have a lot of either legacy or older technologies or home-grown applications. On the SaaS, PaaS and infrastructure-as-a-service side, a number of solutions and services have come up, and as Martin was pointing out, you know, businesses are adopting this very heavily, and we see these are more specialized services and you tend to go with one application for a specific business function and so on.
So if you really look at the modern IT, I think you have this combination of on-prem, cloud, which is one specifically around SAP, but then there is a whole other ecosystem of different applications. Now, what it does is it creates a unique challenge, and that is each application brings its own, you know, security model, access model. And even if you really look at the SAP ecosystem, that itself is quite different.
So I'm going to show, as an example, three or four different security models, and Martin was alluding to this in terms of how these technical constructs, access models are big. So if you look at SAP, you have, you know, quite a bit of hierarchy there. SAP HANA itself brings a number of new, you know, variations to the model. And if you look at, you know, the other applications such as Ariba and Concur, both are cloud-based applications. You see that each application has its own access model.
And now it's, it's very natural that each application has grown in its own way and brings its own security model. But from, from a practitioner standpoint, it creates a couple of unique challenges. One in terms of risk visibility, right? Until you want to have that single pane of glass view of all these applications and, and want to see where my risk is and how risk is changing and be able to apply the controls in a very, very efficient way.
But what happens when you have these different and disparate applications and access models is that, that you don't have that visibility.
Even if you have the visibility, it's at a very coarse-grained level. So first and foremost, to be able to uncover a lot of risks, you need to understand the access model at a much granular level. So you need to be in a position to bring that, that hierarchy of access, if you will, into a platform, to be able to understand the risk.
Second, you need to also apply and enforce security controls across all these applications consistently. And that's when you are, you are confident about the risk management that you have put in place. And ultimately, you know, as Martin pointed out, it's not just checkbox compliance. You just you're, it is a more improved security posture and better security for the organization.
What it also shows when you, when you look at those complex access models, is that you, as an organization is dependent on, on individuals, the SMEs to configure the right security policies.
It's, it's not managed at a, at an organizational level and more holistically. So you are dependent on individuals who may or may not be competent enough to set the right security policies.
So you'll, you know, now, now that you understand the challenges, you also see how the, the workforce, and especially with the COVID, the entire business has changed quite dramatically. So what has it done is it has opened up the attack surface even more. Not that it was not there before, but given the adoption of new services, given the accessibility that is required from all over the place, right.
You know, it's, it's no longer people are going into office and restricted within the boundaries or confines of the perimeter or the network. You are now working from everywhere. So in that case, when you are accessing these critical business applications, you need to have even more, you know, amplified security control. One thing I, one statistic that, that, that stood out for me as I was putting this deck together was the breaches that we have seen. And that has become a very regular occurrence.
The 80, 80% of those breaches are due to either privilege compromise or privilege abuse. So we need to put an even more emphasis on people who not only have access to these business applications, but more specifically privileged access.
Now, you know, in, in the past, there have been a number of buzzwords. You know, we have talked about zero trust. We know zero standing privilege is the least privilege model in the past. They have been, you know, buzzwords that industry is throwing and, you know, organizations are not necessarily incorporating them.
But what I see is it is it has become more mainstream and it's readily adopted across all organizations.
But bear in mind that when some of these principles came out, they were more focused around a perimeter-centric model or in a, in a model where you still have those boundaries, where you still have organizational constructs. So that has, that has disappeared, right? So you need to look at from a new lens. And the best lens from our perspective is to really look at how identity and access can control and, and secure your most critical systems. The other aspect is, you know, you can't, you need not have to, or you should not be just focusing on a bunch of applications.
When you really look at the ecosystem, it comprises of a number of business applications as Martin was alluding to as well.
So just focusing on a bunch of applications and leaving the door open for other business applications is not going to help you, right? So the attacks are going to come. And it's only a matter of time that with privileged access and lateral movement hackers are going to get access to your most critical assets.
So couple of things that I, I would like you to take away from, from this slide is that, one, you need to think identity-centric security model, and apply those zero trust principles to a much broader set of applications. Don't just limit to a handful of applications. So if you adopt that security paradigm, I think as organizations, you will be much better prepared to handle any, any attacks in the future.
So let's look at no, let's look at the solution, right? So in terms of how do we approach this? We understood the problem.
We, we know things are evolving. There are a number of different applications across the board, you know, SAP specific applications, non-SAP applications, and even within on-premise there are a number of SAP and non-SAP applications. Martin was alluding to, you know, a number of different solutions we have, and each goes at a, at a different breadth and a different depth. So what we see in the market is a much, a fragmented approach to addressing this problem, right? So there are solutions which are specifically focused on identity management. While it provides that breadth,
it's only doing the user life cycle management and some of the, some of the connectors and the provisioning aspects of, right. So it, it's only focused on applications and systems, but at a very coarse-grained level.
Now you also have the GRC or the access control solutions. Now there are some which are focused on SAP, focused on Oracle.
So again, it's a very siloed approach. And if you have to go beyond SAP to other applications, be it in the cloud, or even across other systems on premise, you would have to augment that access control with other, other products. Now coming to the access governance, which is the third area you would also have to look at, and you have to look at from a certification, from an SoD management and things like that.
Again, you are looking at, you know, connecting to various systems. So basically what has happened is, you know, it has created a very, very disparate and siloed solution space. Whereas you have to look at a more holistic solution approach, which we are going to get in a couple of minutes.
What it also means is that, one, you don't have visibility. These systems that are typically put in place are, are not interacting with each other, they are not sharing the risk insights or signals.
So that one system knows what the other system is doing and takes into account some of the decisions taken in the other solution and factor in, into the decision making process of this business process, right? And more importantly, from an IT perspective, you are spending a lot more time in terms of, you know, deploying this, implementing the solution, integrating with different set of applications, and more importantly, maintaining all these stacks in a, in a siloed manner. So you essentially are increasing the TCO for your organization, right? So this is, this is a real problem.
And if you really look at some of the cloud applications, the other challenge that you will face is, one, the existing solutions are not capable of connecting or bringing data.
So if you recollect what Martin talked about, so it's about collecting all the data connecting. And in terms of the breadth, being able to look at the granular level of access within each of these applications. So that is not going to happen with this, this siloed approach where solutions are not connected.
And if you really look at it, I tried to create this graphic and you'll see that there are lines going at different boxes, different applications, and it's just a mishmash, right? So it's, it's not giving you a homogeneous approach in terms of, one, understanding the risk, and second, applying those security controls required both from a compliance standpoint, as well as from a security standpoint.
So it, which brings me to the, you know, the next, the next stage of a solution that you need to be thinking about, which provides that 360 degree of visibility, keeps identity, access, and also usage in mind. That's where we as an organization think that there is a, a sense of, and the need for, convergence.
So there is that identity governance, which primarily deals with ensuring people have, right. People have the right access to the right assets, right? So you need to make, make sure that people get that right access. You need to have the business process workflows in place.
You need to be in a position to model the access using whether it is through roles, whether it is through rules and be able to use intelligence to drive some of those decisions in terms of how to assign that access. The second aspect of the solution is the, is, is what we call as application GRC.
And, and, and it, it primarily deals with ensuring that you have the right controls in place for, for those applications, as well as across the different, you know, regulatory constraints that you have, the, whether you have the GDPR, the SOX, the HIPAA, or a number of different regulatory requirements that you have.
So being able to apply those controls across this breadth of applications, being able to assess risk across applications, right? So if you look at some of these in silos, you probably are not able to identify the risk that that could emerge when you see this side-by-side.
And finally, the SoD management, which is an important aspect from an audit and compliance standpoint, being able to identify those toxic combination of access and be able to effectively remediate them and the current aspect. And I did talk about the zero trust and privileged access in the past, the whole emergency requests and emergency access management, right?
We, we call it as privileged access management, being able to provide your administrators or application owners just-in-time access elevation, being able to avoid that the standing privileges or the standing accounts, which continue to have, and, and can be that door for the hackers to come in.
So being able to restrict that and apply those fundamental principles of zero trust and zero standing privilege.
So what we see is this combination or converged solution that provides you with the, with, with the need to be agile, be able to extend the breadth of your coverage, but at the same time, go into the depth of these applications to identify the risks and manage those risks effectively.
So what I'm going to do in the next couple of slides is to, again, put some, you know, these screenshots of the solution itself in explaining how these three different components come together and to, to Martin's point earlier, one from a UX standpoint, you need to think of business users having that frictionless experience at the same time, not having those siloed applications, but bring all of them in one single interface. So let me, let me show that.
So this is, you know, this is our interface, a modern interface that, again, alluding going back to Martin's point, it's very easy for business users to navigate and request any type of access, right? Whether it is the role you're looking at, an entitlement request. So being able to do that in an intelligent way, Saviynt provides the option of, you know, recommendations and many other intelligence features baked into the product, into the access requests interface.
And from, from an approval standpoint, we are looking at guiding and we provide that additional insights in terms of helping approvers understand what they are approving. Are they commuting additional risk, or whether this individual needs to have this access or not. So being able to provide those decision points and be able to simplify the whole experience and bringing information from other risk elements, right?
So as, as, as a solution we provide, what, what is the, what is called the identity risk exchange?
And it brings risk signals across the different systems, whether it is your SIEM solution, whether it is your CMDB or vulnerability management, you should bring that risk information and combine it with the, with the inherent or the user risk. So you are combining different types of risks together in helping managers or approvers make that decision. Moving to the, the, so application GRC side of it, be able to provide, you know, easy to consume dashboards.
This is a view of what, what we call as the control center, which provides persona-specific insights. So in this screenshot, you see that the compliance owner has logged in and is able to see the trends of SoD violations. How has it varying, you know, whether it is enterprise SoD controls that are failing, or the ITGC controls that are failing, and be able to take action right
from this instance, right? So the actionable controls that Martin was referring to.
So it's, it provides you that view into a very easy view, and finally the privileged access standpoint. So being able to provide privileged access in not just the assignment of emergency access, but more importantly, being able to launch the applications from within the browser, right? So the idea of privileged access monitoring and user usage monitoring is that you're able to, you you're able to see and measure and monitor what administrators are doing.
So one, to be able to seamlessly launch this, and second, be able to see what individuals or administrators are doing, over-the-shoulder monitoring, and be in a position to terminate or revoke access in real time. So provides that 360 degree view of access governance.
And I was talking about that single interface, right?
That provides the frictionless experience. You know, there are a number of different ways in which we can simplify the access and provide a very frictionless experience. So there are activity streams, the action cards that help users navigate to their modern interface.
And finally, you know, if you can see here, it's a single interface to do all the different things, right? From the data access governance to identity governance, to privileged access management. So what we need to do is, from an interface standpoint, you need to really look at different personas. So you need to be in a position to tailor the solution to different personas.
You might have a risk and compliance officer who comes in and looks at how am I doing from a risk and compliance standpoint, or an application owner who is interested in ensuring their own people have least privileged access.
So being able to tailor the experience of individuals to different personas and ultimately, you know, you're working on key priorities, whether it is digital transformation, cloud-first initiatives, or compliance, be able to deliver that business value with the solution is extremely critical.
I would like to close out the session by providing, you know, proof in the pudding, right? So we have our customers who have implemented and gone down this journey and not just delivered the business outcomes that I was referring to earlier, but actually getting, you know, recognition from the analysts such as, you know, KuppingerCole. So with that, I'll turn it back to Martin, so that we can open up for Q&A.
Yes. Thank you very much. I'll make me the moderator again. So give me one second. Here we go. So we already have a couple of questions here, and as I've already said, I want the audience to enter additional questions. So the more questions we have, the better it is, and the more we can do it within the Q&A session, but maybe let's start with the question we have received for you, Yash. So for those who have already deployed GRC, do you provide a way to integrate and extend the tool to cloud and other enterprise systems effectively? How do you deal with existing IAM, existing GRC deployments?
Absolutely, Martin. I can take that question. So we do provide that, and we understand that organizations are in this journey of modernizing their ID, and we know that there are existing investments. So we do understand that and provide a very seamless integration with some of the existing GRC solutions, whether it is SAP GRC or other existing solutions that might be there.
We do provide, you know, the ability to, you know, share the risk in terms of the SoD risk evaluation, whether it happens in the SAP GRC platform or, you know, the request approvals happen in the, you know, the Saviynt platform. So we do share that information in terms of leveraging a rule set provided within the SAP GRC framework, but also, you know, share that information, the risk information, the approval, or the mitigating control information between the core solutions.
Okay.
Well, thank you for that. That's a great answer. A question which is more targeted at my presentation is, I spoke about, or the question says you spoke about, but I spoke about breadth versus depth while choosing a tool. And so the question is, do we need to compromise between the two, and/or could we have the best of both worlds? I would say this is an interesting question. It is, you know, we are guiding a lot of tools choice processes in various areas, if it's in our domains, identity management and cybersecurity.
And I would simply say, so there are a lot of very strong tools in various domains, but there's not the perfect tool, which is perfect in every single area. So every tools choice is a little bit of a compromise. The question is how big is the compromise? And I see it from that perspective saying the first thing is, look realistically at your requirements.
I far too frequently see far too many must requirements.
I always say, if you have more than 10 must requirements, you should be very careful because you hardly will find tools that don't fail at least one of the must requirements. So be realistic with your expectations, really rethink what it is. And it's not looking at the tool that is perfect in every area. It is the tool that fits best to you. And if you have that, then the compromise might be very little and was an infrastructure.
They say, okay, I really need to really be compliant to metric regulatory compliance requirements. And I need to support a growing number of solutions. Maybe even integrators IGA, the compromise might be relatively small. And then there's still the option to say the answered on how to integrate with the highly specialized tools.
There might be suing scenarios various, and for certain capability, which is not necessarily for a certain environment. It might be also certain capability. I need something in addition or whatever.
So the first thing is I would really reflect, what do you really need? And so what really helps you solving your challenges? And if you are realistic at that end, the compromise will be smaller, most likely, than you might feel at the beginning.
So that is my advice here. And as I've told you, there are more and more tools, including what Saviynt does, that support really a range of systems at a fairly good level of depth. If that is everything you need, or if you need more depth, that's something you need to look at carefully. With that, let's switch to the third question, unless you'd like to add something on that question I just answered.
No, no, I think, thanks Martin, for covering that. And yeah, it's becoming increasingly necessary and essential that we cover both depth and, you know, breadth of applications. That's the only way to go in this changing economy, the need to reduce the TCO and increase the ROI, and in businesses' own interest they need to take a hard look at it.
But yeah, I completely agree with what you just explained and advise organizations to look into it.
Yeah.
So another question, which is for you: do you proactively identify risks with access around an access request and provide that information to compliance owners?
Oh, absolutely. Absolutely, Martin. So we do that in a number of different ways. We basically have intelligence into every single process.
So it's not an afterthought. The intelligence or analytics is not an afterthought. It has to be, in our opinion, veered into and woven into the business processes, and the request being one of the business processes. You are basically looking at, you know, why the user is requesting, whether they should be requesting in the first place or not, should it be delivered through a role or should it be delivered through some other means, and whether their peers have access to these or not.
And more importantly, to the question, the SoD risks or other control risks that are emerging, or that might come up because of assigning that access. So all of these are evaluated in run time, in real time, and delivered as insights to both the parties, the users who are requesting that access, as well as those who are approving that access to their data, into the solution.
So a broad set of integration capabilities and with a lot of detail as you can deliver. I think with that we are through the questions we had, which means it's time for me to thank you for all the information you've provided. Thank you to all the attendees of this KuppingerCole webinar. And hopefully I see you soon again in one of our upcoming virtual events, or maybe even at some time then at the onsite events, which hopefully will be more again in 2021. Thank you very much.
Thanks Martin. Thanks everyone for joining. Thank you.