Welcome to our KuppingerCole Analysts webinar, Transforming Access Management Strategies for the New Digital Landscape. This webinar is supported by Saviynt, and the speakers today are Vinit Shah, who's Vice President of Product Management at Saviynt, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole Analysts.
As usual, for our webinars, we will have a sort of a threefold agenda, where I'll, in the first part, will talk about various aspects I see in the emerging markets when it comes to access management, especially also in the context, and this will be the main theme for today, of business applications, and then Vinit will follow up on this. We will do a couple of things here.
So, we will talk about this presentation, but we need a presentation by me. We will have a Q&A by the end, but we also will run a couple of polls. From a housekeeping perspective, by the way, you don't need to do anything here. We will record the webinar. We are recording it. We will provide the slide deck for download. This usually happens by tomorrow.
Also, the recording will be available then. Audio is muted, and there is a Q&A function in the application you're using.
So, on the right-hand side of the screen, you find the Q&A part, and you can raise questions at any time. I always like a lot of questions because this gives us the opportunity to share our thoughts with you in the Q&A session, and we will have a very lively Q&A session here, and I believe there are a lot of questions when we look at this. What we also do is we run polls.
So, in this webinar, we have two polls. One will be right after this intro screen.
The other, by the end of my part of the presentation, and if time allows, we will look at the results of these polls during the Q&A session then. So, having said this, let's start with this first poll.
So, the poll is about responsibility for application access control or application risk management, however you phrase it. So, who is really responsible for managing the access to the business applications?
So, for all the different types of line of business applications, be it SAP applications, Oracle, Salesforce, SuccessFactors, whatever else. So, are these different departments depending on the application? Is it the SAP department?
So, very common for SAP shops, so to speak. Is it the IAM department, or is it others?
So, is it in some other responsibility? So, we leave this poll open for a bit, so you can then respond to the poll, and I'm looking forward to your participation here. The more responses we have, the more relevant and interesting the results will be. And with that, again, a quick look at the agenda.
So, I will talk a bit about the change in landscape of application access governance before I hand over to Vinit, who will then look at specific challenges organizations are facing with their governance programs, the experience, but also clearly how, from a Saviynt perspective, this can be addressed. And then we have the closing part of our Q&A session.
So, no further ado, let's jump into the content. So, one of the polls we did a bit ago, but not that long ago, was about how is the line of business application landscape changing? And there's still a portion of organizations that are stuck into the sort of traditional SAP world, so to speak, the ECC world, but more organizations have sort of a mix.
So, there are in this conversions from traditional to modern solutions, while also quite a number have a mix, and 41% especially, there are definitely a lot which also have the sort of the SuccessFactors, other solutions, for instance, from SAP or some of the other line of business applications, or SaaS solutions in place. But we also see a tendency that more and more organizations adopt a wider variety of SaaS-based line of business applications by SAP and by other vendors, or primarily have solutions from other vendors in place.
So, we have a relatively mixed landscape nowadays, and only have a small part of the landscape as, so to speak, the traditional SAP landscape only. So, at the end, all the three pillars marked to the left, to the right, require solutions that are broader than the ones that originally and historically have been used for what a traditional on-premises SAP landscape. And this is basically also what I've reflected in this slide, that we see this change towards more vendors, not very frequently really a multi-vendor approach for line of business applications.
So, it's really more a few vendors, one or two types of core application providers, plus a couple of add-ons. But we see more of this using whatever specific solution for human capital management, using a specific solution for the CRM part or so, where other vendors come in play around sort of a nucleus core set of solutions in the space of line of business applications. And we see this tendency towards hybrid.
So, a lot of organizations really are still in this transition phase because it's not a simple project, as everyone knows. So, moving from one line of business application, one ERP system, for instance, to a new one, this is always a complex project.
So, we see a tendency, it's a move, and this will not change anymore. So, we will see a tendency towards more vendors, but not too many. But over time, more and more from hybrids to full-size. But this also is something which is a long journey. With this change, the question about who can do what in which of these applications comes to the table. It comes also to the table because there are end-of-life scenarios. There are other situations where organizations sometimes must act beyond the fact that they need to support all applications.
Additionally, we also see this tendency in the audit space to expand the scope from financial risk to sort of overall technology risk, which also means that more and more of this line of business applications are irregularly in the scope of what auditors are looking for. So, we see this both in the U.S. and we see it in Europe. And this also means we need to broaden our perspectives when we look at the tools that help us managing the access risks and related risks in that world of line of business applications.
And finally, it's not that it's only these applications, we have this risk everywhere. So, the question is also, how do we act here when it comes to the full breadth of applications?
So, not only line of business, but also whatever our Entra ID, our Active Directory, other types of systems, databases, etc., etc.
So, what impacts this decision? And this is, I think, what is important to understand. You should look at, where do you stand? How will your world look like in the future? And what then are the options you can potentially take? And the one part, for instance, is are you very much SAP focused? Is SAP a preference, but you have quite some other elements in place? Or is it really a very hybrid approach from a vendor's perspective for the different types of applications? And then also the deployment perspective.
So, is it still that you're more on the on-premises side or have you a very clear SaaS-first strategy? And then it depends on this mix. What is the preferred approach? And always keep in mind, there are options available. Even if you reside in a very strong SAP environment, there are other players out there, including Saviynt, but others that provide solutions that can support these environments.
And so, depending on that, you should, and I will not read out the entire slide, you will have access to the slide deck, you will have access to recording. You have different options, and I try to outline options here that you potentially can take here.
And also, then the question is, do you want to integrate the IGA, the Identity Governance Administration part, more strongly with the Application Risk Management, Application Access Governance, or not? Which also depends on aspects like organizations.
So, do you have organizations that insist on owning, for instance, the SAP-related parts of Application Access Governance or not? And so, these are the questions you should ask yourself.
So, I use these terms of Application Risk Management or Application Access Governance or Application Access Control quite interchangeably because we don't have really a defined and really fully established terminology in the market. So, you will find all of these terminologies when you look at the market. There's another aspect, and this is, so, which questions should you ask yourself from a standards perspective on how to move forward?
So, this, for instance, what SAP provides is the right choice, is what should you do? I think we also have this end-of-life scenario for the current SAP Access Control. We have the options. You will hear quite a lot about this in the next part from Vinit.
So, ask yourself the questions, is what you have the right way to move forward in a changing world? This is basically the question you must ask yourself.
So, where do you stand on, is this the right thing for the way forward, especially with changing requirements, with changing environments? What is the tool, what is the approach you should use in the future to serve what you expect to have? Because I think the other point, which I feel is very important, when you have this situation, this scenario, then we're thinking about time frames of many years.
So, decisions you make are not decisions for now, for the next couple of one or two or three years. We're talking about relatively long timelines for how long we will use the solution.
So, what you consider now should be considered with a time frame of 10 or even 15 years in mind and saying, okay, how will my entire landscape of applications change, my requirements change, and how can I best serve them? What is the right type of investment? You also have the overall complexity of your IT.
So, how does your environment look like? What is your overall strategy towards the, on one hand, the LoB applications, on the other hand, also the other types of applications?
So, how will this change over time and what is the right way to support these environments? Again, I will not read out the entire slide in the interest of time, but there are different options you should consider when you think about what is the right way forward for managing access risks in your business applications. And what I would say adds to this, and I've touched it already a bit, what adds to this is we have IGA, so the Identity Governance Administration, and we have the Application Access Governance, and they are not the same, at least not yet.
So, we see overlaps. We see vendors sometimes going more into a convergence. Saviynt had this converged approach from the very beginning.
So, this is where they have, I would say, a sort of part of their DNA is really in this converged approach here. But basically, IGA is really focused on, specifically on the support of a wide range of applications beyond line of business applications, while Application Access Governance has things like predefined rulebooks, for instance, for SAP, role optimization capabilities for a line of business applications, frequently SAP-specific features.
And then we have some overlap in the provisioning of user and their lifecycle management, the access reviews and handling SOD controls where we see the overlap. Basically, IGA is a bit more about breadth, and AAG is more about depth.
So, there are things that overlap, and the question you also need to ask yourself is, do you need something specific, especially on the AAG side? Or is there something where you can say, this is really a very good combined solution? And I think we're coming closer to the point where this overlap is growing, especially by some of the vendors in the market. And that gives you a potential to have a different strategy, which is much more integrated than it has been maybe 10 or 15 years ago when the entire sharding into Application Access Governance started.
When you look at capabilities, then for Application Access Control, there's quite a list of things we expect to see. Nowadays, these solutions for SAP and beyond SAP.
So, for most organizations, SAP plays an important role. For the ones it doesn't, it's anyway a bit differently, because then you need to look at how does it primarily support my other leading line of business application.
So, aspects like deployment models, support for different line of business application of SAP and others, the ability to help you in analyzing your entitlements and roles at all levels. Line of business application, we all know, tend to have their own very complex concepts on time. And then you need to really support these concepts across the entire press down to the transaction and SAP, etc.
The management of roles and entitlements, super user management, potentially an option, usually a very important option, and firefighter capabilities, lifecycle management, the SOD controls, the reviews, the reporting, all these things are required baseline capabilities.
But we also see that a growing need to support additional things like integration with enterprise service management, like integration to IGA solution, unless it's anyway an integrated solution, runtime execution for audits, specific platform support, broadening the support for other business applications and SaaS applications that are relevant to your organization. So, there's a relatively broad list of capabilities that we see. And when we take a rough comparison, then it is that both IGA and AAG in their traditional forms have their strengths and weaknesses.
And as I've said, we see an increasing overlap. But what is very important is, I think, for everyone to understand what is really needed, which applications must be supported, which features are needed in which depth, and what is the right type of solution. It's a single tool, it's a combined tool. It's something where you say, this is covering most of what I need, but for very few areas, I may have something specialized. This is what you need to look at.
What really is important is, for all the decisions that you need to make, and virtually every organization needs to make decisions in this space now. Think thoroughly, not just pick a tool for the platform you've been using the past years, but think about what is the right way to proceed for the next decade and more. Because this is the time frame you need to think about. This decision is more complex, and we need to go even further into detail here and also outline how this could look like very concretely with, in this case, surely the Saviynt platform.
But before we start a second poll, and here, it's about what is your main application access governance challenge. Manual processes, too many different security models, and we all know these can be very complex and very hard to align. Long audit cycles and maintaining compliance, unknown risk or managing cross-application segregation of duty controls. Especially the more different SaaS applications you have, or whatever, you have supplier management on a different application than your finance system, then you have a cross-application SOD requirement.
So, because creating the supplier, approving the invoices still must be handled as a conflict, the potential one across different applications. So, looking forward to the poll here, again, and the results you provide here. And with that, I hand over to Vinit. It's your turn.
Good morning, good afternoon, good evening, everyone, depending on where you are. My name is Vinit Shah, and I am the Vice President of Product Management at Saviynt.
I look after the identity and application access governance suite of products at Saviynt, and it's really a pleasure to be here sharing some thoughts, some best practices, et cetera, on how we are seeing organizations navigate the landscape of the modern digital landscape in a way. So, let me get started with just quoting some of the voices or what we are hearing from our customers, from the prospects, from the market in general.
So, as you can see over here, there are a variety of different aspects that the market is really talking about, starting with visibility, you know, not having enough identity context, you know, compliance, or increasing compliance cycles to be the problem, cross-application risk to be the problem. So, you know, what we've done over the next few slides is we've consolidated some of these challenges that we are hearing from the market, and you talk about some of the key challenges and how we are addressing from a Saviynt standpoint, right?
So, the first and foremost is, you know, what we are observing with our, you know, customers and prospects is that the nature of application is evolving very fast, right? So, these applications, especially the business-critical applications like SAP or Oracle, have a very complex and unique security model to manage access and compliance.
You know, for these, many organizations have relied on point solutions like SAP GRC or Oracle GRC, and many organizations have custom-built certain utilities in combination with some manual work that has happened, right? So, while these products and these techniques have served to be effective at the time in that specific environment, they create significant challenges as well, right? They work in silos.
So, for example, the SAP security team, at least based on what we've seen, is often limited to that ecosystem of SAP and really lacks visibility into other connected applications. Or another critical issue here is that with this approach, it also misses the broader identity context. It does not provide a complete view of all the identities that have access to these sensitive ERP applications, nor does it track, you know, key events like joiner, mover, leaver in a more, you know, unified way.
So, as a result, what we have over here is fragmentation. The problem of, you know, fragmented governance, which increases the risk and increases the operational inefficiencies across the organization.
So, you know, the lack of integrated identity governance approach to fine-grained application governance, especially for these key ERP applications, creates, you know, blind spots that could leave organizations very vulnerable to attacks in a way. The next key challenge, you know, that we are also observing since past few years is, you know, a strong market trend in terms of, you know, platform consolidation and modernization, especially in the ERP space.
So, you know, major players like SAP, Oracle, and more recently Microsoft have announced that, you know, all their existing on-prem implementations or the on-prem products are moving towards an end of life and the customers have to transition from the on-prem solutions to the cloud. Obviously, this shift is driven by, you know, the added benefits that the organizations will realize from the perspective of intelligence or scalability and the business value that these cloud platforms in general can offer as a service.
But what we are also seeing and what Martin also alluded earlier is organizations are realizing that moving to cloud isn't just another upgrade, right? It is obviously a necessity to unblock more advanced capabilities but also to have better security control with the agility of how the business is evolving, right?
So, with this shift, companies are dealing with a lot of end-of-life announcements, especially for, you know, the legacy IDM products like more recently we are seeing the trend in the market at least in terms of, you know, SAP IDM announcing the end-of-life or the current platform of SAP GRC coming towards the end of that maintenance cycle or Oracle GRC, etc. So, these announcements, you know, particularly in the domain of identity and application access governance space, they create, you know, challenges but I also look at it more from an opportunity standpoint, right?
So, on one hand, there is, you know, there is that potential of, you know, organizations for them to consolidate these various, you know, disparate products, you know, disparate identity management or access control products into a more consolidated, you know, converged platform that provides efficiency more and it drives more, you know, efficient behavior in general from an identity security platform standpoint. On the other hand, this introduces, you know, key considerations for organizations.
So, for example, some of the questions that we hear in the market is, you know, should I place all my trust into a single platform or am I risking vendor lock-in, like how customizable or, you know, extensible the platform is going to be in order to meet their evolving business requirement.
So, these are critical questions that organizations are grappling with today as they look into future proofing their landscape from identity access control in general security and compliance standpoint, you know, while also, you know, making sure that the platform that they are selecting is also evolving alongside their business requirements, right? So, some of the key considerations that we hear that organizations are thinking about.
The next trend, another critical one that we are seeing in the market is the exponential growth in both, you know, the SaaS application adoption and the type of identities that organizations are managing. So, traditionally, organizations have dealt with human identities like, you know, there's obviously the end users, the managers, the application owners, etc. And then you have power identities or, you know, system administrators, IT admins, Basis, DevOps. But in recent years, we've seen a surge in non-human identities.
These include, you know, APIs or app-to-app communications or devices and machine identities. All of these different types of identities have significantly grown in volume, introducing new complexities to the landscape, right?
So, with this proliferation of identities and access points, manual governance techniques are no longer sufficient. They cannot scale to handle the volume and the complexity that it creates in the environment. And to better kind of augment this thought process, at Saviynt, what we recently did was we conducted a survey because we manage one of the largest identity and security warehouse on the cloud with over 55 million identities that are under governance and more than 2.5 billion identity associations that we are managing on a day-to-day basis.
So, through this recent survey, we identified some key challenges that organizations face while managing the identity access at scale. So, first and foremost, obviously, all companies looking for more compliant processes have a certification or access review campaign that they are running.
So, what we observe on a typical scale of organization with 20,000 plus identities, on an annual basis, when a customer is running certification, our customers are handling approximately 500,000 identity access line items that require reviews across various certification types, right? So, with such high volume, we observe an average revocation rate of less than 1%. This is primarily due to certifiers becoming overwhelmed by the number of reviews leading to bulk approvals or rubber stamping rather than thoughtful revocations or approvals, et cetera.
So, it's clear that the revocation rate has to be increased. It cannot be 1%. And what is required today is some intelligence to aid these certifiers and help them take decisions more effectively, keeping compliance and security in mind. The other thing that we are also observing in the landscape today is the rapid adoption of applications, primarily with SaaS applications that are coming under governance, which also adds another layer of complexity.
So, on an average, a typical end user has access to approximately 140 to 150 different applications that they can request access for. So, with approximately 150 different applications that are requestable in nature, across these applications, there are approximately more than 200,000 entitlements that are requestable. This itself creates a significant friction for a regular end user or a new joiner who struggle to identify the right access that they need in order to do their job.
It often leads to incorrect access requests, more segregation of duties, more risks in the environment, and in general, add unnecessary delays in getting the work done. So, with such complexity, the user experience is crucial over here. Certifiers and end users face unnecessary friction, leading to inefficiencies and errors.
And so, there is a need for better, more smarter access reviews, governance processes with more intuitive user interface, aiming to simplify and streamline the entire identity governance landscape. So, with these key challenges in mind, in the next slide, what I'm going to walk you through is some of the key criteria that any organization should think into before buying or before investing into a new platform as they get into this journey of modernizing their landscape with all the identity management products or the access control products, etc.
So, the problem that we are trying to solve over here is application access. So, basically, all the right users should have access to the right application at the right time, and you need to monitor and manage that on a continuous basis.
So, the application access has to be managed at the level where the security really matters. You cannot have a traditional IGA system manage critical business applications at a coarse-grained level where the security is really at the fine-grained level. It's more in the depth.
So, the first thing as you think about getting onto this journey in terms of modernizing, you need a platform that has the capability to manage the breadth and the depth of applications. It can connect to a host of different applications, be it on-prem, be it on-cloud, be it an ERP application, on-prem, on-cloud, directory services, infrastructure platforms, etc. Companies cannot get into the trap of point solutions as they tend to introduce more silos.
So, in today's world, companies need the context of identity for true security and compliance controls that have to be executed at any given point. We envision a world where everyone has access to everything. And by everyone, I mean all the types of identities, whether they are human or non-human, whether they are internal workforce identities, external identities, machine identities, any non-human identities. And by everything, I am referring to, like I said, all the different target applications that a customer may have in the landscape.
We need to protect, we need to basically think about the scenario where everyone is having access to everything and that landscape needs to be protected. So, this protective layer needs to be context aware. It needs to manage and govern who has access to what, like I said, at the granular level. The higher the risk, the more controls that should be put in place.
So, for the highest risky access, you enforce that via emergency access management or privilege access management. But the current challenge, as we see more and more different types of applications that are being adopted, is the current or the traditional approach of traditional identity management, products, etc., that does not scale to this problem of everyone and everything. All of these are primarily focused on process automation.
So, to scale, we need to add a layer of intelligence. We know that our customers need AI, they need analytics to manage this at a digital scale. They need visibility to all of those identities and what they are doing with those identities and monitor them and manage their access on the fly. And all of that can only happen with intelligence. And lastly, our organizations need to be risk aligned and they need to be threat aware at all times. We are in an age where the attack vectors are changing rapidly.
So, controls should be put in place to detect critical transactions that are occurring, align it with risk and threat positioning of those attack vectors, and it should be able to orchestrate a swift response in order to protect their landscape. So, these are some key considerations that any organization should think about as they are getting into this journey of modernizing the landscape and the identity management platforms, etc.
So, at this point, I would like to introduce you to Saviynt Identity Cloud. It's a true purpose-built platform. We've built it grounds up and it's a converged platform designed to protect all your assets and all your identities. This converged platform provides the full suite of capabilities where products like identity governance and administration or privilege access management or application access governance.
These are separate products on the platform, but we are so interconnected and they're so intertwined because at the end of the day, we are looking at it from an identity security standpoint and we are trying to solve a bigger problem of the right users having access to the right data and monitoring it on a continuous basis and managing that access. So, the core problem that we are solving today for our customers with this integrated approach is also giving them an ability to not just connect to a variety of different applications, but to also connect with these large application ecosystems.
And when I say ecosystems, I mean all the different products that SAP has, the S4, the Aribas of the world, the SuccessFactors, the Concurs, the Analytics Cloud, etc. And similarly, with other ecosystems and with other vendors like all the Oracle products and all the Microsoft products and all the AWS and Azure products, etc.
So, what we are trying to do is again go back and address some of the challenges that we are hearing from the market in a way addressing the problem of silo because the platform is designed to have the context of identity at all times. We are the first ones in the market who provided an identity centric application access governance or access control kind of a product that is offered as a service on the cloud. This is not a point product. It's not a point platform. It caters to all these different types of applications.
And again, these are just the few ones that I called out because the security model of these applications are very different from each other. They are very complex in nature because they deal with so much in general from an ecosystem standpoint for ERPs and HRs and CRMs and SRMs, etc.
So, to have a platform that is able to connect to all of these different products at the level where it really matters from a fine-grained standpoint, bring usage and provide a host of different capabilities in order to simplify the experience that it's offering to all the different personas that are interacting with the platform with an intelligence layer and making sure that the platform is extensible enough in terms of catering to the different requirements of organizations as they evolve in this digital world.
So, at this point, let me take just one more minute and double-click a little bit on the SAP aspect of it. With this, my intention is to just double-click on our solution that the Saviynt Identity Cloud provides for the SAP suite of applications.
So, as you are seeing over here at the bottom, Saviynt Identity Cloud is able to connect to all of these different products of SAP. It could be an on-prem product of the traditional HR, LPCC, and ABAP-based applications. It could be the S4, which is hosted on-prem or on-cloud, or the new experience clouds like the Analytics and the Marketing Cloud, Ariba, all of them.
Again, the intent is that the platform is extensible enough from an integration standpoint to connect to each one of these different applications, either directly or via BTP or CIS platform, depending on what SAP is exposing. And it is able to ingest all of these different data that you are seeing over here.
So, we are able to ingest all the users who have access, getting the right level of security information or access information in terms of roles, T-codes, authorizations, field values, security configurations, bringing logs, whether it is usage logs or the T-code usage or the audit logs with SM20 or the change logs or the business transactions that are actually getting executed in the platform, and build a true identity and security warehouse with an intelligence layer on top of it that provides all these different capabilities.
So, across these products that I mentioned, which are there on the cloud that we are providing, these products really, if you break them down, then it comes to these modules in a way, which is access request. We give full-blown access request management module for end users requesting access to the roles, to the entitlements, creating new user requests, etc. Access reviews or certifications, again, different types of certifications that we are handling from an intelligence standpoint as well.
Emergency access management or privilege access management, full-blown segregation of duties management and remediation capabilities. Role entitlement management governance, where we take the customers through the lifecycle of creating intelligent roles, and this becomes more relevant as you are embarking on this journey to transform the on-prem application to the cloud, the security has changed.
So, your role design and the role modeling has to evolve as well. There are new entities like Web Dynpro and the Fiori apps, etc. that have to be taken into account and monitor them continuously via continuous controls monitoring and the life cycle of it that needs to be managed.
So, at the end, I would like to invite you to visit our website to know more about how we are solving this problem for some of the biggest and the most complex organizations, embracing their complexity via our platform and providing a whole suite of capabilities in order to protect your landscape from an identity and access standpoint. We provide one of the top solutions in the market as an alternative as you are looking to modernize the IDM and access control landscape.
So, with that, I would like to end my segment and hand it over to Martin and Sanu. Thank you.
Thank you, Vinit. We are right now going into the Q&A session. We already have quite a number of questions in the Q&A and some of you have already figured out that you can vote for the questions.
So, please use the opportunity, enter your questions, vote for the questions. We will pick the questions with the highest number of votes first before we then go into the ones which have less votes. And that is also the starting point.
So, the first question I'd like to pick is, how do we best deal with the complexity of different entitlement models and LOB applications? And these entitlement models even sometimes changing with major releases like we have seen in some of the applications in the past.
So, Vinit, I think this is a very good question for you to provide a bit more detail here.
Absolutely, Martin. So, just to kind of paraphrase the question, how to best deal with the complexity of different entitlement models, correct?
Yes.
Yeah, absolutely. Again, so, like I was alluding in my segment as well, that the best way to deal with these different entitlement models or the security models of these different business critical applications is to really manage them at the level where security and compliance really matters.
So, what I intend to say with that statement is, manage them at the fine-grained level. You choose a platform that is able to integrate with these different set of applications, ingest their complete stack of access and have an identity centric view to manage those application access at a fine-grained level. And further down the road, you have to deal with access modeling.
So, you have to create the right level of roles, application roles, it could be the business roles, and you do that with the power of intelligence. So, you provide the right level of access to the right person at the right time, and you take it away as well.
So, the continuous management and monitoring of these accesses for the identities that really kind of is the most important thing. I hope I answered.
Okay. Thank you, Vinit. And I think, yes, we need the depth in the insight. This is very important.
So, at the end of the day, it's really about having tools that help us mapping different models into a more consistent view. This is clearly hard for the vendors. I had discussions with many vendors. And this is clearly the thing which really needs well-thought-out solutions and experience from the vendors to deal with these challenges. The second question I'd like to pick is, that's an interesting one. I don't have a simple answer, honestly, from my end to that.
Can we go to a cross line of business application access governance approach if the CIO isn't willing to break up the SAP silo or SAP kingdom? I think this is an interesting point. Maybe I should start first. We see a lot of organizations that there's a very powerful SAP organizational unit. And it's definitely not easy then to have solutions in place that are covering multiple approaches. I think there's a lot of work on ownership, processes, interfaces, etc. There can be solutions, but it's then it requires a lot of work.
I personally, I'm a big believer in that it doesn't make sense for an organization to structure itself along products. It should structure itself along organizational aspects around business processes, around tasks. And then it's not about saying there's an SAP department, but there's a department that cares for certain end-to-end business processes and the technology behind. So the technology is in the supportive thing. And then it looks very different because then the governance is a different thing. This is something which is independent of the technology.
And so that's the way we should probably treat it. Vinit, anything from your side to add?
No, I fully resonate with your thought, Martin. I fully agree with you that the strategy cannot be around products. It has to be around the best strategy to secure landscape.
And again, in the past, there are things that have been done, maybe rightfully so, because of how the security landscape and the compliance landscape was. But the nature of security and compliance has evolved so much over these years. And we are seeing more evolution as we go. So the bigger context over here is to make sure that identity becomes the key control, keeping security and compliance in mind across all of these different applications.
And therefore, in my view, we have to provide more power to the CIOs and try to break these silos in order to meet the needs of today's security challenges.
And I think that's a fair point. So in some sense, application access governance was a bit of an afterthought because it came in later, and then it was also needed for a more narrow part of the world. So primarily financial data, which means it was a bit of a different story back then. And this is, I think, really changing. And also the role, I think, IT plays for business also has changed again.
So I think we should just take a different thinking here. So next question. And I think this is also very good one. We will not be able probably to answer all the questions in the interest of time. We have only a few minutes left.
Also, let's try to keep our responses short. With the end of life of the current version of SAP Access Control approaching, what is the recommended approach on moving forward here?
One, if you're very SAP heavy, and one, if you have a very hybrid environment. My general perspective as a neutral analyst is step back and look at really where you, how your world will look like, and what the requirements are. And then start analyzing what is really what will serve this best. So do it open-minded and look at the different options you have in this market, but never go just for replacing one tool by another tool. It's more than just a tool decision from version A to version B. It's something way more strategic.
And this is the way, and I think there's a lot of guidance in my deck and also what we need to provide it to take. Vinit, anything to add here?
No, no, I think you kind of rightfully summed it up, Martin. So yeah, let's move on to the next question.
Okay. Also very good one. Can you provide some examples of where non-human identities are relevant when it comes to access to line of business applications? So you stressed the non-human items a bit. So where do they play a role in the world of access to line of business applications?
Yeah, like, you know, one of the recent examples that comes to my mind is with utilities companies or with an energy company where, you know, they are providing access to SAP applications via devices.
So like devices have access to the SAP applications, especially in the downstream world, you know, for such companies where, you know, a person on the rig who has a device has access to, let's say, a SAP application, or they are using RPA environments or the RPA products where they have created, like, you know, a factory of bots to monitor and manage access and monitor, you know, the ecosystem of SAP, etc. So you don't even know how many non-human identities are there.
So the biggest problem that we are facing over here is visibility, you know, for the customers, how many non-human identities are there? What are those types of identities? What access do they have and how to manage them?
Okay, great. So I think we have some questions here, which are all a bit about what can Saviynt serve? And maybe you can give a short, a bit of combined answer here. So you have Cloud IAG, potentially you have access control for SaaS, for on-prem. You have the end of life of SAP identity management, but you also have scenarios where it's not easy to replace SAP access control due to all the customizations. So any considerations to take here in the way forward? So can you replace everything? We will say yes. But what maybe should be considered and how should customers think about it?
You know, it's a pretty loaded question.
Yes, it is.
You know, like, I would...
There are three questions from the audience, but in the interest of time, I...
Yeah, absolutely. So what I would urge is for them to look at your deck in detail, because you have, you know, very nicely articulated the strategies in terms of how the customers should think about and really it boils down to what you said earlier, right? It boils down to the requirements and where do customers see how they are evolving moving forward. But in general, Saviynt, yes, provides all the capabilities that a traditional identity management product or an access control product is providing today.
The best part of Saviynt is it is modular enough where, you know, if you choose to replace a portion of, you know, let's say, capabilities with Saviynt, it can do that or it can also help you in modernizing the entire landscape. You know, we're helping you through modernizing SAP IDM and if required, access control as well, right? It really kind of boils down to the requirements, like you said, Martin, and what are the strategies that the customers are really thinking about?
In many cases, it will be anyway a staged approach because you won't replace everything at the same point in time, but it will be that you say, okay, what is my target? I think you should really start with understanding where do I need to be in for the next five, 10, 15 years? And then how can I move forward in the best way with the required level of flexibility because over the next five years, also a lot of changes will be there in the market, in the technology.
So really look at where do you want to go and think beyond just, oh, I need a new tool towards how does my strategy look like and how can I proceed on this? With that, we are at the end of the time already. It's time for me to say thank you to everyone. Thank you to you, Vinit. Thank you to Saviynt for supporting this webinar. Thank you for everyone for attending this webinar. There are a lot of other webinars in the next couple of months. There are other events like our Cyber Evolution.
Next year, May, we will have our European Identity Conference again, so don't miss these events. And with that, again, thank you very much for being here. Thank you.
Thank you, Martin, and thank you everyone for attending. It was a great show. Thank you.