1 Introduction
Access risks are among the fundamental challenges organizations face in their Risk Management. Many past incidents caused by insufficient SoD (Separation of Duties) rules, together with the fact that overentitlements and other access risks are routinely exploited by both internal and external attackers, demonstrate the need for organizations to have a strong Access Risk Management posture.
Traditionally, Access Risk Management is split into two disciplines. One focuses on access risks in Line of Business (LoB) applications such as SAP. The other focuses on the broader application landscape and is commonly referred to as IGA (Identity Governance & Administration), consisting of Identity Lifecycle Management, User Provisioning into target systems, and Access Governance. The specialized Access Risk Management solutions for LoB applications have evolved within the various application ecosystems, most notably around SAP.
Both market segments are evolving, and both are about to shift towards closer integration. IGA is increasingly powered by AI (Artificial Intelligence) and ML (Machine Learning) in order to become more automated and dynamic, instead of focusing on static, standing entitlements. On the other hand, Access Risk Management is evolving beyond the domain of a single vendor's LoB applications. This is a logical consequence of the evolution in the LoB space, with new SaaS solutions complementing existing LoB solutions such as SAP ECC. Thus, Access Risk Management must support different types of technologies beyond, e.g., the traditional SAP ABAP environments. Additionally, customers are shifting towards multi-vendor LoB infrastructures, where, e.g., CRM runs on Salesforce while ERP functionality remains with SAP or Oracle.
The integration of Access Risk Management with IGA is a logical consequence of this overall evolution: neither access risks nor SoD controls are limited to the core LoB applications, and IGA in any case already serves many LoB applications alongside IT infrastructure and other IT services. Several IGA vendors have, e.g., provided strong support for the SAP stack of LoB applications for a long time.
Within Access Risk Management, we expect to see a range of capabilities, delivered either directly or through integration with IGA solutions. Main capabilities include:
- User Provisioning and Lifecycle Management, specifically the provisioning of accounts into the LoB applications
- Access Request Management and the related fulfilment
- Access Certification
- SoD (Separation of Duties) controls, including predefined rule books for major LoB applications, enriched with utilization logs that show whether conflicting entitlements are actually exercised rather than merely assigned
- Emergency Access or Firefighter capabilities enabling time-boxed, controlled privilege escalation
- Access Risk Analytics and Management
- Access Modeling and "What if" Simulation
Many of the solutions in the market come with additional capabilities.
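To make the SoD, utilization-enrichment and "What if" capabilities from the list above concrete, the following is an added illustration written for this page; it is not code from SailPoint, ERP Maestro or any product discussed here. The function names (MAINTAIN_VENDOR, POST_PAYMENT, CREATE_PO, APPROVE_PO), the entitlement identifiers, the rule IDs and the log lines are all constructed for the example; a real rule book maps business functions to vendor-specific transaction codes or roles.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed rule book: a business function is a set of entitlements (think
# transaction codes or roles), and an SoD rule names two functions that a
# single identity must not hold together. All names are hypothetical.
FUNCTIONS: Dict[str, FrozenSet[str]] = {
    "MAINTAIN_VENDOR": frozenset({"VEND_CREATE", "VEND_CHANGE"}),
    "POST_PAYMENT": frozenset({"PAY_POST"}),
    "CREATE_PO": frozenset({"PO_CREATE"}),
    "APPROVE_PO": frozenset({"PO_RELEASE"}),
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    function_a: str
    function_b: str
    risk: str  # e.g. "HIGH" or "MEDIUM"


RULE_BOOK: List[SodRule] = [
    SodRule("P2P-01", "MAINTAIN_VENDOR", "POST_PAYMENT", "HIGH"),
    SodRule("P2P-02", "CREATE_PO", "APPROVE_PO", "MEDIUM"),
]


@dataclass(frozen=True)
class Violation:
    user: str
    rule_id: str
    risk: str
    exercised: bool  # True when the log shows both sides of the conflict were used


# Constructed standing assignments and a constructed utilization log.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"VEND_CREATE", "PAY_POST"},  # holds both sides of P2P-01
    "bob": {"PO_CREATE"},
    "carol": {"VEND_CHANGE"},
}
UTILIZATION_LOG = [
    "2024-03-01T09:12:00Z user=alice action=VEND_CREATE",
    "2024-03-01T11:40:00Z user=alice action=PAY_POST",
    "2024-03-02T08:05:00Z user=bob action=PO_CREATE",
    "this line is malformed on purpose",
]

LOG_LINE = re.compile(r"^\S+ user=(\S+) action=(\S+)$")


def parse_utilization_log(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each user to the entitlements they actually used; skip malformed lines."""
    used: Dict[str, Set[str]] = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        user, action = m.groups()
        used.setdefault(user, set()).add(action)
    return used


def functions_held(entitlements: Set[str]) -> Set[str]:
    """A function is held if at least one of its entitlements is present."""
    return {f for f, ents in FUNCTIONS.items() if ents & entitlements}


def analyze(assignments: Dict[str, Set[str]],
            used_by_user: Dict[str, Set[str]]) -> List[Violation]:
    """Evaluate the rule book against standing access, enriched with usage."""
    findings: List[Violation] = []
    for user, ents in sorted(assignments.items()):
        held = functions_held(ents)
        used = functions_held(used_by_user.get(user, set()))
        for rule in RULE_BOOK:
            if rule.function_a in held and rule.function_b in held:
                exercised = rule.function_a in used and rule.function_b in used
                findings.append(Violation(user, rule.rule_id, rule.risk, exercised))
    return findings


def simulate_grant(assignments: Dict[str, Set[str]], user: str,
                   new_entitlements: Set[str],
                   used_by_user: Dict[str, Set[str]]) -> List[Violation]:
    """What-if: violations a proposed grant would add, checked before provisioning."""
    before = set(analyze(assignments, used_by_user))
    proposed = {u: set(e) for u, e in assignments.items()}
    proposed.setdefault(user, set()).update(new_entitlements)
    return [v for v in analyze(proposed, used_by_user) if v not in before]


if __name__ == "__main__":
    usage = parse_utilization_log(UTILIZATION_LOG)
    for v in analyze(ASSIGNMENTS, usage):
        print("standing violation:", v)
    for v in simulate_grant(ASSIGNMENTS, "bob", {"PO_RELEASE"}, usage):
        print("would be introduced by grant:", v)
```

The `exercised` flag is what the utilization enrichment buys you: alice's conflict is both assigned and actually used and therefore belongs at the top of a remediation queue, whereas a conflict that is assigned but never exercised is a candidate for simple entitlement removal. The simulation runs the same rule engine against a copy of the assignments, so an access request that would introduce a new conflict can be rejected or routed for risk acceptance before anything is provisioned.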
Having strong Access Risk Management solutions in place that integrate well with the IGA solutions is a mandate for every organization today.
SailPoint, a leading vendor in IGA, has extended its support for Access Risk Management through its recent acquisition of ERP Maestro, a specialized Access Risk Management vendor supporting SAP and a range of other LoB applications, and through the integration of the resulting SailPoint Access Risk Management solution with the other SailPoint products.