Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm the Director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Martin Kuppinger. He is one of the founders of KuppingerCole Analysts and he is the Principal Analyst. Hi, Martin. Good to see you.
Hi, Matthias.
Great to have you. And this time this is a premiere because we will be talking about two documents at a time. So we will talk about two Leadership Compasses around a specific group of topics. We want to talk about governing and securing and protecting and taking responsibility for data in the key systems within an organization, at least for many organizations. The Line of Business applications we think of SAP and beyond. Why is this so important?
Yeah. When we talk about Line of Business applications, we're talking about ERP systems, so the finance applications, the HR applications, the CRM applications, all the others which form, so to speak, the core of the solutions around the business processes. These are, I think, without any doubt, essential for every organization. We have other critical systems, that may be operational technology systems, that may be systems that care for information that sort of makes up the core of the organization, the software organization, and surely everything which is around the code and the intellectual property is there. But Line of Business applications are there and they are relevant to each and every organization. And that means that we must take special care for these systems. And Line of Business applications, that means applications such as Salesforce, such as SAP systems, such as Oracle E-Business Suite and many, many others. So this is really a wide range of systems that are essential to support the core business processes within an organization. So, you ask why is this so relevant? And I think this is the point. If there are attacks, if there is fraudulent access, if there is abuse, misuse of these applications, then we have a problem within our business process. That applies to financial data, surely. Going back to the 2000s with the Enron scandal, where then the SOX, the Sarbanes-Oxley Act, followed, which gave this entire segment a major push. That is part of it. But it's also all the other types of relevant information we have around our business process that must be protected, that are increasingly in the focus of auditors. And this is the reason why we again looked at solutions that help us managing access entitlements and, to a certain extent, the security of these applications, with the focus more really from the access control and SoD, Segregation of Duty, perspective.
You may call it Access Control Tools, you may call it Application Access Management or Application Risk Management. At the end, it's about getting a grip on who can do what in these systems and to ensure that we really have good control and enforcement of least privilege and all the other stuff.
Right. This is usually not something that is so much common in the news. So there are no fancy headlines or dramatic headlines when it comes to protecting these systems. But the focus is much more on the management of an organization which is responsible for this data. And you've mentioned already the auditors. So it's really about controlling the key components within organizations. And you've mentioned, it's SAP and non-SAP, because these are still the market segments where usually organizations choose from. And this is also the distinction that you've made when creating these two Leadership Compasses, right?
Yeah, so basically there's an overlap also between the participants in the two Leadership Compasses. So we have one that focuses really on Access Control Tools for SAP environments, which includes sort of traditional ABAP-based systems, the ECC world, but it also includes the S/4HANA systems and also the cloud applications provided by SAP. And then there's the one which really looks at more heterogeneous Line of Business applications, where SAP still again plays a vital role, SAP is still the dominating vendor in this market. But we also see that both within the SAP portfolio and beyond the SAP portfolio, we see a lot of change. So with SaaS applications, we see that more and more functions are sort of implemented in targeted SaaS applications and that has two consequences: we have a tendency towards more vendors. So it's not a one-vendor, but it's a some-vendor environment. Typically it's not usually a real multi-vendor environment, and it becomes more and more hybrid, sometimes even full SaaS, but most are, some are stuck in some vendors' hybrid world of these applications. So that means it's not only SAP anymore, it is potentially more. And with processes potentially spanning multiple of these tools, that also requires some cross-system segregation of duty controls, a solution that helps us managing this across multiple applications instead of having sort of access control silos per Line of Business application. So the focus of the second one is really more on the breadth of support across a wider range of Line of Business applications. The basic functionality, the basic focus on handling entitlements, roles, segregation of duties, a bit of emergency access capabilities etc., this sort of basic set of capabilities we are looking for is quite similar for both of these documents. But the focus or the scope of support for applications varies significantly between the two.
When doing advisory, and I talk to organizations and their IT departments, there still is often this SAP kingdom. There is a department which is well-managed, which has a good grip on their access entitlements, their roles, their identities. But they are more or less segregated from the rest of IT, but usually well integrated. If I understand you correctly, we are moving away from this kingdom with on-prem SAP R/3. The borders are blurring and we are moving more to cloud-provided services, but also for access governance. Did I get that right, no matter whether it's SAP or not?
Yeah, so I think that is true, we see this shift more to SaaS services, by the way, provided by SAP or by others. And you bring up an interesting question, and there's no simple answer to that. How should the organization structure look like? The more we shift into a some-vendor or multi-vendor environment, the more it's important to rethink that structure. Whether this ends up with something where you say, okay, I care for all types of access controls sort of across Line of Business applications, across systems like Windows File Servers and SharePoint, etc. from one perspective, from one organizational unit, or whether you say, I have something which is, so to speak, the successor to the SAP department, which is the Line of Business application department, that I think is something which you can discuss. I think the starting point is something you're doing with your team quite regularly in advisory, that is building the target operating model that focuses on that, to define which areas we have, from the business people who, for instance, must improve, must do certain re-certifications, down to the technical operations, and then you can make a valid split of responsibilities and you can define the interfaces, the intersections and where people must work together. I think this is an essential step to modernize an organization. This doesn't necessarily say there's no department that is focused on the specifics of all of these Line of Business applications anymore. But I think we must go a bit away from a vendor-specific approach for an organizational department to a functional approach. And how we split this, this is a part of a discussion, because we have this sort of depth across many systems beyond the Line of Business applications. And in the Line of Business applications, we frequently have very specific requirements and very specific access models.
So when you look at traditional SAP systems, for instance, but also when you look at Salesforce, they have rather complex structures for access entitlements and this must be better understood and well managed. So you need to figure this out. But I think the best starting point is really to think more from a target operating model across all this and then think about how do you split it and where's the responsibility. So from an access control perspective and from the related risk perspective, there are the risk people to the GRC team. And there's the CISO, surely, who can be in charge, factually, across everything. For technical implementation, this is a bit different and this needs to be, I think, resolved in every organization to keep track with the changes we are seeing in the application landscape.
Right, I think this is an important factor because I think this also is reflected then, and we have not yet talked about the market segment actually, and the players in that market segment, that should also be reflected then in the number of vendors and the types of vendors and how they provide these services. So there should be vendors available that cater for all these types of target operating models that you've mentioned. So from cloud-delivered services to traditional on-prem, but also managed services that could be used for applying that in these different target operating models. Do you see that in the market and how did it change in general?
Yeah. So we see that. And one of the vendors in the market in the past year acquired several other smaller vendors to further expand the portfolio, which means there's a tendency. It's interesting, I think we have basically three groups: the ones that are really very SAP-centric still, the ones that are evolving from that world or always have been a bit more cross-LoB or multi-LoB focused, which are expanding. And we also see some of the vendors from the IGA, the Identity Governance and Administration space, are coming into this market. Either via acquisitions, or via the technical capabilities their solutions have, and these are also expanding into the market because they sometimes have a... they have the breadth usually from IGA, but they also sometimes have quite some depth in supporting certain types of Line of Business applications. So it will also be interesting to see how the convergence between IGA and this field of Access Control Tools continues. We definitely see some tendency here of a stronger convergence, both from a technology and from an organizational perspective, as reflected in what I mentioned previously, the target operating model.
Right. And if we look at, for example, financial regulations just here in Germany, they demand a unified entitlement model. So what does that mean when implementing such a system? If you have an entitlement model in Line of Business applications and everywhere else, why don't you want to have that managed in a unified manner as well? So this convergence is also demanded for and it makes it much easier for the auditor, for example, to understand the overall administration of access across all systems.
Yeah, but here we also need to be clear that there's a unified layer, a common layer, and then there are definitely system specifics, and again, this goes into where do you make the cut, where do you sort of split this for the system specialist? But in other words, we also have our Active Directory administrators, which are the specialists, and we have the IAM people, which are, so to speak, across systems. So I think it's something which is not new, not uncommon, we can do that and we should do it. I think it's in part to rethink it. There's a lot of... there are several tools out there. I wouldn't say a lot. Both markets are rather small from the number of vendors. So compared to other market segments we are analyzing as analysts, these are really very specialized markets still, but they are here and they are super important from a regulatory perspective, from a risk, from a security perspective.
Right. So these two Leadership Compasses are just published right now. They are available. So if you are in the situation that you want to have an update or a modernization or just a change within your Line of Business applications, and want to catch up on that, from the regulatory, from the auditing perspective, then I think these two Leadership Compasses are the right place to look for. You've mentioned the overlap in the market segment, so there might be players that might be relevant for those who are migrating in one direction or the other or back or from SAP. So this is really an interesting market. So are there any final thoughts that you have regarding that market? Are there many changes or is this a stable market? You've mentioned these acquisitions. Is this, more or less still a volatile market?
I would say it's a market where we see a lot of movement and a lot of change currently. So both from very specialist vendors and, for instance, also from SAP, which are modernizing their portfolio, going away from traditional access control, or SAP GRC Access Control, as many call it, and today SaaS-based applications also for the access control space. So we see a lot of change here and I think it's very important to look at it, and not only to look at it from a tools perspective, but also from an organizational perspective. That's where Matthias' team can support very well.
Yes, absolutely. Looking forward to talking to organizations interested in making that next step regarding Line of Business access control management, because I think this is something that we actually also already see in our advisory projects, because this is more and more coming together also with this hybridization and this new type of delivering applications. And no podcast episode without mentioning our upcoming event in November. So that will be the cyberevolution in Frankfurt in November, and that will be the event to be at when it comes to governance, when it comes to compliance, to cybersecurity, but also to the modern intersection of artificial intelligence, new technologies and cybersecurity. So SAP might even be a part of that as well. So thanks again, Martin, for having you today and looking forward to the next episode.
Bye.