I’ve been in IT long enough to remember when business applications were home-grown and written in COBOL. In the early stages of my career, I even gave computer classes on the standard algorithms for good COBOL programming, such as sorting and grouping.

In the more than three decades since, I’ve seen SAP R/3 being discussed as the revolutionary approach for business applications, moving these from mainframes into client/server models. I’ve seen the emergence of the first SaaS applications, with some such as Salesforce or Ariba still being around. I’ve seen the broader adoption of the cloud for critical business workloads, such as SAP S/4HANA Cloud. And, I have also seen GRC (Governance, Risk & Compliance) become mandatory for organizations.

The hybrid reality of today’s business applications

For many, if not most organizations, the landscape of business applications has changed over the past year. With the advent of SaaS services, there are typically more vendors for the various business applications than there were a few years ago, and with the shift to the cloud, most organizations have ended up with a hybrid infrastructure. This makes managing such applications and providing GRC solutions for these environments more complex, starting with enforcing consistent identities, access controls, and SoD controls (Segregation of Duties) across these applications.

To further complicate things, other IT services are evolving towards becoming business applications.  ITSM (IT Service Management) solutions, for example, are morphing into ESM (Enterprise Service Management) solutions with central platforms for workflows and services that support several lines of business, well beyond IT.

A challenge of breadth versus depth

GRC and, within that, access control, are about finding the right balance between breadth and depth. In rather monolithic landscapes of business applications, there is logic in using a highly specialized solution. In hybrid, heterogeneous landscapes, however, there often isn’t a single GRC solution that covers all the business applications and services anymore. Some deliver depth, such as for the traditional SAP ERP solutions, while others provide breadth, starting with standard IGA (Identity Governance & Administration) solutions. There is no simple answer, and for many organizations, there won’t be a single solution.

This challenge is further complicated by organizational and ownership issues. Traditional SAP Access Control runs on SAP and commonly is owned by the SAP team. But how should the organization look in a world of hybrid and heterogeneous business applications? Is there still room for an SAP silo? Who should own what? CIOs, CISOs, and CROs (the Chief Risk Officers) must rethink the way GRC and access control are implemented for today’s ecosystems of business applications. This starts with revising the organizational structure and responsibilities.

For a more in-depth analysis of access control tools of SAP environments read this Leadership Compass.


See also