Redefining Access Governance for Security and Fraud Prevention in Critical Applications

Good afternoon, ladies and gentlemen, welcome to our equipping cold webinar, redefining access governance for security and fraud prevention and critical applications. This webinar is supported by Sian. The speakers today are Pash, who is vice president of products at Sian and me Martin I'm founder and principal Analyst at copy a call before we dive into our topic, I quickly wanna bring up some information about keeping a call and some housekeeping information for the webinar. Copy a call is an Analyst company.

We are headquartered in Germany, but have people in the us and the UK and Australia and other regions, we provide mutual advice, expertise. And so leadership on a variety of topics around identity, access management, around information security as a whole around the digital transformation and many aspects around that.

We do this through three types of services, which are our research where we look at the markets, the trends, the products where we do our things like our leadership compass documents, where we compare when in certain market segments, we do it through our events, which include the webinars, but also variety of conferences and other types of events. And we do it through our advisory services, where we support organizations, for instance, identifying the vendor of choice or doing maturity and readiness assessments. We have a couple of upcoming events in the next months.

One is the consumer identity world Asia Pacific, which will run Singapore next week. And then we will do our digital finance world again, which focuses on the transformation of the finance industry. This particular emphasis on PSD two blockchain and related topics. This event will be held in end of February, early March Frankfurt.

And with may, we do again our European identity and cloud conference, our flagship event in the Munich region, which is the mainly vendor around identity cloud security and related topics in Europe, amongst our advisory offerings, we have, for instance, newly launched our GDPR readiness assessment, where we will evaluate in a very efficient process where organizations stand with respect to the upcoming European neural data protection regulation. So if you wanna know where you are and what you have to do, where your gaps are, this is a very efficient way to understand this with that.

We are the agenda. So our agenda for today is split into three parts as usual. And the first part I would talk about why and where we need to redefine access governance. So looking at all applications, regardless of where they reside looking at getting detail inside whenever required. So having to require depths and analyzes and looking at how can we move more towards efficient approaches to reduce the burden on the business. The second part on talk about, give overview of the solution.

Talk about framework support for heterogeneous environments, how to define rule sets and controls, how to map them to industry regulations and effect how to do it right. And the third part, we will do our Q and a session. I always recommend entering your questions once you have them so that we have a good list of questions available when we do our Q and a to make this very lively, was that I directed Trump into my presentation, and I wanna start very much from scratch from the bottom access governance. So access governance is something which definitely has arrived in corporate it.

So when I started my sort of career identity management, then it was really about, we have this identity management part and we have to technical access management. So some things like web web application file application, web access management, things like that. But I remember back in these days, there was administration authentication authorization. There was that really auditing part. And then with a couple of regulations, starting around sole, this topic became more and more prominent. That access governance really became an issue. And so it it's here.

It's here to stay and it's something which complement that traditional more technical driven identity management, access management disciplines. The target is to provide governance to achieve compliance and to mitigate access related risks. Access governance is maybe the most interesting area in, in some sense of all of these, because it's the one which tends to have the most diverse drivers and the most heterogeneous stakeholders. So when we look at, and some of the stakeholders, in fact also are audits, which appear from the driver's side on the, the, in the darker boxes on the right side.

But in fact, yes, there's management management has the regulatory pressure. We have the customers partners in some sense as the ones who want to, to, to get and, and access management overall done, but where we also have more and more requirements doing this, right? We have a workers council, which comes into play. And on the other hand, we have all these drivers like the data protection laws, the internal audit, external audit, other types of regulations, corporate policies, best practices, which lead to, we need to deal with a lot of parties.

And the biggest challenge, obviously next governance is dealing with the business. So we need to do it in a way which works for it. And we look at very down to, to the system entitlements, we are very detailed entitle entitlements sometimes from an it perspective sometimes also from a business perspective, on the other hand, we need to make it work for the business owners. And this is obviously a very big challenge here. So why do we do it? Because if we end up with the access related threats, we can have a lot of issues. So starting with illegal transactions.

So one part, when you look at access governance is segregation of duties, conflict. So avoiding that someone, whatever can onboard a supplier and then approve the payments to the supplier himself, things like that frauds in the broader sense. So beyond the legal transaction, informational leakage, so who has access to what? And what does he do with that information, data loss, external attacks, reputational damage. So there are a variety of these threats and we need to have it in place.

It's absolutely essential for every organization to have a good access governance in place because access related risks today definitely are one of the bigger business risks. I think there have been some, some very prominent examples of financial institutions losing a lot of money.

In fact, really coming into, in, into trouble by issues they had with their, their access governance, where were then fraudulent activities were done, particularly by traders, but it's a risk for every organization today. So if you also look at things like the GDPR, so if you don't have a CRI on your PII, and if the PII leaks, then you have an issue and issue, which is around, pre-trial an issue which might be around reputational risks and issue, which might be about penalties and other stuff.

So inappropriate access is directly connected to variety of business risks, strategic risks of iteration, risks, reputational risks. It's not an it thing because it's about having policies which come from the business. It's about the business understanding who is allowed to do what. So the approval part to do the review of recertification to, to terminate access. These are all things, the business must do the, it doesn't know exactly who needs to do what, who has access to what. And so basically to start with that, we need access governance. I think there's some doubt about it.

The question is, how do we do it? Right? And so while ago I put together what I called seven common symptoms of IM and IHG diseases. Not all of these are directly related to access governance, but several of these are at least to some extent. And one of this is that uses are complaining and what our users are complaining about. So too many ways to request access.

Yes, if I, if you have seven different Porwal. So if you have to go for your windows environment to a different Porwal for requesting access, then for your SAP, then for your cloud services, then you have an issue.

And if, and the one thing users always tend to complain about is if they have to do access reviews, because this is a pretty complex thing to do. So we need to get better on that. Obviously there's one thing, which is the MIS the MIS of connecting systems and reducing manual work. So you end up, particularly this happens when you look at the new or not so new world in fact of cloud services. So you how to connect them, how to get a grip on them. And then you end up saying, okay, and here I have to do a lot of work.

Again, onboarding processes are this movers levers, revocation of entitlements, obviously a big issue. And you end up as many entitlements you shouldn't have. So in some way, connected to the access governance, you don't, you're able to deal with your customers. Oh yeah. And then that really the big point comes the bumpy re-certification frequently. It's really hated by users. So they say, okay, again, I have to do these things. I have all my users here, dozens of entitlements. And I have no clue what these entitlements mean.

And I have to do this re-certification and this is clearly one of the areas where we need to get better, to find ways to do it better, incomplete, inconsistent role models. They also help. They also lead to a situation where, which, which frustrates people, because things are too complex to do. It's not an ideal world. So we have a variety of challenges. We frequently see identity management, identity, access governance projects, and a couple of them are really related to how do we do access governance, right? And so I'll touch some of these points over the next time.

So what is also good enough access governance? And I think there's a couple of questions we could raise. So is it enough to be compliant once a year for every single access? Only if you say my only target is to be compliant, but if your target is to mitigate access, risks, access related risks, that it's not good enough because when you say once a year, okay, I'm I did a review and it's all, okay. And the next day someone does something fraudulent or something accidentally, which opens the door. Then you have another 364 days until you detect it. Maybe it's even worse.

You detected very early because something went really, really wrong. It doesn't help you. So the question really is why not aim at always being compliant, permanently, being, being permanent prepared for audits, why not treating high risk access differently from low risk access, for instance, distributing the workload across the shoulders of a lot of people. So having the people really approving and reviewing things, they understand. So how can we sort of have, was a little bit of a continuous Analyst, as I understand, oh, things are going wrong.

We say, here's the change. Here are things different than they were before. Let's do a small review for these changes, all that other stuff. So I think it's important that we start thinking about access governance and not only focus on the regulatory aspect of that. On the other hand, we also see that our environments are getting or are changing. Don't say they're getting more complex.

It's, it's just, we have our on premises systems. We have that touches a minute.

Again, we have clouds systems, we have more different types of systems. And we also need to say, okay, we, those, all of these things, you need to access theirs. So they need to access their whatever Workday system they need to access their sales force or their success factor systems, etcetera. And they want to do approvals reviews and all that stuff in a consistent way. So one of the challenges arising also aside of that, how can we do it? Good and well, and efficient is how can we move to sort of one access governance for all systems?

So for technology perspective, it means where we can, we avoid redundancies, or if we have different technologies, at least where can we integrate this? Well for organizations and processes means integrated processes, friction free. So really think about this. Who's responsible for what, who is accountable for what, for the audit integrated with your enterprise chair. So you need one view. If it's a business risk thing at the end, we talked about it before then these risks must appear at your enterprise risk management or in your enterprise risk management. You need consistent controls.

And for the users, one interface, official process, integrated processes. This is absolutely essential to be successful. And so one of the things we also need to understand us, that's a complex challenge because, and that's what I try to show in this, this picture. There's a cross system view, there's a view at a system level. And so when we look at a role model, then we might have business roles and system roles, or even more types of roles, but we also might have a hierarchal structure.

If you look at an SAP system, if you look at an active directory, if you look at certain other systems, you have complex hierarchies within the systems. And so you need to get a grip, not only on this identity view of business roles and roles across the systems, but you also need to get a grip on what I've painted blue here on the various systems, which can be very simple depending on the system, which can be RA a complex if it's an P system or other systems.

And so it's, what is important to understand is when we do it, we need to not only cover sort of the breath, but also the desk, which automatically leads us to a question which is, does one size fit also breast versus dev. So devs would be sort of, we can really dive into the E access control. We can dive into the SharePoint security, which is more in a system U perspective press on the other hand would be, so we have in traditional access governance, we can manage all systems, but not always at the deep level. The question is, can we combine it?

And to some extent, I strongly believe particularly with the, with more and more cloud services that we need to integrate it, that we need to come to a point where we can do a lot for one solution, because if we have more and more business functions split across various cloud services, shall we really implement one sort of target system, specific access governance for the in-depth perspective per cloud service? I don't, that it'll work. So in fact, what is the challenge here? Or one is the biggest challenges coming up here is enterprise environments aren't change.

So we have distributed platforms. So SAP and hybrid environments we have on premise, we have UMT things where other things come in. So if you just look at this part of whatever, the SAP world, but not only SAP world, we have mobile access. We have so many changes here and we have obviously also the cloud. So things are, are really changing and it's not that we say, okay, we have here our SAP world, we rent our business and we have some window server or Linux service, other stuff sitting here, and a little bit of this around and some older systems. And it's done on premise and easy.

No, it's not easy anymore. It has changed. It never was easy by the way. But when you just look at this cloud part, without going too much into detail here, you just look in this cloud part, then there's whatever there might be.

The Reva, the success factors, field, class, whatever high risk conquer, how enterprise cloud business by design, whatever else and far more others from far more other providers. So it might be just really, really more heterogeneous than evolve before. And so I think it's just a, an, an evolution we are facing. So what we really need to figure out is how can we manage all these systems, the access risks for these systems and more in a consistent way.

And, and in fact, we, what we are really facing are so, so to speak also multidimensional changes. And that means we need to think about how does our access governance work in a world where we have so many new things where we have this technological changes. So we have new technologies systems moving to new platforms, the focus within the user organization, also sometimes changing. We have our things in here. So everyone gets digital. And so on. We have changing infrastructure landscape. Obviously the business processes are changing as well. So we rely on different processes.

We have more consumer facing things. We have whatever, all the business directly to consumer, which leads to new business process, which can be RAA critical, which we have to control where we need to get a CRI on the access risks. We have all these changing legal and regulatory requirements. So if you'll just look at things like GDPR, PSD, Q, and others, which are popping up for next year, we have new user organizations for, for these evolving enterprise applications. So we have different types of users that come out of SIM.

We need to get a grip on that from our access governance perspective, in a scenario, which is from access governance, which is definitely more complex with the cloud with more of these services, which are split across multiple cloud services, instead of being trust, the one enterprise and business application world we had before, which makes it more complex. So what do we really need here? From my perspective, there are three important elements. One is press and integration.

So we should look at saying, we are able to understand our access risk across all applications, regardless where they reside on premises in the cloud. But we also need depth, which provides us the detailed insight whenever required and for whomever required. So we need to clearly be able to split this workload across a lot of shoulders. Some people more understanding the technical de this other saying, okay, I have whatever. This is my business process. This is the thing to do in the business process. And I just understand that Martin Ko needs to do that.

But if we want to go deeper, we need to be able to go deeper. Ideally in this world in one system, not with many, many different ones. And then it's about effectiveness and, and, and efficiency.

So, so doing the right things and doing the things right. So effectiveness in fact means really saying we can manage, we have the capabilities we need and efficiency is then really, how can we do it in a way that the users don't hate us, but like us and say, okay, you make our life easier. Or at least they say, okay.

I said, I have to do it. And you did a great job in doing it in a way that is not too harmful and annoying to me with that. I want to hand over to ya for a deeper dive into this topic.

So yeah, it's your part. And you will talk about more how savvy investors and framework support rule sets, controls regulations. It's your term. Thank you, Martin. You set the stage perfectly for me. So it's my, my job is a lot easier, but I think you summed up really well in terms of how one needs to look at the access governance solution. But before I get deeper into what a solution should look at and what approaches organizations can take a bit of an overview about ENT ENT is a cloud identity governance provider provides some of the most comprehensive solutions as Martin was pointing out.

There are different market segments in this space. And what Xian has done is to bring those together. And those market segments include application GRC, which is where we are looking at the segregation of duty management security controls for applications and so on, which is, which is the primary focus of today.

And, and I'll speak more in, in depth as well as a, a second area, which is cloud security. So a single platform to do multiple things, getting into the next slide as Martin was, again, alluding to earlier, the adoption of applications is rising really fast, right? So you can see a number of applications in the cloud or within the enterprise. More and more of these applications are becoming critical in nature because they run the businesses at the same time.

The other aspect of changing and evolving compliance needs, whether it is GDPR or Sox or PSD two and many others that are shaping either local or global compliance requirements force us to look at these applications from a security lens than what we had done before.

So the number of applications that are considered critical keeps increasing at the same time, the changing it landscape, whether it is adoption of the cloud, the digital transformation initiatives, all these are putting again, focus on the new age technologies and solutions that also would fall under the ambit of compliance and security. So overall there is a need for us to look at different types of applications, which is what Martin was alluding to in terms of the breadth, as well. As you know, we look at how deeper you can go into each of these applications.

When we are looking at this solution space, basically organizations to needs to need to look at this more holistically instead of being audit ready, or being able to provide audit readiness once a year, it is important that this process becomes more continuous, right? And the approach that Sian as a solution provider suggests is to have a methodology in place, have a process in place to begin with, start with gaining the visibility, right? How do we identify the risks or sod violations in the critical applications?

Again, the emphasis to this discussion is primarily on the access governance and the, the application GRC side of things, where we are looking at critical applications. So in these critical applications, risks come from various aspects, segregation of duty risks, and the security control related risks are primary in nature. So being able to identify those risks and identifying those violations become critical in order to ensure that there is no fraud, there is adequate separation of duties.

And so on at the same time, it is important that we understand who has access to what in those critical systems. So it's important to gain that visibility across all the different areas within those critical applications. Once we have that visibility, it is the turn now to ensure that we protect the application through different means, right? So whether it is the ability to map the risks that we have identified to different regulatory frameworks that organizations have to comply with, it could be Sox.

It could be PCI, it could be hippy depending on the different regulatory, you know, applicability, but it is important that these risks are not just identified, but map to the regulatory frameworks. What would that, what would that help is in terms of the regular audits that you go through? It's very easy for you to go and say, Hey, gimme all the controls or risks that are related to this particular compliance com compliance framework.

So helps you in being agile in, instead of, you know, doing the spreadsheet or doing a manual work of compiling, all the controls that are necessary, the other aspect of protection. And I'm going to go through this in a little bit more detail is the, the ability to ensure that access, especially the emergency access is given appropriately and in a time-bound manner. So we will look at this.

This is a, a very essential part of critical applications. Some of you who have worked with and dealt with applications like SAP or Oracles, are pretty familiar with the firefighter emergency access process.

And that is essential that because of the, the, the risk involved in some fraudulent activity or activity that would, would result in system unavailability and so on and last but not the least is the ability to define and derive business friendly roles as Martin was alluding to earlier, it is important that the user experience, the effectiveness of the solution depends on how simple it is for the business users.

So by creating these business friendly roles for different users, user personas, it, it becomes easier for people to whether it is requesting access or certifying access or to group access. So that assignment becomes easier. The last part of the approach is the manage where, you know, it is, it is run phase where you are continuously managing and mitigating the risks and, and, and essentially looking at the impact of the changes that you're doing.

So a system that you would have should look at the impact of making any change, because now the changes that you're doing to the access should, would impact a larger audience. So understanding what is the impact of the change becomes very important.

Similarly, one of the key issues that we see is that access revocation does not happen on time. People leave organization for se, would have left organization for several months, but still carry that access. So how do we bring the identity governance processes in place? So that access is revoked on time and residual access is not left. The other element to this is the ability to identify and monitor activity so that we can identify suspicious behavior.

So this is, you know, a realm where we are looking at the user and entity behavior analytics to see who is doing what, and if that behavior is inappropriate. So when you look at this as a framework, you are basically, you know, setting, setting a, a, a process of well-defined process for gaining visibility, ensuring that you protect, you put necessary controls in place for each of those critical applications, and you continue with the manage or the run part of it.

So now, now let's look at how we can do this. And some of the specific use cases, it's difficult to cover in this webinar, all the different use cases that, that are relevant from an access governance standpoint. But I would try to cover a few of those use cases that are really important. Martin pointed out that applications are quite unique. Each application brings its own security model.

So being going into depth or providing that in depth visibility is, is again essential because you are now just scratching this surface, just looking at the business roles, or just looking at a very high level construct of access will not provide you with a greater level of detail and an understanding of who has access to what within that application. And as you can see here, a, a few screenshots of how access models vary across different applications. First of all, the number of hierarchies itself is going to be different.

Some applications have three levels are four levels of faxes in case of SAP, as most of you are familiar with it is the SAP roles, decodes authorization, objects, and authorization levels. So that's, that's four, but when you look at other applications, let's, let's take, for example, Oracle CIAs, you have the concept of responsibilities, menus functions, sub-functions etcetera. So each applications, each of these applications, complex applications have a minimum of three to four levels of hierarchy. And it can go up to 10 is, you know, is what we have seen.

So this system that you should have in place for access governance should be in a position to one import or ingest this hierarchical model, irrespective of where the platform is cl on in the cloud or on premise, the system should be in a position to comprehend N map the hierarchical access model to the identity or access governance construct. The second important thing is to be able to translate these fine grain details or fine grain entitlements or security model to a more business friendly or user-friendly construct. It could be roles.

It could be some, some other construct, but it has to be more business driven so that you are not just addressing the business side of the house technical side of the house, but also the business side of the house. So once you have this information, which is the authorization or the security model of the application ingested into a platform, the next item would be to run the, you know, the, from a specifically from an application GRC standpoint, run the segregation of duty analysis.

So what Xian does is it provides, so rule sets out of the box so that the key applications are covered and organizations can get a head start in terms of analysis. The rule set development itself is a more involved process. Many of you would have done that needs to incorporate all the business processes that are in scope from a compliance or audit standpoint, and need to go into in depth understanding or analysis of different entitlements or the authorization levels that any application might have and come up with those rule sets that conflict with each other.

Martin was giving an example of the ability to create a supplier, as well as approving the invoice. So similar, you know, use cases, but, but much more granular and much more detailed are required to be billed. And even though the business processes at a high high level, let's say ordered to cash, seem to be straightforward. The moment you get into these applications, that's where it gets more complex and more nuanced.

So understanding that right application model is, is necessary at the same time, the security controls, which are essentially the, the aspect of looking at whether appropriate security, whether it is configuration, whether it is appropriate control in terms of approvals workflows, et cetera, have been configured or not needs to needs to be established as well. And finally, one of the things that we need to look at is the ability to reduce the cost of the compliance itself.

So being able to being able to provide recommendations, pro being able to mitigate those risks at, at that fine grain level becomes, becomes really important. So we talked about creating these rule sets and security controls, and at a high level, I touched upon the, you know, mapping of the regulatory frameworks. So as you can see here, there are several regulatory frameworks I have that I have listed on the right hand side. Why is it important that we do this mapping? So you have reg standard frameworks such as COSO and co, but also the compliance standards and regulations such as PCI HIPAA.

So cetera now, as I mentioned earlier, when it comes to audit organizations are required to comply with different types of these regulations. So there might be PCI compliance audit beginning of the year, but you might also have to do Sox audit later down the year. So having to do this repetitive work, and, you know, it's a point in time, snapshot of access governance, as well as the security posture for those applications is not the most ideal. So being able to map these controls, different controls that are provided to the frameworks helps you in getting that view.

And to Martin's point, you know, people come with different perspectives. Somebody coming in as a, an auditor persona as a PCI auditor persona can be made, can, can be given access to only see those controls that are applicable for PCI and so on and so forth. Right? So the idea here is that by having this mapping one, it is fairly easy to be prepared for any audit and second, by creating different kinds of personas you can improve and the user experience, because now you are providing a view that is very specific and very tailored to that individual role.

So another thing that would help with, with being audit ready is to provide the intuitive dashboards to my earlier point of creating individual personas. What needs to also happen is the ability to map the controls as well as dashboards to those user personas. So that when I am coming in as a, an auditor or as a control owner, I get to see what the dashboards are in real time. So the data that is being provided to, to, to the user is real time data captures the, the, the latest changes or violations are control failures in those systems.

And that can be brought up to the notice of those individuals. So the idea here is that dashboards need to be intuitive, improves the, you know, the effectiveness of the solution and helps you in generating reports at, at any point in time, again, back to the point of when, when you do different audits, right?

You, you tend to generate reports and there is a lot of manual effort in model by providing these dashboards and analytics. It becomes easy for, for users, for auditors or organizations, to be able to pull that data fairly easily. The other aspect of this off critical applications and producing the risk and the attacks surface face itself is to manage the emergency access. As you know, the super administrators and administrators wheel such a power that they can, can do anything to that application, but it is from a security best practice standpoint.

It is important that that access is reduced and, and access to such roles are such privileged access is given only as necessary. So being able to provide or enable just in time provisioning or elevation of access is important as opposed to people having elevated access all the time. The second aspect of emergency access management is the ability to monitor the, the actual usage. So what transactions have as the user performed, whether there was any deviation to the typical activity that this user does.

So being able to one, identify any anomalous behavior, being able to capture the activity that the user is doing, and then bringing it to the access certification umbrella that, you know, Hey, there is, there is a, a different activity of the user performed and this needs to be reviewed by the manager or control owner or whoever it is from the risk management team. So helps organizations mitigate the risk or manage the risk much more effectively if you have an emergency access management solution.

So, so what are we, what are we really suggesting? The idea is that you need to consolidate, there are different applications that Martin alluded to Martin mentioned. When you look at on-premise systems cloud systems, there are tons of applications that are relevant and that are really critical to the business. It is important that we bring all these together from a, from, from a governance standpoint, at the same time, having point solutions are not going to help, right.

Having a specific solution for SAP or a specific solution for Oracle will only be localized or in, in, you know, worked in silos. It does not get across different applications and will not necessarily identify a potential fraud. If there are correlations, the system will only be focused on that specific application. So there is a need to centralize and finally aggregation.

So as we bring data that that could mean the user information, the access information, the entitlement information, the usage information, you now have a repository or what we call as a warehouse of all this data on top of which you can do analytics and identify it, risks, identify efficiencies, identify roles. So it, by, by aggregating all of this in a single warehouse and in a solution will help in driving a lot of advantages in terms of building more efficient, more business friendly solution. So we talk primarily on the applications like the SAPs, the work days, the Oracles, et cetera.

But the other aspect to that aspect to the critical assets is the data and the infrastructure as well. So it is not just, not just sufficient to only consider applications, but it is also important, especially as you are moving to the cloud, the data is moving to several collaboration platforms or infrastructure platforms, or all the workloads that you had within the enterprises, moving to the cloud. All these assets become equally critical and probably on par with other business critical applications like SAP or Oracle that you might have.

So providing that, or thinking about a homogeneous solution, bringing heterogeneous asset types and providing a governance, overarching governance layer is what we would recommend as a, as, as a solution or as a best practice for the access governance needs. And finally, once you, once you move towards that or adopt that architecture and approach, that's when you will really, and truly move from just being a checklist compliance, which most of the organizations to towards a better and integrated security model with that, I conclude the presentation Martin, back to you.

Thank you, Ashford, your presentation, the extensive input you provided. So let's continue with the next part of the webinar, which is our Q and a session. And to all the attend. If you have any questions, please enter them. Now you will find the area questions in the go webinar control panel, which is usually at the right side of your screen sometimes also on the top of the screen. And you can enter your questions. And the more questions we have, the more likely the discussion will be.

So I have already a couple of questions here, and Yaha, I wanna start with one, which is, I think it's an highly important one because at the end, even with the shift to the cloud and, and all that stuff, many most organizations also have their individual applications. So is it possible to use this framework you've presented for your home Chrome or custom applications or maybe for cloud services, which are not yet supported? Absolutely.

Martin, I think great question. In terms of the framework itself, the, the framework supports the ability to integrate with any applications, whether it is custom or homegrown or cloud applications.

The, as I mentioned, you know, the framework itself or the product, whichever it is, needs to support the ability to bring different rule sets and also provide the ability to create custom rule sets for those homegrown applications. Especially as, as, as you brought up the digital finance world, what we see as the financial organizations have a whole host of financial applications that are, that are built within the, you know, within the banks and financial institutions and they are highly customized. Yeah. Which means one, they are extremely complex in terms of the security model.

Second only the people with the domain knowledge would be in a position to come up with the rule set. So the idea of the framework is to provide flexibility in terms of defining once own rule set. And the idea is once we, once you have the entitlements or security model map to the product, it is, then it, it then allows you to look at what types of, and what hierarchy of entitlements you have and start defining those rule sets at fine grain level or at, in depth, as you were mentioning during your presentation. Yeah.

And I think definitely have, have to agree, because if you look at banks, I know banks which have several hundreds relevant and critical homegrown applications, which they need to get a crib on. So yes, it's a, I think your, your question, you answer to the question always to some extent answers another question I have here. So which of which is around, do you provide the option to customize the rules and controls? And I think you already, at least partially answered this with the yes.

Yeah, absolutely. Martin. And I think that that's a great question, too. And in terms of, you know, the distinction at least to call out what, what's the distinction between the rule sets and the controls, right? So rule set typically, you know, helps you identify risks around the segregation or separation of duties. So these rule sets are for application. So as I was highlighting earlier at a business process level, the rule set would look like the same. For example, you know, whoever creates a supplier should not be in a position to approve invoices or approve payment, but at the same.

But when you, when you start looking at and dealing the onions in terms of the, each of these applications, each application would do it in a slightly different way. So while the construct of the rule set or a rule is, is somewhat same in this case, the way it needs to be defined for that application needs to be different or specific to that. So inherently there is a need for the framework to have that flexibility in terms of defining a rule set, which can have rules map to specific applications.

So that has been our approach as well, where we have identified a good chunk of, or good number of these critical applications and our experts, functional experts go and dive deeper into these applications and help create these rule sets. On the other hand, controls are more, you know, the, obviously they are control. So security controls in terms of identifying whether you have, you know, the right configuration, whether you have, whether you have people with right access, people who, you know, identify whether they have orphan accounts and so on and so forth.

So there are these controls which are mapped to either the, it could be ITGC controls, or it could be very specific N or other, you know, compliance framework related controls that can then be evaluated for each of these applications. Again, it is important to note that there is important to note the distinction between the rule set and a control controls when it comes to an audit auditors, look at both the, you know, the separation of duty violations in terms of whether people have excessive access at the same time, whether the systems are operating appropriately or not.

So both of them are provided with the flexibility to create their own custom things as, as, as necessary. Okay. Thank you.

And again, to the attendance, if you have first questions, enter them, now there's another one I wanna grab. So it's, I talked about this, doing the things right, and doing the right things. And that's the question about any specific best practices for doing these things right. And I think there are a couple of, of them and some of them are already touched.

So I must, I have a strong belief that one of the most important things is to on one hand, reduce the workload for the individual. And in fact, there are two ways basically to do that. The one is really distributing the workload across a lot of shoulders. So having the people really do the things they can do and not having them, trying to have a few people who do a lot of reviews and with the fact that they are not really good in doing so.

And so the that's one part, and it's also about thinking, how can I make small chunks of review instead of once a year, or once every six months presenting people with a huge metrics of things to have to, to review. So these are things that really help. I think the other part is having one interface, which is, I think part of what also ya talked about. So really having one tool for all the various business services you're using.

And as, as I've said, that world is getting more hetero the cert. And I think another very, very important element in, in making these things work. Are you also, I've seen this dashboard, but what, what I also think is very important is try to do what you can do for them. We do it also for them. So that means about sort of the redefined.

There are other things like you can provide them with a lot of information about potential roles, cetera, by preparing the centrally, not only by it, I think this requires some business people, and obviously, but you can prepare a lot of things before you go out to the business department. So if you say, okay, I need you for one week for a workshop to work out this out, then, then you're doing, doing it the wrong way. It's about saying, okay, what can I prepare?

What do I know from the business process, the business activities, from whatever preconfigured rules that standard controls, et cetera, what can I get from other as other types of information, putting this together, preparing it and then say, okay, this is our basic view. So what do you need to, or what do we need to change specifically for your department? Then you're talking about a, maybe a couple of hours instead of a number of days you're talking with to PE people. So make it easy for them because at the end, their main job is running the business.

And so you need the tools and also the preparation, the work upfront, which you do centrally, where you prepare it for them to make their life easier. So these are some of the, the best practice recommendations. We're running a little out of time, but I think that maybe gives you some, some great ideas and together with what the Ash presented. Hopefully it helps you in doing your chop perfectly well. So with that, we are at the end of our webinar for today. Thank you very much for attending this cold webinar. Hope to have you soon at one of our events or one of our other webinars.

Thank you very much. Y Ashford, your highly interesting presentation, and I will not stay. Thanks Martin. Thanks everyone for attending. Thank you.