Saviynt

The application landscape in organizations is getting more and more complex. Applications from vendors are more plentiful - or they differ very much from each other - and the combination of on-prem and cloud applications is no longer unusual. It's easy to lose track of all the different risks that are coming with that. Application access governance helps in unifying the different security perspectives. Martin sat down with Keri Bowman from Saviynt to take a deeper look into this topic.

For many enterprises, SAP systems are an essential part of their corporate IT infrastructure, storing critical business information and employee data. SAP systems have traditionally been a major focus area for auditors. It is therefore essential that all existing SAP systems are covered by an effective solution for managing risks, including managing access controls and SoD controls, and implementing adequate Access Governance.

As organizations accelerate their digitalization efforts to stay relevant and competitive in the marketplace, they must evaluate and embrace technologies that can not only support the enablement of their digitalization efforts but can also support the speed, scale and security required for such digitalization efforts.

Most organizations now use multiple cloud services as well as retaining some IT services on-premises, this multi-cloud hybrid environment creates many challenges for security and governance.

Conventionally, Identity Governance and Administration (IGA) products have been developed and deployed with a focus on on-premise IT systems and applications. While IAM leaders were still struggling with IGA solutions to deliver effective identity administration and access governance, the move to cloud with a need to support an increasingly mobile workforce has entirely changed the IAM priorities for organizations.

Enterprise platforms from SAP, Microsoft or Oracle, applications for highly regulated industries like finance or healthcare, even cloud services – all of them have their own unique and complex security models and each is usually managed by a separate team. Growing organically but even more so through mergers and acquisitions, a substantially large enterprise inevitably faces the challenge of managing risk and maintaining regulatory compliance across multiple and highly heterogeneous critical applications. Some of them are no longer even under their direct control and are managed instead by a cloud service provider.

The only viable approach towards tackling this enormous challenge is to design a holistic method to enforce access controls and implement access governance for all critical applications, on-premises and in the cloud. Only when these controls are applied uniformly and continuously providing organizations full and clear insight into every business application platform, can an organization assume that its assessments of security risks and regulatory compliance are based in reality.

Just like traditional IAM, CIAM requires identity governance to verify and maintain the required quality of the identity attributes collected from consumers. “Quality over quantity” should be your motto from now on: not only it ensures that the data your marketing and business analytics are based on is valid and up-to-date, it automatically reduces the risk of compliance violations, which in case of GDPR can be very costly. Given the widely varied level of trustworthiness of various customer-generated data (remember, “on the Internet, nobody knows you're a dog”), the importance of identity assurance increases dramatically. Depending on the industry and area of operation, integration with external assurance providers may even become a must-have feature of your IAM infrastructure, subject to compliance regulations. And, of course, scalability to millions (let’s be optimistic) of potential customers is another must.