Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Martin Kuppinger. He is Principal Analyst with KuppingerCole and one of the founders of KuppingerCole Analysts. Again, we continue our tradition regarding talking about just recently published research documents, especially Leadership Compass documents, And today, we want to cover a market that is very interesting because it covers a specific type of business application. I want to talk about the Leadership Compass Access Control Solutions for SAP and other Business Applications. Hi, Martin. Looking forward to talking to you about that.
Welcome, Matthias, a pleasure to talk to you again.
So this market, SAP governance, usually what you would think of this is a solution that also SAP could provide, should provide, and does provide. How does this market, what does this market range from when it comes to looking at individual products that cover this governance market for SAP solutions and other business applications?
Yeah. And I think the point is "other business applications" and we also see an emerging term for this market, which I didn't use for the Leadership Compass yet which might be the one I use for the next edition, which is application risk management, which could be as a business application or line of business application risk management. And so what we have is every organization has some of these lines of business applications, these critical applications that are used for key processes and key tasks in the organizations like finance, like HR. So what has been called ERP, for instance, includes customer relationship management, what includes HR capabilities, supplier relationship management, and many other solutions. So there's quite a number of these applications that serve organizations. Kill these applications, and the access within these applications needs specific attention from a security risk management and a compliance perspective. So who can do what in these applications?
Okay. So when you look at the capabilities that these provide, I would initially think of, for example, managing segregation of duties violations, identifying them, rating the risk, understanding the risk, and getting to SoD violations and mitigating them afterward. I assume this is one of the core capabilities, but not the only one. What other capabilities were you looking at?
It is one of the core capabilities, and this is related to managing the access entitlements in general. So segregation of duties then is one specific aspect of managing access. And there's the aspect of managing the users and the accounts. There's emergency access management, so what happens in an emergency scenario? How do you handle temporarily elevated access of users? So these are some of the things we have in that area. And we also look at a few extended capabilities like hardening and other things. So it's relatively focused on access risk management in that world. But we all know that it's a very essential field. The major difference to the previous addition factually comes from the overall evolution we see in this market from being sort of mainly SAP-centric to becoming more and more heterogeneous.
Right. And I think we are also moving away from this traditional on-premises data center SAP R/3 type application, and more moving towards cloud-delivered solutions. So I think that also should be reflected in that market segment so that they are also covering more cloud-based solutions and also maybe delivered from the cloud, these solutions. Is that the case as well?
Yes, I think that's hitting the nail on the head. And so we also touched this in the previous edition but right now we put way more focus on supporting sort of an increasingly heterogeneous environment. What is happening? So we see also traditional SAP workloads moving to the HANA world, so to speak, as for HANA, etc. But we also see that even SAP due to acquisitions, has other SaaS solutions in their portfolio like Ariba, like Concur, and like SuccessFactors, which are in their approach to technology, their interfaces, in the way that they handle access risks different to the traditional R/3 or ECC world. And the other side is that specifically due to the evolution of SaaS, we also see more and more new players entering this market or other traditional solutions moving to assess service and becoming easier to adapt, so the heterogeneity of these solutions is growing. We see Workday, and as I mentioned SuccessFactors, Salesforce, solutions from Oracle, and many others being in the field and the overall observation is that many organizations right now have to deal with a more complex, more heterogeneous, or diverse environment of a line of business applications than they had before. And we don't expect this trend to change. So organizations need to prepare to handle a bigger complexity. This was a major focus in this new release of this document.
Right, but that also requires that organizations that use these technologies are willing and ready to, on the one hand, move their applications into the cloud and even critical workloads into the cloud, because HR is critical because ERP could be and can be and usually is critical. But application risk management delivered from the cloud is of course, as well critical. So this is a trend that we see in the vendors. Do you think that the market already is there? That the users, the organizations that use these solutions are already willing to go that extra mile to move access risk data into the cloud?
I believe so, yes. So even when we did the previous release two years ago a couple of solutions were already SaaS-based. And we see, I dare to say, all types of workloads right now moving to the cloud and that's also true for the critical applications, for the line of business applications. And so also this access, or application risk management, access risk management solutions are making this move. And we see a growing number of these solutions that sit outside for instance of SAP. We still have a very mixed field. So we have some solutions which are very neatly integrated into the SAP world, we have - and that focuses on the traditional world of SAP - we have others that come with components that can be integrated with SAP, and in other solutions, we have vendors that started as a pure SaaS solution. So it's quite a mix of different types of solutions. And I think then also makes it very important to read thoroughly, very thoroughly through this Leadership Compass because we try to highlight where are these different types of solutions a better fit. So if you say I need something really... I'm very SAP-centric, I will keep my SAP environment for quite a while. Then some other solutions might be perfectly suited for that don't fit if you say, okay, I'm adding more and more different types of SaaS solutions in my organization, I maybe also have a very global organization where some teams build their HR in Workday and others use that SaaS solution for this and so on. So it's very important to keep this in mind. But the general tendency of... also when you look at what SAP is doing, SAP is branching out of their SAP domain with the support they deliver. So everyone is, or the vast majority of vendors are looking at supporting this trend towards a broader heterogeneity in the target applications.
Perfect. And because you already mentioned it partially, I want to stress this as well. Leadership Compass documents so shall help the audience to understand the market and identify the right solution for them and to apply their own criteria when selecting a potential solution or verifying their decision that they already made. So a product that is in the upper right corner or too far to the right within our visualization of this market segment, does not necessarily mean that this is the one-size-fits-all solution. Nevertheless, if we talk about this market segment, okay, we can think of SAP being in that market segment, what others are names that are relevant or that you came across or that you analyzed during this Leadership Compass.
Yeah. So again, it's always best to look at the Leadership Compass and it's hard, you know, not to forget one and two to sort of promote, to mention others maybe too much but I think we will see Pathlock in a very strong position, a company which derived from the former Greenlight GRC, which was an add on to the SAP access control for connecting to the outer space. They right now are active in this market. We see vendors entering this market more through acquisitions from a traditional identity management IGA layer segment like SailPoint. You know, we have Saviynt which is a vendor that plays somewhere between identity management SaaS, we also have quite some specialized vendors that really do this application risk management and I strongly recommend having a look at the report and as you said, no, don't just pick the one in the upper right corner or so, but read thoroughly through it. We provide quite a lot of detail about the capabilities and where is the product the better fit and how does it serve different types of, groups of requirements. You always need to come up with your understanding of what are my today's and future requirements and map this to products. So this is where then, Matthias, where your team comes in also with supporting our customers and making the right choice. So to speak, research delivers a standardized overview and a lot of detailed information. And you with your advisory team, are the ones who then can help the customer pick the right vendor for the specific requirements. This is very important in such a tools choice process.
Absolutely. I wanted to avoid my shameless self-promotion but then I do it as well. So that is true. The gathering of the right requirements and applying that for identifying the right solution is part of our daily work and that is really of importance. And I've seen this document already and it's substantial. It's a lot of pages of document, lots of data to take into consideration. So it's a good basis for the reader, but also us as advisors in supporting our customers. So I think we can close down here. It's an interesting market. It's an interesting document. It's published already, it's available through our website with a subscription or with a test subscription. Just go to kuppingercole.com and pick up the Leadership Compass in this market. And yeah, identify the right solution for you. And verify if you've made the right decision already. Thank you very much Martin for being my guest today. Looking forward to talking to you soon again.
Thank you, Matthias.
Thank you.
