Analyst Chat

Analyst Chat #114: Access Control Solutions for SAP Solutions

Access control tools for application environments, which include SAP in particular, but also a growing number of other business applications, are becoming increasingly important for compliance and cybersecurity. They also serve as a basis for granting proper access to employees efficiently. Martin Kuppinger and Matthias look at this market segment and at new, innovative solutions, on the occasion of very recent research that has just been published.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Martin Kuppinger. He is Principal Analyst with KuppingerCole and one of the founders of KuppingerCole Analysts. Again, we continue our tradition regarding talking about just recently published research documents, especially Leadership Compass documents. And today, we want to cover a market that is very interesting because it covers a specific type of business application. I want to talk about the Leadership Compass Access Control Solutions for SAP and other Business Applications. Hi, Martin. Looking forward to talking to you about that.
Welcome, Matthias, a pleasure to talk to you again.
So this market, SAP governance, usually what you would think of this is a solution that also SAP could provide, should provide, and does provide. How does this market, what does this market range from when it comes to looking at individual products that cover this governance market for SAP solutions and other business applications?
Yeah. And I think the point is "other business applications" and we also see an emerging term for this market, which I didn't use for the Leadership Compass yet which might be the one I use for the next edition, which is application risk management, which could be as a business application or line of business application risk management. And so what we have is every organization has some of these lines of business applications, these critical applications that are used for key processes and key tasks in the organizations like finance, like HR. So what has been called ERP, for instance, includes customer relationship management, what includes HR capabilities, supplier relationship management, and many other solutions. So there's quite a number of these applications that serve organizations. Kill these applications, and the access within these applications needs specific attention from a security risk management and a compliance perspective. So who can do what in these applications?
Okay. So when you look at the capabilities that these provide, I would initially think of, for example, managing segregation of duties violations, identifying them, rating the risk, understanding the risk, and getting to SoD violations and mitigating them afterward. I assume this is one of the core capabilities, but not the only one. What other capabilities were you looking at?
It is one of the core capabilities, and this is related to managing the access entitlements in general. So segregation of duties then is one specific aspect of managing access. And there's the aspect of managing the users and the accounts. There's emergency access management, so what happens in an emergency scenario? How do you handle temporarily elevated access of users? So these are some of the things we have in that area. And we also look at a few extended capabilities like hardening and other things. So it's relatively focused on access risk management in that world. But we all know that it's a very essential field. The major difference to the previous edition factually comes from the overall evolution we see in this market from being sort of mainly SAP-centric to becoming more and more heterogeneous.
Right. And I think we are also moving away from this traditional on-premises data center SAP R/3 type application, and more moving towards cloud-delivered solutions. So I think that also should be reflected in that market segment so that they are also covering more cloud-based solutions and also maybe delivered from the cloud, these solutions. Is that the case as well?
Yes, I think that's hitting the nail on the head. And so we also touched this in the previous edition but right now we put way more focus on supporting sort of an increasingly heterogeneous environment. What is happening? So we see also traditional SAP workloads moving to the HANA world, so to speak, S/4HANA, etc. But we also see that even SAP, due to acquisitions, has other SaaS solutions in their portfolio like Ariba, like Concur, and like SuccessFactors, which are in their approach to technology, their interfaces, in the way that they handle access risks different to the traditional R/3 or ECC world. And the other side is that specifically due to the evolution of SaaS, we also see more and more new players entering this market or other traditional solutions moving to as-a-service and becoming easier to adapt, so the heterogeneity of these solutions is growing. We see Workday, and as I mentioned SuccessFactors, Salesforce, solutions from Oracle, and many others being in the field and the overall observation is that many organizations right now have to deal with a more complex, more heterogeneous, or diverse environment of a line of business applications than they had before. And we don't expect this trend to change. So organizations need to prepare to handle a bigger complexity. This was a major focus in this new release of this document.
Right, but that also requires that organizations that use these technologies are willing and ready to, on the one hand, move their applications into the cloud and even critical workloads into the cloud, because HR is critical because ERP could be and can be and usually is critical. But application risk management delivered from the cloud is of course, as well critical. So this is a trend that we see in the vendors. Do you think that the market already is there? That the users, the organizations that use these solutions are already willing to go that extra mile to move access risk data into the cloud?
I believe so, yes. So even when we did the previous release two years ago a couple of solutions were already SaaS-based. And we see, I dare to say, all types of workloads right now moving to the cloud and that's also true for the critical applications, for the line of business applications. And so also this access, or application risk management, access risk management solutions are making this move. And we see a growing number of these solutions that sit outside for instance of SAP. We still have a very mixed field. So we have some solutions which are very neatly integrated into the SAP world, we have - and that focuses on the traditional world of SAP - we have others that come with components that can be integrated with SAP, and in other solutions, we have vendors that started as a pure SaaS solution. So it's quite a mix of different types of solutions. And I think then also makes it very important to read thoroughly, very thoroughly through this Leadership Compass because we try to highlight where are these different types of solutions a better fit. So if you say I need something really... I'm very SAP-centric, I will keep my SAP environment for quite a while. Then some other solutions might be perfectly suited for that don't fit if you say, okay, I'm adding more and more different types of SaaS solutions in my organization, I maybe also have a very global organization where some teams build their HR in Workday and others use that SaaS solution for this and so on. So it's very important to keep this in mind. But the general tendency of... also when you look at what SAP is doing, SAP is branching out of their SAP domain with the support they deliver. So everyone is, or the vast majority of vendors are looking at supporting this trend towards a broader heterogeneity in the target applications.
Perfect. And because you already mentioned it partially, I want to stress this as well. Leadership Compass documents shall help the audience to understand the market and identify the right solution for them and to apply their own criteria when selecting a potential solution or verifying their decision that they already made. So a product that is in the upper right corner or too far to the right within our visualization of this market segment, does not necessarily mean that this is the one-size-fits-all solution. Nevertheless, if we talk about this market segment, okay, we can think of SAP being in that market segment, what other names are relevant or that you came across or that you analyzed during this Leadership Compass?
Yeah. So again, it's always best to look at the Leadership Compass and it's hard, you know, not to forget one and two to sort of promote, to mention others maybe too much but I think we will see Pathlock in a very strong position, a company which derived from the former Greenlight GRC, which was an add on to the SAP access control for connecting to the outer space. They right now are active in this market. We see vendors entering this market more through acquisitions from a traditional identity management IGA layer segment like SailPoint. You know, we have Saviynt which is a vendor that plays somewhere between identity management SaaS, we also have quite some specialized vendors that really do this application risk management and I strongly recommend having a look at the report and as you said, no, don't just pick the one in the upper right corner or so, but read thoroughly through it. We provide quite a lot of detail about the capabilities and where is the product the better fit and how does it serve different types of, groups of requirements. You always need to come up with your understanding of what are my today's and future requirements and map this to products. So this is where then, Matthias, where your team comes in also with supporting our customers and making the right choice. So to speak, research delivers a standardized overview and a lot of detailed information. And you with your advisory team, are the ones who then can help the customer pick the right vendor for the specific requirements. This is very important in such a tools choice process.
Absolutely. I wanted to avoid my shameless self-promotion but then I do it as well. So that is true. The gathering of the right requirements and applying that for identifying the right solution is part of our daily work and that is really of importance. And I've seen this document already and it's substantial. It's a lot of pages of document, lots of data to take into consideration. So it's a good basis for the reader, but also us as advisors in supporting our customers. So I think we can close down here. It's an interesting market. It's an interesting document. It's published already, it's available through our website with a subscription or with a test subscription. Just go to and pick up the Leadership Compass in this market. And yeah, identify the right solution for you. And verify if you've made the right decision already. Thank you very much Martin for being my guest today. Looking forward to talking to you soon again.
Thank you, Matthias.
Thank you.
