Event Recording

Martin Kuppinger: Beyond SAP Security & SAP GRC: Reflecting the Changing Business Workloads


Defining strategies on governance, risk management, compliance, security, and identity beyond the SAP silo

Business applications are under change. While some remain on-premises and in traditional architectures, others have shifted to the cloud – and several of these being provided by specialist vendors such as Workday or Salesforce. The established vendors such as SAP also are changing their platforms, applications, and delivery models, while also acquiring SaaS vendors such as SuccessFactors and Ariba. The days of homogeneous, vendor-focused, one-stop-shopping business applications are past. Most organizations are dealing with a heterogeneous landscape of business applications, regarding both vendors and deployment models. While this raises the more fundamental questions whether IT organizations that still have a SAP unit are still reflecting today’s reality, or should undergo fundamental change, there is an ever more pressing need for delivering governance, risk management, compliance, security, and identity for all types of business applications and beyond to other parts of the IT services such as ESM/ITSM (Enterprise/IT Service Management) and newly born digital services.

Martin Kuppinger will look at this evolution and discuss what to change and how to balance depth of capabilities for certain environments with the need for broad support of heterogeneous (business) applications.

So, welcome to the audience. The topic I'm talking about today is in fact not only SAP security. I've titled my talk "Beyond SAP Security and SAP GRC: Reflecting the Changing Business Workloads", so defining strategies on governance, risk management, compliance, security, and identity beyond the SAP silo. And I think this is the point; I really touch on this last aspect, because what we observe is that the workloads are changing. And so for the next 20 minutes or so, I'd like to cover a number of aspects in this area, and I'd like to start with: you're not alone. And I think when we look at what happened over the last more than 20 years, but what has definitely sped up over the last few years, it is that business workloads have been changing. The way we deliver business applications, the way we deliver business workloads, really has changed beyond SAP ERP, the traditional sort of SAP landscape.
And this is happening for SAP itself, if you look at SuccessFactors, Ariba, and for others; Salesforce has been out there for quite a while. And that means when we look at this entire topic, it means the world of business workloads is becoming more heterogeneous. And we need to think about how we best deal with this changing world. And this is an interesting sort of challenge of balance, and that's what I touch on later, between the depth we need in this environment and the breadth, so the complexity due to the increasing heterogeneity we are facing. And overall, we see that there are a couple of trends which affect the entire scope or landscape of what we do around SAP security and access control. And one of these trends is that there's always the question of value. It is always harder to sell, even internally, that we want, or that we need, a security solution, a technical access control solution, as usual.
So if we can prove that there's more, that we can do more than checkbox compliance, that we can provide insight into how our business processes are working, that we can provide more positive value, then we are clearly on the better side of the story. We have better arguments for the investments and the technology we need. So we must think about what we can do. And I think outside of the business value, I've never been a believer in checkbox compliance, because at the end, it's about being really secure, being sort of ahead of the auditor, not always trailing the auditor. The second aspect, already touched on to some extent, is this changing systems landscape. And it gets even broader when we look at, for instance, the enterprise service management strategies a lot of organizations are following these days. That means we have even more here, we have an even bigger complexity, more vendors, and critical business information resides in many places today.
The other aspect is, and this is, I think, an ongoing challenge we have, we need to do it well with the business teams. So we all know that business people don't really like to deal with whatever T-codes and stuff like that. And so we need to do it in a manner which is sort of deep enough, but also usable enough. And so things are changing here. And at the end, we also need to deploy it in the context of this changing landscape. So when organizations are moving to S/4HANA, when organizations are adding other types of business applications that run as a service, then we need to be ready with all we have in access control and security to support this changing environment. We can't be the showstopper or the one who delays the business initiatives; we must be ready.
And that also requires that the way we run such services, whichever they are, is adequate to the requirements of the business. And one thing is very clear: we will always need tools. So we can't solve the challenges in securing business applications and implementing adequate governance for business applications without tools. We also need tools to translate, to automate, and to reduce complexity. And this complexity thing is something we must not underestimate when we look at what is happening in these environments. So the more heterogeneous they get, the more complex they become. So you have your user accounts and maybe roles and entitlements in system A, and some others in system B with a little bit different constructs, and then system C might use other terms again, and other concepts. And this complexity in a multi-system environment is extremely hard to manage.
So we need the tools to reduce complexity, and this need is increasing when our world becomes more heterogeneous. And so this is, I think, super essential to understand and to react to, to build the environment we are using to protect all these systems, to keep that always in mind. And also we must keep in mind that there are different perspectives. From a business perspective, from a technology perspective, there are things which are seen quite differently and are understood at different levels. So businesses understand the business activities, so the individual tasks; they understand how these tasks map into business processes, how they are part of business processes. That is what business people know. And at the end, this is also their perspective on who should do what. People know their tasks in the business, understand to which business processes they count. It already gets a little bit more complicated when we talk about business roles.
So roles are, and I talked about this in a previous KC Live event some few weeks ago, which was more about access governance, roles are an artifact. So they are artificial, and defining roles is always challenging. So here the problem in some ways starts, because we need to translate something the business is totally and sort of inherently aware of into some more abstract artifact, and so business roles, but still come from the business. And again, we all know that this is frequently a challenge, that the business doesn't work very closely sometimes with IT on defining the roles at the various levels. And then we have the technical artifacts, so all these system controls, whatever they are. And again, I think another level of complexity we are facing is that when we have a more heterogeneous environment, these artifacts, the technical ones, are not always the same.
So every vendor has its own ideas on how to manage security, how to manage access controls, how to manage all these artifacts in its own environment. Sometimes that even changes with new releases, or additional models are added. So when we look at some of these models, that makes it really complex, and it makes it even more difficult to understand for business people. So in the past, when we had this sort of homogeneous world of SAP R/3, it was easier because everything was somewhat the same. It isn't anymore today. And then we also have the data. So we also need to understand what it means, not only from a functional perspective, so who can perform which function, which transaction, but also the data. At the end, it is always the data we want to protect. And this also makes it more complex to understand how we set up this entire environment, and we need the technology here.
So a challenge clearly we have to solve with what we do in this space is that we need to map this business perspective and the technology perspective, as well as the artifacts on both ends. And so we have a business view, which looks at the entire thing from a business perspective, and we have a technology view. And so we have the business artifacts like processes, business processes, and tasks or activities, and we have the technical aspects from the various systems. And what we need our tools to do, to be successful, is to help us in managing this complexity, in reducing that complexity. And one aspect here is that we need translation. So translate the perspectives so that everyone sees what is really relevant to him or her. It is about mapping, so mapping these business artifacts and the business view to the technology view.
And it's about automation and insight, because at the end, at the technical level, we have so many different artifacts, like roles, like authorization objects, like entitlements. We can't manage them manually. We need something which helps us to automate, which helps us to identify where, for instance, the biggest risks are, which helps us gain the insight we need here. And that is, from my perspective, the reason why we need these tools and why we need adequate tools that are able to deliver this translation, so that we have a unified view of the business across the entire environment, and not one view on this system, another on this system and this system; and on the other hand, that we have the depth of insight we need at a technical level. So what's the key to success? I believe the key to success in today's environment is understanding that we need a broader scope for modern GRC, for business applications and beyond.
And when you look at what many, probably most, vendors are currently doing, they are expanding towards this broader scope. So when I look at some of the key requirements for successful GRC, so what it must provide today, then the first one always is the business perspective. At the end, the tools must deliver to the business. They must provide an interface to the business. They must provide their information in the language of the business. They must deliver the translation. That also means there must be a modern UI that works for every user, with dashboards, et cetera. Yes, you need the other UIs, which are very efficient for the tech-savvy users, for the ones who have to do a lot of work in that. But at the end of the day, it must be a good, modern UI that is targeted at the various groups of users that are using the systems. So not everyone is spending all day with these systems; not everyone's an auditor who runs audits every day or every second day or however. So we need to understand, and we must support, the fact that most users only look occasionally into the systems. Part of this entire thing is, as I've said, mapping. So terminology mapping in both directions, because business users don't want to understand tech terms and they should not be obliged to learn tech terms, and vice versa.
We need automation. With complex environments, with tons of data that we have for our security, with very complex entitlement structures, and when we go more towards the security events, with immense amounts of security events to handle, we need the automation which reduces the complexity and which analyzes where the things are that we really need to put our emphasis on. But we also need to be able to drill down into detail. If there's a red flag, we need to go down into it and understand what is behind that red flag. So we need this part as well.
I'm a strong believer that we need broad system support. That is clearly one of the interesting things to discuss. You also might come up with something which is a little bit layered, where you say this is my cross-system perspective we have on top, and then we have the specialized systems which help us to implement security and governance, risk, compliance for certain environments. Not necessarily one tool which solves it all, but you need to understand, at the end, you need to take a broader perspective, reflecting the changing reality of business applications, but also provide deep insight into the various areas.
Supporting flexible operating models also is essential. The world is changing, and we see that a vendor just recently called it "cloud first, multi-hybrid". So cloud first as the very common strategy, but at the end, we have a hybrid environment with different clouds we are using and with different types of deployment models, from on-premises to public cloud. And we should be able to deal with these environments in a flexible manner. And as I've said, last but not least, it goes even beyond the business systems. So think beyond that, think GRC and identity management together, think beyond the traditional GRC space, think about how this relates to identity and access management. We have a lot of sensitive data, and how can we map this? What is this enterprise service management, this business process management, et cetera, cybersecurity when it comes to the security analytics part? There's more to integrate with, and what it needs, from my perspective, is a broader plan on this.
So what we need is breadth and integration across applications, deployment models, so it's the connect part; the depth to analyze; and we need the ability to deliver these solutions. So I think it's a good time to think a little bit broader about what we are doing here, still having the depth, but adding more breadth than we had before. And I think a lot of this starts also with, and affects also, the way our organizations look. And that is what I want to do; maybe some of you feel this is being a little bit more provocative, but I think it's important now: some sort of a, let's call it a call to action to the CIO, because with business workloads changing, with business applications changing, we need a modern and adequate organization here. And when I look at many of the discussions I see around access control and GRC for SAP and other environments, then many of these are because there are certain organizational silos. And I think it's time to think about breaking down silos. I think if we think in these silos, we better think in a business application or service silo holistically, or we even think about which responsibilities should remain in IT and which should be shifted to the business organization, where IT is more of a supportive organization as a pool of resources. I think it's time to rethink how the organization must look. And that is the job of the CIOs of today. Thank you.
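The talk's central technical point is that each system exposes its own artifact type (roles, profiles, permission sets, authorization objects), so risk can only be judged once those artifacts are translated into business activities and viewed together across systems. The following is an added illustration of that translation-plus-automation idea; it is not code from KuppingerCole or from any GRC product. The system names, artifact names, users, activity map and SoD rules are all constructed for the example, and the rules are deliberately expressed in business terms so that a conflict spread over two systems (for instance vendor maintenance in a procurement SaaS and invoice posting in the ERP) is still found.

```python
"""Unified business-activity view over heterogeneous entitlement exports,
with a segregation-of-duties (SoD) check and risk ranking.
Illustrative code only; all data below is constructed for this example."""
from collections import defaultdict

# Constructed exports: each system uses a different technical artifact type.
SYSTEM_EXPORTS = {
    "erp": {"artifact": "role", "assignments": {
        "alice": ["Z_AP_INVOICE_POST", "Z_VENDOR_MAINT"],
        "bob": ["Z_AP_INVOICE_POST", "Z_LEGACY_REPORT"],
    }},
    "hr_saas": {"artifact": "permission_set", "assignments": {
        "alice": ["PayrollAdmin"],
        "carol": ["PayrollAdmin", "CompensationApprover"],
    }},
    "procure_saas": {"artifact": "profile", "assignments": {
        "bob": ["PO Approver", "Supplier Manager"],
        "carol": ["Supplier Manager"],
    }},
}

# Terminology mapping: (system, technical artifact) -> business activity.
# This is the "translation" layer; it is maintained jointly with the business.
ACTIVITY_MAP = {
    ("erp", "Z_AP_INVOICE_POST"): "Post vendor invoice",
    ("erp", "Z_VENDOR_MAINT"): "Maintain vendor master data",
    ("hr_saas", "PayrollAdmin"): "Run payroll",
    ("hr_saas", "CompensationApprover"): "Approve compensation changes",
    ("procure_saas", "PO Approver"): "Approve purchase order",
    ("procure_saas", "Supplier Manager"): "Maintain vendor master data",
}

# SoD rules in business language, each with a constructed risk weight.
SOD_RULES = [
    ({"Maintain vendor master data", "Post vendor invoice"}, 9),
    ({"Maintain vendor master data", "Approve purchase order"}, 7),
    ({"Run payroll", "Approve compensation changes"}, 8),
]


def unified_view(exports=SYSTEM_EXPORTS, mapping=ACTIVITY_MAP):
    """Return {user: {activity: [(system, artifact), ...]}} across all systems.
    Artifacts without a mapping land under the key None so they are not
    silently dropped; an untranslated artifact is a governance gap too."""
    view = defaultdict(lambda: defaultdict(list))
    for system, export in exports.items():
        for user, artifacts in export["assignments"].items():
            for artifact in artifacts:
                activity = mapping.get((system, artifact))
                view[user][activity].append((system, artifact))
    return {user: dict(acts) for user, acts in view.items()}


def sod_findings(view, rules=SOD_RULES):
    """List (risk, user, activities) for every rule a user violates,
    highest risk first. Because matching is done on business activities,
    a conflict split across two systems is detected like a single-system one."""
    findings = []
    for user, activities in view.items():
        held = {a for a in activities if a is not None}
        for conflict, risk in rules:
            if conflict <= held:
                findings.append((risk, user, tuple(sorted(conflict))))
    return sorted(findings, key=lambda f: (-f[0], f[1]))


def unmapped_artifacts(view):
    """Technical artifacts nobody has translated yet, sorted for reporting."""
    return sorted(pair for acts in view.values() for pair in acts.get(None, []))


if __name__ == "__main__":
    v = unified_view()
    for risk, user, acts in sod_findings(v):
        print(f"risk {risk}: {user} holds {' + '.join(acts)}")
    print("unmapped artifacts:", unmapped_artifacts(v))
```

Two design choices matter for the point made in the talk: rules and reports are phrased in business activities, never in T-codes or profile names, so a business owner can review a finding without learning the artifact vocabulary of each system; and unmapped artifacts are reported rather than ignored, because in a growing multi-vendor landscape the mapping table is the part that ages fastest.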
