Effective Application Access Controls in the Modern Business IT Landscape

Welcome everyone to our K call webinar, effective Application Access Controls in the Modern Business IT Landscape. This webinar supported by pass and speakers today are Carrie Curry I, she's VP Product Management Pass. And I'm Principal Analyst K call Analyst. Before we go into the sort of the main topic of our webinar today, some a little bit of housekeeping and first poll. So audio control, we are controlling everything you don't have to care about it. Polls we are, we'll run two polls actually during the webinar and discuss the results of time loss during q and a.

There will be a q and A session by the end and you can use the app, the, the tool, you have to enter your questions at any time and at least we are recording the webinar recording and presentation. Flat X will be made available for you. Download same place where you have been registering for the webinar. So with that, enjoy the webinar and become active directly now. Cause I wanna start with a poll and that is who your organization is responsible for application access control for line of business applications such as sap, such as Salesforce, and all the other types of applications.

So this is split across different departments depending on the application. Is it the SAP department? Maybe cause you're really an SAP shop, is it the IM department which is responsible for other types of access control for other types of applications or are others, are there other solutions? So looking forward to your response. And we leave, just follow open for some 25 to 30 seconds or maybe a little bit more. So please come back to and enter your responses here.

Okay, so then let's directly dive straight into the subject of today's webinar. As most of webinars, this webinars split into three parts. And the first part I'll talk a bit about application access control and how this relates to or versus IGAs or the identity governance and administration, which is the disciplines and identity and access management, where we look at managing users, their access, their entitlements and access governance across variety of applications. And the second part, and Carrie will talk about the benefits of the holistic application access management.

So across every single bit. And in the third part, we will have us already announced our q a. The more questions we have for q a, the better it is. This makes it more likely. So please enter your questions on the continue.

And where, where I wanna start is with the, this world of lot of business applications is really changing. It's changing for since a couple of years and it's changing away from a frequently relatively monolithic single vendor on-premises approach to an approach which is more hybrid, which is more vendors. It's probably more a few vendor than a multi-vendor approach in most cases, but it's increasingly a SaaS approach.

So, so for a reason, I painted this arrow a bit more up to SaaS and lesser to really multi-vendor, but there's a trend clearly towards SaaS multi-vendor, but also frequently built around one main supplier for certain carbon elements. Frequently its sap, not always, but frequently it's, and we expect the trend to continue because SaaS, it also means that the, there's a tendency to have sort of smaller chunks of line business applications which can be implemented rather quickly. It's the common deployment model. And so this is, this is really changing.

I I dare to say that from, from the research we do and the insights we have that still the majority of organizations are somewhere in a hybrid line of business landscape. Not everything is SaaS, but part of it ourselves. This is I believe a very important change. And when we look at it from an access control, from an access governance, from an access risk perspective, it means we, we need to figure out how we deal with that. So how do we, how do we manage that? And there are two aspects to look at. The one is death, so more that direction. The other is breadth with the various applications.

And we, we obvious need to give a bit bit of a special care to line of business application cause they are, this is critical. And when we look at what, what is happening in the audit space, I think it's becomes more and more clear that auditors take and must take a broader perspective beyond just purely financial data and financial relevant data. So the perspectives are getting broader when it comes to aspects like critical entitlements like this controls, where do I need to have it?

But we also have this situation we, we need to manage, let's start with users first before I go into the governance. We, we need to manage users in more applications now, including support for legacy specifics such as the ccp, central user administration integrated with, with commonly HR and H C M systems. But also I think we, we need to look at how does the, the standard iga, user management and user lifecycle management play into this.

Then we have the entitlements and I think we, we know all who have been sort of involved with lot of the applications that some of these have rather complex, unfortunately also some have a bit ever-changing models and they can be quite complex. They need optimization to, to be manageable, to remain manageable.

We, we need approaches on how can we generate all that stuff. So we need a lot of capabilities when it comes to managing these entitlements. And unfortunately in a, in a, in a multi vendor, even in usually a multi-product environment, these models are not necessarily consistent. So even from the same vendor when you take the virtual on-premises acquired SaaS applications, there may be, there frequently are major differences between these models.

But we, we need to manage all of these models. Well also because we need that in the SSD controls management, in the critical entitlement management, we need to integrate potentially to enterprise risk management, et cetera. So we need to give special care to that cause these applications are important.

We, and we, we need to be good managing these controls. Notably, we also need to give special care to SharePoint teams in those file service, whatever else. So it's not that we, we can't sort of avoid going into the deep details of these solutions, but for line of business applications due to the special role, it's still something which is of a specific importance. And we also need a breath here. So we need to, to look at how, how do we manage all these different applications.

I have mentioned one of the challenges we are facing is that we have more of these and we have iga on one hand we have, we have the, the application access control, application risk management or access control for line of business application, however you name it. These areas are overlapping, and I'll go a bit more into detail here in a in a minute. But basically IGA focuses on use lifecycle management.

So joiners movers, leavers, provisioning them, creating accounts and target systems and access governance across a wide range of applications, which frequently supports some of the lineup business applications. But depending on the vendor, maybe only some, not too many. And also depending on the vendor's, more or less of depth. The application X control world, on the other hand focuses primarily on land is applications and going very deep into details. Some of them, some of the players in the market really just do sap, some even primarily do SAP in the abap world.

Within that it's a bit about breath and depth, but we also see that there's some, some some increase overlap. And also from, again, when you go back to, to controls, we we, and we need to have in place when we look at the regulatory compliance of what audits are looking for, then also it becomes clear that the intersection is growing and we need to think about how we deal with that and, and for our environments really have a look at what is the best approach to do it.

So I change the wide range of applications beyond all the application access control tools, which come with rule books, rule optimization for these tools, et cetera. Frequently, very specific features for certain types of tools. When when I go further another bit here then and, and come up with a really a, a feature comparison, and this is really a very average I G A versus very average a c. Not not in the sense of very average negative, but when I look at multiple tools in the market, then some are stronger or some are weaker.

So it's not that all these tools are exactly the same, it is trust that, that we have some that are probably better than the error indicates some maybe less or weaker than the error and indicates. But we have things like provisioning to AD Azure active director on our enter id, Linux, et cetera. Clearly a domain of iga application access controls frequently relatively limited. So find a bit more aada enter id less of the rest of it e even more extreme potentially before exchange SharePoint.

But on the other hand, when look at sap, we see that both types of solutions are relatively strong while I g a comes to its limits, the more line of business applications we are looking at for the industrial license, we have some which have, have quite some good technology in iga, but it's clearly more the location access control domain. Better workflows tend to be in i g role management, even more sophisticated and ally role optimization, the more sophisticated in the AAC side, both, both have these access review, access analytics things.

But for instance, I commonly is lacking books of rules, standard standard sets of SOD controls, et cetera. You would apply in certain types of line of business applications but can be quite good when it comes to, to cross system approaches, use that service emergency access, not a common domain of i g There's access management, which has a bit of an overlap. Continuous controls management we see a bit more increasingly in the a c world. So it it becomes clear there's, there's an overlap even when we go really a bit further into the details, but it's not yet at least not yet the same.

And, and so I think the, the, there is some convergence we see, we expect to see more convergence but it's still our, to a certain extent different domains. And so we, we need to think about what is the right approach to deal with this. This also depends on the solutions. Cause clearly if we have one solution that it's a tendency an advantage over two solutions if it serves what we need. So what definitely should, should look at is at least timber. So getting away and getting rid of having different teams that do do little with each other. I think this is a very, very important aspect.

And so, so what you should look at is at least a certain level of unifying your organization. This is not, not not a specific model for this world. This is a standard target operating model for identity and access management. But these models help you to to, to structure your organization. There might be one team, there might be two, but there might be even more if you look at multiple end of business applications.

I, using back to the poll questions I raised, but define a target operating model where you look at the entire space of identity manager or in this case i g a application access control. And to understand who does what, who's responsible of what, what, which things are better than in common, which things are maybe better than separately define the responsibilities, define also where, where, where the interfaces are between different teams so that they can collaborate and doing things in an ideal way together. But this is a bit provocative, I know I think it's time to break down silos here.

I think we need to think more in a, in a, as a unified perspective with the world of of line of business applications changing. We still can discuss line of business applications versus other parts of it versus the more the individual person of it, et cetera. Totally fine with that and I think there are reasons for that on that. But I think we should get rid of product specific silos at least and then focus on functional and organizational organized silos that are looking at this more holistically.

This will really enable you to better deliver to the business also to make a split and according to, to a target operating model between for instance the business services, the business responsibility and the technical responsibilities. All that is in such a target operating model, but we definitely need to tackle that.

With that, I'm already done with my part of the presentation and I'd like to hand over right now to Carrie who will be doing the second part of the talk. Carrie, it's your term right now. All right, so let's now talk about the benefits of holistic application access management, what they mean to your organization.

So for those of you on today's call, not as familiar with path log, I'll provide a quick intro and then we'll get into today's content path log helps over 1300 customers worldwide automate their application access governance processes by providing a comprehensive suite to limit risk, automate controls, and reduce fraud. Our approach is to offer a complete platform to automate the most challenging aspects of access governance. We do this by focusing on areas which offer the most impact when it comes to efficiency gains and cost savings.

Access risk analysis, which is automating the reporting and mitigation of segregation of duties and critical access risks across the business and IT compliant provisioning, which is automating the process of role and user provisioning to ensure compliance with business and regulatory requirements. Access certification, which is automating user access reviews to continually refine entitlement assignments and reduce risk emergency access management.

Some I know as pam, which is managing temporary granting of privileged access with a domain specific workflow and role design, which is designing compliant roles compatible across all of your business applications. Our value proposition can be distilled into a few simple statements. Our advisory product and solution teams, our LED by certified info certified information system auditors with a broad experience across business applications we rely on today and may rely on in the future.

As I mentioned before, our approach of offering a complete access governance solution is unequal to the industry. Our solution is able to demonstrate unmatched r OI by leveraging our prebuilt rule sets connectors and controls content for rapid deployment. So you see immediate positive impacts from the efficiencies of automation or provisioning, simplified access certification activities and end-to-end audit reporting. And lastly, our unparalleled T C O value.

Our ability to integrate with other vendors as well as support significant numbers of applications for fine grain analysis and reporting enables you to move beyond multiple silo tools and into a singular comprehensive solution. Okay, let's get into today's presentation. As Martin already discussed, business mees are evolving quickly and with that comes the rapid expansion of line of business applications. Those applications require access strategies to be effective. We typically encounter three common situations when we engage with organizations to discuss access governance.

First, due to the proliferation of a line of business applications, organizations are dealing with a scale of distributed processes, all of which need fine-tuned access to be effective. Second, attempting to manage the controls for these applications and interconnected systems is often done manually via spreadsheets and often requires outside consultants to help untangle.

And lastly, we often, we've often found is that a lack of transparency and alignment across functional teams when it comes to designing, enforcing, and reporting on access, which in the end often creates a friction and compliance and audit reporting. Let's take a look at how we got here and how this is framed our point of view here at Path Walk. As Martin mentioned, access requirements and the controls auditing along with it have evolved in just the last 10 years. 10 years ago it was typically the ERPs that saw focus of access control audits.

This made sense as many organizations had the bulk of their processes operating within their E R P as specialized applications for human resources finance supply chain started to gain popularity. Those applications were then added into the audit mix, but mostly only so much as they were connected to the individual E R P. What we expect to see within the next five years is that the majority, if not all of the line of business applications will be in scope as the new normal for access analysis and audit reporting.

That's quite a dramatic shift and one that organizations need to start planning for. Now, just consider the advantages or advancements of AI in large language models, which will exponentially increase the processes that controls, that need controls and gen include generated from these tools may have, may have a greater pro risk profile that could slip through legacy identity tools. This table represents how the challenges of trying to manage across applications manifest itself with an IT audit and application teams.

Across the top you see the names of common ERPs and line of business applications and on the left hand side you will see the common access relevant objects that need to be considered. The models don't line up, which can cause gaps in UN in in scope of access which is needed, which can result in bloated privileges and inefficient processes. Where the real challenge lies is with the actions and permissions within these applications. It's highlighted in the red box center your screen. It is one thing to have a wide range of connections into applications.

It's another thing entirely to have the breadth into those applications to deeply understand and be able to administer the core activities within those apps. Your I G A vendor may have rule sets for a handful of applications, but without fine grain visibility for the actions and permission levels within those apps, there may be unseen segregation of duties violations. Now multiply that against the number of applications we're assuming will be in scope soon for access analysis and auditing.

And that should really highlight the issues with attempting to meet these challenges with your traditional IGA technology. This brings us to a point of view here at Path Block. As I mentioned into our introduction, we offer a complete platform to automate the most challenging aspects of access governance. Our advice for organizations is to build for the future, not for the past. That includes being risk focused by design legacy identity vendors built their solutions to speed up the process of getting users onboarded and productive more quickly. They didn't begin with the concept of risk.

This risk focused design also includes modernizing and automating controls so that we've aligned with business requirements. And this includes the ability to leverage best practice rule sets across your application ecosystem, getting away from the piecemealed and manual approaches to access analysis. Another key plan for the future concept we talk about a lot is to Halle the foundation to be able to mature beyond risk identification and into the mitigation of risks. And for example, prioritizing mitigation with things such as risk quantification.

And lastly, something that both Martin and I have talked about earlier in this presentation is the need to empower cross-functional teams of unifying that organization, surfacing the data and insights needed for them to reduce risk in their day-to-day roles. This would typically be my summary slide, but I also wanted to take the opportunity to introduce you to path logs approach to application access governance.

For those of you on the call that may not be as familiar with Path log, our application access governance solution is a comprehensive set of modular capabilities all designed to work together to offer a far greater reduction of risk than the traditional identity management or join or move or leaver type of offerings. Access risk analysis, this is our ability to analyze and report on access risks across segregation duties, data privacy and cybersecurity in one view at at a more granular level than any other solution. The first step to a more secure environment is depth and breadth.

As Mark mentioned and visibility of our risk landscape. We need to be aware of our risks in order to clean up our environment compliant provisioning. Here we are automating access provisioning with risk scoring and policy-based workflows. This goes beyond just provisioning access and includes the ability to perform preventative segregation of duties and critical access risk checks. So risk is addressed prior to provisioning, keeping our environment free of unaddressed risk access certification.

You review user access roles, risks and controls across your business applications while automated provisioning enables faster user access certification ensures we are reviewing and removing any stale access and could continually monitoring our environment and keeping it up to date. Elevated access management may also be known as pam. This is the ability to request approve and monitor temporary privileges users throughout your collection of usage data change log enforcement of controls and automation of the review process of elevated accounts. And finally, role design or role management.

We support the building of risk compliant technical and business roles with risk simulation analysis. So how does path log drive value and transparency throughout the organization For IT users, our automation capabilities drastically reduce it overhead and workload. This is true for everyday activities such as provisioning, as well as reporting requirements. This reduction allows IT teams to move beyond keeping the lights on mode and enables them to have bandwidth to address the ongoing enhancement and support requests from the business.

The security side of it sees the risk of breach reduced due to having continuous change monitoring in place. It can see as much as 50% of their access related tasks reduced with path log. Once again opening up their capacity to support business critical requests that are beyond keeping the lights on Business users get up to a 70% reduction, which largely comes from the automation of controls testing, but also in the reduction of time it takes for provisioning requests and user access reviews.

Granting a user's access in two days instead of something like two weeks significantly impacts the business user's experience, an ability to continue performing their job in a timely manner for internal controls and audit. Our customers have seen up to an 80% risk reduction when it comes to negative audit findings or the need to report material weakness. Another tangible benefit is we allow controls and audit teams to become more strategic. The ability to shift from a transaction based audits to risk-based audits increases the coverage and benefit audit brings to your organization.

Ultimately, path log enables it the business and audit teams to work better together. Before I hand it back over to the KuppingerCole team, Martin, I just wanted to say thank you for your time today and I hope you enjoyed the presentation. If you'd like more information on how Path Lock can help on your access governance journey, more information can be found@www.pathlock.com. Now I'll turn it back over to Martin and team for some q and a.

Carrie, thank you very much. I hope you everyone can hear well just go straightforward to the q a and as we're questions from the audience, the more questions better. But you already have a couple questions here tool and the first question I I'd like to look at, so, so if, if you as an organization say, okay, I, I wanna to make such a step, I want move forward from a sort of non holistic approach to holistic approach, how would you like to phrase it? How do you do that? What are the key steps and items to be aware of as part of such a process? That's a great question.

So moving from siloed approach or individual e R p holistic or individual approaches to a more holistic approach, our customers have found success when moving from, you know, that siloed approach to a more holistic one with the help of application and audit experts. So whether that be through pathos implementation services for example, or one of our partners, we bring experts to the table to help build a strategy that is not only compliant but maximizes efficiency and cost savings and provides for longevity as your organization grows.

So one of the keys there in moving from that siloed approach to a more holistic one is engaging in experts alongside a platform that will allow for that longevity and growth in your organization. I think those are the two key pieces or key elements is having experts on side so that you can move and understand granularly, you know, SAP versus Oracle cloud versus E B S and bringing that together into one approach. You're gonna need some experts on side, some out of box content is really helpful in terms of rapid deployment and approach.

But then I'll as well the platform which will enable you to actually have a holistic approach. Okay, great, thank you. And maybe before we go to the next question, I'll, let's do the second poll here, which is a bit related to the first poll but not exactly overlapping. This is really about ownership. So who owns application access control versus who owns identity and access management? Is this a common ownership combined one in your organization or not? Yes or no?

Again, I'm looking forward to your participation in this poll. I'm looking forward to results. I give you another whatever, 30 seconds, 40 seconds here.

Okay, I think we then can close that poll as well and let's proceed. So the second question I have here is, I think it's again one this, it's a bit related to to the first one, but I think it adds another angle. So how does a holistic approach to access or application access control affect on organizations for maturity level and or maturity model?

So, so does it mean you have achieved a certain level of maturity for that one tool and then you say, okay, I would cross everyone and you go down to to a way, way lower line baseline right now. So, so what is your experience here? Can you sort of transform your achievements from the past In terms of maturity and being able to expedite maturity or transition maturity from from one one platform or tool to another? There's a couple of thoughts there. One around achieving sort of maturity in general. So we're not mature, we're we're starting off.

There's things that can help in terms of rapid deployment and using the certified and validated content for example, especially within your, you know, those access governance main staples of audit, you can audit different types of rules, you can audit more rules, covering more modules of your E R P or or more business processes within and across your E R P and really ensure you're doing the doing so at a more fine grain level.

So really rudimentary level of maturity is being able to leverage content validated and certified content through rapid deployment that'll get you far greater ahead than starting sort of brush or new. Secondly, being able to leverage a modular platform approach. So implementing something like risk analysis and starting with segregation of duties, a critical access risk checks and getting clean and then implementing other modules to stay clean that are critical to, to application governance such as provisioning access certification.

That'll ensure you're covering more controls than ever with one platform and you're leveraging what you're using in segregation of duties for example, that rule set, you're able to leverage that in provisioning, you're able to leverage that with access certifications for example. And thirdly, in terms of where you're all sort of mature already, you're really mature in in now your access governance.

Choosing a platform where you're able to grow that's able to grow with your organization and offers continuous controls monitoring for example, where you can start to optimize compliance is gonna be key. Okay, great, great, great, great answer. And I'd like to continue directly with I think a related question which is about the metric to use when, when you look at these projects also in comparison to other projects. So when we talk about maturity we also talk about matrix.

I is a bit of specific matrix, so, but that's directly related to maturity as as we know, but it's an important, so, so what, what would be suggestion here? Sure. So the metric I would use is one of efficiency games via automation key in this area. So that can lead to, you know, can be tied to hard dollars of external consulting costs. When we look at gaining via automation efficiency via automation, it's related to the accuracy, accurate testing of controls and reduction of false positive.

That's less time that you're, you know, risk owners in your organization are having to review false positive information. It can create inefficient work streams and that really adds up. Keep in mind we can also work with existing I g A solutions and enhance or extend their capabilities. So overall I would say the ROI metric to use if in in access governance project, if you're trying to leverage that in your organization is one of efficiency gains through automation is the key. Ok.

Interestingly there, there came another question which is written about what are the common metrics can be used to measure organizations. I am maturity level. What I'd like you do here is to, to hint on, cause we're just showing in the background a bit of related research. There is also an advisory note of a call which looks at identity management maturity levels. And I think this is, this is a good one to look at when you look at what, what, what are are good matrix you can use to, or what, what is your maturity?

And so that might be something which is first to look at and I believe that last year's e c I've been, or this is e i c, I'm not sure at least for one of our European also giving that talk about the maturity levels and which matrix I would use and how to implement this. So there's some material available, this our research to, to look at and what I strongly believe is you need to spread these maturity levels. So you need a couple of metrics here because you have different areas you need to look at and you need to measure.

But obviously when you look at the metrics there are some, some very, very common ones which are around the numbers of going down, number of of accounts, the number of managed systems you have included. Also the number of of incidents when you go more to authentication, the password reset, the help desk calls and stuff like that you can use.

So there, there are definitely a lot of these, some material here already in our website. And what I like like to is the of the second poll, which were about the ownership question. It's interesting that it's really close to evenly split between, so a bit more than 50% saying we have common ownership and with less saying we have a split ownership of identity management application access control. What we observe is that more and more, at least this CSO becomes the one where, where the ownership comes together and have a responsibility also for the, the, the line of business application world.

It shifted over. Okay. So let's look at the, the remaining questions. I think we have at least one here.

Oh yeah, that's, that's a good one. So you have your standard line offices application, you may also have some custom applications here. How to deal with this if you're not only have commercial line offices. Applications carry A great question cuz most organizations will have some custom applications in some, in some in some ways.

You know, I think here that you want to partner, you know, with an organization or company such as path log that has expert, an expert in-house team that specializes in building these connections for custom applications that can then be integrated into, you know, our products. A specialized team can assess the feasibility and the benefit and the value of incorporating that custom application alongside your other commercial line of business applications.

You'll also want to do that alongside an experienced implementation team as, as well to ensure that you're steered in the right direction in terms of the overall strategy and ensuring, you know, those compliance and cost savings is a little bit of benefit value, you know, that you'll have to assess going through that, but you'll wanna do it with an experienced team, you know, that has a common connection framework that they're building and really leverage that to see if you're gonna get value and benefit of bringing that custom application into the platform alongside your, your line of business applications.

Okay, great. So thank you for all, all your insights and all your responses. Thank you very much for being part of the webinar and thank you to everyone listening, KU and Cole webinar, looking forward to have you this attend as well, one upcoming webinars, events.

Carrie, thank you very much to your, for your thank you Martin. Thank you very much past luck for supporting this webinar. Thank you.