Webinar Recording

Effective Identity Access Governance in Hybrid SAP Environments


Increased cyber threats and regulatory requirements for privacy and security make staying on top of user roles and access rights in hybrid IT environments more important, and more challenging, than ever. That makes it essential to understand the real risks and how to mitigate them effectively with modern GRC capabilities.

Join IAM experts Martin Kuppinger, Principal Analyst at KuppingerCole, Anna Otto, Customer Advisory Expert for SAP Security & GRC at SAP, and Steffen Trumpp, a Solution Advisor Expert at SAP, for an in-depth discussion of modern IAM challenges and solutions, especially in the context of traditional SAP environments and SAP Cloud applications such as Ariba and SuccessFactors.

Martin Kuppinger looks at the evolution of the IAM (Identity and Access Management) and Application Risk Management (ARM) markets. He explains how to support in-depth management of SAP environments, including the cloud-based applications, while also supporting the broader IT environment, and discusses strategies for convergence and integration.

Anna Otto and Steffen Trumpp provide an overview of SAP Cloud Identity Access Governance and how it can simplify management of users and authorizations in hybrid IT environments. They also discuss the benefits of activity monitoring, risk simulation, and automation in terms of regulatory compliance, efficiency, and security.

Welcome to our KuppingerCole webinar, Effective Identity Access Governance in Hybrid SAP Environments. This webinar is supported by SAP, and the speakers today are Anna Otto, who is Customer Advisory Expert at SAP, Steffen Trumpp, who is Solution Advisor Expert at SAP, and me, Martin Kuppinger, Principal Analyst at KuppingerCole. Before we dive into the subject of today's webinar, I want to quickly hint at a few upcoming webinars and upcoming events. We have a series of KCLive events, our fully online events: in June around cybersecurity fabrics, in July around the future of identity and access management. And in November we'll have our Cybersecurity Leadership Summit, a hybrid event to be held in Berlin or online, which is then, as the name says, about cybersecurity topics. Then I have a couple of housekeeping items. Audio: you don't need to care about it, you are muted centrally, we control these features.
We will do a Q&A session at the end of the webinar. I always encourage everyone, and appreciate it, to send a lot of questions from the audience, because then we can have a lively Q&A session, and you can use the opportunity to directly ask your questions to the experts. We are doing a recording; we will provide the podcast recording soon after the webinar, and we will also provide access to the slides. Last but not least, we do polls during the webinar. In this case we have two polls prepared, which are quick polls, and I always like to see a lot of people participating in these polls so that we have some good results out of that. That directly brings me to the first poll, which is about understanding a little bit which types of line of business applications, such as SAP, SuccessFactors, Salesforce, etc., you have in place in your organization. So is it primarily SAP? Is it both legacy and modern SAP? Is it a multi-vendor environment, or is it mostly a SaaS multi-vendor environment? Please pick the one which fits best for your organization.
I'll leave this poll open for 20 to 30 seconds. As I've said, the more people participate in the poll, the better the results are, so I'll give you another 10 seconds and then I'll close it. Okay, all done. Then I'll close this, and thank you very much for supporting this and participating. If time allows, we'll pick up the results during our Q&A session, as we will also do for the second poll later. Right now, let's have a look at the agenda of today's webinar, which, as for most of our webinars, is split into three parts. In the first part I'll give a quick overview of where I see, on the one hand, identity and access management, specifically access governance, and on the other hand access risk management, or application risk management, and the intersection between these two areas, and where I see this heading.
So what is happening here? This is my, I would say, a little more high-level analyst perspective on that. In the second part, Anna Otto will then go way more into detail and look into the specifics of SAP Cloud Identity Access Governance as a solution that supports simplified identity and access management, and specifically governance, in hybrid environments. And as I've said, the third part of our talk will be the Q&A session. Again, the more questions we receive for the Q&A, the better it is, and you can enter the questions at any time using the GoToWebinar control panel on your screen. Where I want to start is with the change in the line of business world. When we look at what happened over the past years, there were quite some impacting factors in how line of business applications, so ERP, HR and all the other types of business applications, are changing in the way they are deployed, and in many other aspects as well.

I think the two most important changes are depicted in this matrix I have created, which on the vertical axis looks at the type of deployment, so on-premises, hybrid and SaaS, and on the horizontal axis at single-vendor, few-vendor and multi-vendor approaches. When we look at the overall tendency, we see a tendency from the lower right area more to, I would say, the upper-middle area, in the sense that we clearly see an uptake of SaaS solutions in the line of business applications market. But we also see that there's still a lot of legacy around, and as all of us who have been long enough in IT know, legacy has a tendency to stay for quite some while and not always disappear easily.
So it's a transition phase, a modernization of solutions. That is definitely also partially due to the fact that we see more and more SaaS, and SaaS is relatively easy to deploy, and sometimes also more granular types of solutions, so that we see some tendency towards more than one vendor, at least few-vendor solutions. But what I observe most currently in the market, what we observe most from our analyst perspective, is this clear strategy towards SaaS, having it in some sort of as-a-service deployment, with some tendency towards multi-vendor, but usually sticking to one main supplier. So not just picking best-of-breed, like "this is the best for HR, this is the best for this, this is the best for that" and so on, where maybe for every unit you pick something different, but saying, okay, we have something which builds the core, and we complement it when required with other specialized solutions, SaaS solutions. And specifically over here in Europe, but not only in Europe, that main supplier surely is SAP, has been SAP and still remains SAP. So this, I think, is the reality: we have a lot of organizations which build their line of business applications environment around a strong core of solutions delivered by SAP, but also with the modernization within the SAP world, and with many of the other applications such as SuccessFactors and others.
I think we also clearly have one advantage in this overall evolution: the more modern solutions we have, the easier it becomes to integrate and orchestrate them in today's world, where we get more powerful orchestration tools and where we have APIs to integrate. So I expect from my analyst perspective that this evolution will continue over the next years. Having such an environment, which is in some way hybrid, to a certain extent not single-vendor anymore, means there's a need to manage that: to manage the identities, to manage their entitlements, to implement the adequate level of governance. And this always requires two aspects. One of them is depth.
Everyone who's familiar with line of business applications knows that they frequently are complex, that they have a lot of detail as to what can be done, and that there's also a need for a very sophisticated, phrased that way, management of entitlements, of who can do what, of segregation of duty rules and other things. So line of business applications in the end need special care. This is the nature of many of these applications: they are business critical. So we need to understand what the risk is, what is happening. We need to comply with regulations, starting with enforcing a least privilege principle. And so we need the ability to manage the users in all the different line of business applications and to have, for instance, a good deprovisioning process to get rid of someone who's not in the organization anymore. This also might go into supporting legacy specifics, central user administration, et cetera.
It goes into close integration with HR and HCM systems. We have that world of entitlements, which frequently have way more complex models than we see in other applications. I assume probably everyone who's listening to this webinar is familiar with SAP environments, so you probably know better than me how complex and deep the entitlement and access models in that world are. But there's also the need for optimization. Specifically in the SAP world, we see quite a number of solutions that help in optimizing roles based on best practices. I think this is an advantage of the line of business world, where in the end, for whatever financial system in a certain industry, you can work with best practices, because some things will be more or less the same in every organization.
So there's this option where you can go very deep, very automated, and also generate entitlements automatically, et cetera. There are a lot of things you can do, but they are very specific, and you need depth to be efficient in these complex environments. You need the depth of SoD controls built on standard rule books, or however you name these standard sets of SoD and critical entitlement rules, and also the integration with enterprise risk management, because, as is also one of the learnings over the past years, access risk is business risk, and things that go wrong in access, for instance through an attack, can even kill your organization. So we need this depth in capabilities, but we also need breadth in capabilities; we need something which is broad. And this is where this interesting intersection between, let's call these two areas, IGA and ARM comes in.
IGA stands for identity governance and administration, ARM for application risk management, and there are specifics to where they come into play. IGA tends to support a wide range of applications, way beyond line of business: the Active Directory and Azure AD support, a lot of technical stuff, a lot more system-level things. On the other hand, application risk management comes with these specializations, like the rule books, like role optimization for line of business applications, like all the SAP-specific features that help you drill down into the very detail and get a grip on rather complex system environments. And then there are things which are somewhere in between, like provisioning users. We need to provision users, to create accounts in the right places, the user lifecycle management, joiner, mover, leaver and more, the access reviews, the SoD controls, which you find in both areas.
In the end, it's a little bit about IGA with breadth and ARM with depth in the capabilities. I think it's very important for everyone to understand which of these tools can help you in which part of your IT, and how they intersect. And they do intersect. I'm a strong believer, and I've been preaching this for years, probably more than 10 years, that there's a logic in not keeping these things separate, but in understanding that there's an intersection, understanding how this intersection is best built and how you integrate the different worlds. For many or maybe most organizations it'll not be an "or", just saying I use that one or that one; it will be both. And then it's about integration. That leads me to my final point already for today, which is about teamwork. With this changing world, where you see more vendors, where you see different deployment models, where you see the world getting more hybrid, and where we have this intersection between IAM and ARM, it's important to also build the organization in an appropriate manner.
This is a more standard target operating model for identity and access management, so it is not specific to application risk management or to the ERP world, but what I strongly recommend is to work with such a model: look at what the main functions are, the main things, the main jobs that need to be done, which are the different organizations, and who is then responsible for what, where does it overlap, how does it maybe also change when you get more SaaS services, how do you handle all these things in an appropriate manner? Because the solutions are not isolated. You need a technical integration and you need an organization that is a unified organization, from my perspective, not one where there are two different parts which rarely really work with each other.
I think it's really time to move to a teamwork approach in this intersection and to apply an adequate organization that helps in dealing most efficiently with all the various issues we face in IGA and ARM. With that, I move over to the second poll for today, which is about responsibility, and I just touched on the target operating model aspect. The question is: who in your organization is responsible for the application risk management for line of business applications? Is it a different department per line of business application? Is it the SAP department, if it exists? Is it an IAM department, which also cares for the line of business applications and for the specific tools? Or is it something else? So I'll start this, and again, I appreciate your participation in this poll; the more people participate, the better it is, so don't be shy. I'll leave it open for another 15 seconds, so please take part. A few more answers would be super, don't be shy. Okay, thank you. With that I'm done with my part, so to speak the intro, and right now I'd like to see Anna and Steffen on the virtual stage.
Okay, yeah. Also a warm welcome from our side. I'm Anna Otto, Customer Advisory Expert in Germany for the identity and access management solutions of SAP, and presenting today with my colleague Steffen.
Yeah, my name is Steffen Trumpp, I'm a Solution Advisor Expert for GRC and security in the region Middle and Eastern Europe at SAP. We would like to start with a picture you maybe somehow know, and that maybe says that IAG is still a challenging task for many companies. So many users, often distributed over the globe, request access, and usually they don't care much about access compliance; they just want to work, without any bad intention. I don't know how you experience it in your company, but usually management, let's say, also does not have dedicated technical knowledge about access rights. They just want it fast and cheap and compliant, of course, because the auditors, which you see on the bottom side, from an internal side and from an external side, usually look at this topic, the access governance topic, and they look at it in detail. So if somebody has critical access rights or there's no segregation of duty, usually they say that's not okay and you have to change something. And that handling is usually not easy, is it?
No. So we have three different stakeholders having, I would say, different requirements, and in the middle is the operations team, which, yeah, can find creative ways how to handle these requirements.
Well, then let's have a look at the solution. The solution's name is SAP Cloud Identity Access Governance, and it consists of five main functions. The first function, and this is a kind of core functionality because it's also used by the other functions, is the access analysis function. There you can identify single critical accesses, but also critical access combinations a user might have. It also comes with a pre-defined risk template, which I will show on the next slide later on. This functionality is then really used by the other functions, like, for example, the role design, where you can manage and optimize your business roles, so create some without access conflicts, segregation of duty conflicts, and you can also use machine learning functionality to even improve these business roles over time. Then another main functionality is the access request functionality. It's an easy self-service functionality.
We will also show that later on in the live demo. There you can, of course, also include the access analysis. That means if you request something and it contains a certain access risk, the approvers will see it and they can decide if they still want to approve, or if they want to change it. With that functionality, you have the guarantee that the given workflow you defined in your company is really followed, with a really nice, efficient, user-friendly, secure and compliant process. The fourth functionality is the access certification functionality. This is a review of the assignment of access on a regular basis, and you can define what the regular basis is, whether it's monthly, weekly, yearly, whatever, and for which applications and users it should happen. There's also a workflow behind it, and the managers or responsible people can then confirm or change the access of users during the certification process.
And last but not least, the privileged access management. It's really an important function from a compliance perspective, because there you can give temporary access with critical authorizations to users, so for example to administrators and so on. The very interesting thing here is that we also monitor the activities the user has done in the system. So it's not only the granting of critical access to the user, with a given workflow of course, but also the monitoring of what then really happens in the system. As I said, it's often used for administrators; the external auditors also really force customers to use such a functionality, but it can also be used for stand-ins for people who are on vacation or maybe sick. So that's the overview of the functionality. Let's go a little bit deeper on the topic of risk definition. As I said, we already deliver a rule set with the product.
On the left side, you see the structure of the rule set. The concept is that on the one hand it's defined in business language and business processes; we will also see in the system how this looks. But then we break it down into functions. It could be either one single function, so a single access, or a combination of critical functions. Then we continue to break it down to the lowest level that is possible, let's say it this way. So for the classical ERP world, or the S/4HANA world, we go down to the action and permission level, and for other applications like Ariba we go down to the group level, which is the deepest level there, and we check the critical combinations on that level. That's why overall we have a combination possibility of more than 500,000 critical authorizations in the rule set that we already deliver with the product. As I said, it checks on that level automatically, and the business users can then see the details. We will also see that in the demo, but they also see the business description of the risk, and then they can decide if they maybe want to accept the risk, if they want to mitigate it, or whatever. I already mentioned ECC, so ERP and S/4HANA content, but we also deliver content for the cloud applications like Ariba or Integrated Business Planning, or the other ones you see on the list.
There's also the possibility to do a cross-system analysis, so not only for one system, but also for a combination of two. Well, anything to...
Yeah, you actually said it already, but just to be sure. The idea is, first of all, to monitor the authorization risk, be aware of it, then, if possible, refine it, so removing access if it's not used or not necessary. Sometimes that is not possible; that depends on how many employees you have in a certain area, or it could depend on the process as well. So in case the authorization risk is necessary, you can accept it and mitigate it in the system, and therefore document that it is a risk that you are aware of, but that you accepted.
Yeah, great. I would say let's have a look in the system. Yep.
Okay, so I'm switching to the demo system. The user I'm logged on with has a lot of authorizations; we can see that there are a lot of Fiori apps in here. First of all, we want to take a look into the systems that are connected to our demo system. For the demo scenario, we have an Ariba system, we have Azure connected, and we have an S/4HANA Cloud as well as an S/4HANA on-premise system. So IAG is capable of being connected to on-premise systems as well as cloud services, but on the demo system we're not using all that is possible or that IAG is capable of. Therefore I just wanted to show that when we create a new system, you see all the possible connections we have for now, and there are still more coming.
So it would be possible to connect the Business Technology Platform with Cloud Foundry, and LDAP: if you have a system speaking LDAP, that would be a possible connection. Azure, of course, we had. And then this one would be the connection to Access Control; we're going to look at that a little bit later, in case you have a hybrid scenario. And then of course cloud services like Ariba, Concur, Fieldglass, Marketing Cloud, IBP. So there are already a lot of systems or possible connections in the list, and there are more coming; basically every deployment comes with new connections. Those are generally the systems and how to connect them. Then let's have a look into the risks we have in this system, which is the pre-delivered rule set Steffen was just talking about. It's a long list of risks that is in the system.
As Steffen said, some of them are critical authorizations, some are segregation of duty, so combinations of critical authorizations. You could either scroll down that list, or, what we're going to do, look into specific ones that will give you a little bit of an idea of how it looks. The first one I selected is mainly Ariba authorizations, a segregation of duty risk for an Ariba system. Then we can look into the functions, and first of all we have the action level, so that is basically the action in Ariba, and then on the permission level you see the group that Steffen mentioned already before. That is the level of detail we get for an Ariba system. Then let's look into another one that is for S/4HANA Cloud, which shows a little bit more. This one is a critical access risk.
You can see that there's only one function, so if you have authorizations for that functionality, you would already have an authorization risk. If we look into the permissions area, first of all we have the system and the action in S/4HANA Cloud, and then we have the authorization object, the field, and then the field value. So for example, here you can see that we're actually checking for activity 02 or 01, which would be change or create. 03 would not be part of the rule set, because that usually is not a conflicting functionality; it's just a display functionality. Additionally it's possible, but that's something that has to be defined by every customer, to use the organizational value. Sometimes it could be that you're saying risks are only relevant in certain organizations, for example.
That would be a possibility to add this information to the rule set. By saying that: we have a predefined rule set, but you can always change it and adapt it to your needs, and that would be one possibility how to do that. So these would be the functions, the actions in S/4HANA Cloud. Let's also take a quick look into an old setup, old, I shouldn't say that, for an S/4HANA on-premise system. This one is an on-premise system, and here you can see that we have the action, which in an ECC system would usually be a transaction code, but in S/4HANA it could also be a Fiori app. Those are maintained in the rule set as well, so we check either for the transaction code or for the Fiori app on the S/4HANA on-premise systems.
Well, maybe, Anna, we also look at the cross-system risk. I think that maybe is also of interest.
Yeah, so we now also have cross-system risks, predefined cross-system risks. This is one of them. When I look into the first function, I can see that it's for an S/4HANA on-premise system, so in this scenario we only have transaction codes, and those are possible functions on an S/4HANA on-premise system. The second function is only on S/4HANA Cloud. So in case you have both systems in use, you could use this cross-system risk to identify possible authorization risks there. Then I would go to the next part, which is the access analysis: how does it look if a user has authorization risks, how do we, I would say, display that, and which kind of possibilities do you have there? First of all, we have a list of the users which have authorization risks.
I'm going to search for a specific one, and you can see that on the first screen we see whether there are SoDs, so segregation of duty risks, or critical accesses for the users the system is finding, given my search term. Then let's look at this specific user. This specific user has two authorization risks, just critical access, so both of them are critical access authorization risks, and one of them is already mitigated. That was the mitigation I mentioned before: it's possible to assign a mitigation control to document that you are aware of that risk and have the risk under control. Having this one risk mitigated results in a 50% access compliance, because that user has two authorization risks and one of them is mitigated. The access effectiveness is related to whether someone reviewed the authorizations and removed unused authorizations.
This wasn't done for this user, therefore the result is zero. This user has one authorization role assigned; in this scenario it's for S/4HANA Cloud. We can look at the details of the authorization risk, and you can really drill down into the details: what is the reason why the access risk was found? Here we see where the authorization is coming from, so this is the authorization assigned to the user that is creating the authorization risk. Then we see that it's on an S/4HANA Cloud system; this would be the authorization object, and in this case it's activity 01 and 02. So you can really drill down to the depth level we heard about before. You can really find what is causing these authorization risks. And in case you say, okay, I want to accept that, it's necessary for that user to have that authorization risk.
You can assign mitigating controls. One is already assigned, so I'm going to do that for the second authorization risk as well. First of all, I select the control, and second, I select a group of people responsible for monitoring that control, so you always have someone responsible for monitoring the authorization risks. Then the assignment has a validity; I'm just going to assign a short one, as it is a demo system. That validity is just how long the mitigation control is assigned; afterwards the mitigation would be removed. Once I save that, the mitigated risks should go up, and now it's 100% access compliance. I'm not going to save it completely because of the demo scenario, so we're just going to exit there, but that's how it would look to have a user and how to monitor the authorization risks of a user. Then let's have a quick look into the access request. We have an access request inbox if I'm an approver, I can create an access request for myself, and I have an overview of the status, which we're going to look at soon. What I'm going to do is create an access request for others, so I'm going to create one for the user we just saw.
And, yeah.
So it's possible to search for applications or for authorizations. First of all, you can search by the name, but then you can also search by certain applications, which would be the systems, and we also have different business processes, et cetera. So there are different possibilities. What we did is prepare, or select, some which we're going to request. The first of them is for an Ariba system, and the second one is for an S/4HANA system.
That would be the one for the S/4HANA on-premise system. I'm going to request both of them and create the access request. Then I have to select the reason; that is something you predefine in your system, so kind of a customizing configuration of IAG. In our demo system there is no manager assigned; that's something which would also be part of the configuration, and as there is no manager defined for that user ID, it just goes to a default group of possible approvers. So I selected one of them. Then we have the Time Sheet Manager on the Ariba system, and on the Ariba system we don't have a validity period for authorizations, but on the S/4HANA system we have that functionality. So what I would do is request the authorization assignment for a certain time period as well. I could upload an attachment if I want to, but we're just going to submit the request. Then we see the number 96 that was created. What I'm going to do now is jump to an overview of the access requests and the one we just created. I see the authorizations that I requested, I can see who's going to be the approver, and that's what we're going to jump to now: the approver for this access request. I'm going to switch the user ID and log on with that other user ID to approve the access request and show you how that would look.

Now we go to the inbox, and there should be, yeah, there's the access request we just created. We can see now that there are three risks occurring, because one of the roles I requested, the Accounts Payable Clerk, apparently has an authorization risk, so that would result in the user having three risks. For those who are a little irritated because there are zero risks mitigated: that is because I didn't save it before and it's not really confirmed yet. That's the reason why in the access request we still see zero risks mitigated, because I cancelled before. Now I have those two authorizations and I can remediate the risks, so I can check whether I might want to assign some controls, or what I could also do is say I'm going to approve the first one but reject the second one, because that one results in an access risk.
And if I simulate that, it shows that there are now no risks, and the user would again have just two risks. But we're going to approve both of them, simulate that again, and then confirm. Now I can submit the request. Unfortunately, in our demo system there are three stages of approval, so I'm stopping here with the access request due to time constraints. I'm just going to quickly show you one thing that I wanted to show you with the other user ID and that I actually forgot about. SAP Cloud Identity Access Governance comes with a dashboard, and we have a risk trend by quarter, so you can see whether more risks were occurring or whether they were reduced. In our scenario it looks good: the risks were reduced over time. We have an overview of how many authorization risks are violated, and then by the different categories.
So all the risks have a risk level. We have an overview: right now there are seven applications connected to the IAG, and all of them have users and authorizations, so all of the systems actually have users on them. The second one shows you business processes with violations. Right now we have 29 business processes defined, and 20 of them have user violations. For example, in the apple area, which is no surprise because the system we have connected is an S/4HANA system for a demo scenario, there are no user violations for authorization risks in that area, but we also have different areas where we have a lot of user violations. If I go a little to the left, in the end the really interesting ones are coming. Here you can see that, for example, for inventory accounting we have a lot of violations, as well as for the Basis authorizations, and then there are some displays for users by risk score and risk occurrences. So those would be the dashboards. With that, I'm jumping back to the presentation and over to
Thanks, Anna. So it was only possible, due to the time, to give you part of the impression of the product. We selected, let's say, the function set that I think is really relevant for everyone. In this picture you actually see what we have seen, at least part of it. What I want to say is: SAP Cloud Identity Access Governance, and we have seen this in the system, also through the access request, can connect cloud applications and on-premise applications. So it's possible to serve, let's say, both worlds with it, not only cloud but also the on-premise systems. And as we mentioned already in the beginning, the product has more functionality. We have now had a look at the access analysis and the access request, but we haven't had a look at the role design, the access certification and the privileged access management, due to the time.
But this is also part of the product. If you want to have a solution that can cover all of these functionalities with a cloud-driven product, but to manage cloud and on-premise, Cloud Identity Access Governance could be the solution of choice for you. But of course we know we have a lot of customers who already invested in Access Control, and for them we also have a solution approach which I think is very great, because you can stay with your Access Control investment. A lot of customers invested in customized workflows and really set up the system, let's say, in a way they want to work with it. They can also use Cloud Identity Access Governance without the need to replace Access Control, and we do that via the Identity Access Governance bridge, which is a connection between Cloud Identity Access Governance and Access Control.
We then use only part of the services of Cloud IAG, that means the access analysis, the role design and the connectors to the cloud world or to non-SAP on-premise systems. So it's possible, with really minimal investment, to extend Access Control also to cloud applications or to non-SAP on-premise applications, and mainly stay with the processes as they are. So a very nice approach for Access Control customers. But maybe you are one of the customers who say: I don't have Access Control, because it was maybe too expensive in the past or whatever, but I have an identity management solution, hopefully the one of SAP, but maybe also another one. You can also link that with the SAP Cloud Identity Access Governance service. For that we have a new IDM API for our Cloud Identity Access Governance product, on the market for three months now, and there you can link identity management solutions, and you can do it in two ways.
You can send a request from an identity management workflow to Cloud IAG and ask: hey, is my request full of access conflicts or not? You get the feedback and then you can continue in the identity management. But you can also, let's say, push the whole request to Cloud Identity Access Governance and not only let Cloud IAG do the analysis, but also do the provisioning. So you can also benefit, obviously, from the connectors we deliver with the cloud service. And of course you can use the other functionality, like access certification, role design or privileged access management, with the Cloud Identity Access Governance service. So I think it's a very good possible way to extend existing identity management landscapes with the service. With that, coming to, let's say, the final slide: we hope that you have seen in the short overview we gave today that the challenge of identity access governance can be solved easily, and that it can be solved for on-premise and cloud systems.
And it really doesn't matter if you already have Access Control or an identity management solution; you can connect it. You can continue to work the way you worked before, but now connect other systems and use other functionalities. And these IAG processes can really be automated. We have seen, for example, the approval workflow, which automates the approval, but then after the approval passes it also does the provisioning. So it reduces the manual effort a lot, and it makes, let's say, all the stakeholders happy. The management can be happy because they achieve their goal to be very efficient. The auditors, yeah, they can also be happy because there should be no unknown risk anymore, and if there is a risk it's transparent to them and you can discuss it on an operational view, whether you want to have that risk or you want to mitigate it. So a very good way to be very transparent, and to be that also in great detail, like Martin mentioned in the beginning: really go down to the authorization objects, especially in the SAP environment, and analyze it really at the deepest level, so that there is no, or should be no, hidden data anymore concerning the access rights. With that we close what we prepared, and we still have, I think, 12 minutes or so for questions and answers. We look forward to that.
Okay, Anna and Steffen, thank you very much for the insights you've provided. I'll turn control back to me. I like the identity management API thing, honestly, because I think this is really something which is important to bring these worlds closer together, as I've said. Maybe that is also interesting when we look at the second poll here, the results of the second poll, because when we look at this, then we see that we have quite a diverse set of results around who's responsible for application risk management: is it multiple departments, is it only one department, is it the IAM department or others? So there's no sort of homogeneous perspective. As I've said, I'm a strong believer in saying you need to unify that, you need to bring those things together, dealing with specializations, with different teams being responsible for different needs, but really working in a teamwork, closely hand in hand. Just as a quick overview.
And with that, I think we can look at at least a few of the questions we have here. One question I see here is: are there ways to support cross-system risk analyses, like you have S/4HANA as one process step and you have Fieldglass in another process step? So can you do something which crosses these systems, and are there even plans, maybe, to have sort of out-of-the-box rule sets for some of the common applications, or is this in the end too specific?
Well, I think we showed it in the beginning, when we showed the, but I'm not sure, the definition in the system, yeah. Then we have also shown that there's a possibility to define cross-system rule sets. Let's say for all systems that can be connected to the cloud service, cross-system rules are possible to be defined. And we currently deliver, I think we also had it on a slide, and I think you will get it in a handout of the slides, the overview of which systems we currently already deliver content for. It was S/4HANA, Cloud ERP, Fieldglass, which you mentioned Martin, Ariba, Integrated Business Planning, and I forgot one thing, but I don't know which one.
Did you say Ariba?
I think I, yeah. SuccessFactors. It was SuccessFactors. Yeah. And we plan to extend it. So without any commitment to a certain application at this point, but we plan to extend that.
Okay. So that's another question we got from the audience, which is around the SuccessFactors rule set. Is this at a similar level of granularity as the rule sets that customers are used to from Access Control for the good old SAP ERP world?
So the rule set that was part of Access Control is also part of IAG. The, I would say, old rule set that customers are used to from Access Control, that is also in IAG. There are some additions, and most of the customers, or I would say some of the customers, might not yet have the new rule set for S/4HANA, which is available in Access Control as well. So IAG has the latest rule set that we have for Access Control, and then some additions for the cloud services. It's also possible to download a rule set from Access Control and upload it into IAG, or, if you use the bridge, transfer it directly.
That also means you can use a custom rule set and migrate it to Cloud IAG. Yeah,
Yeah.
Which probably is the most relevant use case here. Okay. So let's look at some of the other questions. Yeah. And maybe, I think this is a question which came up in different forms and which you touched on to some extent, but maybe you can elaborate a little more on this: customers have Access Control and want to migrate to Cloud IAG, so how is it best done? I understand from what you told that there's quite a range of options, from migrating fast to long coexistence to moving rule sets up to Cloud IAG. So what would be your recommendation here?
Well, I would say that depends. Sorry, Steffen.
Yeah, exactly. It depends what you want to achieve; that is, I think, the main question. So if you just want to extend to cloud applications, well, then you should use the bridge. Yeah. Because, as I said, usually customers invest a lot in Access Control and there's no immediate need now to replace Access Control. But there could also be customers who said: well, I maybe have Access Control, but I didn't really deploy it, let's say it this way, due to reasons, yeah, no hardware, whatever, no product. And then they say: okay, I want an easier approach than Access Control.
Yeah. It might also be, I could imagine, that some customers say: okay, in the end I don't want to have two tools in the longer run. So I think that's the other side. We are getting quite a number of questions but don't have much time left, so I will stick to one question. I think Steffen and Anna, you can follow up with the answers separately after the webinar. That one question is about the IDM API, and the question is: will this be similar to the current SAP IDM to GRC Access Control integration framework, and where will it be implemented? Will it be implemented in IAG or in the identity management solutions? So how is this built, and where can people find more information about it?
We have documentation about that. Yeah. It's actually built in the IAG service, of course, because that's the only thing we can change when we provide a cloud service. So I can only suggest to, let's say, go to the documentation of Cloud IAG and have a look at it, as we have a description there.
But mainly the integration will be on the IDM part, like it would be with Access Control, because IAG is providing the interface, but IDM has to call it.
Yeah. Okay. Got it. So we are unfortunately already approaching the end of the time we have, and I thank you very much for all the information provided. SAP, thank you for supporting this webinar. Thank you to all attendees for listening in to our KuppingerCole webinar. As I've said, the recording and slides will be available online soon. So thank you very much.
Thank you. Bye-bye, bye.