Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Analyst and Advisor with KuppingerCole Analysts. Today, we want to give answers and strategies for an issue that many organizations are currently facing. There is some time left, so there is time for a strategy and for making the right decisions, but it's not too much time. We want to talk about the fact that SAP has announced the end of life or the end of the maintenance of a key component that is just hiding within many of the traditional SAP environments. It's the IDM system, the identity management. It's just a thing that does its work and it's hidden. And as long as you don't see it, you don't really care. And now it's end of life. And this is an issue to a lot of organizations, namely those who are running traditional SAP on-premises environments. And part of SAP strategy is more moving to the cloud, more going hybrid. So Martin Kuppinger is my guest today, and he will explain what we can do, and we will discuss that. So first of all, I want to welcome Martin Kuppinger. He is the Principal Analyst at KuppingerCole. Hi, Martin.
Hi Matthias, pleasure being here and thank you for inviting me to your podcast.
So now if we go back to our topic, I think this is really an issue for many organizations. So the end of life is 2027. The end of an extended period of maintenance will be 2030. Sounds like a lot of time. Nevertheless, organizations should take care of that. So what would be key strategies that organizations should deploy for planning, for a good transition to something?
Yeah, good question. So the first thing is 2030 is not long. We're in 2024. That means we have basically six years left. When we look at the average time it takes to replace one IGA solution with another IGA solution, so the Identity Governance Administration, user lifecycle management, provisioning access governance, then we are talking about, I would say on average, easily three years. Including the process where all the things are thought through. We have also seen quite a number of projects that were running longer. We have seen projects running faster, but it is nothing you do on an afternoon. So take the time. And the second part also related to that is do it thoroughly. Also to do with time. The lifetime of what you deploy next will be 10 years minimum, 12, 15, maybe even more years. So you're making a decision that goes to 2040 or beyond. And so you will have a lot of that positively or negatively and do it right. And right means don't replace a traditional IGA solution with another tool of the same type, just doing the same thing. Think about what you need in the future. Honestly, I would start even one step before that, which is thinking about how should your IAM look like in the future? This would bring us to the topic of the identity fabric, a concept that KuppingerCole Analysts has unveiled several years ago which since then has seen widespread adoption. We will talk about this soon, Matthias, me and some others, when we launch the next release of it. But that would be the best thing. Really think about how should your IAM look like? What are the guiding principles for the future? How do you do it best? And then you need to think about what do you need from IGA? How should it look like? And you surely have a lot of experience in what worked well, what didn't work well, what are requirements you haven't addressed yet, etc.
And then we have the upcoming changes, regulations, technology changes, something analysts can help you surely about what are the trends, the bigger things that are happening. But start with a really thorough requirements analysis, not with the tool. The tool is the result not the starting point.
Right, and I think the step that SAP made right now, so really having that as an announcement, which really gives ample time to deal with that, actually also made some organizations or some more organizations understand that they should have maybe acted before, because during the lifetime of this IDM system, the application landscape around that changed dramatically for many organizations. Many have made that move into the cloud, adding another identity provider and another identity management system for cloud accounts. So that was a challenge that they had to deal with anyways, but the other systems, the older systems kept on running because they were working. But in the end, there are unique challenges that need to be covered, but maybe one could also look at this as an opportunity to get better in their overall IDM and in getting more adequate when it comes to meeting all these new regulations requirements that they need to fulfill anyway. So hybrid scenarios, new regulations, are these the requirements that you mentioned?
I think they are part of it. I think it goes further. We know that some things in IGA tend to be a bit cumbersome, like no one loves recertification. Role management can be challenging. Application onboarding, not so super easy in many cases. So there's still in most implementations a lot of manual provisioning. So I think we really also need to think about what is the best thing to do? What's the best way to do IGA in the future in a modern way? And that's, I believe, how we should start, how we should look at the entire scene. Thinking about really what is our vision for IGA. And that differs clearly a bit from organization to organization. If you're heavily regulated, you have other things to do than when you're lesser regulated. When you're smaller, you do these things differently than when you're big. There are really many, many options out there. When I look at the number of vendors, we just recently covered in the Leadership Compass on IGA, and which will be covered in the upcoming Leadership Compass on access governance. Then we are talking about whatever some 30 plus vendors we have in the rating and another 20 or 30 vendors we have on the list of vendors to watch. So there's really a lot of options in the market. There are many, many, many vendors, but it really depends on how do you want to do IGA in the future? How does it integrate with ITSM or not? How much automation do you want to achieve? How complex is the regulatory landscape you're in? Et cetera. And you also should think about some other aspects, like how can you come to a solution that requires as little customization in the sense of coding as possible? Because this is one of the, I would even say, nightmares that a lot of IGA or owners of IGA implementations have experienced. That at some point, IGA implementations tend to show a slight tendency towards over-customization and they are, you can't easily implement updates anymore and all that stuff. You need to avoid it.
So there are a lot of things you can do well in the future. Maybe you have done well already, maybe not, but really step back and think about how to do it right. And another point is, also think about: are all your processes still the ones you want to have for the next 10 years? Or does it make sense to really rethink the processes you're using, including the policies, role models, if you want to rely on role models in the future and all that stuff.
Right, and you said modern IGA as the next version, as the alternative to what you have, and that of course also means cleaning up the basement and getting rid of some stuff that worked fine years ago, but maybe, as you said, over-customization, et cetera, really hinders you in making the next step. So even organizations that do not now look into next-generation solutions could start cleaning up the basement. SAP is providing some answers when it comes to what should be or what could be the next generation platform. So they're talking about Microsoft Entra ID being one of the solutions, but they also provide SAP Cloud Identity Services that come with such solutions. How do these alternatives compare with what we have right now in traditional SAP R3 environments, for example?
I think first we need to be precise. It's Microsoft Entra ID Governance, which is the IGA solution from Microsoft, which is one option in the market, which may be a fit for an organization or not. Or it may be a good fit or a lesser good fit. It's never black or white in the space. It's probably more on the white or more on black side, so the light gray or dark gray. I think this is really the point. But you brought up another important point. Yes, we have the SAP Cloud Identity Services, we have SAP Cloud IAG as well in this equation. And we also, as an organization that is really SAP heavy in that area, so having SAP Identity Management and SAP Access Control, clearly should look at a broader picture here. So not only what do you do with IGA, and also what is the future of your "GRC" solution, so your application risk management solutions like SAP access control, which is called by many SAP GRC. Because at the end of the day, these things play together and you need to have a strategy that is more than just, as I've said, replacing one IGA tool with another IGA tool. The different elements should fit together and when you know that you will need to make changes, and I think this is just something which will happen sooner or later, also on the SAP access control side, then I don't say change everything now, but build a strategy that looks at everything, not just a piece of it. So that you, you know, this is the way I will proceed. Then clearly the project becomes bigger and more complex, but you also can face it well. But it definitely helps to take a holistic view. And I think when you look at this, so... SAP has a number of partnerships. SAP has pushed out this blog post where they have some emphasis on Microsoft Entra ID Governance. Microsoft Entra ID Governance is a solid product. We also need to be very clear here. They definitely made progress. There are other products in the markets. There are products that are even leaner.
There are products that have way more capabilities in specific areas. At the end of the day, there's no simple answer to that. Again, it goes back to what do you need? What do you need in the future and what is the best fit? And you should always look at it really thoroughly and analyze it thoroughly because that's also, I think, something which really should be well understood. This IGA replacement, maybe if you have the access control modernization as well, these projects will cost you a lot of money. Not only on the license side, but also on implementation side. So you will pay quite a bit of money to your system integrators. And having said this, the money you spend for a proper job at the beginning, processes, process review, requirements analysis, a proper tools choice, potentially with a POC that looks at certain sort of tricky points that you usually find in IGA that will pay off. It will pay off because you will save that money easily and save the time easily during the process by far. I've never seen a project that was well prepared that wouldn't have saved the time and money you would have spent otherwise in dealing with all those things you didn't identify or you need to redo or customize because you didn't do a good job at the beginning. So start with the work at the beginning. And as I've said, there is no single right answer, definitely not. And the most important thing really is don't start with the tool. So don't ask yourself, which could be the tool I use in the future? Ask yourself what do I need in the future and then you can ask yourself and others like us, what is the right tool to do it?
Exactly. Now that we are assuming that 2024 more or less is over, although we have five years left. So there are five years to actually put all that you just mentioned. So starting with the requirements analysis, understanding what you have, what has changed in the meantime, what is your target landscape? Is it just SAP? Is it SAP times three? So on-premise and in the cloud and other platforms as well. Or are you through mergers and acquisitions or just because it was an addition needed? Maybe you are already hybrid also when it comes to the line of business applications that you have applications that are non-SAP and need to be managed holistically together with everything that you do. All of this needs to be done right now and well put on a timeline ending up in 2030 with a running new system. I think this requirement analysis, and I have to admit, yes, the identity fabric and the reference architecture can help you and support you in designing solutions that are well equipped to dealing with these problems. You've mentioned already the cost of such an implementation project. Usually these figures tend to be very high and maybe not to scare people, but what are our usual estimates comparing license costs with project costs? What do we expect or what do people have to expect when they go on that journey?
Today it's probably more subscription cost, but I would say a factor of 6 to 10 is realistic. And yes, when you're used to some of the license fee models you may have had for your SAP identity management, at the end of the day, you will need to pay a regular price for whichever successor you choose. So that's the foundation for the 6 to 10X, not a discounted price.
Yeah, I think that's absolutely true also from the advisor perspective that I have when I look at these projects. So this needs to be calculated into everything that you do. So when we summarize what we just discussed, it's a challenge for many organizations. There is no one size fits all answers, although we can cluster some types of organizations together because they look like highly regulated hybrid and there are categories for that, but in the end there is no simple answer because there is more involved than just the SAP landscape. So really finding the bespoke solution, the well-defined solution for the individual organization is the main answer that we can give. And you need support by somebody who knows the market, who understands your requirements, who just does not want to sell a specific product to you. So it's really about neutrality, independence and creating the right infrastructure. Would that be our summary for today?
Yeah, I think that's fair and what Matthias refrained from making the very clear ad word. I think it's clear to everyone. We are in a very good position as KuppingerCole with our advisory team based on our research and with very well-grown methodologies on how to do this to support customers also in a smart and as lean as feasible manner. And I think this is the point, that you need to invest a bit, but it will pay off. And ask Matthias and his team.
Yeah, absolutely. And I would never contradict Martin, of course. But that's the way to move forward. We can support you. And trying to find the right way forward is something that we do on a daily basis. I leave it with that. Thank you very much, Martin, for being my guest today, for laying out also the intricacies of such a migration. But maybe it's a good thing that people are now forced to look again into their IGA better sooner than later. And maybe that ends up with being more compliant, faster in access governance. Finally, getting to the big red button that you can hit and say, what access rights does Martin have? Which users have access for this specific line of business application? Something that you maybe did not know before. Thanks again, Martin. Looking forward to seeing you again, then talking about the Identity Fabric next generation.
Thank you, Matthias.
Thank you. Bye bye.