Hello. Welcome to our KuppingerCole webinar "uncovering the truth about identity and access management for SAP field". This webinar's supported by SailPoint and Turnkey and the speakers today are me, Martin Kuppinger, principal analyst at KuppingerCole, and then we have Alex Gambill, director of product at SailPoint and Tom Venables, practice director at Turnkey Consulting. And in contrast to our sort of common style of webinars, this will be more around table discussions that we will discuss about what do we look at this evolution from of, of key environments in general, we have identity management. We have a P we have a lot of pot business applications. So the question is what is, what on a perspective, some sort of having an identity and access management LMP, so to speak the GRC governance risk compliance piece for these complex environments.
So that will be the style of today's webinar, more or an interactive discussion. We are happy to get you your input at any time. Your question. So repeat questions are open and we can pick them. But before we start, I want to do a little bit of housekeeping. So we have a couple of events coming up in the next few weeks. So next week we will have an KC live virtual event called enterprise block trendy. As the title says, it's about blockchain. It will be a lot about blockchain ID and related topics. We then have one on securing industry for ago, and the end of October, and last, at least we will run our hyper-local and the cybersecurity leadership summit, which where you can attend online, or you can attend on-site in Berlin. And that's the title sisters' event will be about cyber security.
We had made very good experience with high Purdue ends with our European identity conference for runs September online at, in Munich. And so you would look into it as mixed format here. So happy to see you joining and to have y'all's to see so much we in Berlin on face-to-face because it's really a different thing to meet people again, face to face, and you can be assured we will be very strict as our hygiene measures to keep it as safe as can be them a few formal things, audio control. We are controlling audio. So you're all muted. You don't need to care about that. We do a Q and a session at the end, but feel free to enter your questions at any time. I always see the more questions we have, the more likely it is. And given that it's a round table discussion, we also might decide to pick the one on question of during Daron table.
If, if, if it fits in, well, we will do two polls and we will also discuss the poll results of the Q and a session. By the end of last, at least we we'll do a recording and boost the podcast recording on the slide deck as PDF will be available usually today after the webinar. So if you want to watch it later on again, or share it with your colleagues, then you will have that information. So let's stop us to poll that, look at the agenda to the introductions and don't stop is our discussion. So first Paul, I asked you to see about do y'all have separate. So you for SAP access controls to the access control solutions in the SAP environment for is risk management, auto business applications, such as whatever, Workday or Salesforce or whatever else and IGA, do you have it split? Or is it something where you say, this is really something that you look at integratively and let's start a poll. So the answers are very simple it's yes or no. Please select your answer integrator or not the Maureen's demoralizes. We have to better. It is. So I give you another, whatever 25 seconds.
So please try and Paul 10 seconds. So please enter your answers. Now I see that a couple of you haven't voted yet, so come on five seconds left. Okay. I think we've come close the poll. Thank you. And without further ado, we'd done. So to speak, dive directly on our round table. And with that, I, I think we best styled was a quick intro of you LX and Utah, before we dive into our conversation and our, to our discussion, Alex, do you want to start?
Sure. Thanks. Martin. Alex Gamble director product at SailPoint prior to joining SailPoint, I spent the vast majority of my career in the SAP space, primarily doing security role design, redesign work, and SAP GRC access controls and process controls implementations, both for a number of big four firms, as well as, as an independent consultant. I started my career as an it auditor. So have been in this space for 10 plus years, looking forward to the discussion, Tom.
Thanks. Good afternoon, everyone. Tom valuables. I'm the practice director for cyber and application security at turnkey. I've been securing SAP systems for nearly 20 years now, and really starting to feel that as you can tell by my hairline expanding a lot of the security discussions into the wider it environments and obviously identity and access management is a big part of that. So really looking forward to the discussion.
Yeah, so I'm more the identity management guy in the room, so to speak. So even what I always had to touch points with ACP, while also for instance, to our leadership compass on the it's a control. So yours recipe and other business applications, I didn't spend 20 years in managing access titlements within SAP, but probably more with a little bit of a broader focus across managed things, but it's many, many touchpoints to ACP and many discussions, many advisory around how to set up these things. So I think we have, I have a quite interesting big Sierra self panela scent. So we have structured as wrong table and in a few sort of seams topics groups. And the first one I'd like to discuss this, your perspectives on the landscape of business applications and maybe even beyond business application. So what, what we see, and I think what is very obvious in the market as this landscape is changing.
So, so in contrast to former days where we're all hospitals in our three or so DevOps maturity, we see a lot of SAS applications. Some of them being very prominent, some often being out for, for quite awhile for important parts of our business, even within the SAP portfolio, we see this shift from sort of, sort of rather monolithic OS brief, or it wasn't that monolithic in reality towards a more complex world. And so, so maybe I'll bring up a slide in the background that you might refer to. What is your position who wants to start tomorrow? Alex?
I can go first if you like. Yeah. I think you're absolutely right. Martin, the digital transformation journey as it gets badged quite quite a bit is changing the nature of the landscapes that we're securing. We're seeing far more adoption of cloud solutions, software as a service solutions and even, you know, managed service solutions for a lot of business applications, which is just a roading that network perimeter it's, it's putting more of our content accessible externally. So I think probably 20, 30 years ago, it might've been to say something like SAP is within our network. It's, it's entirely isolated. Therefore we can rely on those controls. I think these days, it's a little bit more tricky to put your weight behind that statement with we're seeing people push far more towards, as for adoption and the Fiori content on that, which is enabling web connections into critical business landscapes and the adoption of not just within the SAP cloud estate, but wider. You know, we're seeing Workday come into the mix to manage HR. We're seeing salesforce.com interfacing heavily as a CRM solution and putting customer data directly into the environment. There's a lot more customer self-service and the self-service side
I even would athletic. We look at, for instance, that shift off source now, which is being considered by many CIS was a strategic from traditional it service management to enterprise service management, to a work flow platform that combines many of these solutions. I think I would fully agree with style and Alex, what is your perspective on that?
You know, it's interesting. I think it's, it's, you know, complicating the shift from, you know, having more of that monolithic, you know, singular secured SAP instance that, that you may have had, you know, 30 years ago, moving more into the, the SAS position to where you have multiple third parties that are responsible either through managed services, through hosted services, you know, and obviously still a, you know, significant on premise landscape that you're, you're still managing, it's challenging. And I think it's complicated by the velocity of change. And it's not just the, the speed at which we're adopting cloud. You know, I think as we we've, we've talked before a Martin, it's a, you know, it's, it's the, it's the, you know, it's been expedited by COVID obviously, I don't think that there's any, any argument there that the move to SAS has been expedited, but it's also, you know, from a practitioner perspective, it's, it's challenging to keep up with the degree of change of SAS applications, you know, particularly, you know, if you just look in the SSP SAP space alone, it's its own application ecosystem.
And you know, it's a, it's a constantly shifting landscape, you know, there's multiple security models to consider there's multiple fronts from, from a securing access perspective. You know, as Tom touched on, you know, you've got web access, you've got cloud access, you've got, you know, basically the, the, the connectivity from, from your premiere employees now, not only that are not, not just working from the office, they're working from their home office, you know, they're working globally, they're working remotely, you know, you know, myself, I was working the last three weeks from, from, from my, from my caravan out west in the U S. And so, you know, you, you, you kind of bucket all that together and you start to see an increasingly complicated, complex and challenging environment to manage, and that's just SAP. And so you start to expand outside of that, and you look at some of the other applications that are financially and operationally significant, and it only continues to, to, you know, kind of, you know, exponentially increase the, the complications that you have within those, within those landscapes
Above, to be fair. I think you, you talking about 20, 30 years ago, but to be fair, isn't it that the shift in the practice for many organizations is just happening now. So that is really where the complexity is changing the way we see this increasing complexity so that it isn't, if you're, if you are fair, it is nothing which, which for most happened 20 years ago, but many, many are right now when they go to and of solutions, you mentioned a couple of days that they are right now in a, in a, I would say in a, in a different migration phase, in a, in a different phase of complexity. And maybe this also leads us a little bit more to our director, to our second scene, which is very closely related to the first one, that this is really what is relevant now.
So clearly some industries had this for four years when you go to a typical bank, that there were usually hundreds of critical applications in the business. And even in SAP, heavy bags, only a small part from that was it's a PFR businesses. It is very different than, but I think for everyone, it is a change process today. Because even if you say, SAP is my number one supplier, and that's the maybe go back to previous picture has shown the product cloud and the broader ecosystem. It's not that it's all that one sort of traditional, relatively monolithic approach anymore. It's way more complex approach, I think, which we also have onto the next picture. So your points on that.
Yeah. I, I completely agree. I think they, they, the accelerated pace of change is one of the reasons that it's so hard to manage the, these escapes effectively, you know, we're running to catch up with business evolution as they, as they move into a more interconnected landscape. So the, the, the challenge of identity management is making sure the right users have access to the right data at the right time to do their job. I mean, it's, it's a pretty simple statement, but when you're managing that across an ecosystem that might contain 12 or 13 interconnected applications that are currently hosted on premise and in the cloud, and you've got to understand those entitlements, understand that identity challenge, and be able to trace that journey throughout your, your environment. That's, that's really why people have got to start taking these things seriously. And there's not just the security, the operational efficiencies of managing identity across this estate. I mean, if you've got an employee, a separate security team for SAP and Workday and your AWS estate and your Salesforce estate and CyberArk and everything else that's on that diagram, then, you know, you've got an exponential number of people who are all trying to achieve a simple goal of Kelly's use to do that job when they show up tomorrow.
Yeah. You know, I think you nailed it. You know, if I, if I look at, you know, my career, I feel like 10 years ago, I had a pretty good handle on the technologies that I needed to secure and needed to be able to speak to. And, you know, just in the last three years, you know, the number of applications that I have to be, you know, moderately fluent and had, has gone through the roof. And, you know, and, and that's just from, you know, being in this director of product role, you know, I, I couldn't imagine being, you know, someone sitting in a position to where they don't have the technology assets to, to help to manage the, you know, the multitude of applications that have been adopted and, and, and be fluent in all of them, you know, down to that granular level.
You know, and I think, you know, the, the other piece, you know, Tom, you mentioned managing users, but it goes beyond just, you know, human identities. Right. You know, we've, we've started to see the proliferation of, you know, robotic processes and other non-human identities that we have to manage. And in many cases, and in many cases, organizations don't look at those as risky whenever they're setting up access for those IDs. You know, I think the, the, if, if we go back, I mean, we've, we've been dealing with like service accounts and whatnot and system accounts to manage integrations in the SAP space. And it's, it's shocking the number of organizations that just decide SAP all, because it's a, it's a non-human identity quote, unquote, no one can log into it. And, you know, we know that that's one of the, the key vulnerabilities, you know, just kind of table stakes vulnerabilities in an SAP environment.
Yeah. But I think robotic process automation at before, that would be a very interesting, separate theme. So, so I think on our website, there's a blog post. I wrote a couple of months ago about RPA and the tendency to create sort of super robots from an identity and access management perspective. So really ignoring the risk as you say, behind it. But yesterday the world is getting more complex and aside of our policy, or do you think during the seminar, we also included a few results. Vermont, a survey St point a turnkey did recently in, I think one of these questions and one of the interesting results here is do, do you feel your SAP roles at curricularly reflect your business process and the positions that operate across them? And w when there's a 40% share of people who say, this doesn't really fit to me anymore, this is, it doesn't reflect my reality. Then I think this is an interesting, yeah. What we were just discussing that the world is sort of tends to get out of control if we not take a perspective that covers. And that would be again, that picture, that covers all of the picture, because otherwise, I think these things are really deeply depleted. One that we end up in a, in a situation where we get out of control.
Yeah. I think the, the fundamentals there, I mean the, the 58% who think they do, it's, it's interesting that that's, you know, SAP roles, which is a business focused application. So we should be basing it on the business processes that it's supporting. We should have a good understanding of who the actors in those processes are and what they access requires. And then you'd be even more interesting to expand this question and say, do you feel that your enterprise roles accurately reflect your around your business processes and the, the access required for that? Cause I think that might skew the results slightly. I mean, we've got over 800 responses here, so that 40% represents quite a significant number of companies and organizations that aren't particularly confident that they're managing identity in the way that they need to, and, and governing that access to the systems. So I would say probably need to take another look at the BPMs, see if it's still fit for purpose.
And as you migrate to these new solutions, we're talking about the increasing complexity, your business process has changed, and you've got to evolve your access to reflect the changes to your operations. So if all of a sudden you're managing a customer identity now within your SAP estate, and you've integrated with something like Salesforce, you've given the customers the ability to rent, to interact with your solutions directly. What's the changing nature of your customer relationship management team, what access do they need, and those evolving processes, as we move much more towards a SAS model and the third party model, it means that the business needs to evolve and access is a key part that
I think it's interesting that the way that we manage access and access risk and data risk, even that's associated with as we kind of fragment access amongst multiple integrated, but, you know, heterogeneous applications, it's what I've seen in my career. As you know, I, to where, you know, customers really only cared about SAP and we'd go in and have a conversation about risk, you know, financial risk, operational risk role design. And they would say, look, focus on ECC. That's all we really care about the rest we'll deal with. And you know, that that conversation was alarming at the time, but a little bit more palatable, you know, as, as a consultant, I think now to have that same conversation and a customer say, you know, gosh, Alex, I really only care about S four HANA. And then you look at that, you know, keep going back to that spiderweb slide that Martin shared earlier, you know, it's, it's difficult to justify saying, yes, this is really where we need to focus our attention.
This is the, this is the most critical application because you know, sure SAP is, is typically going to be your source of record your S four HANA instance, your ECC instance, typically going to be your source of record for your financials, you know, which is obviously we're a significant component of risk lies, but look at all of the applications that they're contributing to that, that GL look at all those applications that also have financial and operational risks. And to say that we're really only focused on, you know, the, the, the center bubble on this slide is, is a little bit shortsighted at this point. And I think that's really where a lot of organizations are working to play, catch up to, you know, really understand the totality of risk. And what's the most logical and efficient way to manage it along with the identities that, that create the risk within those environments.
Yeah. And I think there's been some change. And I think once you brought up, I think even in the traditional SAP environment, we see the chase, so it doesn't make, or it doesn't simplify things because, and I think there's something more for us, the DBA SEP experts to elaborate on. But obviously there, there's also a challenge of getting a cripple in these environments because they are different. They are more complex than before. And maybe, maybe you want to elaborate a little on that because it's, I think a challenge starts even before we take the broader perspective, but it gets worse when we take the proper perspective.
Yeah, absolutely. So one of the things that you might not be considering is an impact of moving to S four HANA. Even if you're remaining on premise, you're not integrating a massive cloud estate, you still might need to double the administration overhead that traditionally you had one set of users, one set of roles to maintain within your ECC environment. And it was nice and clean and encapsulated in that monolithic system that you described earlier mountain, but with the, the frontend service servicing the web content, whether it's on mobile devices or, or just, you know, on your laptop over the web, you might need that fuel maintenance now. So you've got to maintain your front end to service. The, the theory comes in and your backend brows. So immediately without, without making a fundamental change to anything, just a straight system upgrade, but leveraging the, the theory content can double your other heads and you need to consider those. And that's true across a number of SAP applications now that are leveraging Fiori. It's a, it's a good practice to have a separate gateway because from a networking perspective, you can place it in your DMZ. You can firewall a little bit, you know, your backend data, but it can increase the complexity of what you, what it is you need to provision.
Yeah, it really just goes back to, to, you know, the multiple fronts at which we have to address, you know, security and risk. And, and for Fiore is one example, you know, and it also, it goes back to the velocity of change to where your typical SAP security analyst and admins, they really understand the backend security, you know, in terms of that traditional role design model. But now you throw in, you know, the, the, the service model that the Fiori solution brings in and now looking out and, you know, how do we manage that against our traditional backend model? And, you know, where are the gaps where we're, where are we exposed and how do we best address it, such that, you know, we're, we're still playing the role of the referee and the football match to where, you know, you don't really notice them until you actually need them.
At least whenever you have a good referee. And ultimately that's what we want from a security and access controls design is we want to be the good referee to where it's not noticeable until you need it. But again, you know, with the, with the, with the shifting landscape, it's challenging to create that, that balance within your environment. Because again, you know, w we're we're fighting to keep pace with, with the degree of change and the degree of, you know, enhancements from security, from the security models that we're looking at. It's, it's, it's a challenge all the way around. And, you know, the, the sooner that we get in front of it automate and, you know, take advantage of other technologies to help support, I think the better, the better off we are in terms of the position and our in managing our overall risk profile with an organization's.
Yeah. And I think this price is also too to an interesting theme, because I think this is what a lot of practitioners will always bring up when they look at they're very highly specialized solutions, for instance, for, for an SAP environment, that there's a challenge of. So to speak death versus breath. So on one hand, you have this cloud deaths, the detail, and as the insights that the specific Spanish, and bispecifics have, it's a P environment that doesn't get simpler, it gets more complex, more it's, as you just pointed out. On the other hand, we had the spider before with a lot of systems where somebody mentioned present. I think one of the interesting questions is how much death is needed and how to deliver it. And, and so, so when, when you look at this and you look at the staffs versus press question, what is your sort of first take on that?
Do you want to go first on this one?
Not, not especially now. Look, I think it's my, my initial impression is, you know, you just kind of take a deep breath, right? It's it's you look at the totality of the environment, you look at, you know, the, the on-prem versus hybrid versus, you know, cloud and, you know, it's, it comes down to what makes the most sense in terms of the assets I have, because I feel like that in a lot of organizations, you're, you're stuck at least in the interim with a lot of manual processes. And I think that limits, you know, as you expand it, as you expand the aperture. So if we, as we get wider, I think the depth is going to be dictated by the assets that you have on hand. And that's all, you know, that's not just technology assets that you have to manage. It's also, you know, the, the human element, right.
You know, do you have a Tom on your team? You know, and how many times do you have on your team and our, you know, and, and what's the, what's the expertise and experience. And, and how do you augment that with, with your managed services positioning? You know, I think that we're at a position now to where most organizations are having to look externally for third-party support simply because of, you know, this specific question, you know, how do we manage the breadth of our environment with the correct depth of control necessary to adequately secure, you know, both our intellectual property, as well as our financial position within the organization.
Yeah. I think you're absolutely right. That, that depth of knowledge you mentioned to you, that you've had to expand your, your capability to understand entitlements across a much broader environment. And you can't go to that level of depth. Once you start spreading yourself too thin, you've got to get the right expertise in place that can design something that feeds into that enterprise vision for identity management. So yeah, you need somebody with the breadth to give that stair, that's your strategy. That's, that's your identity provisioning, target operating model, if you like. And then within that, you need your specialists who say this services, the, the, the data to these business processes in the right way that we are operating securely, but efficiently. So somebody who can manage those data flows for you and, and feed that into an enterprise level world management or an enterprise identity management solution that's as here is my finance function here is all of the access that they need to perform that job here is of the restrictions over that access. So they can't just be dumping, you know, IP into SharePoint because the add groups match the SAP entitlements.
Yeah. Which by the way, it brings up a number of interesting questions around organization, around ownership of these technologies. But I think we w we might pick them up a little later. So giving you a little time to prepare for these questions and have a look at some of the survey results from your survey. And one of the questions you you've raised there was have you deployed an enterprise identity management, so you shouldn't, and which of these are so to speak provisioning access L S a P in which not. So, so I think the interesting part is very few don't have any, and the presidency management solution. So clearly depends a little on the one who has answered. So if you go into smaller organizations, et cetera, it might be more that would say no, but the adults today, I think the really interesting part is that a little more half than says, we approaching it to SAP and a little less, less, we, we keep the provisioning of SAP separate, which is I think, yeah, a realistic view of also what VC amongst our customer pays amongst our sort of community. What is your take on that?
I'll go first, if you like Alex. I think what it speaks to for me is that people have the right aspirations in this space. They, they know that enterprise identity is, is important. I think the, this would be interesting to see where they are on their roadmap for identity deployment. I think SAP often gets left later in that roadmap. So they, they, they tackle the low hanging fruit first, the ones that are slightly easier to manage, but the complexity of the, of the role models across an SAP estate can be a little bit daunting when you're first tackling it. I think I was really encouraged to say was over half that a, that are already in writing, you know, and I, I do take your point that this is probably skewed by the fact that we've got a lot of SailPoint customers responding to this who obviously are deploying those, those solutions. Our job is to, is to the side of it. Isn't scary to integrate SAP here. You know, it, it may be difficult, but it's not insurmountable. There are a lot of solutions that can help. There's a lot of people with the capability to push that out there, but it comes back to what you were saying about depth. You, you've got to get that depth of expertise within the SAP estate to really get it right, to build those entitlements in a way that, that feed that vision.
Yeah, that's a good point on, I think that this, it really puts the spotlight though the way the landscape has shifted. I think it puts the spotlight back on the business, because in my opinion, if you don't have a good business partner within the organization to help define those entitlements and ultimately help define those business roles, if it's strictly a security or it led initiative, it's, it's, it's not going to work in most cases. And so what's really interesting to me, and I'm a big proponent of coaching customers to, you know, take a hard look at their security role design before overlaying an identity solution, particularly in the SAP space, because it's, it kind of goes back to whenever I was working, you know, as, as an implementation its own, one of the biggest challenges was, was the, the data aspect of any organization as it, you know, the, the data cleanup, the data cleansing data enrichment as part of projects, and it never started early enough in the project.
It was always kind of a last minute thing. And, you know, and, and I'm seeing the smiles on faces. Y'all been there before. You know, I look at, look at, I look at security roles as, as that data component of, you know, this, this whole identity and access governance journey. And what's really interesting is the, the, the, if we look at the, the previous slide where you said, you know, like, you know, 60% of folks or 58% of folks really felt good about their, their role design. And you look at those numbers as compared to this, I feel like there's a little bit of a correlation. There is the, that that 58% probably in this 55% is actually provisioning identity to their SAP SAP assets. Whereas the other half kind of is that, that, that, you know, that the, the remainder on the other slide, that it's not quite as comfortable with their SAP
Yeah. That and alive, you apply neuron identity, information, quality around data quality. I think I've never seen approach where we're at this topic didn't Schwab sooner or later. It's probably one of the most overlooked problems when starting identity management, pro traits. So we, we usually come in when are in trouble. I think that's, that's a Malala road, but so he received always, I should say, but I think, yes, it's in the nature of things that we need to think more about data, about equality, but I think the points you made also quite well and interesting in the context of, so who manages identity, acts as punishment in your organization out here. It's an interesting split between more the ICU team company. So we're actually UNSW, I'm sort of unclear who the it team that might be more older, smaller ones at the end of the day company-wide ID I teach, or I am Kimora a risk management team.
So it's, it's still, I think what is hinting at, at us, we still don't have enough. I am organizations was indie organizations. And, and I, I believe I'm a strong proponent of saying we need strong. I am organizations. And I think in the context of what you said earlier abroad, you need to people who have to brought over you and you need to specialists. I think we need, my perspective would be also backed by these for, we need to think way more about how does the good I am organization look like? How does the right organization look like that works well across everything? And that is powerful enough, really to deliver to the targets.
Yeah, I think there's a key box missing from this. And I would like to see some people have specified other and to have included the HR organization in there because the management of identity starts with a vacancy. Ultimately somebody hires into a vacancy, we have a new employee in the organization. We have to provision the access that they need to do the job that we're recruiting for. But what I think they shows is that identity is seen as somebody else's problem by a lot of the business, rather than being embraced as a functional requirement of my business processes require these people to have access to this data.
I think things are super, super good in, in saying it's not our problem identity. I think HR organizations really eerie are extremely, extremely strong and say, oh, no, no, no, no, no, no. We don't care about identity. And do you have to deal with that mediocre data we deliver to you?
Yeah. And I've, I've tried delivering training sessions to HR organizations to say, you're, you're the first step in the process. You're the gatekeepers to the whole estate. So we need good quality information about a new joiner mover, leaver. You know, these are the fundamentals that we've got to get right. In order to manage the
Yeah.
Yeah. And even back like backing up one step further is, you know, let's get our positions correct. So that we can do some accurate rolled up position mapping and, and build out those business roles to where we can start automating, you know, once that once that new identity is created, joins the company, we're able to, we're able to create, you know, workflow to be able to get that individual up and running quickly based on, you know, just a few, you know, Oregon and position data points, but that, you know, again, typically doesn't happen, but, you know, back to your point, Martin, I think, you know, getting, you know, if we look at the breadth that that's really, it should become, you know, I think where you're going that breadth of knowledge really should be, you know, more or less an overarching identity leadership team. And then underneath that, I think it's a, it's a, it's a combination of internal assets, as well as those, those managed services organizations to create the depth of understanding, experience and knowledge, to be able to maintain, enhance and, and, and drive the, the individual components of granularity that are more tactical in terms of the, you know, the strategic approach that the, the overarching identity organization delivers.
Yeah. And maybe why don't we look at it, response to your survey? I don't know who manages identity access and S a P for your organization and modern health say that as a specialist, as a P team, at least close to, I'll say it's the same as the wider organization. So when you see that trend, I would dare to say that when I talk with, with customers of ours, that the ownership and responsibilities are shifting into a wider I am organization, but on the other hand, I think we also see a lot where there's Redis specialists as a TT, as a PT Mitch's. And I think that is from my perspective, the challenge, which is frequently, still widely isolated from the rest. And I think that is where we need to work on, because when we, when we say this ecosystem is changing, we have way more relevant business applications. Then, then we might think about a business application silo, but the business application silo does not equal the SAP silo. And so I think we need to, to rethink that. And I, at the end of the day, I would say, well, if the CIO tops is to rethink your organization context.
Yeah. I don't know. Yeah, absolutely agree. And I don't know about you, Tom, but I'm a little surprised at the low number, the 54% on the specialist SAP team, because of my experience that, you know, SAP is, is historically been, you know, this, this separate behind the curtain organ, you know, that, you know, whether it be center of excellence, I know that's kind of an overused term, but there it's always, there's the it team. And then here's the SAP team. And, you know, trying to, to, to get those two organizations to communicate has historically been challenging. And so I think as we, you know, as we move into more of a broader position, I think it's really important to engage that SAP team bring them underneath that broader umbrella and, and get them to engage because that's going to ultimately be reflective of how you're managing your enterprise roles, your enterprise risk, rather than continuing to, to manage things separately.
Yeah. And there's, there's cocaine, there's key information in both of those organizations. It's, it's the depth versus breadth. Then you can, it's, it's that overarching decision over, they need access to this application, but you can determine what that access is. And you can also feed in and say, actually, that part of my business within this business application is responsible for these processes as well, so they can inform the enterprise on and they should embrace it. I think as much as it needs to be a push from a central IMT, I think that needs to be a lot more pull from the SAP side. I think we, we, as an organization speaking for all SAP specialist said, we could embrace these initiatives a lot more than we do and stop treating ourselves as, as a special case and say, actually, we need to align with this because it's going to make these life easier.
And I think there are two things which play into this. The one is what we've already discussed, quite a, quite a number of times today, which is down more applications allocated today, so that the landscape is changing. The other clearly also is historically quite frequently. So to speak GRC 40 S P environment, including roses, et cetera, has been done by an app or AIDAP application. And it's really hard to, to, to say, okay, but the broader I am team uses dab hiphop application, in fact, runs in the SAP, the main, and the more we open up the morals of the SPS environment opens up into sort of task services and a broader or more, more open, more flexible and more disperse type of ecosystem. I think it wasn't that that part of it changes, but in the interest of time, maybe let's, let's proceed. It's not that far away. What you're discussing, I think upon is also, I am versus TRC is so TRC can be ever seen on scene from roads to very complex process and financial and whatever else think about when you look at trust, trusted risk, that case may leave not only, but also X's related risks, tenacity controls. The question also is it's the three trust, a single for a few business applications, or is this at the end getting broader and broader because things can go wrong. And so many areas for the background, again, bringing a little slide you've provided.
Yeah, I think the key here is that the segregation of duties, even in the middle monolithic ECC environment or a free environment, was a difficult thing to maintain. When you start to fall in that wider SAS landscape or third party escape, all of a sudden your segregation of duties across, you know, I can maintain a customer in one system. I can then initiate the payments to, you know, refunds on that customer. Or I can misappropriate stock in another third party system. You've got to have some understanding of the, the access across your enterprise to understand the risks that you still carry. And they used to be nicely encapsulated for us, but that that's a bit more of a challenge now. So first of all, you've got to understand the access allocated to your identities. And then you've got to understand whether any of that is a toxic combination. It's, it's more difficult. It's not, again, it's not impossible. And what we've got on screen shows how you can pull all of those data feeds into achieve that so that you, you can manage your identity efficiently, but also in a way that's reducing risk to the
Yeah, absolutely. A hundred percent agree. It's a, it, you know, it's, it's about again, I'll use the term expanding the aperture. You're really looking to gain that 360 degree view visibility to, you know, not only access to process, but also access to data within your organization. And I think that far too often, we, we, we treat access to process or an activity or a task that's associated with a process to data access. And I think there is those, those things cannot necessarily align as a one for one, right? And so, you know, when we started looking at, you know, the, the, the breadth of visibility, you know, that really the only way to, to achieve that is to increase your identity footprint with an organization and, you know, managing at the, that enterprise role level. And that's a challenge. You know, you look at the applications, you look, you know, we go back to the degree of change, the velocity of change, you know, it's, it's, it's, it's a challenge for everyone. And, and I think it goes back to, you know, integrating the organization more, you know, the SAP team leaning in the it team, leaning in leadership, leaning in, and really working as a, as a, as a organizational team with your external partners to develop an approach and begin building out your assets and, and, and, you know, addressing those data challenges such that you're, you're moving the needle.
Yeah. We have issues by the way. Again, another super interesting topic, all the data governance piece, because I think we haven't thought enough about data in the past. We need to get way better here. And, and, and one of the interesting thing is that the context clearly is also all the data sprawl. So data that resides within whatever DCC is, is, are, are, that's a problem data that Leafs, it might become our way bigger problem, because it is very, very, very quickly out of control. And, you know, when you talk with customers, oh, in our HR, we do whatever a hundred experts on, on a regular basis, but whatever four 90 of time, we have no clue what happens with them. Then we all know how big the problem is. So let's have a, to, to come towards now, look at integration. So how to make everything work falls systems. And I think this is an hour flight. You might elaborate a little, I think we touched a lot of things. It is about the depths of breast. It's about having something that goes beyond a single system, which delivers on the apprehend, the integration, or the sort of integrated death, or the integration with the solutions that deliver deaths for certain environments. That would be my take from, from what we discussed over the last 40, 45 minutes.
Yeah. Sorry. You know, I, I think the most important person in the organization moving forward is the business analyst and, you know, and, and, and whatever you call it, individual, the person I'm thinking of as a business analyst is that liaison between your it and SAP teams and the business. And ultimately that individual is going to provide the bridge to bring in those, you know, those folks from the organization, bringing that knowledge to best position, you know, all of those topics we've discussed, right? Because I, you know, again, at the end of the day, I'm bullish on bringing in business owners, process owners into the conversation early and often, because ultimately given that depth and breadth of, of the it, the technology assets that we're using to manage our business. I think that it's, it's absolutely critical to engage with those folks, make them a part of the conversation, you know, establish some ownership.
You know, I think that, you know, any, any change to, you know, a role, any change to a process in the identity space, there's a, there's a business individual on the other end, or at some point in that process. And if they don't have ownership of that overall design, it's difficult for, to, to obtain adoption. And ultimately, you know, I think that, you know, we can come in and we can design, you know, the, a near perfect identity and access governance methodology and, and, and, you know, set of technology solutions. But if the organization doesn't buy in just with any other application adoption, right. If the organization, the business doesn't buy in, it's going to fail.
Yeah. I couldn't agree with Alex more, the, the, the business analyst understands the process. So yeah, you need to integrate, integrate with that entire landscape. We've got onscreen there, but not for every user. So if, if you know, you'll use a community, like one of the first questions on any project is who's going to be using this to do what, and if you then say, okay, this person needs SAP and they need access to the Google cloud and they need the AWS estate that doesn't sound always can start to inform that discussion. You do have to integrate with the whole it estate. And you've got to do things like monitoring solutions and Olivia to detect and respond capabilities, but you know exactly which assets you're going to be touching. Cause you're tracing that process and those data flows through. So that's the person who can say, okay, we need to touch these assets. We need to create an access profile across these, these assets for this user community, without understanding that business process. You're just never going to get to that answer.
Okay, great. So let's have another poll and then go into the Q and a, I think we touched on a number of topics that you could speak for hours about photo details, but I just pull us some of the related to auto polls results we have seen, but it is about, is there a common ownership for application risk management? So it is across all the business applications, the traditional perspective and identity and access management in your organization. So common ownership yes or no. So the Paul should open in the second. Yes. Here we go. So I'll leave it open for some, so the second sources, so please enter your perspectives. So another 15 seconds, please kindly participate.
I'm hoping to say a few years.
Oh, it should be, yes. I don't know. It says he has another belief. Okay. A few seconds and then we'll close it. Okay. So thank you. Was that I think we can really go forward for a few remaining minutes as a Q and a, and Jordan did a Q and a if time allows me able to look at the results of these polls, but, but I want to raise one question first, which came in, which is when embarking on the identity and access management journey, what do you feel are the most important prerequisites who of you wants to start?
Well, I think Alex actually mentioned one earlier, which is, you know, get your entitlements, you get your roll design cleaned up and, and reflective of your business processes. And I think the other one that I would add in there is another one that Alex raised, which is that job catalog that understanding of your organization, you know, align with your HR, makes sure that your data feeds, whether those are the entitlements that you're granting or the triggers for your provisioning or deep provisioning or re provisioning activities are all in place, you know, try and try and get those data feeds to the best quality.
Yeah. You know, and, and really to, to add onto that as is, get the, get your business involved early and often, you know, have the, have the business involvement and, and, you know, it really helps on projects. You know, I was, I was a little bit skeptical early in my career, but, you know, having a strong voice in that senior leadership that is championing the project and encouraging, you know, support and participation and adoption is absolutely key. You know, that the change management component of these types of projects absolutely cannot be understated.
Yeah. And I think that there's not very well upon sort of stakeholder and expectation management. This is super essential. So, so Ray set expectations at a realistic level. I also believe what always is needed is, is this a vision is a blueprint is an architecture that our roadmap. So because the empty of the left is big elephant identity management, and you will need to slice it into pieces. And that means when you have to program on small projects, if you don't have to the bigger perspective to the risk that you're doing a project well, but totally wrong direction is high. So I think that a lot of points we have, I think time for one more question we can pick. And I I'd like to use it to look at here is list to move to a more diverse ERP estate, which solutions do you feel provided most comprehensive coverage for identity and access management and risk management. And maybe tell him you started then Alex,
I missed the start of that with the way the move towards
With the move, a more diverse ERP S state, which still
Usually provide a best value. I mean, obviously I've got to mention SailPoint, otherwise Alex will be complaining, but the, I don't think the solution is the, is the key component. There, there are a number of ways to crack this particular nut SAP, obviously governor and identities very, very well. But I would say for an enterprise level identity program, you want to think about integrating whatever you're doing in your SAP estate with the enterprise level. So I would say the diversity of the, obviously with the cloud estates, it's getting a little bit harder to manage the identity. The risk element is covered somewhat buys. SAP is IAG solution, which is why that's really in way back to the cloud pieces, but to give them the identity, I think you need to look beyond your ERP and really start as we decide all the way through this, looking at the enterprise level and find them a solution that works for everyone, not just your, your LPs.
Yeah. I'll, I'll, I'll kinda carry on the less, less mountainous. I look at technology conversation that stopped Tom started. I, I think it's, it's really about embracing change and understanding that this is much, this is as much as I probably process change evolution as it is a technology change. So, you know, as you're looking at IGA, you know, think about, you know, what's, what are, what are the process improvement opportunities we had along the way? You know, what problems can we solve for the business as well as for our, our, our it teams. And, and how does that, how does the technology we're considering, you know, SailPoint identity now, for example, how does that, how does that, how do we take those process improvements and how does that technology support those process improvements? And, and ultimately that's, that's where, you know, I like to see organizations start is with, you know, what, what problems are we looking to solve? Okay. How can the technology help us? Because far too often, I get into conversations and it's, Hey, we just want to recreate the processes. We're doing a day with a student new technology. And, you know, that makes zero sense to me.
Yeah. And I think you're speaking to my heart. I think it started with understanding, what is it, what are the requirements? What do you want to solve? And what do you need today and what will you need in the future? I don't also look at what you have and then look at what is the gap and how to fill that gap for sometimes you have crushing pressure for today and for the future. So we are at the end of the hour. So we, we, we used the full hour today. So between thank you very much for everyone listening to this KuppingerCole webinars. Thank you very much for sail pawn and turnkey consulting for us webinars. Thank you very much for you, Alex, and to you, Alex and Tom for taking the time to deliver your insights for this round table style of webinar. Thank you. And hope to see you also soon back in one of our upcoming events and webinars.
Thanks very much. Thanks. Thanks Martin. Thanks Tom. Thanks Alex. Thanks man.
