In this webinar, you’ll learn about
Martin Kuppinger, Principal Analyst at KuppingerCole Analysts, will look at the state of the market, the requirements on solutions, and will present selected results from the recent KuppingerCole Leadership Compasses covering this market segment for both SAP-specific and multi-vendor LoB environments.
Keri Bowman, Sr. Director Product Marketing at Pathlock, will then explain how the Pathlock solutions support customers in managing access controls, access risk, and SoD rules across multiple LoB applications from different vendors from a unified interface.
Welcome to our KuppingerCole Analysts webinar "Beyond just SAP: the need for cross line of business application access controls". This webinar is supported by Pathlock, and the speakers today are Keri Bowman, Senior Director Product Management at Pathlock, and me, Martin Kuppinger, Principal Analyst at KuppingerCole Analysts. So before we start and dive into our topic, a bit of housekeeping: we are controlling audio centrally, so you don't need to do anything here. We will run two polls during the webinar, and if time allows, we will look at the results during the Q&A.
There will be a Q&A session at the end of the webinar, but you can enter questions at any time. At the right-hand side of the screen of our events app, there is the option Q&A where you can enter your questions so that we can pick them up as usual. The more questions we have, the better, and the more interesting and entertaining the Q&A session will be. We are recording the webinar, and we'll make the recording and the presentation slides available usually the day after the webinar, at least very shortly after the webinar.
So before we start, I'd like to begin with a quick poll. This poll is about responsibility for application access control. So who manages the roles, the entitlements, the critical entitlements, the segregation of duty rules, et cetera, for the line of business applications? Are these different departments depending on the application, the Salesforce department for Salesforce, SAP for SAP? Is it the SAP department only? Is it the IAM department, or do you have another solution here? So looking forward to your responses.
And as usual for these polls, the more people participate, the more interesting and the more relevant the results will be. So looking forward to your responses. Thank you. And let's have a look at the agenda. The agenda is split into three parts, as for most of our webinars. In the first part, I'll take a look at the market, specifically under the aspect of why we believe that solutions that support a range of line of business applications are of increasing relevance.
And we also will look at results from our recent Leadership Compass on the subject. In the second part, Keri Bowman will talk about delivering on the need for SAP and cross line of business access control. So how must the solution look?
What must the solution do that works, so to speak, both for the SAP world and for other line of business applications? And then, as I've said, we will do our Q&A session. So I'd like to start by talking a bit about the, so to speak, LoB change, the changing world of line of business applications. When we go back and look at the past couple of years, I think there were two trends that came together, and in a certain respect they are related to each other.
On the one hand, we have the shift from on-premises to SaaS, where I would say most organizations currently are in some hybrid state: still having some on-premises solutions in place, and usually several SaaS solutions in place. On the other hand, with the growth of the SaaS LoB market, we have over the past two decades plus seen more and more specialist vendors arrive, some of them growing bigger and covering a range of areas.
Plus we also have seen the established vendors for line of business applications coming up with new solutions, like SAP moving to S/4HANA and stuff like that.
But with this set of new vendors, Salesforce targeting CRM and related areas, or Workday coming in historically from an HR perspective, et cetera, we have seen more vendors in this space, and we also have seen an evolution where customers tend to go a step away from really a single-vendor approach, the traditional SAP on-premises world, to a world where they have a couple of other solutions for different use cases and where they have a mix of deployment models. And we are convinced this trend is here to stay and to continue.
So this world has changed. And that also means that when organizations have multiple line of business applications in place, and even in the SAP world, it's not a homogeneous world. You have the SAP ECC world, you have the HANA world, but you also have SuccessFactors or Ariba and others, Concur. So even there you have different types of LoB applications, and these applications are connected; in many cases there are processes spanning multiple of these applications.
And that also means that the perspectives we take on critical risks, on segregation of duty controls and all the other stuff are increasing, plus regulations mandate us to look way beyond financial data nowadays. So there's a need for really expanding our perspectives. And that means that we are in a situation where this application risk management or application access control must emerge and support a broader set of solutions. So when we look at the market here, we just recently published two Leadership Compasses, which are overlapping.
The one has a very strong focus on SAP and SAP first, so solutions that are strong in supporting SAP environments with a lot of specific capabilities that are related to this environment, such as rollout support and a lot of other things. Then the second Leadership Compass really looks at support for cross-vendor line of business applications, so supporting the heterogeneous world of line of business applications. This is the one I'd like to shed a light on a bit and look at some of the details from this report.
And so when we look at the capabilities, we have baseline capabilities, and you will see that SAP always also appears quite a bit, because even in organizations that have solutions from many vendors, for many of these organizations SAP still is there and plays a wide role. Several systems are from SAP.
Yes, for sure, there are also customer organizations that don't have any SAP, but supporting SAP surely is, when we look at the overall market, something that is important. But in this case, our perspective was about beyond SAP. So "SAP and beyond", I would say, would be the right way to phrase it. And so when we look at these capabilities, one of the important things definitely is that we look at the deployment models: support for modern as-a-service deployment, support for a wide range of systems, SAP and other vendors.
Then the capabilities of managing entitlements and roles, doing access risk analysis, supporting the assignment of entitlements, doing super user management for different types of solutions, firefighter for different types of solutions, SoD controls management, and surely strong reporting capabilities as well. So this is, I would say, the baseline which we see as key capabilities in this market.
And then there are, so to speak, the advanced capabilities which we specifically measured and which also, for instance, impacted the innovation rating a bit more strongly, and which go into other types of ratings. And so here also hybrid deployment models, for instance, are important because, as I've said, a lot of customers, to my perspective and to what we see in the market, are sort of stuck somewhere in between. Things like role optimization.
So how do we deal with roles, how do you optimize this? As everyone involved in this type of solution knows, this is a recurring challenge for virtually every customer. So managing roles is definitely one of these areas that are challenging, that are difficult. Then we look at this entire breadth: the non-SAP systems, the SAP cloud solutions, the non-SAP cloud solutions, on-premises and SaaS, expanding into other areas like enterprise service management solutions such as ServiceNow and Jira, et cetera.
These also play an increasingly critical role for a lot of business processes, being an important platform element for many, many organizations. But also the integration to cross-platform IGA solutions, be it part of the product or be it something where a strong integration is given, because IGA, identity governance and administration, as a market, which is more about managing your ID accounts, managing other types of accounts and the access of that, is definitely overlapping with line of business application access control solutions.
But the IGA solutions are definitely stronger when it comes to the breadth of applications, also more at a system level, databases and all the other stuff. And so both usually exist, and this must be integrated; at least there must be interfaces so that customers have the option to decide on how to roll it out, what to do where, unless it tends to, and this is a bit of a trend, become increasingly integrated. Auditor support and runtime executions, so where you don't need to deploy a complex system, could be an important feature.
Some of the specifics for certain platforms, and again super user management, firefighter stuff, things like that. These are things we look at and see as very important capabilities. And based on that, when we do our Leadership Compass, we create our ratings. So it's a lot of data we gather, a lot of interviews we run, et cetera.
And then we take the step and say, okay, what, so to speak, is our rating? And I want to look at only very few ratings here and not go into every detail. These reports are published, as I've said. So this is the one for SAP. This was the one Leadership Compass that looked really at the SAP-specific capabilities.
And one of the areas we look at is product leadership. So basically we have four leadership categories to give a very detailed and differentiated perspective. The one is product leadership, the second is innovation leadership, the third is market leadership, and then we have an overall leadership. So product really focuses on technical capabilities and broader capabilities, but also interoperability, deployment support and stuff like that.
Innovation looks very much at innovative features, new features, more so capabilities that came out more recently or that are still rarely seen, but that we as analysts believe are important, and notably Pathlock also takes a very strong position there. Then we have the market leadership, which is about number of customers, presence across the globe, so across various geographic regions, but also the partner ecosystem and a lot of other capabilities. And the overall leadership combines it.
So I picked the product leadership, and I think this gives a perspective on that, where you can see Pathlock has a very strong place here. And we did the same then, as I've said, for the cross line of business application perspective, where the support for a lot of different applications, for a lot of different systems, well beyond the SAP world, counted very significantly, while the highly SAP-specific features were of lesser relevance.
So again, this is a key impacting factor. And when you compare it with the previous chart, you see that, following that, there were several changes in that rating, because vendors that are really more cross-system, cross-platform score better than the very specialized types of vendors. Always a bit of a disclaimer: never just use any analyst's market comparison to say, okay, I go for the ones in the upper right edge; always go through a thorough product selection process.
That definitely makes sense because this is a generic perspective, and you need to pick the right tool for your environment. But I think there's a reason that analysts do these things: to help at least to focus on who you should look at, and the ones who are more in the upper right edge potentially are the ones that definitely should be included. But as I've said, this is not something which fits everyone.
It's a generic perspective where Pathlock scores very well because they have a broad set of capabilities and excellent support for cross line of business applications. We also have done these spider diagrams, for instance, for the vendor here, for Pathlock, which look at a couple of capability areas like support for SAP itself and their older and newer applications, so to speak, non-SAP LoB support, which is an area of excellence for Pathlock, and then also the functional things like role, entitlement, risk, SoD, emergency access, et cetera.
So it is really a very strong rating here. So I think it's very clear in this spider chart: the more you are towards the outer area, the better your score. And so it shows that Pathlock really comes with a rock-solid solution. So I think the important thing is, when you look at your world of line of business applications, the first thing you need to think about is: do you want to have something, do you need something that covers everything, or are you still looking more at siloed approaches?
I think there's a tendency in the market, with this shift in the line of business application world, to go broader. And that, I think, is also what changes the perspectives we have on the tools that help us manage access and stay compliant with these applications.
Also, as I said, with the fact that we have more of these from more vendors, but also need to protect more areas, not just financial data access, but definitely more. So this is from my end, and before I hand over to Keri, I'd like to bring up the second poll. This is about identity management on the one hand and the application access control for the line of business applications, be it SAP or non-SAP, on the other. The question is: is there a common ownership for this application access control on the one hand and sort of standard identity management in your organization?
Simple answers, yes or no. I hope that a lot of you join that poll and provide your response.
Okay, thank you. Then I think we can close that poll as well and go back to our agenda.
So I gave a bit of an insight into how we see the market, where we see vendors in this market, and specifically looking at Pathlock in these recently published Leadership Compasses. And now I want to hand over to Keri Bowman, and she will talk about delivering on the need for SAP and cross line of business application access controls. Keri, it's yours.
Thank you, Martin. What I would like to start with... I'm not sure why my floating controls are hanging out here, but we'll hide those.
So I'd like to start by saying who Pathlock is and what we do, and as Martin mentioned, I really want to speak to why there's a need and how we deliver on that need for SAP as well as cross line of business access controls. To do that, I typically like to start with who we are as a company and then talk about why we see the need that exists today, to level set how we came to our company vision, right?
Our company vision is to provide full access controls and beyond functionality, and to do that across a breadth of applications and at the right depth so that we're properly supporting compliance for access controls. So with that, I will just jump right in. So who is Pathlock? Pathlock is a market leader in application governance, risk and compliance. We have a team of certified auditors, so CISAs like myself and others, and application experts, subject matter experts for multiple different applications. And we provide a comprehensive suite.
So that suite includes application access governance; that's a lot of the access controls that Martin was discussing. The feature functionalities for continuous controls monitoring, so the ability to go beyond access controls and actually manage your controls themselves as well as quantify your risks. And then cybersecurity application controls, so when you're looking at vulnerability management and securing your environment, things like that. We do have more than 1300 customers globally for our compliance solutions. And that covers companies of all various sizes, right?
From your mid-market to very large customers. The point there just being that we support a lot of customers for multiple applications. And so no matter where you are, maybe in your journey or in the breadth of applications that you're looking to secure, we have solutions that can assist you. So why does Pathlock exist, right? What are we trying to do here? We saw a need in the market; we've been around for 15 years.
We saw a need in the market, right, around not just access controls, but how we put all those pieces together. So 75% of controls are still tested manually today, even though the average company has seven-plus tools and service providers on average, right? A significant number of companies report at least one material weakness. And that's due again to the complexity of our applications and our landscapes, as well as what we're having to manage in terms of ever-growing compliance requirements, right? Ever-changing and evolving regulations. What does that result in? A growth in audit costs, right?
If we're having to manage more regulations, more controls across more applications, we're going to have that growth in audit costs. And that cost comes from not only our audit team that's performing the audit, be that internal or external, but also our IT and business resources that have to support those initiatives, that have to gather that evidence and data and coordinate with audit to maintain that compliance. So what does that all come down to?
Pathlock's customers are automating their controls testing, automating their access controls and reducing their cost and seeing that ROI through that automation. So that's, at a high level, what our goal is, right? Martin's spoken to the various things that they're looking at for solutions, and we think that there's a significant need there that we're looking to help customers address. So how do we do that? We have three different products within our Pathlock Cloud suite.
And again, just trying to level set here what we offer in totality and how this may help you fill your needs. So application access governance is what we think of as access controls. So that access risk analysis, your cross-app SoD and critical access, being able to level set your risk environment within your individual applications as well as any risks across those applications. Compliant provisioning.
So the ability to provision access while running SoD or those sensitive access risk checks in advance and being able to mitigate those prior to provisioning that access out. Certifications. Certifications are more than just a user access review, right? Does this user have access to this role? It's: are you re-certifying your risks? Are you re-certifying your controls? Are you re-certifying your roles that you've designed within the applications?
And doing all that within the context of risk. Again, if we have the ability to run an access risk analysis and see what risks are in our environment, we should be bringing that contextual information into our certifications to allow our reviewers to have all that information available as they make decisions on what access should be retained. Elevated access management, that emergency access that Martin was talking about: the ability to grant users access that's temporary and time bound for that sensitive access where we don't want them to have standing privileges.
And then role management, the ability to manage the access that's defined within our applications, and again, layering in the context of risk as we make changes to the access in our environments. Are we introducing any risk into the environment within those individual roles or within the access that's assigned to users? So that's the application access governance suite. So that's mostly what I'll focus on today.
But just to round out what we do offer, to give context whenever I say we offer three different products within our Pathlock Cloud suite: continuous controls monitoring, as I mentioned, this is your risk quantification. When we move beyond access controls, what can we tackle? How can we have a more complete solution? Risk quantification allows us to do that. It says not just what can you do, what access and risks do you have potentially, but what have you actually performed? Have you actually paid that same vendor that you created?
And if so, when did you do that? What was that time and date stamp? What was that amount? Which vendor was that for?
So again, if we're going to be monitoring more controls so that we can increase our regulation and compliance, if we can quantify those risks, we can now ensure that we're not just covering the scope of potential risks across our environment, but reporting on actual risks that are occurring. So we are encompassing more of that compliance that we want within our environment. Configuration change monitoring, right? Are there set configurations that are highly important that we monitor in real time to ensure that they aren't being changed, and if they are changed, that we're notified?
So again, when we think about the capability and maturity model of any organization, we think about defining our processes and procedures first, and then automating those where we can so that we can ensure compliance with them. And then we look to optimize. And so we see a lot of these features as that optimization, whereas access controls is automating our policies and procedures to ensure that we are provisioning access, maintaining and re-certifying access and monitoring our risks. Continuous controls monitoring is a lot of optimization.
It's saying let's quantify all of our total risk, let's do real-time monitoring for configuration changes. Let's monitor our business process controls and our manual process controls so that we can automate, for example, sending out the various reports that need to be reviewed. Because we can have a control all day that we say mitigates a risk, but if that control is not operational, then we're not being fully effective and compliant. So by automating the operational aspect of those controls, we can ensure better compliance. License management. We have a lot of different applications.
SAP is one, right, where we have to manage licenses that our users are using, and the licenses that we're using can be at a great cost to our company. So being able to enable management of those can help us recoup and manage those costs.
So again, just holistically how we're managing our systems. And then cybersecurity applications, as I mentioned: this goes into the concept of where are we vulnerable, how are we doing threat detection, data loss prevention, are we doing dynamic data masking? So again, when we move into that optimization conversation, what are we doing that's beyond access controls to further secure our systems?
So again, this is kind of the scope of who we are as a company and what we're doing. And again, our vision is to provide full access controls, that full application access governance suite, and beyond functionality, so the CCM and the CAC functionality that goes beyond that. But this is only as useful as the applications we can do it for and the depth at which we can pull those details out of the applications to ensure that we're properly supporting compliance.
And I'd like to spend a little bit of time talking about why that's important, why, when we say that's our vision statement, it is application breadth and depth. Why do we say that? The reason is because we know about cross-application risks; Martin talked about this, right? We've got SAP, Oracle, Ariba, we've got Salesforce, you may have boss or L F Ss, there are multiple applications out there that we're using to run our business, right?
So we need a breadth of applications that we can support, because it's no longer just what is your main monolithic ERP that's housing 90% of your functionality. Now we're seeing these parsed out into various applications, right? Part of our business process may be within one application, and then that is integrated into multiple other applications. So you know the example here, right? We may be doing part of our procurement in SAP, but then we're doing goods receipts and invoice processing in Ariba, and then we handle payments and accounts within Oracle, right?
Or this could be any other set of applications. So when Martin talks about the need to do access risk analysis and how we provision access or how we handle emergency access into applications, it's not just one, it's all of those applications that are interconnected, those line of business applications that are also connected to our major ERPs, like our SAPs, like our Oracles, because we're trying to address the full scope of risk in the environment. Now that's application breadth, right? Basically we need to be able to do these access controls for a lot of applications.
But why is application depth also so important to our company? It's because of the complexity and the differences between all of these applications. So I mentioned in the last slide SAP ERP, Ariba and Oracle; if we just take those three for example here, along the left-hand side we have the access that's defined within a system, right?
Users, roles, actions and permissions. Within SAP, those are users and roles; our actions are transaction codes; our permissions are authorization objects, fields and values. If we look at Ariba, it is similarly a user and a role, but the actions are roles and the permissions are activities. And then when we look at Oracle, again we have users, but we also have roles and responsibilities, and our actions are called functions and our permissions are functions.
We also, if you look into Oracle Cloud, have privileges, right? So what this means is that the security permission structure for each of these applications varies based on application. They were not all built with the same security structure in mind. So that's why depth is so important because if we're only looking at those top two layers, the users and the roles we're missing the nuance and the difference between the access being provisioned to users at that action and permission level. So that's why depth is so important.
We need to get down to that permission level within each of the applications that we want to properly report on for access controls. So our SoD and our sensitive access risks, the way that we provision emergency access: if we're provisioning emergency access, we want to be very certain about exactly what access we're granting to users. So understanding at the permission level what access is granted is vital. Similarly for certifications, if we're gonna recertify access, yes, we may pull that access and report on it for certification at the role level, but is that a role?
Is it a responsibility? Is it a user group or a security class?
And then the risks that are resulting from that are the risks at the permission level. So again, this is just trying to set the context, the idea for why we're so focused on both breadth and depth for applications that we support. Because we feel that to be able to accurately meet the requirements that analysts like Martin are seeing a need for in the marketplace, we really need to be able to go down to that level of detail. And now why are we doing this? I mentioned we've been around for a long time, right?
And a lot of us are very familiar with, again, SAP and Oracle and how those started out as our major ERPs that we focused on. But why have we as a company focused on expanding further beyond those? And the way I like to talk about it is from an audit perspective: why has audit evolved?
Where have we been? Where are we going? Right? 10 years ago, primary ERP systems, this is what we were focused on, right? And I know we have international audiences listening; here in the States we're all very familiar with Sarbanes-Oxley and SOX. And that's been 20 years ago that that major regulation was introduced. And when that was introduced, we were really focused on primary ERP systems, the PeopleSofts, the SAPs, the Oracles of the world, where the majority of our functionality was sitting.
And it was really vitally important that we put access controls around those applications. But then, when you've had 15, 20 years to audit those applications, what does that mean? It means that we've gotten good at understanding the access within those applications, and now we start to broaden our base for what we're looking at. Where are we concerned about potential risks? Where do we need to be focused?
And that's why in the last five years, what we've seen is a shift towards what Martin's talking to here today, which is line of business applications in addition to our primary ERP systems. So what are the applications that are connected into our primary ERP systems? That example that I used earlier around Ariba, your NetSuites, your Manhattans, your bosses, your sss, what are the applications that are interacting directly with those ERP systems, where we're sharing data back and forth between them? We have users that are operational in those multiple applications.
And so we now need to say from an audit perspective, okay, what are they doing? Is someone creating a vendor in one application and paying invoices out in a different application? Do we have visibility to that? Are we exposed in terms of risk? So that's really come up within the next five years. And then where we really see things going from, from our company's perspective and what we've seen Analysts, you know, like in the KuppingerCole reports, is this drive towards where we headed, say in the next five years, it's all line of business applications, right?
Because any application within your environment that users can have access to may have risks involved, right? And then int any interplay between them may involve risks for users.
So again, it's just as we globally wrap our hands around the risks that are potential within our companies, we continue to expand that scope, right? And I always refer back to the capability maturity model, right? First step is define your policies, then automate where you can, look to optimize, right? Make things repeatable. That's applicable too for how we look at the applications that are in scope for us to want to regulate and want to monitor and want to manage our risk and compliance around. We start with our major crown jewels, right?
And then we look at the applications that are interacting with our crown jewels, and then we start to look at all the other applications that we have out there. So it's the same concept of baby steps. We start with one piece, we add onto it and we build from there. So this is, you know, where the concept of Pathlock came from, what our goal is and why we think it's so important. So whenever I say I wanna speak to, you know, why there's a need and how we deliver on that need, this is what we see it as, right?
A need for application breadth and depth and for this zero risk concept of managing risk across our environment, within each application, across applications so that we can provide the access to users that they need to do their job without excessively exposing our company to risk. So I will wrap up with just a slide or two on, you know, how we do that.
So again, Pathlock offers our main access controls product, which is called Application Access Governance. It has five different modules that meet those key needs. So access risk analysis, compliant provisioning, certifications, elevated access management, and role management. And these are all à la carte, right? You can utilize any of these pieces that you need. I like to think about them in the way that I would typically implement them. So in my prior life before working in software, I was a subject matter expert.
I was a SME for SAP and in particular role design, redesign and GRC solution implementations. So the way I kind of tend to look at things is consultative. I like to provide users with takeaways in terms of how to think about how to implement. We've talked about a lot of applications, a lot of feature functionalities. Realistically, where do we start? Where do we go? In the last slide I talked about starting with your major ERPs, expanding to the line of business apps that integrate with those ERPs. And then looking at the rest of your scope of applications.
I would take the same approach here, start with the baseline functionality and then add onto it, right? And so we kind of think about it in terms of get clean, stay clean, optimize, right? Access risk analysis is how you can get clean. That's your baseline step, right? Baseline your risk environment. What are the SoD and sensitive access risks in your application or applications? And who has those risks, right?
Run that report, see where you stand and work towards getting to that zero unmitigated risk status where you have addressed all the risks within your environment, either through remediation and revoking that access or through applying a mitigating control that acknowledges we're aware this user has the risk, here's the control that we're using to manage that, and now we have no risk that we're unaware of in our environment. That's a great first step. And then compliant provisioning is exactly what it sounds like.
Risk reporting, if you're just running static reports, those are exactly as they sound static. So they're out of date as soon as someone gets new access within an application. So compliant provisioning allows us to stay clean, right? We've done all the work to clean up our environment, to manage all of our risk compliant provisioning ensures that as we provision new access out to users, we're preemptively doing that risk analysis check and mitigating or addressing those risks prior to provisioning. So we're keeping our environment clean.
Certifications: say we're doing a good job of being compliant when we provision for that, you know, joiner mover leaver process. But certifications allow us to revalidate standing access and ensure that nothing stale is sitting there. We have people who back others up, we change jobs and we get the new access for our new job, but we're supporting our old position for a set period of time. Certifications are just a great way for us as a company to revalidate the access that's still needed.
So again, users have access to do their jobs and nothing additional. And again, certifications build on what you've already done. The same way with provisioning, we want to be compliant by pulling in that access risk analysis as we provision; make your certifications compliance focused, pull in those risk results to those certifications so that you're giving that contextual information to your decision makers. If I allow this user to retain this access, is it providing a risk to them that they can perform? Right? And then moving on to elevated access management.
Access risks are not just SoD risks, they're sensitive access or critical access risks. Well, once we baseline our environment and we're aware of the full scope of users that have access to perform a sensitive access risk, now we can look at elevated access management as a way to revoke that standing access for them so that when it's needed, they can request the access, check it out, have it for a time-bound period, the usage of that access is monitored and reported on and then revoked at the end of their period of time that was pre-approved, right?
So we're still supporting the business initiatives, they can still use that access when necessary, but we have less exposure to risk because they have less standing privileged access, right? So again, marrying all the pieces together, elevated access management can play off of that sensitive access risk analysis that we've done in that first step. And then role management, again, I mentioned my background is in, you know, role design and access provisioning, role management, basing it off of our access risk analysis.
If we don't build risks directly into our individual role design, we can reduce the number of risks that we're exposing our users to when we assign access to them. It's gonna simplify the cleanup as well, the remediation of it, because it's just taking a whole role away versus a role just automatically granting risk to a user when it's designed. So taking that concept into account and building that through our full design of our access so that we have cleanly designed roles, right? So again, you can use these products in any order.
That's just what would be my tips and recommendations for the quickest ROI and a way to build, again, starting out small with one step and building on that success to be able to implement access controls across your suite of applications and to use it effectively. And in my last two minutes here, I will just wrap up with what is the value here? Martin spoke, you know, very eloquently to what exists out there, what products, you know, consist of access controls, why it's out there, why it's needed, what users can use it for.
I kind of mentioned this in my previous slide, like the value of it, but I like to leave you with some tangible benefits and how it benefits each of the various teams in your environment. So you know, if you are looking to assess for a different tool, as Martin said, you know, don't just take an analyst's word for it. Don't just take my word for it as someone who is telling you about what our product can do, but actually, you know, speak to existing customers or ask for use cases, right? And case studies for how others have seen value when they've implemented an access controls tool.
And these are some of the numbers that we've seen in our case studies with customers and clients, right? So we look at it as IT, our business, and our internal controls or audit. How can each of these groups gain value with it? You're talking about a 50% task reduction that comes from things like if you're automating provisioning and you're automating your certifications, those are no longer manual tasks that IT is having to perform, just managing the tickets, sending emails for approvals, going in and manually provisioning the access or de-provisioning access.
Additionally, whenever we're performing audits, IT is not having to manually gather the audit trails from all those different places, the ticketing system, the emails, et cetera. Change logs in the tool, an access controls tool, will have an audit trail within it for provisioning, for certifications, et cetera.
So there's a standardized place audit can grab that data from. That 50% task reduction is so valuable to IT because they can move beyond keeping the lights on and they can really start to focus on business impactful items that the business is requesting in the applications to be worked on. So we're really freeing up IT time to do that. Similarly with the business, you see a significant reduction in time to provision whenever that's automated. Same thing for certifications.
If all the contextual information, like when they got the access, when they last used it, if it's causing risks, if all that's included in the certification upfront and no matter what the application is, it's presented in the same format, that really simplifies their job to be able to complete those reviews and do it more quickly. So they're saving time doing that.
And again, they're not having to gather audit data because all of the audit trails are in a centralized tool for audits to begin with. So we're taking that burden off of the business and that's where you can see that cost reduction in the time that they're spending performing these compliance initiatives. And then internal controls and audit, and 80% risk reduction. This goes back to that concept of not just what can you do, but what did you do, if you have a centralized tool where you can manage not just one application, but multiple applications.
So again, that breadth of applications, what we're allowing our audit and support team to do is to manage more applications. Because again, the more that we automate, the more that we can do, it simplifies for us. And so we can cover more with the same amount of resources. And because we can cover more with the same amount of resources, we can reduce our risk exposure because now we're covering more applications, we're seeing where our risk is and we're managing it and monitoring it for compliance. So we're reducing that risk for the business.
So with that said, Martin, I will hand it back over to the group for Q&A, but I hope this has been valuable for everyone to just get a little bit of an understanding of what Pathlock is, what we do and how we can deliver on this need that has been identified for, you know, SAP and line of business access controls.
Keri, thank you very much for all the insights you gave. Right now we are at, so to speak, part number three, the Q&A. We have a couple of questions here, so if there are any further questions then please enter them.
The first question I see here is about, I think it's a question that goes to you, Keri, because it's a bit also focused on the part I talked about. And so how do you see the access governance landscape evolving, especially with respect to line of business applications and given the rapid pace of digital, oops, rapid pace of digital transformation and the growing emphasis on hybrid work environments. So what's your take on that evolution?
Yeah, I think I spoke to that a little bit, but I think the hybrid working environments is important, right? I think that goes to, we don't just have monolithic ERPs anymore. We have cloud applications that are interacting with those ERPs.
We have, you know, fully hybrid environments that are on-prem and in the cloud. And even as a lot of our on-prem things transition into the cloud, we're still operating. I think the statistic that came out a year or two ago was something like 30, on average, a company has something like 34 SaaS applications and 96% of companies have applications that are both in the cloud and on-prem. So they're operating in a hybrid environment. So I think that's a very common issue that we run into. And I think it goes back to thinking about your path to compliance.
You know, starting with your main applications, you know, your main ERPs, and then looking at the main line of business applications that are interacting directly with those. I think that's what comes in scope next.
And then, like I said, after that, it's the additional applications that will come into scope. And I think that's where it's going, that's where we're seeing it going for audit purposes, right? As soon as you lock down one application, they say, this is great, now let's make sure we aren't exposed to risk in our other applications that are interacting with this one. Then you lock that down and they say, okay, this is great.
We've locked down the major ERP and what's interacting with it; now, what other accesses do users have in your system? What are they doing in those applications?
Are you monitoring that? Are you managing it? Are there risks present there? So that's kind of the progression that I see that continues to happen. And I think that is applicable because like we said, so many companies have hybrid environments that it's just, there's no way around it today.
Yeah, we have to find a way to address it. And talking about hybrid environments, there's another question which seems to be one that is popular amongst the attendees. So also others are voting for that question to be asked.
And it's: we are in the midst of our migration to S/4, but still have some on-prem SAP after the migration. What recommendations do you have for us as we consider how to get a combined view of access risk for both cloud and on-prem based ERPs? And I think this is a perfect question for Pathlock with your two parts of the portfolio.
Yeah, absolutely. So I think that, not to oversimplify, but whenever you are transitioning, you know, if it's SAP ECC to HANA to S/4, or if it's an Oracle EBS to Oracle Cloud transition, again, not to oversimplify, but I would look at it as the same concept of what we just talked about, about hybrid environments. If the application that you have in the cloud is another SAP instance, or if it's an entirely different application, the risk is the same and the approach is the same, right? We want to take risk into account for both of those.
So we want to connect our access control solution to both of those applications, both your on-prem and your cloud application, and then make sure that you define your rule set. So your rule set should define risks for both of those standalone. So whatever is existing within your on-prem environment still today, you wanna look for SoDs and sensitive access within that. But then also, is that on-prem environment in any way passing data back and forth with your cloud, with your S/4 instance? If it is, you're gonna wanna look for cross application risks, right?
And to do that, you will need to update your rule set so that your rule set is looking for the, you know, when we build a rule set, it's various opposing functions, right? So we're gonna look for the function in our on-prem solution and the function in our cloud solution that may be conflicting to cause the risk. And then we want to report on that. So Martin was mentioning we have a broad solution tool. So Pathlock Cloud is something that we would offer that would connect to both of those within a singular system.
We do also have SAP native type solutions that can connect directly to that. Or if you already have, for example, SAP Access Control, we can extend that for you. We are a partner with SAP, and we can extend your access controls to additional applications, be that other SAP applications or non-SAP applications.
So again, that's a lot of me talking, just to say that, to simplify it, take the same approach you would regardless of if it was SAP S/4, or if it was Ariba or Salesforce or anything else. Look for your risks within the applications themselves, on-prem and in cloud, and then look for your cross app risk between the two.
Okay. We have one more question, and that is one which you touched a bit, which I touched a bit, where I can probably elaborate a bit more on.
So I probably would start and then hand over to you. So how would you suggest to evaluate vendors for cross application governance capabilities? Which areas should carry the most weight?
I would say as someone who's an analyst and who also supports organizations in finding the right tools, there's no fixed answer to that because the weight depends on your requirements. The most important thing is really looking at your requirements. So which requirements do you have in your current world? This is also sometimes impacted by what are things that are lacking? Where do you have challenges, et cetera. But also all the baseline stuff. And then there's also this perspective on what do you know will change and what could change.
So also look at where is this market heading? We talked a lot about where is the market heading today and the landscape you need to support. And it's very important that you say, okay, so even while I maybe am in a traditional on-prem world today, I know that this will change because there's whatever, the strategic direction given by our CIO to go in that direction. And these are things you need to incorporate.
And then you really need to build a good, strong requirements list and think about what is most important, figure out the very few must-have criteria. So if you have too many, and too many I would say is everything which is north of 10 as must-have, then better go to a high priority in should-have. And also define what is could-have, which would be nice to have, but it's not so relevant. And from that you can then go really into a tool.
This is also where, across the entire process, but specifically also when it comes to looking at who are the vendors to pick for the shortlist, et cetera, reports such as the one we talked about today can help. Keri, anything to add here?
I don't know that I could articulate it much better than that, but I would absolutely say know what your key needs are and find something that is going to meet your needs today, but also support where you wanna be tomorrow.
So, you know, an application and access controls tool can offer you everything in the world, but if it doesn't do the one thing that you need, that's not helpful. So find something that does what you need today. But then like Martin said, think about where you're headed tomorrow, what you know today. You may just need an SoD report; tomorrow, you may want to do certifications and the next year you may want to be able to do that provisioning.
So, you know, think about what can meet you where you are and what can grow with you as you, you know, continue to improve on your compliance approach.
Okay. So that means just to say now, thank you, thank you to you, Keri, for all the insights you've provided.
Oh, thank you Martin.
Very, very interesting presentation. Thank you for supporting this KuppingerCole webinar. Thank you to all the attendees for joining our KuppingerCole webinar. Hope to have you back soon at one of our virtual or physical events. Thank you.