The Convergence, Part 1: IGA and GRC

As part of Saviynt’s multi-part blog series leading up to our annual conference, Saviynt Converge, I wanted to discuss a topic that I am very passionate about. I believe there is a major shift occurring in the IGA and GRC markets – in fact, I believe they are converging – pun intended. Audit departments are looking to expand their Segregation of Duties (SOD) risk management capabilities to cover not only traditional ERP systems (e.g. SAP or Oracle) but also cross-application SOD risks. For these reasons – and many others – I believe an Enterprise IGA solution that is capable of handling complex security architectures is well suited for this task.

How did we get here?

For a long time now, many companies have worked to integrate their Identity Governance and Administration (IGA) platforms with their Governance, Risk and Compliance (GRC) solution to perform a preventative segregation of duties check before granting access. This required separate teams and multiple technologies.

Legacy Identity Management and IGA technologies lacked the capabilities necessary to handle complex security architectures within ERP platforms, which then meant internal audit and GRC teams needed a solution to manage SOD risk within these applications. Given the familiarity with their own platforms, the major ERP vendors created solutions to manage SOD risks and other Governance, Risk and Compliance activities. This led to multiple silos of data and risk information that made it difficult for management to get a true sense of risk across the enterprise.

I have seen two key trends in the market that lead me to believe these capabilities should reside in one enterprise governance platform. First, some organizations have developed and maintained complex integrations between their Identity Governance and Administration platform and the SOD engine in their GRC systems. Following best practices, they want to perform a preventative SOD and Sensitive Access risk analysis simulation during the access request process by leveraging web services available in the GRC system. In most scenarios where customers have implemented this, the risk analysis during the access request process only applies to certain systems (e.g. SAP) and does not take into account other potentially risky access in additional applications (e.g. Salesforce, Workday, Active Directory). Second, organizations are looking for functionality that expands GRC capabilities to identify SOD risks spanning multiple applications (for example, SAP and Salesforce). I constantly hear from customers who are struggling to extend their legacy GRC solutions to additional applications.

Enterprise Governance Requirements of Today

Today’s enterprises require both IGA and GRC (SOD Management) capabilities to meet compliance requirements in hybrid environments. As organizations undertake digital transformation initiatives, they can also open themselves up to a variety of new risks. 

With the current trend of business processes spanning multiple applications, both in the cloud and on premises, auditors are requiring companies to understand and mitigate potential SOD violations that span applications.

At the same time, organizations are looking for modern IGA solutions that can meet their requirements to efficiently manage joiner, mover, leaver scenarios within the hire to retire process and satisfy compliance requirements in hybrid IT environments. An IGA solution enables you to have a single source of truth for what access a user has in applications across the Enterprise. Companies are searching for IGA solutions that are flexible enough to meet their requirements and are designed on modern data management platforms that provide the capability to dynamically scale when needed.

Competing Goals and Priorities

Now, I do admit that these two teams have different goals and priorities requiring different skillsets to complete their missions. Typically, a GRC program will have much more of a business risk focus while IGA programs are focused on managing the identity lifecycle in IT assets and solving the problems related to integrating varying technologies. I believe these teams should not be working in silos but understand each other’s strengths and work together to increase efficiency, meet compliance requirements, identify risks, and remediate them. Internal audit and GRC departments are searching for solutions to help them manage this business risk across the entire Enterprise and not just on major ERP technologies. With a modern IGA platform, like Saviynt, organizations can do just that.

Saviynt allows organizations to manage complex security architectures across many different technologies and allows the different departments or stakeholders to collaborate on a single platform, providing an enterprise view of risk while taking advantage of the lifecycle management and automation you would expect in a full-featured IGA platform.

The Convergence of IGA and GRC

For a while now, some large organizations have gone to great lengths to maintain complex integrations between IAM and GRC solutions. IGA vendors are developing tight integrations and go-to-market strategies with GRC vendors when they are unable to provide fine-grained SOD capabilities themselves. GRC vendors are adding traditional IGA capabilities and leveraging third parties to build integrations to applications outside of their technology stack.

It has been painfully clear from conversations with our customers that they are looking for robust SOD Management capabilities from their Enterprise IGA solution. It is extremely important to ensure that your IGA solution can support complex entitlement hierarchies (such as those in SAP or Oracle) and manage SOD policies at the fine-grained entitlement level. This allows you to identify potential risk violations that may be introduced during the role change management process and eliminate false positives.

There are a number of benefits to realize from including capabilities traditionally found in a GRC application within your IGA platform. These can include the following:

Preventative SOD and Sensitive Access risk analysis as part of the access request process

Performing an SOD risk analysis simulation before a user even submits an access request can help drive better end user behavior. Converging IGA and GRC in a single location that uses analytics provides users with a statistical view of the additional risk an access request may introduce. Peer-based analytics give users visibility into whether their access request is likely to be approved. Many users who request access without deep clarity into why they need it will not continue with the request if it would send an additional alert to the compliance team because it introduces access risk. This information can also be leveraged by approvers to make more informed decisions.

Risk based approval workflows during the access request process

Having the ability to route an access request differently based on the risk posture of the request can create more efficient onboarding processes. Organizations can also integrate the GRC or compliance team into the approval workflow only when a high risk is detected. Approvers have the ability to review risks and assign mitigating controls even before this access is assigned in production environments.

Standardization of SOD management processes

Managing SOD and Sensitive Access risks from an IGA solution allows you to standardize your risk management processes. This gives management the capability to easily view access risks across the entire enterprise and not have to aggregate data from multiple GRC applications.

Cross application SOD detection

By having security entitlement data from applications across the enterprise and correlating it back to an Identity in your IGA platform, you can easily identify Segregation of Duties risks that exist across multiple applications.
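As an added illustration (not code from the original post or from the Saviynt platform), here is a small Python sketch of the preventative, cross-application SOD check described in the three benefits above: entitlements from several applications are correlated to one identity, fine-grained SOD policies are evaluated across applications, and a requested entitlement is simulated before it is granted so the request can be routed by the risk it would introduce. All identities, entitlement names, policies and the routing rule are constructed sample data, not real SAP, Salesforce or Workday values.

```python
# Constructed sample data: the entitlements each identity holds, already
# correlated back to one identity across applications (not real product values).
ACCESS = {
    "jdoe":   {"SAP": {"VENDOR_MASTER_MAINTAIN"}, "Salesforce": {"APPROVE_INVOICE"}},
    "asmith": {"SAP": {"PAYMENT_RUN"}, "Workday": {"VIEW_PAYROLL"}},
}

# Constructed SOD policies at the fine-grained entitlement level. A policy is
# violated when one identity holds an entitlement from BOTH conflicting sets,
# whichever application each entitlement lives in (cross-application SOD).
POLICIES = [
    {"id": "SOD-001", "risk": "HIGH",
     "desc": "Maintain vendor master data and approve or pay vendor invoices",
     "left": {("SAP", "VENDOR_MASTER_MAINTAIN")},
     "right": {("SAP", "PAYMENT_RUN"), ("Salesforce", "APPROVE_INVOICE")}},
    {"id": "SOD-002", "risk": "MEDIUM",
     "desc": "Run payments and view payroll data",
     "left": {("SAP", "PAYMENT_RUN")},
     "right": {("Workday", "VIEW_PAYROLL")}},
]

# Assumed routing rule for this example: the highest newly introduced risk decides approvers.
RANK = {"NONE": 0, "MEDIUM": 1, "HIGH": 2}
ROUTING = {"NONE": ["auto-approve"], "MEDIUM": ["manager"], "HIGH": ["manager", "grc-team"]}


def holdings(user):
    """Flatten one identity's per-application entitlements into (app, entitlement) pairs."""
    return {(app, ent) for app, ents in ACCESS.get(user, {}).items() for ent in ents}


def violations(pairs):
    """Ids of every policy whose two conflicting sets both intersect the given holdings."""
    return sorted(p["id"] for p in POLICIES if pairs & p["left"] and pairs & p["right"])


def simulate_request(user, app, ent):
    """Preventative check: violations that granting (app, ent) would newly introduce,
    the resulting risk level and the approvers to route to. Existing violations are
    reported separately so they are not blamed on this request."""
    before = set(violations(holdings(user)))
    after = set(violations(holdings(user) | {(app, ent)}))
    new_ids = sorted(after - before)
    risk = "NONE"
    for p in POLICIES:
        if p["id"] in new_ids and RANK[p["risk"]] > RANK[risk]:
            risk = p["risk"]
    return {"new_violations": new_ids, "existing_violations": sorted(before),
            "risk": risk, "approvers": ROUTING[risk]}
```

Note that jdoe's SOD-001 violation is only visible because the SAP and Salesforce entitlements were correlated to the same identity; either application's own GRC tooling would see half of the conflict.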

Including risk analytics in the user access review process

Reviewers can make more informed decisions during an Access Review campaign when risk analytics information is available. For example, a manager reviewing a user’s access can identify security entitlements that are causing SOD violations, that are outliers compared to the user’s peers, or that have no usage data.

Include risk analytics in your Enterprise Role Management processes

Incorporating SOD analysis into your role management processes allows you to identify potential risks before roles are rolled out to a large user population. Role mining / engineering capabilities can be configured not to recommend roles that would violate the risk policies you have configured.

Why Saviynt? Converging IGA and GRC as-a-Service

Saviynt’s cloud-native, Gartner-recognized Identity Governance and Administration platform provides customers all of the governance and automation capabilities they require for the modern enterprise. 

Manage Cross Application SOD and Access Risks in One Place

From the same platform, organizations can manage SOD and Sensitive Access risks within their main ERP systems (e.g. SAP, Oracle, Microsoft Dynamics, PeopleSoft, Workday) and identify risks that span multiple applications (Cross Application SOD violations). We give customers a single pane of glass to view and manage application security risk across the entire Enterprise and move away from siloed Governance platforms that struggle to extend visibility outside their own technology stack.

Assured Compliance-as-a-Service

Our goal is to provide “Assured Compliance-as-a-Service” from one platform in the cloud that spans legacy technologies (yes, even mainframes), Cloud applications (Workday, SAP S4HANA or Salesforce), collaboration suites (Office 365, Box or Google Apps/G Suite) and even Public Cloud Infrastructure providers (AWS, Azure, GCP, Alibaba and IBM).

Cloud Native

The Saviynt platform is designed to be delivered from the Cloud, allowing your organization to forget about managing a large on-premises infrastructure footprint. Our Cloud native platform enables our customers to focus on providing value to the business by executing on their Governance and Compliance goals while also extending their SAP, Workday, or PeopleSoft governance across applications to prevent audit findings.

There is a clear trend in the industry where these two markets are converging. I believe that fine-grained SOD Management capabilities will be available in most IGA solutions in the future because they (should) already have all of the data.

For more information about how Saviynt can streamline your IGA or GRC activities, contact us today or request a demo.

Connor Hammersmith

About author

Connor is the Application GRC Lead on Saviynt’s Solutions Engineering team. He specializes in helping customers solve complex Identity, Security, and Governance related problems. In the past, Connor was in professional services advising clients on their IAM and Governance programs while leading teams implementing IGA and GRC technologies, remediating segregation of duty risks, and designing application security in ERP environments. His experience has helped him advise customers on how best to integrate their IGA and GRC programs to design more efficient risk based Governance processes.
