#SAPTechEd – SAP Netweaver & GRC Identity Management

28.10.2009 by Sebastian Rohr

During the last 30 months I was rather critical of SAP's approach to positioning and further developing the technology acquired from Norwegian MaXware in 2007. The visit to SAP TechEd 2009 in Vienna showed, through several technical presentations and direct interviews with people such as Keith Grayson, that SAP did a really good job in not only integrating MaXware into the Netweaver group but also coming up with a sound strategy on how to move forward with the whole offering. Besides the fact that the Business Objects GRC system still has some valuable functionality as a provisioning tool for complex environments, the capabilities regarding the “Netweaver to SAP application” provisioning can now safely be called “unparalleled” in the market.
If you have access to the SDN platform, make sure to get your hands on the numerous slides in the SIMxyz track of TechEd. You can learn how to easily implement SAP Netweaver Identity Management, integrate with SAP Business Objects GRC and much more. As pointed out above, the joint deployment of the “standard provisioning engine” and the GRC one does have some benefits, especially if the Compliant User Provisioning (CUP) features are needed due to strong GRC requirements. It has been stressed in the sessions that such a design needs to be planned very carefully and that cross-competence teams should be in charge of this to get all requirements and stakeholders represented in the final architecture.
Regarding 3rd party system integration, the ongoing standardization plays into SAP's hands, as Keith and I discussed the growing relevance of SPML and SAML 2.0, which, by the way, has now been tested and certified to be working with SAP ID management solutions and might find its way into the core product in the future. More and more provisioning targets become easier to integrate, as the corresponding ISVs now see openness towards IAM solutions as a benefit.
To sum the impressions up: Keith and all the others did a great job in “turning around a skeptical analyst”. I am positive that the current setup and strategy will result in a good position in the ever-changing Enterprise Identity Management market for SAP.


#SAPTechEd – GRC cooperation between SAP and Novell

28.10.2009 by Sebastian Rohr

I already pointed out my personal satisfaction about the recently announced cooperation between SAP and Novell in the GRC market. This morning I had the opportunity to discuss the whole approach with Jay Roxe of Novell and Ranga Bodla of the SAP GRC group, both operating out of the US.
Besides my enthusiasm about the materialization of something I suggested to be beneficial (every once in a while, analysts DO show that they are humans, too!), the views on business opportunities, market pull and demand for GRC in general were almost identical among the three of us.
First let's check the market pull: both companies said they received multiple requests from existing customers to provide insight on how to couple the more business-GRC oriented SAP solutions and the more IT-GRC oriented SIEM tool Sentinel of Novell. As open APIs were already available and Novell had their products on the path to SAP certification, taking the next step and analyzing the related business opportunity was only a matter of weeks. The joint approach beyond using and testing the APIs was then tested by a large consulting and system integration company in their labs. Looks like when there is a proven market, everybody is interested in providing a solution.
Second, the demand for End-to-End GRC solutions: as KuppingerCole indicated during last year's GRC event in Frankfurt, more general and more broadly oriented solutions would be necessary and on offer soon. Only 10 months later, not a single product but a joint solution IS available! SAP and Novell beat our projections and I guess it will take another 6-9 months before we either see another co-op or even a merger between two niche-players to offer a competing solution or product.
Third, the business opportunity: SAP, being the Business Intelligence provider they are, was quickly able to provide Novell with numbers on SAP GRC customers, and quite a few hundred of them were identified as possible candidates to be addressed for a joint deployment. Vice versa, existing Novell customers with SAP deployments turned out to be of a significant magnitude, thus both groups form a considerable target. We at KuppingerCole can only second that both the identified customers and the remaining “white space” in the market would benefit from a joint and integrated deployment – the former generating added value almost instantly – the latter reaping the benefits from the then (expectedly) available best practices generated by the early adopters.
General perspective: KuppingerCole sees their own projections and analysis fulfilled ahead of time! SAP and Novell now have a considerable head-start in the market and thus have potential to counter offerings from Enterprise GRC vendors such as BWise, OpenPages or Mega due to the breadth and depth of the combined solution.
If you would like further insight into which GRC approach now makes sense for you, feel free to contact us and make sure to attend our upcoming related webinars: http://www.kuppingercole.com/webinars


#SAPTechEd – Google Wave @ work // Enterprise 2.0?

27.10.2009 by Sebastian Rohr

Communication & Collaboration – that is what email is all about – or should be.
The GoogleWave concept mimics snail-mail and a wiki at the same time, while being a protocol and an application as well.
The demo looks like a cooperative instant-message chat, but showing character by character, making an almost f2f chat impression…
Anyone who has used OneNote online before may be used to seeing the joint changes of multiple participants in one document – but it is amazing to see even uploads of photos and other material into the wave in the blink of an eye.
To see somebody adding a Google map into the wave and have it adjusted to show the right location IS amazing!

Let us put it like this:
As a digital nomad and “never in the own office” worker, I want this, and I want it NOW!
Now for Enterprise 2.0:
Adding the SAP business process design tool Gravity to Wave enables cooperative work on new process designs inside the Wave.
Re-designing processes to adjust to changes caused, e.g., by Mergers & Acquisitions now becomes easier due to real-time collaboration between subject matter experts. Cool user experience…


#SAPTechEd – Original1 against Product Piracy

27.10.2009 by Sebastian Rohr

Again, sorry for bothering you with non-IAM information, but this is highly interesting for those looking into Business-GRC.
Just now, Nokia, SAP and Giesecke+Devrient announced the joint venture called Original1, which will offer SaaS solutions for anti-piracy and anti-counterfeiting projects.
The goal is to enable customs officers, supply-chain service providers and possible wholesale customers to check and verify if a certain batch or delivery is actually original product or counterfeited merchandise.
The solution will leverage technology by all three vendors, comprising SAP ERP back-end information, Nokia mobile device extensions for on-site reading/scanning of products and Gi+De technology to secure the process steps and information. The company will be led by Claudia Alsdorf as CEO and will be located in Frankfurt, Germany. As to specific requirements, the solutions will be technology agnostic and available on devices and systems not offered by the contributing parties.
Target customers will be the brand-owners and vendors of high-value or high-risk products, e.g. luxury goods, pharmaceuticals or the like.


#sapteched: too much twittering.. ;-) – but not enough on IAM & GRC

27.10.2009 by Sebastian Rohr

Did you find yourself adding hash-tags in emails or “old-fashioned” blog posts recently?
Well, I think we are all tweeting quite a lot (except for me, I do not spend too much time on it) and organizing tweets that way is a good thing, for sure…

In between two Netweaver security tracks I just wanted to give you an update on the cool show SAP put together once again! I already met so many friends and colleagues and usual suspects, I almost felt like visiting EIC ;-) in Munich.
Novell made some great announcements recently and – to no surprise for me – their now combined SAP/Novell offering for end-to-end GRC does add a lot of value for customers of both companies.
Just a few weeks ago, doing an invited talk at the SAP Partner Port in Walldorf with Loren Heilig, Managing Director of IBSolutions, I claimed that SAP does have a big advantage when it comes to Business GRC, while they really lack the depth needed to control everything down to the system-level, aka “more technically”. As a complementary solution vendor, I showed some Novell slides, and the reactions were pretty … ambiguous.
While the customer audience seemed to like the idea, the vendor representatives seemed a bit uncomfortable. Today, I find myself proven right by reality – my own little “analyst crystal ball” only had a “warning period” of roughly 4 months, though. Maybe I should get to London and place some bets, before making my next presentations…
SAP and Novell: congratulations! You now offer the most complete GRC approach in the market today (at least from my humble perspective!)


Windows 7 and SmartCard removal behaviour… no system lock?

25.10.2009 by Sebastian Rohr

Ok, this should be a blog about insights into the general Identity & Access Management and Governance, Risk Management & Compliance markets. Sorry to bother you guys with technology details (like the one about Win7 and 3G (UMTS) on netbooks) every once in a while, but I think one blog is enough to maintain and publish stuff to ;-)
So, whoever started using Win 7 in a secure environment may have come across the issue: smartcard log-in works like a breeze these days, but you may be as puzzled as I was when I pulled the card from the reader and the system did NOT lock itself…
Well, my friend Walter Hofer of IDpendant was kind enough to investigate the issue (and let me know right after he found out):
Even with a corresponding GPO set in the AD, Win 7 will refuse to lock the computer after the smartcard has been removed from the reader, as Microsoft chose to create a new system service called Smart Card Removal Policy – and it is set to MANUAL. Unless you look that service up in the “Services” menu and change its start behaviour to “Auto”, you will not get the expected results.
Just to get you a faster solution if this should occur to you, too!
Keep up the safe & secure computing experience!
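
An added example, not part of the original post: a PowerShell check of the two settings described above, the removal-behaviour policy and the Smart Card Removal Policy service. It assumes the service name SCPolicySvc and the Winlogon registry value ScRemoveOption; the `-Fix` switch is this script's own.

```powershell
# Added example: audit the two settings that must agree before Windows
# acts on smart card removal. Run elevated when using -Fix.
# Assumed names: service SCPolicySvc ("Smart Card Removal Policy") and the
# Winlogon value ScRemoveOption written by the removal-behaviour policy.
param([switch]$Fix)   # -Fix is this script's own switch

$svcName  = 'SCPolicySvc'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$actions  = @{ '0' = 'No action'; '1' = 'Lock workstation'
               '2' = 'Force logoff'; '3' = 'Disconnect remote session' }

# Policy side: what should happen on removal (absent value = no action).
$raw    = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).ScRemoveOption
$option = if ($null -eq $raw) { '0' } else { [string]$raw }

# Service side: the policy is only enforced while this service runs.
# Get-WmiObject keeps the script usable on the PowerShell 2.0 of Windows 7.
$svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service $svcName not found on this system." }

$policyWantsAction = $option -ne '0'
$enforced = ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running')

if ($Fix -and $policyWantsAction -and -not $enforced) {
    Set-Service   -Name $svcName -StartupType Automatic
    Start-Service -Name $svcName
    $svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
    $enforced = ($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running')
}

# The gap from the post: policy asks for a lock, service is not running.
$finding = if (-not $policyWantsAction) {
    'Policy not set: removal is ignored by design'
} elseif ($enforced) {
    'OK: policy set and service running'
} else {
    'GAP: policy set but service not enforcing it'
}

New-Object PSObject -Property @{
    RemovalPolicy = $actions[$option]
    ServiceStart  = $svc.StartMode
    ServiceState  = $svc.State
    Finding       = $finding
}
```

Run it without arguments to report only. On a fleet, set the service startup type through Group Policy (System Services) rather than per machine.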


Vienna Calling

25.10.2009 by Sebastian Rohr

Well, unlike Falco in his famous hit single, this time it is SAP who's calling the world's ERP elite to Austria's capital next week – and I am happy enough to participate in one of these one-in-a-thousand events that really stand out. My very high expectations regarding the expertise I am planning to meet are only paralleled by my curiosity about whether (and if so, who) there is gonna be a star like Zucchero performing as part of the event :-)
Ok, back to the real issues, because there is a lot of work to be done while I am at the event. First of all, I will try to get as much in-depth technology insight as possible, and my agenda is bustling with activity around Netweaver Identity Management and SAP security. Especially the second, more general topic has some relevance as I am looking into the SAP and 3rd party audit and compliance solutions available today. Besides SAP's own offering in the GRC arena, I am about to dive deeper into CheckAud of ibs Schreiber, a tool I came across in several Master's theses I have been advisor for. Next is “mesaforte” of Swiss Wikima4 AG and, last but not least, the SAST System Audit and Security Toolkit of Akquinet, especially since they now co-operate with my valued friends at Virtual Forge (some of my former Fraunhofer SIT colleagues are the founders).
Do you have expertise in one of those? Are you at TechEd in Vienna? Make sure to meet me over a cup of coffee or a Stiegl Bräu beer!
Looking forward to meeting you in Vienna!



© 2012 Sebastian Rohr, KuppingerCole