SAP enters the Cloud IAM market – the competition becomes even tougher

14.10.2014 by Martin Kuppinger

The market for Cloud IAM and in particular Cloud User and Access Management – extending the reach of IAM to business partners, consumers, and Cloud applications through a Cloud service – is growing, both in market size and in the number of service providers. While a number of start-ups (such as Ping Identity, Okta and OneLogin) created the market, we now see more and more established players entering the field. Vendors such as Microsoft or Centrify are already in. Now SAP, one of the heavyweights in the IT market, has recently launched their SAP Cloud Identity Service.

The focus of this new service is managing access for all types of users, their authentication, and Single Sign-On, to on-premise applications, SAP Cloud applications, and 3rd party Cloud services. This includes capabilities such as SSO, user provisioning, self-registration and user invitation, and more. There is also optional support for social logins.

Technically, there is a private instance per tenant running on the SAP Cloud Identity Service, which acts as Identity Provider (IdP) for Cloud services and other SAML-ready SaaS applications, but also as an interface for external user authentication and registration. This connects back to the on-premise infrastructure for accessing SAP systems and other environments, also providing SSO for users already logged in to SAP systems.

With this new offering, SAP is becoming an interesting option in that field. While they do not sparkle with a large number of pre-configured Cloud services – some other players claim to have more than 3,000 Cloud services ready for on-boarding – SAP provides a solid conceptual approach to Cloud IAM, which is strongly tied into the SAP HANA platform, the SAP HANA Cloud, and the on-premise SAP infrastructures.

This tight integration into SAP environments, together with the fact that SAP provides its own, certified data center infrastructure, plus the fact that it is from SAP (and SAP buyers tend to buy from SAP) makes it a strong contender in the emerging Cloud User and Access Management market.

Posted in Cloud, SAP

Auditing access to sensitive information in SAP systems

14.11.2013 by Martin Kuppinger

In a recent SAP Insider article, SAP unveiled some interesting news around security auditing and information protection. In SAP NetWeaver Application Server (AS) ABAP 7.40 they included a new functionality called Read Access Logging (RAL). The current version supports Web Dynpro ABAP, web service, and RFC calls. Support for ABAP Dynpro is planned for a later release. SAP has also announced availability for release 7.31 in the near term and is planning further “downports” to earlier versions.

What does this feature provide? RAL allows you to log access to defined sensitive data in these systems, as well as to define which access shall be logged. The configuration of logging is rather flexible. Logs then can be searched and viewed to analyze access to the information that is monitored.

However, RAL does not support automated analysis of the collected information. The logical next step would be to automatically act on this data, by analyzing it and identifying signs of fraud. Given that SAP has technology to do that in place – just think about SAP HANA as a platform for such analytics and SAP Fraud Management as a solution that allows you to deal with fraud – this would help customers to really have a solution on hand.

Despite this gap – it’s not about logging, but about making use of log data – this is an interesting feature for Information Security and SAP Security and worth evaluating in detail.

Posted in SAP

SAP CUA and SAP NetWeaver Identity Management – some survey results

14.04.2011 by Martin Kuppinger

User Management in SAP environments has fundamentally changed over the course of the last 10 to 15 years. When centralizing user management became an increasing demand of SAP customers, SAP introduced CUA (Central User Administration) several years ago. However, CUA has some restrictions and many customers have chosen other options like provisioning tools from 3rd party vendors. Thus, SAP has decided to change the approach. SAP NetWeaver Identity Management now is the strategic recommendation of SAP for managing users across SAP systems. I've blogged about that before here and here.

We have recently run a survey on what SAP customers are doing today and plan to do. The range of SAP systems in production is pretty big: several respondents use 4 to 10 instances, but a few have a far bigger number in use, up to 200. Amongst the responding organizations, close to a quarter is using CUA today for all production instances, while another third is using CUA for some of the production instances. That might be based on the fact that CUA doesn’t support all SAP systems. The reason might also be that CUA hasn’t been deployed as the strategic tool for user management in the SAP environment, covering all instances.

Most of the organizations started using CUA early, but a few deployed the tool after 2007 and thus after the first strategic announcements of SAP that SAP NetWeaver Identity Management will be the successor for CUA. However, most customers will migrate from CUA. Around 60% plan to migrate to SAP NetWeaver Identity Management, but only one out of ten companies plans to move to a provisioning tool from another vendor. Interestingly, some 30% of the organizations don’t plan to replace CUA within the foreseeable time. Of those migrating, roughly half have started their migration, while most of the others will make that move within the next two years.

The numbers prove that SAP appears to be successful with their strategy of migrating from CUA to SAP NetWeaver Identity Management. The customers tend to choose SAP NetWeaver Identity Management for user management within their SAP environments. Given that there are sufficient architectural options for IAM today, with Access Governance solutions or Service Request portals on top of one or multiple provisioning tools below that, this approach still leaves sufficient strategic options for the holistic view on IAM and Access Governance for the entire, heterogeneous IT environment.

To learn more about these options and how to best manage SAP and other environments from the user management, access management, and IT governance perspective, visit EIC 2011 in Munich, May 10th to 13th.

Posted in IAM market, Provisioning, SAP
© 2015 Martin Kuppinger, KuppingerCole