CarahCast: Podcasts on Technology in the Public Sector

Navigating SAP GRC 2026 with Pathlock Cloud

Episode Summary

Access the Pathlock podcast to hear an expert in GRC discuss how to simplify compliance and reduce operational risk by combining SAP identity management (IDM) and access control solutions on a single platform. Learn how agencies are leveraging integrated GRC solutions to future-proof SAP environments, simplify critical operations and optimize user experience.

Episode Transcription

Anthony Jimenez

Welcome back to Carahcast, the podcast from Carahsoft, the trusted government IT solutions provider. Subscribe to get the latest technology updates in the public sector. I'm Anthony Jimenez, your host from the Carahsoft production team.

On behalf of Pathlock and Carahsoft, we would like to welcome you to today's podcast, focused on navigating SAP's governance, risk, and compliance end-of-life and end-of-maintenance deadlines. Chris Radkowski, SAP GRC expert at Pathlock, will discuss how Pathlock Cloud provides a comprehensive solution to navigate SAP's 2026 transformation based on a smaller number of components, a broad set of integrations, and expanded capabilities.

Chris Radkowski

Hello, everyone. Welcome to the session today. I thought today we'd kind of go over, you know, the following agenda.

We'd review the SAP strategy, talk a little bit about, you know, what a transition to a future-proof solution looks like, go over the Pathlock solution components, and answer the question: why Pathlock now? I'm Chris Radkowski. I was the former solution owner for the SAP Access Governance portfolio.

I was there for 17 years, you know, leading a solution portfolio. I also created what are now the Cybersecurity and Data Protection portfolios at SAP. These solutions all fall under a set of solutions that are part of what SAP now calls financial management software.

I came to SAP after being at a number of foundational startup companies in the industry. I was at Oblix, which kind of defined, you know, some of the very first identity management solutions. Identity Engines was a network-based identity management startup company.

And I actually applied to SAP just by sending a resume in, which was, I don't know, unusual. It probably still is unusual today. But at SAP, I led a number of different partnerships.

I led the partnership with Pathlock. So I was on SAP's side of the equation, managing the relationship with Pathlock. I also proposed and led an integration and partnership with NextLabs and BigID, which is an interesting, almost like a reverse identity management company.

That one actually got sort of moved over to the P&I technology, the sort of data technology area of SAP. And lastly, I was responsible for sort of coming up with a concept and driving a relationship with Microsoft. SAP has a lot of initiatives with Microsoft, both on hosting with Azure, as well as a number of different technology integrations.

I am at a number of the industry events. So we were at SAP Insider. I hope to be at SAP Insider in Europe this year.

So feel free to reach out directly. With that, I thought we'd go over the SAP strategy and talk a little bit about maybe the background of how it came to be. I'm sure that many of you are sort of familiar with this.

So I'll hopefully add a little bit of color to it, because there was a significant change to the strategy from 2024 to 2025. In 2024, the original concept to move the GRC components to a common platform was proposed, and the board approved both an on-premise and a cloud version of the GRC 2026 platform. And this was largely to address challenges with pricing, and the fact that the NetWeaver Java stack was going end of life.

So there had to be a change to the underlying technology stack. And so the board approved both on-prem and private cloud versions, which we announced in 2024, when I was at SAP. That was originally going to require every customer that was running any one of the GRC components, whether it's access control, process control, risk management, the entire list of components, to move on to the GRC 2026 platform with a new SKU and, you know, the migration efforts behind that.

And I had a small role to play in this in that I was responsible for the commercialization. And even though we kind of sat on it for a while, I came to the conclusion that, well, this was going to be impractical for any customer running these solutions to go to a common platform with a new pricing metric and sort of maintain the pricing for anyone who is migrating from audit management, for example, or even access control, you know, to this new platform, maintaining the same price with a different metric.

There was no way to come up with the ratios or anything that would work. And so that, coupled with the fact that forcing every customer to upgrade their contracts and go through a migration was going to be impractical, meant that in 2025 we announced a new strategy that enabled the existing customers, those who are on S4 specifically, to continue with their maintenance contracts.

And there would be a migration under the covers to the new platform as part of a service upgrade, you know, which most customers are familiar with. So that left the GRC version 12 NEDB customers, who will all have to go through a contract conversion and potentially a database and product migration. So if you're running on the GRC NEDB version 12 on premise, you'll have to upgrade eventually to the GRC 2026 platform, or, if you choose to continue on a sort of extended maintenance, you can do that.

GRC 2026 is a unified platform. So all the components that are part of GRC will be running on this platform. It allows sort of common components to be leveraged across each of the solutions.

And there are some solution innovations that are planned. However, since a lot of the effort is related to sort of the technical aspect of the migration, you know, updating the components to run on a new stack, there are really not that many solution enhancements planned. You can check this out on, you know, SAP.com.

Like I said, the driver behind this is really that the NetWeaver Java stack is end of life. So there's a need to move to a new stack, the SAP S/4HANA foundation layer. The focus for this release, if you're following SAP's sort of core strategies, is, you know, related to business suite, business data cloud, and AI.

So products like GRC often have to pay, I don't know, it's a large company tax kind of. And so you get dragged along into these major sales motions or technology changes that the company is following. And I think it's a pretty solid strategy when you combine applications, data, and AI.

However, what this means for a product like GRC or access control, for example, is that you often have to apply a lot of effort to these initiatives. They aren't all aligned with where the market for access control or the other GRC components is headed. Once again, if anyone is on access control, process control, or risk management and has already purchased or is running an S4 solution, there's no update to your contract, and migration to GRC 2026 is done under this sort of normal maintenance process.

So like a service pack update. I think there's a lot of effort being put into trying to make the migration process as seamless as possible. One thing to point out, however, is that SAP GRC solutions have effectively been in maintenance mode for a long time.

There are really very few features that have been released even since version 10.1. The GRC 2026 platform does not really deliver any really new integrations. There are a couple of things planned. But a lot of these are fairly low-level enhancements, really, in some cases maybe even bug fixes.

And so even after a long time, you know, there's really not much coming. Alternatives to access control, for example, like SAP IAG, with all due respect, you know, it's been in market for a long time. It may not replace access control as the go-to solution.

This is being more marketed towards greenfield customers. And so, you know, this is really not necessarily an option for a lot of customers, particularly those who have been running access control for a long time and have had lots of customizations implemented. One thing that kind of dawned on me before I left SAP is that these solutions are not strategic for the company.

And I think that that's maybe inherent in sort of what SAP communicates about roadmaps and other plans for the GRC components. There's been very little investment going into the product. And I think, you know, the idea is that, you know, just barely good enough is what is needed.

However, as we all know, these markets have grown significantly. And there are, you know, much, much greater demands generally on identity and application access governance solutions. You know, I think we see these as sort of potentially falling behind the market, particularly going forward.

So I would ask you to look forward in terms of what you think the future is and, you know, decide what, from a business perspective, makes sense for your organization. All right, so I wanted to focus a little bit on SAP identity management, because this is an end of life that was announced. It's really rare for SAP to announce an end of life for a solution.

And there is no successor for SAP IDM. It's been announced. I was involved in coming up with the alternatives for SAP IDM and was really concerned about the impact that it would have on the SAP access control business, and worried about the fact that without IDM, access control alone wouldn't meet the inclusion criteria for some of the markets we were participating in.

However, you know, there are a number of customers that are running IDM and access control. And so, you know, they will have to take a look and see what the plans are going forward once IDM is gone. IDM came to SAP through the acquisition of Maxware back in 2008.

I mention this because I was involved in trying to buy Maxware when I was part of Oblix, which was funny. So I got to be, you know, reacquainted with a number of colleagues that were part of Maxware that came to SAP. The solution is based on, you know, sort of a database, MongoDB, with a lot of scripts.

So it's highly customizable. And we went out to kind of check the different customer implementations. We found that there was really quite a large variance in how customers had implemented IDM.

Inside SAP, IDM became part of, well, what is now sort of the BTP security team, which was responsible for development and the product management roles for IDM. And originally, it was acquired as a replacement for CUA, which is funny because we still see a lot of CUA customers out there today. And like CUA, IDM was free for SAP.

And there was no license cost required for customers who were using SAP IDM for SAP. Once you connected it to non-SAP, there was a license fee, which made it challenging to go off and try to figure out how many customers were running IDM. So the information about which customers had it or are running it is not 100% accurate.

IDM has kind of been in maintenance mode for a while. I was just checking the last customer connect program. So really the last sort of, I would say, minor enhancements were collected up in 2021 and implemented in 2022.

SAP IDM is not part of the GRC 2026 plans. It has grown in functionality over the years. So it does support identity lifecycle management, role management, the access request process, and user certifications.

I mention this because we had some functional overlap with access control. And so access control was really one of the main, highly successful solutions in the GRC portfolio. It drove a huge percentage of the revenue and activity around SAP GRC.

So much so that when customers asked or mentioned that they had SAP GRC, often it meant, hey, we have access control. So we were often trying to rationalize the overlaps that increased over time between SAP access control and identity management. While SAP access control relied on the SAP identity framework for connectivity and provisioning fulfillment, there was some overlap.

However, the workflow in SAP identity management was basically fundamentally different in that it wasn't supporting a compliance-oriented approval process where you could do risk analysis, add and remove items from a request, forward that request, and so forth. So it didn't have the same level of capabilities with respect to the workflow or managing the compliance aspects of provisioning users and managing technical and business roles. The integrations SAP IDM has are, I would say, more at the data store level.

So if you look at the connectors, it's ODBC, JDBC databases, directories, as opposed to API-level integrations with applications. I think I may have mentioned earlier, there are about 2,000-plus customers running SAP IDM. I'm not sure how many of you are running that, but it's still fairly widely implemented.

A lot of these implementations are integrated with SAP access control. So there's a large cross-section of the existing customer base running access control as well. One of the reasons to end-of-life the product and have no successor is that the technology that it was built on, database scripts and MongoDB, was a little bit different from other SAP technologies, since it was part of an acquired solution.

It was very difficult to work that to the cloud. And SAP felt that even with a lot of investment, after four or five years it would still not necessarily be market competitive, or would be missing market features. And with SAP SCI, SAP cloud services, nobody thought there was a business reason to go ahead and invest the development effort in building identity management from the ground up.

So instead, there was a huge effort internally. I mean, this lasted a year, on what to do about SAP identity management. And so build, buy, partner, and buying is kind of out of the question.

Valuations for identity management companies are very, very high, still very high. So even if there was something that was available for a billion, it most likely would have had a significant overlap with the other SAP GRC solutions. So partnering, a combination of having open interfaces for the other IGA vendors and a focused partnership on Microsoft Entra, was the direction that was taken.

And any of you who are interested in learning more about that, if you search on SAP and Microsoft, you can find out more details about the partnership and the integration scenarios that are planned. And Pathlock also has a partnership with Microsoft and has implemented some similar use cases. So please look to that if you're looking at a replacement for SAP IDM.

So we thought we'd talk about maybe what to consider going forward. We went around, we started setting up conversations with customers who were running SAP identity management, and wanted to share with you a little bit about what we learned and what kind of questions to ask. And I think that, you know, we can go over the list of questions.

I think the core thing that we kind of took away from this exercise was that, given the amount of customization that organizations had invested and put into SAP identity management, the scenarios that were, you know, being implemented varied quite a bit. So we had a huge beverage company that was using this as a centralized tool to set up role packages, you know, for their customers, and other organizations were using it, I would say, more in a generic sort of joiner, mover, leaver, you know, way. Yet still other organizations were, you know, implementing, I'd say, mass maintenance capabilities, you know, ensuring that users were correctly provisioned with the right, you know, entitlements within SAP systems.

But I would definitely go down this list, you know: how many and what types of systems and identities are being managed? I mean, this basically defines the scope of the system, what kinds of systems have been integrated and what kinds of identities are being managed. Some organizations were using this for employees, yet others for, you know, customers or partners, partner identities. What customizations have been implemented?

You know, this is a key thing if you're looking to transition to a different solution: you know, what customizations will you have to implement in the new solution? It's not going to be exactly one-for-one compatible. So that has to be rationalized and planned out.

What features of SAP identity management are being used? You know, we ask this because, you know, for example, for SAP access control, there's a huge number of the install base that are running the SOD risk analysis and firefighting. Fewer are using, you know, the business role management features, for example, and it's the same for SAP identity management.

So a lot of customers are running the mass maintenance, the synchronization, the, you know, the attribute sort of mapping capabilities. Fewer are running workflows and business role management. And so, you know, understanding the scope and what features are being implemented is absolutely critical.

Has it been integrated with an enterprise IGA or access control? And so does it integrate with, you know, access control as the, you know, underlying provisioning technology? Does it connect beyond SAP or is it part of an identity silo?

I think that's an interesting and critical item to consider. I think what we're seeing is convergence across SAP and more IT-related IGA solutions. So, you know, I think over time, the SAP systems will be less siloed.

As we all know, you know, SAP is often managed by separate teams, basis teams, for example. But there are, you know, sort of elements of those silos that are collapsing, specifically around cybersecurity. I think that will stretch to identity management or governance of these systems as well.

I think one of the most important things to consider is, you know, what specific features are mission critical? Because with these projects, you know, somebody will have to define the scope, and you need to be able to identify what features, you know, are mission critical for you. What are the most important features that have to be brought over to a new solution?

Absolutely critical. Are you checking for SOD in identity management? SAP identity management doesn't do that, but that's often a critical aspect of IGA or an integrated IGA and application access governance solution.

Compliance regulations will help determine what sorts of checks and balances, what kinds of approvals, what kinds of audit trails have to be maintained as part of the provisioning process, all aspects of the provisioning process, whether it's, you know, an HR-driven joiner process, somebody being terminated, somebody changing a job; all of the related, you know, checks and balances have to be maintained. You know, also, is this part of a broader transformation? Is there, you know, an S/4HANA RISE project or a public cloud project being implemented?

You know, often some of these tools, identity management, access control, as well, are considered as part of a broader project. We would encourage you, if you're looking to replace IDM, to see if that's something that can be accomplished as part of an implementation effort or part of a broader technology transformation project. So I wanted to kind of highlight what to look for as you look to the future in your decision making around SAP IDM.

So this should be an enterprise-wide platform. SAP IDM is very specific to SAP. You know, we think one of the main considerations is that it should be able to support SAP and other applications equally.

Of course, being a cloud native architecture is critical. You know, these solutions have all essentially moved to the cloud. We think that deep integration with SAP and beyond is important, especially if you have, you know, compliance or security or, you know, process related challenges or use cases.

Supporting deep integration with SAP and the authorization models in the SAP ERP and S/4HANA applications is critical. You should look towards perhaps unifying some of the GRC and, you know, identity management capabilities. There are solutions that combine and integrate these products together in more of a seamless fashion.

You should look towards ensuring that your most mission critical capabilities are supported with minimal investment in the new platform. So time to value is critically important. You know, the solution should have a, you know, modern UI, you know, with all due respect to SAP UI.

You know, some of these are effective for many users, but also, you know, definitely older, at least in terms of what kind of technology new people have become accustomed to using these days. Future readiness for, you know, zero trust and AI. I don't think you could have a presentation on anything today without talking a little bit about AI.

Definitely future readiness for AI is an important consideration. There are quite a lot of details and resources online. You know, Pathlock, www.pathlock.com.

I would encourage you to check out the resources on our website. It's being constantly updated. And there's a lot of information and details about SAP IDM in general.

So I would encourage you to look towards resources outside as well. One thing at Pathlock that, you know, we have been considering is really, you know, what is beyond IGA and what does it mean to evolve access controls and monitoring? We would encourage you to think strategically about IDM.

It's not just SAP anymore. It essentially applies to any business-critical application. And all these applications have usage and logs and specific types of compliance-related requirements.

And, you know, your application access governance really has to accommodate and support enterprise-wide applications and ensure that the SOD risk analysis or analysis of critical access or permissions can be incorporated across, you know, your entire enterprise landscape. Not just SAP, but Workday and Salesforce and CUR, SuccessFactors, Coupa, and other applications. Each one of these has its own unique requirements for access risk analysis, compliant provisioning, certifications, elevated access management, role management.

And as you know, Pathlock has solutions that support elevated access management or privileged access management scenarios for not only SAP ECC, but any of the enterprise applications that are part of the support matrix. And so that is a critical consideration. I think at SAP, our dream was to have firefighting scenarios supported across, you know, more than just ECC, but the underlying technology to proxy the authentication was something that was baked into the technology stack.

So, you know, that was a real challenge. And I don't believe that, you know, even though it was on the roadmap for a long time, I don't think there's any plans to release that anytime soon. So looking beyond just IGA and evolving your access control and monitoring capability is more than just about application access governance.

It also involves, you know, looking towards continuous controls monitoring. And so one thing that Pathlock has done with the integration with SAP is that the controls management can pull the actual transaction logs of what users have executed in the application. So there's an end-to-end scenario that allows you to manage what users can do, and then, using a controls monitoring process, pull the information that shows exactly what users did do.

And so that is critical in terms of meeting your audit requirements, monitoring for the correct kind of system activity, and ensuring that you're prioritizing your efforts around managing risks and remediation capabilities. So I think that what we're seeing is that the business has really moved beyond just, you know, just IDM, and involves a continuing set of different solutions that are really providing enormous business value in today's environment. And so once you've considered sort of the future of application access governance and continuous controls monitoring, there is an increasing number of different kinds of cybersecurity and other application controls you can leverage, basically to use and collect sort of similar data.

So once you have connectivity at the sort of base, you know, connector layer to pull the transaction logs, not only for firefighting, but for, you know, monitoring and did-do analysis, these have, you know, tremendous applications in terms of threat detection and monitoring, vulnerability management. If you consider the security implications, you know, having that complete set of data opens the door for complete end-to-end capability around a combination of access governance, controls monitoring, and security. Just wanted to go over some considerations.

Pathlock is a complete integrated IGA, application access governance and CCM platform in the cloud. IGA is Identity Governance and Administration; AAG is Application Access Governance. Just wanted to refresh your memory on some of these acronyms.

I think we tend to throw those around sometimes and not everybody understands them all. Pathlock is built on a comprehensive technology. Coming to Pathlock from SAP, I think some of the key things I noticed are that, you know, the solution is highly flexible and the workflow is one of the key parts of it.

The ability to configure workflow steps and connect at a much deeper level to, you know, all of these business applications. Since the connectors have to integrate for basic user administration and provisioning capabilities, as well as pulling in data for monitoring purposes, the connectors themselves are, you know, much more comprehensive and robust for that reason. Most vendors in the market, SAP included, you know, their connectors, I'd say, are fairly lightweight.

You know, they're based on standards like SCIM, or maybe they can provision an additional attribute. Pathlock connectors, you know, have to be, I'd say, multi-talented and handle a lot of different scenarios, not only the provisioning, but, you know, the monitoring. And so the logs that Pathlock integrates with, for example, for firefighting, are a lot more extensive, even than SAP.

So it's STAD logs and CDPOS. I don't want to name the entire list, but it's extensive. I think that's why, you know, for business scenarios, we've come out with this sort of set of solutions around this called BPAM, business PAM, because there's a lot of confusion in the market about, you know, what privileged access management is.

You know, if you're CyberArk, for example, it's more about, you know, a credential vault and, you know, enabling a common set of credentials to be able to log in and access the configuration of different servers and Unix servers. But for the scenarios that are critical for business applications, it's very different. There's a checkout process.

You have to have a reason to go in and, you know, check out a higher-level entitlement. That session is monitored, and you have to be able to, you know, review the log afterwards and determine whether the actions that were taken were consistent with, you know, what was requested. And so the sort of notion of business PAM is, you know, we're putting that out there as differentiation with respect to the other PAM solutions.

Like I said, the platform is a complete integrated CCM, access governance, and IGA. And, you know, this is, I think, rather unique in terms of what's available in the cloud today. There's also significant investment going into Pathlock products going forward.

So, you know, new strategies, new refactored components, you know, this is a market that Pathlock is laser focused on, you know, and the products are a perfect fit for organizations who have already made investments in SAP Access Control. So the personas, the roles, the functionality are very similar. You have control owners, mitigating control owners, you know, business process owners, risk owners, and so forth.

So for an organization that, you know, has implemented access control, you know, Pathlock is a perfect fit. It's designed to fit in and make, you know, migration as easy as possible. You know, SAP, you know, it's not strategic, repeating myself, but it's not strategic.

And, you know, only the MVP, only the very, very bare minimum, is going to be delivered. And it's not focused on market requirements. SAP is having to focus more attention on, you know, technical aspects of a platform migration, you know, not necessarily focused on market-specific direction or requirements.

There's minimal enhancements on the roadmap, and that's available on roadmaps.sap.com. Anybody can go and look to see what's planned. It's very, you know, I'd say it's very light there, but there's reasons behind that because SAP is focused on, you know, I mean, S4 RISE packages, you know, and the broader strategies around business suite, business data cloud, agentic AI.

I mean, these are, you know, these are major initiatives at a company level. And these are, I would say, I don't know, major, SAP has much bigger fish to fry in these particular initiatives. And so one of the things that I realized is that, you know, as we kind of got reorganized around and found ourselves under the financial management software, the exercise really became, you know, how do we best attach these products to these major initiatives?

And so I think that's maybe what you'll see going forward. But, you know, the key thing is that it's really not strategic, minimal investment, minimal investment for a really long period of time. So, and I have to apologize to customers who have asked for things for years and years and years and not gotten them.

But, you know, there's lots of reasons behind that. There are some scenarios, you know, AI-based access request, UAR review is coming. You know, however, the architecture with access control and its extensions with IAG, it's complex.

That relies on a synchronization between IAG and access control. You know, the risk analysis is moving to the cloud. You know, that is different from a converged cloud platform like Pathlock.

But there are plans, but there's nothing coming as far as firefighting scenarios for anything other than ERP and S/4HANA public cloud. There's nothing else as far as Ariba or Concur or anything with respect to future plans for enhancing the emergency access capability. Access control is based on, you know, MSMP workflow.

There are no plans to change that. It's highly complex. People have made their careers on configuring BRFplus and, you know, function modules.

But this workflow, even though it's there under the covers for the other scenarios like business role management or UAR or firefighting, it's not customizable. And so it's not exposed. You can't customize the steps involved in any of those processes using the MSMP workflow except for the access request process.

And so one thing to think about in Pathlock is that the same workflow engine, the same flexible workflow engine, is applied across all of the different processes. So it's much more easily customizable. So you can customize the workflows behind UAR, business role management, EAM and other things.

Next generation is here with Pathlock Cloud. Coming from SAP, you know, Pathlock has to know more about SAP than SAP. It also extends to other kinds of applications, because Pathlock has to prove itself in all of the deals.

Every deal, every deal is competitive. Nearly every deal has an RFP. At SAP, basically, I didn't have very many RFPs to respond to, and we didn't have to demonstrate our knowledge in any other solutions aside from SAP.

You know, however, that requires a core expertise to be established, and Pathlock is investing in that. I'm one example. You know, and so we're delivering a comprehensive solution that allows, basically, application access governance to, you know, cover enterprise-wide applications.

The new architecture is based on a complete, integrated, scalable, modular approach. And one thing, Pathlock is able to implement the kind of workflow that makes sense for, you know, access governance scenarios or IGA scenarios. At SAP, you know, often the kinds of services behind the scenes are generic, or, you know, you have to use MSMP workflow because there's no other option unless you want to, you know, implement it yourself.

But these often have to be heavily customized. And so the internal teams are, you know, dependent on a workflow team or a reporting, you know, team to update their products in case there are, you know, challenges with implementing them. You know, Pathlock has unique capability, you know, across all of these different topics: access governance, continuous controls monitoring, and AI.

Wanted to leave you guys with a couple of links. Please feel free to reach out to us, chris.radkowski@pathlock.com. Also check us out on our website, www.pathlock.com.

Anthony Jimenez

Thanks for listening. And thank you to our guest, Chris Radkowski. Don't forget to like, comment and subscribe to Carahcast and be sure to listen to our other discussions.

If you'd like more information on how Pathlock or Carahsoft can assist your organization, please visit www.Carahsoft.com or email us at pathlock@Carahsoft.com. Thanks again for listening and have a great day.