SAP Enables Secure, End-to-End Compliant Identity Management

by Scott Behles

With governance, risk and compliance (GRC) issues acknowledged by leading industry analysts as the number one driver of identity management projects at organizations worldwide, SAP AG today announced the immediate availability of new GRC Web services from SAP that enable the seamless integration of identity management software solutions with SAP(R) GRC Access Control, the market-leading application for monitoring and enforcing user access and authorization controls. Based on open standards and built on the SAP NetWeaver(R) platform, these new Web services from SAP open up the full capabilities of SAP GRC Access Control and allow identity management software vendors to tightly integrate their respective solutions, providing customers with a single set of tools to efficiently and cost-effectively manage user identities, enforce corporate security policies and ensure compliance with regulatory mandates. The announcement was made at SAP(R) TechEd '07, being held in Las Vegas, Nevada, Oct. 1 - 5.

SAP, together with leading identity management software providers including IBM and Sun Microsystems, is responding to the challenges faced by CFOs and CIOs in proving to auditors that they are effectively controlling their financial and IT-related risks by combining complete, automated, end-to-end compliance controls with the full range of identity management functionality. In addition to the integration efforts currently underway by IBM and Sun, SAP is also using these new Web services to integrate its SAP NetWeaver(R) Identity Management component, created following SAP's acquisition of identity management software provider MaXware earlier this year, with SAP GRC Access Control to provide an end-to-end solution for compliant provisioning across heterogeneous IT environments. The provision of open interfaces to link SAP products with those of third-party software providers continues SAP's open partner strategy and preserves its customers' freedom to build and deploy a solution of choice that best fits their needs, using both SAP and non-SAP components.

Compliance continues to be the number one business driver in the identity and access management market, according to industry analyst firm IDC (1). Furthermore, as organizations continue to move to a highly distributed environment of enterprise service-oriented architecture (enterprise SOA), business users are increasingly working with multiple devices, applications and systems, and are often involved in multiple business processes spanning company boundaries with customers, distributors and suppliers. To help companies solve the growing challenge of managing identities and improving security, while at the same time ensuring compliance in this increasingly distributed and highly regulated environment, SAP is providing customers its own solution through its combined GRC and identity management offerings, and is also working with partners such as IBM and Sun to bring together continuous compliance capabilities with core identity management functionality.

"Compliance initiatives are the major driver for the security and identity and access management markets, accounting for more than 70 percent of all revenue," said Sally Hudson, research director, security products and services, IDC. "As government and industry regulations proliferate, alongside other market forces such as greater security threats and a broadening enterprise workplace, companies will require integrated, standards-based software solutions to successfully manage through this new environment."

"Faced with growing security threats and increasing regulatory oversight, more and more companies are demanding seamless integration between their GRC and identity management solutions," said Narina Sippy, senior vice president and general manager, Governance, Risk and Compliance Business Unit, SAP AG. "Today's competitive and global business environment demands that organizations open up their enterprises to make important resources available to more people than ever before. At the same time, these organizations are required to provide unprecedented levels of transparency to outside stakeholders. More than ever, it's imperative that companies keep a watchful eye on the safety, privacy, security and integrity of valuable data assets. The new GRC Web services offered by SAP, along with the SAP NetWeaver Identity Management component and the integration efforts of IBM and Sun, provide our customers with an integrated toolset making possible truly secure, compliant identity management across heterogeneous IT systems."

Identity Management Leaders Integrate with SAP GRC Access Control

Integration efforts by leading identity management software providers IBM and Sun are already well underway to tightly link IBM Tivoli Identity Manager and Sun Java System Identity Manager, respectively, with SAP GRC Access Control. This integration will bring together critical compliance capabilities -- including segregation of duties (SoD) enforcement, risk analysis and remediation, compliant user provisioning, role management, audit and reporting -- with key identity management functionality, such as user provisioning, authorization and authentication, password management and directory services.

"The successful integration of IBM Tivoli Identity Manager and SAP GRC Access Control provides extensive customer value and demonstrates IBM's commitment to improving customer IT environments by embracing industry interoperability with our comprehensive security and compliance management solutions," said Joe Anthony, program director for identity management, IBM Tivoli. "SAP customers now can incorporate SoD checking from SAP into their Tivoli Identity Manager user lifecycle management workflows prior to provisioning entitlements that would result in SoD violations. Testing for SoD violations after they have been established is reactive; IBM Tivoli Identity Manager can provide a proactive, automated, rules-based approach that helps ensure business controls and roles are firmly established, helping to mitigate risk and save valuable time in security audits."

"We are excited to see that the integration work between Sun and SAP is going so well," said Jim McHugh, vice president of marketing, software infrastructure, Sun Microsystems. "With the integration of the Sun Identity Manager into SAP GRC Access Control, SAP customers can now take advantage of one of the leading user provisioning solutions as part of their standard compliance process."