SAP security and GRC (Governance, Risk & Compliance) are getting more and more important for many of today's organizations. While traditional systems like HR, ERP, CRM, SCM or BW are at the core of fundamental business processes, the move towards SAP S/4HANA, Big Data and cloud solutions of both SAP and other vendors introduces another, either parallel or integrated, pillar of technology.

pdf KuppingerCole Report June 2020 Executive View (423 KB)

Ensuring an adequate level of security and compliance for the continuously changing landscape of business systems, SAP and beyond, is of utmost importance. Achieving compliance to legal and regulatory requirements is one essential business driver. Beyond that, more and more organizations understand that providing an adequate level of information security and access control is a key requirement for protecting the organization's intellectual property and for safeguarding essential business data, e.g. financial data or highly sensitive customer information.

Forward thinking organizations integrate strong security into all of their processes and systems which surely is a unique selling proposition for security-savvy partners and customers. An adequate corporate security strategy (typically defined in an appropriate policy framework) covers a wide range of aspects from Audit and Fraud Management to IAM and Risk and Process Management. At the core of such strategy is adequate protection of business application and their data.

CSI tools focuses on Access Governance for SAP environments, i.e. the management and control of authorizations, users, roles and profiles. This includes role modelling capabilities and the design and implementation of life cycle and workflow processes, including request approval and recertification. A typical next step is the control of business-oriented processes such as applying SoD (Segregation of Duties) rules or maintaining compliance with the principle of least privilege access.

These aspects remain at the core of what solutions for managing access entitlements and risk in SAP environments must deliver. However, the way this is done is changing. The application landscape is growing beyond traditional SAP ERP systems. The delivery models for any type of solutions that customers expect are changing, driven by "cloud first" strategies and the overall shift away from complex deployments. Thus, simple and rapid deployment and flexible operating models such as as-a-service approaches become a core requirement of customers. That does not mean that support can be limited to the most modern releases of SAP software. Many customers run mixed environments, where traditional SAP ERP is still used in some parts, while newer versions become added to the environment.

Amongst the specific requirements for SAP business applications, there is an apparent shift from a technical focus towards easy-to-use solutions targeted at the business teams. Such solutions must efficiently support in managing the complexities of entitlements, roles, and SoD rules, as well as delivering rapid insight into the current state e.g. via modern dashboards. The market for GRC solutions, including the ones supporting the management of access controls, for SAP environments is constantly evolving. One of the vendors in this market is CSI tools, a European vendor delivering a suite of solutions for managing access risks in SAP environments.

CSI tools provides a comprehensive and elaborated solution for managing access controls and user access in SAP environments. It is easy to install and can be quickly used for both audits and continuous management of authorizations in the traditional SAP environments, as well as for S/4HANA. Support for SAP cloud services or other vendor’s solution can be added by customization, but isn’t yet part of the standard.

The solution excels with its depth in managing access controls in SAP environments, delivering deep insight and analysis of entitlements and comprehensive, mature analytical capabilities, including transaction monitoring, emergency support, and additional features. CSI tools has spent significant effort in rearchitecting the solution, now quickly adding further capabilities to the solution. The user experience has been modernized and includes now modern web user interfaces and dashboarding capabilities. Support for key requirements in access control and specifics of SAP environments is comprehensive.

CSI tools’ solution is an interesting alternative to other solutions for managing access controls in SAP environments, being both feature-rich and lean in deployment and operations. We recommend evaluating CSI tools specifically for customers that run the majority of their business services based on SAP software.