MarketScope for Segregation of Duty Controls Within ERP and Financial Applications
Segregation of duty controls for ERP systems remains an ongoing concern to auditors, particularly in the context of global financial integrity regulations. A variety of stand-alone and embedded control capabilities are available and are rated in this MarketScope.
Organizations seeking automated solutions to address segregation of duty (SOD) conflicts can typically be categorized in one of two ways:
- Needing a minimal approach with an immediate focus on identifying and remediating SOD conflicts using static analysis
- Needing a comprehensive approach that involves SOD cleanup, transaction analysis and compliant provisioning
Auditors and audit findings continue to drive the client need, but in 2013, most organizations address the requirement through consultants, homegrown processes driven by spreadsheets, or commercial software products. Gartner recommends organizations explore these commercial products to save long-term costs associated with this continuous requirement (see "Automate Segregation of Duties in ERP to Reduce Compliance Costs"). As such, the market growth is now driven by organizations converting from homegrown processes to packaged products.
While this type of SOD analysis has business benefits to reduce risk, few organizations engage in SOD projects without auditor pressure. Gartner recommends auditor engagement as early as possible to confirm that the chosen solution will meet auditor requirements for SOD analysis.
Although some organizations have standardized on an ERP platform, most have several separate instances of the application. The SOD analysis must be capable of spanning those multiple instances. The ability to analyze user entitlements across different ERP platforms is very important for enterprises that have more than one type of financial application with SOD conflict management requirements.
Analyzing user entitlements across disparate systems is also a capability of identity and access management (IAM) systems. Historically, IAM vendors have lacked detailed knowledge of ERP transactions to perform meaningful SOD analysis. Those vendors have also been reluctant to provide out-of-the-box rule sets for SOD analysis. However, this is changing as IAM vendors provide more capabilities in identity and access governance (IAG). (See "Magic Quadrant for Identity and Access Governance.") Gartner projects that SOD functions will merge with IAG products by 2015.
The market for SOD in ERP and financial applications experienced little growth in 2013, but it remains stable based on continued need in the Gartner client base to address related audit findings and auditor concerns. The ability to support multiple ERP systems and cross-platform SOD conflict detection (that is, the ability to create a vendor in one instance and pay that same vendor in another instance) grew in importance and is now supported by most vendors (see "Manage Segregation of Duties in ERP and Financial Systems to Address Audit Findings and Business Process Conflicts of Interest").
The ERP SOD control market offers several good technology choices, appropriate for organizations of different sizes, capabilities and monitoring needs. Organizations should analyze their requirements against the following capabilities, and choose the vendor most appropriate for their unique situation:
- SOD Analysis — Rules are applied to a representation of user entitlements to identify SOD conflicts. Depending on the product, the rules and the privileges may be highly granular or less granular. Highly granular processing of detailed privileges results in a more thorough analysis, but requires more effort in terms of rules definitions, more processing resources and typically higher costs. Less granular analysis techniques group related transactions at the role and business process level, and deliver faster performance at a lower cost. However, they must still meet the SOD requirements established by the auditor.
- Compliant Provisioning — Ideally, the SOD remediation project should address the root cause of conflicts and identify SOD conflicts before users and roles are assigned. There are three levels of integration with the user-provisioning process:
  - Integrate directly within the ERP system such that it is not possible to provision a user with SOD conflicts unless the conflicts are approved and logged.
  - Use a modeling function that can be integrated into an existing, external third-party provisioning workflow that identifies SOD conflicts created by a proposed set of permissions.
  - Own the provisioning workflow, and force the modeling. Many of the products also support role management and creation.
- Transaction Analysis — This is the ability to detect that conflicting privileges were actually used through monitoring financial system usage. This feature is quite useful at the beginning of SOD remediation projects to focus in on SOD conflicts that have actually occurred in the real world. Once SOD remediation projects are completed, this feature is useful as a control to ensure that no SOD conflicts appear unexpectedly in real-world transactions.
- Emergency Privilege Management — This is the ability to provision a temporary ID with high privilege, and monitor its usage. This usage monitoring is typically demanded by auditors for control of "super user" privileges by IT within the ERP system.
- Role Management — This feature enables users to perform "what if" modeling scenarios for user and entitlement assignments to roles. Advanced capabilities can analyze existing transaction entitlements for patterns to develop role recommendations. Role management capabilities support the creation of SOD conflict-free roles.
- Privilege Attestation — This feature provides the workflow support necessary to collect and manage attestations by business unit process owners that users have the privileges they need and that they are authorized.
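The three techniques above (static SOD analysis over a representation of entitlements, the modeling function used for compliant provisioning, and transaction analysis against actual usage) are easier to reason about in code. The following is an added illustration written for this page, not code from any vendor assessed here. The privilege-to-business-function map, the rule set, the user entitlements and the usage-log lines are all constructed; the SAP transaction codes XK01 and F110 are real codes used as labels, while the Oracle EBS function names are made up. It also covers the cross-instance case mentioned earlier (create a vendor in one instance, pay that vendor in another), which a per-instance report would miss.

```python
"""Toy SOD engine: static analysis, compliant-provisioning check, transaction analysis.

Added example, not a product's code. Mappings, rules, users and log lines are constructed.
"""
from collections import defaultdict

# Constructed mapping from ERP-specific privileges to business functions. In a real
# deployment this granularity decision (transaction code vs. role vs. process) is the
# rule-set work the text describes, and the auditor signs off on it.
PRIVILEGE_TO_FUNCTION = {
    ("SAP", "XK01"): "create_vendor",          # SAP: create vendor master
    ("SAP", "F110"): "pay_vendor",             # SAP: automatic payment run
    ("EBS", "AP_SUPPLIERS"): "create_vendor",  # constructed Oracle EBS function name
    ("EBS", "AP_PAYMENTS"): "pay_vendor",      # constructed
    ("EBS", "GL_JOURNALS"): "post_journal",    # constructed
}

# Constructed rule set: each rule is a pair of business functions one person may not hold.
RULES = [
    frozenset({"create_vendor", "pay_vendor"}),
    frozenset({"post_journal", "pay_vendor"}),
]

# Constructed entitlement extract: (user, erp, instance, privilege).
ENTITLEMENTS = [
    ("jdoe", "SAP", "PRD1", "XK01"),
    ("jdoe", "SAP", "PRD2", "F110"),
    ("asmith", "EBS", "FIN1", "AP_SUPPLIERS"),
    ("asmith", "EBS", "FIN1", "GL_JOURNALS"),
    ("bwong", "EBS", "FIN1", "AP_PAYMENTS"),
    ("bwong", "SAP", "PRD1", "XK01"),
]

# Constructed usage log, one event per line, in a made-up key=value format.
USAGE_LOG = [
    "2013-05-02T09:10 ERP=SAP inst=PRD1 user=jdoe priv=XK01",
    "2013-05-02T11:42 ERP=SAP inst=PRD2 user=jdoe priv=F110",
    "2013-05-03T08:00 ERP=EBS inst=FIN1 user=bwong priv=AP_PAYMENTS",
]


def functions_by_user(records):
    """Map user -> business function -> set of (erp, instance, privilege) granting it."""
    out = defaultdict(lambda: defaultdict(set))
    for user, erp, inst, priv in records:
        func = PRIVILEGE_TO_FUNCTION.get((erp, priv))
        if func:  # privileges with no business-function mapping are out of scope
            out[user][func].add((erp, inst, priv))
    return out


def analyze(entitlements, rules=RULES):
    """Static SOD analysis: one conflict record per (user, rule) that is violated."""
    conflicts = []
    for user, funcs in functions_by_user(entitlements).items():
        for rule in rules:
            f1, f2 = sorted(rule)
            if f1 in funcs and f2 in funcs:
                sources = funcs[f1] | funcs[f2]
                conflicts.append({
                    "user": user,
                    "rule": (f1, f2),
                    "sources": sorted(sources),
                    # True when the two halves of the conflict sit in different ERP instances
                    "cross_instance": len({(e, i) for e, i, _ in sources}) > 1,
                })
    return conflicts


def check_provisioning(entitlements, request, rules=RULES):
    """Compliant-provisioning model: the conflicts a proposed grant would newly introduce."""
    before = {(c["user"], c["rule"]) for c in analyze(entitlements, rules)}
    after = analyze(entitlements + [request], rules)
    return [c for c in after if (c["user"], c["rule"]) not in before]


def parse_usage(log_lines):
    """Parse the constructed usage-log lines into (user, erp, instance, privilege) events."""
    events = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        events.append((fields["user"], fields["ERP"], fields["inst"], fields["priv"]))
    return events


def exercised_conflicts(conflicts, log_lines):
    """Transaction analysis: keep only conflicts where the user actually used both functions."""
    used = functions_by_user(parse_usage(log_lines))
    return [c for c in conflicts
            if all(f in used.get(c["user"], {}) for f in c["rule"])]


if __name__ == "__main__":
    for c in analyze(ENTITLEMENTS):
        print("conflict:", c)
    print("would introduce:", check_provisioning(ENTITLEMENTS, ("asmith", "EBS", "FIN1", "AP_PAYMENTS")))
    print("exercised:", exercised_conflicts(analyze(ENTITLEMENTS), USAGE_LOG))
```

Running it reports two static conflicts (jdoe across two SAP instances, bwong across SAP and EBS), shows that granting asmith the payment function would create two new conflicts before the grant is made, and narrows the remediation backlog to jdoe, the only user who actually exercised both sides of a conflict in the log. The rule set is deliberately at business-function level; a transaction-level rule set would replace the mapping table, not the engine.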
An important consideration when selecting a product is support for these functions against specific ERP platforms. For example, a vendor may claim to have exceptional transaction analysis capabilities and support for both Oracle EBS and SAP. However, on closer inspection, the transaction analysis functions only work with SAP. Confirm each of the functional requirements against the required ERP platforms.
Products included in this MarketScope must support at least the static SOD analysis to directly satisfy the "minimal approach" to SOD remediation described above. Vendors offering more capabilities are called out as doing so. The included vendors had to provide at least three production references that are using their product primarily for SOD controls in ERP and financial applications.
Overall Market Rating: Promising
This is a very mature market, generating about $400 million per year, most of which is spent on Oracle and SAP SOD product offerings. The other vendors are very small in comparison, but offer lower costs and a range of options for organizations of different sizes and requirements. Innovation is low to address core SOD requirements, but innovation is high where it relates to integrating SOD functions into IAG capabilities. Market growth is mostly flat and driven primarily by organizations converting from homegrown solutions to commercial software products.
Source: Gartner (May 2013)
ERP systems: SAP
ControlPanelGRC, formerly SymSoft, is an SAP-only SOD product that provides the opportunity to integrate deeply with the SAP ERP platform and provides strong capabilities in all categories. The transaction analysis functions are well-integrated to demonstrate the frequency with which conflicting entitlements are used, but these functions are not as configurable for general transaction analysis as they are in other products we assessed. It has demonstrated scalability up to 12 SAP instances and more than 20,000 users. It is a smaller company than many of the bigger vendors in this market. Although it is more reasonably priced than some of the competition, it is not the lowest-priced product.
Shortlist: ControlPanelGRC should be on the shortlist of small or midsize companies that only need to address SOD issues for SAP.
ERP: SAP primarily, with support for cross-platform
CSI tools, a European company founded in 1997, has developed an inexpensive stand-alone toolset to address SOD issues and other SAP security matters. It offers two tools: CSI Authorization Auditor and CSI Accelerator. CSI Authorization Auditor should be considered an inexpensive, technically oriented, expert application for security administrators and auditors as a first step in SOD analysis automation. CSI Accelerator supports compliant provisioning and transaction analysis, but these are emerging capabilities that are not as strong as the competition. It does not support emergency privilege management. CSI tools' strength is in its two-layer security model and approach to automated role building, which are unique capabilities and may be of interest to some organizations.
Shortlist: Price-sensitive, small or midsize organizations in Europe focused on efficient SOD analysis and role management should have CSI tools on their shortlist.
ERP: Microsoft Dynamics, others through customization
Fastpath is focused on second-tier ERP systems with an out-of-the-box capability in Microsoft Dynamics. It has a very serviceable capability to address smaller organizations' requirements in SOD analysis, role management and compliant provisioning. It supports, but has less capability to address, transaction analysis, emergency privilege management and privilege attestation use cases. The company is run by former auditors and consultants who have embodied their knowledge in a suite of products. The zero-footprint architecture is well-positioned for analysts to move extracts from machine to machine while leaving no artifacts behind.
Shortlist: Fastpath should be on the shortlist of any organization using Microsoft Dynamics as its primary ERP. Smaller organizations with modest SOD requirements for other ERP platforms should also consider Fastpath.
ERP systems: SAP, Oracle, PeopleSoft and cross-platform
Greenlight Technologies LaserFocus specializes in cross-platform functionality with native connectors to all the major ERP platforms. It has strong support for SOD analysis, compliant provisioning, emergency privilege management and role management. It has serviceable capabilities for transaction analysis and privilege attestation use cases, but these are not strengths compared to competitive products. LaserFocus is one of the most appropriate products to address cross-platform requirements due to its application-independent architecture.
Shortlist: LaserFocus should be on the shortlist of every organization taking a comprehensive approach that requires strong support for all three techniques, especially those organizations that need to support multiple ERP platforms.
Rating: Strong Positive
ERP: SAP, Oracle, PeopleSoft, Infor and cross-platform
We rate the Infor Approva suite as Strong Positive because of its breadth of capability in all categories of SOD control. Its compliant provisioning and transaction analysis are not as strong as platform-specific competitors that can offer more integrated functionality, but the capabilities are serviceable. Following the Approva acquisition by Infor, there was a period of uncertainty regarding Infor's continued support for the general market. Although we expect Infor to prioritize its own ERP platforms (Lawson, LN, SunSystems, SmartStream, Infinium) over other ERPs, Infor Approva remains one of the most appropriate products to address cross-platform requirements due to its application-independent architecture.
Shortlist: Infor Approva should be on the shortlist of every organization taking a comprehensive approach that requires strong support for all three techniques, especially those organizations that need to support multiple ERP platforms. It should be a leading choice for Infor customers.
Rating: Strong Positive
ERP: Oracle ERP platforms and Oracle financial applications with APIs to support cross-platform functionality
Oracle Governance, Risk, and Compliance (GRC) Controls Suite is a comprehensive SOD product focused on Oracle ERP platforms and financial applications. It addresses SOD issues, providing tightly integrated capabilities for static analysis, compliant provisioning, emergency privilege management, privilege attestation, and transaction monitoring. The system has added capabilities to support multi- and cross-platform functions. Oracle GRC Controls Suite uses embedded agents to modify application behavior within the Oracle application suite itself, thereby restricting the options visible to Oracle EBS users, including administrators. Oracle has also created a set of APIs to integrate third-party provisioning systems, including its own Oracle Identity Manager. This facilitates a workflow driven by the external provisioning system to make calls to Oracle GRC Controls Suite for modeling and approval functions.
Shortlist: Oracle GRC Controls Suite should be on the shortlist of every Oracle-centric enterprise using Oracle ERP and financial applications. It is more appropriate for organizations seeking a comprehensive approach.
Rating: Strong Positive
ERP systems: SAP with APIs to support cross-platform functionality
SAP GRC Access Control is a comprehensive product set for SOD conflict management, including analysis, remediation, role management, compliance user provisioning, emergency privilege management and privilege attestation. It is one of the more comprehensive products and can be leveraged beyond SOD requirements. Although it can be one of the most expensive products in a comprehensive enterprise deployment, in 2012, SAP introduced an entry point product focused on only SOD functions at a more reasonable price point.
Shortlist: SAP-centric organizations seeking a comprehensive approach should have SAP GRC Access Control on their shortlist. Gartner does not recommend it for organizations seeking a minimal approach.
Rating: Strong Positive
ERP systems: SAP, Oracle EBS and others partially through connectors for import
Security Weaver's solution suite is differentiated in its lower-cost and lower-complexity approach, which can complete an entire SOD analysis, in most cases, in a matter of minutes. Security Weaver can be used across multiple instances of SAP. Its emerging cross-platform capabilities are relatively new and used by few customers. Any connectivity to alternative platforms requires custom work — either by the customer or by Security Weaver consulting services.
Shortlist: Security Weaver should be considered when the organization is an SAP-centric shop looking for a lower-cost solution that delivers meaningful results quickly.
A small consultancy in Europe named wikima4 has productized its expertise into a software offering called mesaforte. The company is representative of a certain type of small vendor in the marketplace that has years of experience and can offer services and software to help an organization take control of its SOD problems through automation. Although we have rated wikima4 as Caution, based on size and overall capability, this may be the right type of vendor for an organization to get started with SOD automation.
Shortlist: Price-sensitive, small or midsize organizations (up to 5,000 employees) in Europe focused on efficient SOD analysis combined with services should have mesaforte on their shortlist.
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs.
We define the various ratings below.
MarketScope Rating Framework
Strong Positive: viewed as a provider of strategic products, services or solutions.
- Customers: Continue with planned investments.
- Potential customers: Consider this vendor a strong choice for strategic investments.
Positive: demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance.
- Customers: Continue planned investments.
- Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations.
Promising: shows potential in specific areas; however, execution is inconsistent.
- Customers: Consider the short- and long-term impact of possible changes in status.
- Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor.
Caution: faces challenges in one or more areas.
- Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact.
- Potential customers: Account for the vendor's challenges as part of due diligence.
Strong Negative: has difficulty responding to problems in multiple areas.
- Customers: Execute risk mitigation plans and contingency options.
- Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback.