Keeping Up with the GRC Demands of the Digital Age

How to Take On Application Security in the Cloud

Application security has taken on new meaning in the digital age. Digital enterprises have an increasingly strong presence in the cloud, a significant mobile footprint, and data that often lives outside an organization’s walls. Ensuring that only the right people have the access they need to enterprise solutions has always been of utmost importance, and this remains true today. However, the strategy an organization uses for achieving impervious enterprise security must evolve to reflect this new dynamic where application security extends beyond securing fixed assets.

Organizations and security professionals understand that we are entering uncharted territory in governance, risk, and compliance (GRC). New sets of security requirements, government regulations, and Information Security Management Systems (ISMS) industry standards appear with regularity, directing companies to protect their assets from a breach and recognize that digitization in the enterprise requires new layers of protection.

GRC as a Business Partner

To address this evolving threat landscape, SAP has hardened its “three lines of defense” strategy, which takes a holistic, enterprise-wide approach to operational management, risk and compliance management, and independent assurances.[1] Embracing three lines of defense as an end-to-end security strategy is about more than adopting the latest technologies to guide a company through a field of increasingly dangerous risk landmines. Rather, it is a business-based approach that creates and shapes an organizational culture that views GRC not only as a means to drive compliance, but also as a way to optimize business performance.

While optimizing business performance is largely equated with a digital-first mindset, which may introduce or increase the danger from new kinds of security breaches and more sophisticated cybercriminals, it doesn’t lessen the need to protect an organization’s fixed assets that have traditionally been the domain of the IT department.

Baseline protection against fraudulent or malicious application access is no less relevant today even with new threats cropping up, and SAP will continue to invest in technologies to ensure this protection. SAP solutions such as SAP Access Control and SAP Enterprise Threat Detection provide companies with the tools they need for real-time monitoring of probes from inside and outside firewalls to guard against the unauthorized access of restricted systems.

Innovation with Partners

Protecting applications — and the data produced and housed by a company’s applications — also highlights the importance of SAP partners in the GRC and security space as new and evolving threats in cybercrime take root. We’ve worked with partners on solutions that tackle specific problems — like providing companies with industry best practices surrounding regulatory and security requirements and explaining what measures to take to close gaps that may arise in an application security portfolio, or creating an application that can help protect intellectual property, ensure proper data segregation, and enhance data security across the business.

Such solutions reinforce the idea that end-to-end enterprise security encompasses a business-first mindset — that compliance for compliance’s sake can no longer be the objective for companies serious about GRC in the digital age. Our partners understand, just as we do, that companies need to think beyond merely checking boxes for an audit and complying with regulations, and instead focus on how GRC can benefit the organization as a whole.

Next-Level Identity Management

To address emerging cloud application security issues, SAP has introduced the first piece of its next-generation cloud identity and access governance suite. Released in June 2016, SAP Cloud Identity Access Governance addresses the growing demand for an identity-as-a-service (IDaaS) solution that is easy to use and consume, and is unparalleled in its convergence of identity and access management tools that meet the challenges and opportunities of running mission-critical applications in the cloud.

Built on SAP HANA Cloud Platform, SAP Cloud Identity Access Governance is designed to help organizations centrally manage identities and optimize compliance processes across the business. This set of IDaaS solutions builds on SAP’s experience innovating with SAP GRC services and extensions that are in step with the way companies are consuming enterprise technology.

Companies can achieve cloud-based, secure authorization and simplify identity management across both cloud and on-premise landscapes. When fully released, benefits will include:

  • Optimization of user system assignments in accordance with compliance policies
  • Mitigation of costly access issues involving financial loss and fraud
  • Reduction of ongoing operating costs of auditing and compliance
  • Speed of cloud deployment for quick identification and remediation of potentially costly segregation of duties (SoD) conflicts
  • Ability to refine or remove incorrect or unused user roles

SAP Cloud Identity Access Governance meets the new paradigm for governance and security in a digital enterprise, allowing companies to extend their identity and access governance management as their business evolves and the need for cloud security intensifies.

The “Suite Spot”

Structured and unstructured data is flowing into enterprise systems at never-before-seen volumes, helping to kick-start organizations on their journeys to become a digital enterprise. This journey is often marked by a transition to a hybrid cloud environment, which makes secure access to cloud applications of vital importance. SAP’s GRC and security teams are proud to be in the “suite spot” in this key area for the digitally transforming world by driving innovation in SAP’s core application security solutions in the market. And by working with SAP partners, companies can pursue this journey at a pace and structure that best meets their organization’s needs.

For more information, visit  

[1] To learn more about the three lines of defense, read Bruce McCuaig’s article “Gain Control and Mitigate Risk: Leveraging 3 Lines of Defense for a Holistic Security Framework” in the April-June 2016 issue of SAPinsider.