Oracle acquires LogicalApps
Blogger: Lori Rowland
Recently, Oracle further extended its investment in the governance, risk, and compliance (GRC) market by announcing its intent to purchase LogicalApps, an enterprise applications control management (EACM) vendor. This acquisition comes as no surprise for those following the GRC market, as Oracle and LogicalApps have a rich history together. LogicalApps has been a certified Oracle partner for over 6 years. LogicalApps was founded in 1999 and has been primarily focused on providing deep, low-level controls such as transaction monitoring, separation of duties (SOD), and access control technologies for the Oracle E-Business Suite. In early 2007, LogicalApps purchased Applimation to expand its suite to include controls for the PeopleSoft environment.
SAP made a similar acquisition in 2006 with the purchase of Virsa Systems. As predicted in Burton Group’s Identity and Privacy Strategies report “When Provisioning Isn’t Enough: Enterprise Application Controls Management” (subscription required), Oracle’s acquisition of an EACM vendor was an inevitable next step.
There are several independent vendors that provide similar controls management and transaction monitoring for ERP environments, including Approva, ACL Services, and Oversight Systems. Oracle and SAP’s recent GRC acquisitions and strategy announcements have left people wondering what the future holds for these vendors.
There are obvious benefits to implementing Oracle and SAP’s controls management solutions to manage the respective environments. Who knows SAP SOD policies or sensitive transactions better than SAP, right? Oracle and SAP are in a unique position to provide detailed, low-level controls for their own environments. However, control requirements are not typically administered in a vacuum. Controls span multiple systems, platforms, applications, and environments. From an access control perspective, SOD is not limited to an SAP, PeopleSoft, or Oracle environment. Rather, SOD controls must span ALL of these environments as well as legacy or custom applications.
Another question organizations must ask themselves is: “Should the fox be watching over the hen house?” Many organizations require or prefer a third-party, independent solution to audit and manage controls over their environment. It is important to ensure that the software you select to manage your controls does not itself introduce an SOD violation (e.g., the policy administrator being the same individual or system as the policy auditor).
Oracle and SAP have stated that they plan to continue support for applications and platforms outside of their respective environments. This may be true; however, it would seem that the most significant investment will be made within their own environments. Oracle’s LogicalApps and SAP’s Virsa acquisitions are both part of a much larger GRC strategy. These organizations will continue to build out their GRC strategies, which today are primarily focused on the Oracle and SAP environments, respectively.
So what does the future hold for the independent control management and monitoring vendors? I believe that these vendors will remain competitive. Many organizations are looking for an independent, cross-application alternative. To gain momentum, these vendors will likely partner with identity management, identity audit, role management, activity monitoring, and other security and risk management vendors to offer integrated solutions to common customers. Independent vendors may also become acquisitions for system management vendors such as CA, HP, and IBM.
The term “GRC” is becoming overloaded. It is important to carefully evaluate all of your security, risk, and audit requirements when evaluating GRC solutions. Your GRC strategy will likely include multiple technologies from multiple vendors. EACM technologies are no exception to this rule.
