ERP Risk Advisors CEO Comments on the Acquisition of FastPath by Delinea

by Jeff Hare

Last week, news broke of the acquisition of FastPath by Delinea. Acquisitions continue to occur at a rapid pace in the IGA/PAM/Application Access Controls software space. There has been significant consolidation over the past few years as these spaces in the industry are converging and maturing.

Delinea is a leader in the PAM space. FastPath was a strong leader in the SoD/SA space for testing application access controls within and across ERP systems. They matured their IGA capabilities significantly over the past few years. This acquisition appears to be accretive for Delinea.

Ideally, management wants one vendor to handle identity management across as many systems as possible AND an ability to test and re-certify their application controls. This should include testing of SoD conflicts and Sensitive Access risks using the same vendor. With these consolidations, this reality is becoming more likely, which is likely to drive down costs within the competition.

The Unsettling Reality of Acquisitions

These acquisitions can be a bit unsettling for organizations who rely on these technology providers for key controls to their SOX compliance requirements. One may start to wonder if the acquirer will continue to support the software and content the acquired company provides. The acquisition of FastPath by Delinea is no exception.

Even more so, organizations who get annual, semi-annual, or quarterly assessments using third party software, such as FastPath, may wonder if the assessments will continue to be supported and updated for the foreseeable future. We know some software companies have expressed concern about whether the use of their software has cannibalized their own software sales. Many have discussed internally whether they even want to license their software to audit firms or others to perform their access control assessments.

We are strong believers that every publicly traded company should own Segregation of Duties conflict / Sensitive Access risk testing software and use it regularly to test access controls.

We have outlined some critical reasons why this is the case in these articles (Article 1, Article 2). This is especially the case with SaaS applications, which we explain in detail in this article as well.

The correct program development must support the acquisition of FastPath – or any software – to mature its use appropriately over time. At ERP Risk Advisors, we use the crawl – walk – run progression to express the maturing of your application security program.

Crawl phase.

The crawl phase includes the proper design of roles and development of mature joiners, movers, and leavers processes. Management needs to have a strong partner to help them design roles mapped to jobs or positions. This is so stacked role combinations can be identified for each person based on their job or position. Having this level of maturity when an ERP system is implemented is extremely rare. The majority of the System Integrator industry is biased against a secure and compliant implementation. I lay out the reasons why in this training class.

Walk phase.

Once a system is implemented, it typically takes three to six months to clean up the mess left behind by the System Integrator and align roles to jobs or positions. Often role remediation is needed, and that takes time from your security admin team and the process owners to work through the change management process. Ideally, in the walk phase roles are finally mapped to jobs and positions and provisioning becomes standardized and hopefully automated.

Run phase.

During the run phase, management starts to be proactive at managing risk in these processes:

  • User Access Reviews / Re-Certifications
  • Role Change Management
  • Patch Change Management
  • Development Change Management
  • Cyber Incident Risk Analysis
  • Testing the Independence of Controls Performers
  • Lookback Procedures

Getting back to the acquisition of FastPath by Delinea… FastPath has been a significant provider of the scanning engine supporting the audit industry. And many customers that we support use FastPath software. I suspect that Delinea will continue to support this revenue stream for a period of time, but time will tell.

ERP Risk Advisors Can Help

If you are concerned about whether the acquisition of FastPath will leave you out in the cold, are unsatisfied with the quality of the results or the consistency of the resources you interact with, please consider ERP Risk Advisors as an alternative.

What ERP Risk Advisors Has to Offer

ERP Risk Advisors can provide the stability you need by becoming your partner for these assessments. We offer high-value, often lower cost assessments through what we call ERP Armor as a Service. We can support annual, semi-annual, or quarterly assessments ‘as a Service’ without the need to own software.

Because we are the only provider of risk content in the world, we have a broad range of partnerships and relationships with software companies that have a SoD/SA scanning engine. We provide ERP Armor as a Service by leveraging our relationships with these leading providers and can easily shift demand from one provider to another if there is a change in the market or satisfaction.  We can provide the stability of services and data that you need.

Additionally, we are the only firm in the world we know of guaranteeing the provision of regular updates to the SoD Conflicts and Sensitive Access rules for each assessment. We look and feel like a software company because we continue to enhance our ERP Armor: Rules through a release process. ERP Armor is our leading-edge risk content, and our research team updates it as each ERP software provider updates their applications through patches or releases. We also provide this same level of support, as needed, for obscure COTS systems and home-grown applications. Additionally, we map custom objects to Sensitive Access risks and Segregation of Duties conflicts at no additional charge.

You can think of ERP Armor as a Service as a managed service rather than just a one-off presentation of SoD/SA results. Our goal in our relationship with your company is to mature your program over time through the crawl -> walk -> run phases.

Benefits of ERP Armor as a Service

The following are the benefits of partnering with us for your access control assessments via ERP Armor as a Service:

  • External audit proven comprehensive set of SOD/SA rules.
  • Updates to SOD/SA rules with each update by software provider (quarterly, semi-annually, and as needed)
  • Unlimited feedback on role design
  • Quarterly calls at no charge – up to 4 hours
  • Provides peace of mind for the CFO, CAO, CIO, CISO, and COO
  • We provide stability for your team when there is turnover
  • Scoping rules for your external audit from your RACM:
    • We will work with your financial and IT auditors to ‘box out’ your external auditors
    • You will be provided on-demand training for your team on this topic
  • Addresses fraud, compliance, cyber, data security risks

Your organization may already be affected by Delinea’s acquisition of FastPath. If you already have licensed software such as FastPath, we can mature your program through the licensing of ERP Armor: Rules. ERP Armor: Rules is a subscription for use in any IGA / PAM / Access Control software where there is a SoD / SA scanning engine. We can provide our release notes, which allow you to maintain your rules internally. Alternatively, if you are looking for stability, we can manage your access control software and provide updates to your rules through a managed service contract. US-based, highly skilled, credentialed resources manage our services.

More Ways We can Help

Over time we can help you mature your application security program by evaluating your role design and implementing or maturing these processes:

  • Role Design
  • Provisioning
  • User Access Reviews / Re-Certifications
  • Role Change Management
  • Patch Change Management
  • Development Change Management
  • Cyber Incident Risk Analysis
  • Testing the Independence of Controls Performers
  • Lookback Procedures

In some cases, we help you identify and manage license exposure leading to substantial savings in license costs with your ERP provider as well.

If you have not licensed access control software, we can help you identify the right partner(s) at the time it is appropriate for your organization.  Licensing software is necessary to reach the run phase and address fraud, compliance, cyber, data security risks.

My number one objective for ERP Risk Advisors is to help organizations better manage their application security risks at an affordable and reasonable long-term cost of ownership. For some organizations this includes providing risk content (SoD/SA rules) based on the frequency of updates provided by the software provider. For other organizations, this involves using our advanced managed services.

Contact Us Today!

If you are interested in learning more about how we can provide certainty for your program and move you from crawl to walk to run, contact us at
