As most businesses know and analysts have been predicting, the market has embraced cloud computing, SaaS, and the flexibility this provides for remote working. As quoted by ResearchAndMarkets.com, the "global cloud computing market size is expected to grow from USD 371.4 billion in 2020 to USD 832.1 billion by 2025, at a Compound Annual Growth Rate (CAGR) of 17.5% during the forecast period." This represents spectacular market adoption, and it has the potential to deliver significant results at a fraction of the costs associated with traditional legacy or monolithic approaches. But this explosion in the number of applications in use has created a new concern: employees have access to more SaaS solutions and use that access to perform more tasks than ever before. This creates a new series of access-related risks: Who has access to your systems? What are they doing? And where are you at risk?
Multiple Applications: How big is the concern?
Companies want best-of-breed capabilities for their employees, and SaaS solutions have never been easier to implement. Blissfully studies this space and releases their annual Blissfully SaaS Trends Reports based on proprietary data from thousands of companies worldwide. Their analysis confirms that the number of Apps per Employee has exploded over the past year, whether in spite of or propelled by the global pandemic. For a mid-sized company with 100-1000 employees, the average number of Apps per Employee has grown from approximately 8.2 in 2019 to approximately 14 in 2020 – a 70% increase in the number of apps per employee! In their most recent report, Blissfully categorizes the average number of Business Applications companies have and the number of applications their employees can access.
Reference: 2019 Annual SaaS Trends Report
The current trend also includes "best platforms" delivering the same results as multiple applications. The Blissfully reports mentioned earlier show that the average Apps per Employee has risen from 9.3 to 10, or a 7.5% increase across their entire workforce in the space of just one year. Over a large workforce, that is a material increase in application access. Even very large global companies that would not necessarily have embraced the best-of-breed mentality in the past can't deny the benefits of multiple applications.
These trends are supported by analysts such as the Gartner Group, whose published research forecast that "Worldwide Public Cloud End-User Spending to Grow 23% in 2021."
"The events of last year allowed CIOs to overcome any reluctance of moving mission-critical workloads from on-premises to the cloud," according to Sid Nag, research vice president at Gartner. "Even absent the pandemic, there would still be a loss of appetite for data centers."
This Gartner report and many others continue to confirm the movement to the cloud and multiple "best of breed" and "best platform" applications per employee.
What are some examples of the "multiple applications" phenomenon?
A few years ago, a single-solution approach to enterprise application deployment was the norm. Many CIOs of large companies feel that this philosophy helps maintain IT and other efficiencies. Other companies have taken the approach that they should use nothing but the best technology available for each task. The idea here is that a vendor that makes the best ERP system does not necessarily make the best CRM or HCM system. As stated earlier, the data supports this trend.
The best-of-breed approach means that products from multiple vendors will interface and exchange data and that employees will have varying degrees of access to each of these systems. Some examples of leading solutions deployed in many companies include Workday for HR, Salesforce.com for CRM, Coupa for Purchasing, ServiceNow and Jira for ITSM, AuditBoard and Workiva for GRC Controls, and a variety of ERP providers based on company size, vertical, specialization, and needs. There are also many combinations of these business solutions in use today: NetSuite-Salesforce, SAP-Workday HR, Oracle-Coupa, Workday Financials-Salesforce-Coupa, Dynamics-AuditBoard, and many others. The use of multiple applications by companies to run their businesses efficiently is increasing, and there is no reason to believe this trend will change.
OK, so the number of applications is increasing, which means the number of applications per employee is surging. What's the problem?
The new challenge facing Information Security, Compliance, and Audit professionals is: how do we monitor application access, manage access controls, and address segregation of duties across the various software solutions from different manufacturers?
Segregation of Duties (or Separation of Duties or SOD) distributes the elements of a critical business process or financial transaction among multiple individuals to ensure that one person cannot have complete control over the activity and use that autonomy to hide errors or fraud.
SOD is complex enough when looking at custom roles and permission combinations within a single business application. As Applications per Employee increase, SOD risk must now be considered across multiple applications containing critical data, and especially as cross-application risk, where a process starts in one application and finishes in another.
The American Institute of CPAs (AICPA) is the world's largest member association representing the accounting profession. They have been tracking the concerns related to cross-application risk. Their recent paper, entitled Segregation of Duties, digs into these concerns and highlights two examples of internal occupational fraud and how they happened.
Case Study 1, "Accounting Software and Operational Systems Control: An Opportunity for Fraud," highlights a situation where an ERP/Accounting tool that is integrated with inventory management missed internal occupational fraud. The case study concludes that "SOD in the implementation of new software is where this problem became supercharged; the inventory problem was swept under the rug during the data load!"
Case Study 2, "Sales Processes and Managing Data: A Revenue Recognition Risk," highlights a frequent cross-application case: Accounting and Sales Force Automation not being reviewed for cross-application SOD. The case study concludes, "What's the lesson? Watch out for the segregation between revenue and technical operations."
These examples typically involve transactions with a third party or steps requiring internal approval. A classic example in procurement can be illustrated with a straightforward workflow across ERP and Procurement systems such as NetSuite-Coupa or SAP-Ariba.
In a typical procure-to-pay scenario, there may be a Requester, an Approver, and an Accountant, with the process steps dispersed across systems. A sample process flow has at least 15 steps across two systems, and there is a conflict between step 3 and step 11. Because the process spans systems, this conflict is not easily found without an automated detective control that sees both systems' access at once.
These two simple cases, showcasing Accounting-Inventory Management and Accounting-Sales Automation, stress the importance of embracing cross-application SOD as businesses embrace multiple SaaS solutions to run the business effectively.
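The detective control the procure-to-pay example calls for can be sketched in a few lines. The following is an added illustration written for this article, not Fastpath's product or code; the system, account, and permission names, the identity mapping, and the two SOD rules are all constructed for the example. It consolidates each person's accounts across two systems before checking rules, since a per-system check can never see a conflict whose two halves live in different applications.

```python
# Added example: a minimal cross-application SOD detective control.
# All sample data below is constructed; system, account and permission
# names are hypothetical and not taken from any vendor's permission model.
from collections import defaultdict

# Map each system's local account ID to one canonical identity. People often
# have a different login in every SaaS app, so without this step the two halves
# of a cross-application conflict are never attributed to the same person.
IDENTITY_MAP = {
    ("Coupa", "alice.w"): "alice",
    ("NetSuite", "AWONG"): "alice",
    ("Coupa", "bob.k"): "bob",
    ("NetSuite", "BKIM"): "bob",
}

# Constructed entitlement extracts, one per system: account -> permissions.
ENTITLEMENTS = {
    "Coupa": {"alice.w": {"create_requisition"}, "bob.k": {"approve_requisition"}},
    "NetSuite": {"AWONG": {"approve_vendor_bill"}, "BKIM": {"view_vendor_bill"}},
}

# SOD rules: each names the (system, permission) pairs one person must not hold
# together. A rule may span systems, which is the cross-application case.
SOD_RULES = {
    "Request purchase and approve its payment": {
        ("Coupa", "create_requisition"), ("NetSuite", "approve_vendor_bill")},
    "Approve requisition and approve payment": {
        ("Coupa", "approve_requisition"), ("NetSuite", "approve_vendor_bill")},
}


def consolidate(entitlements, identity_map):
    """Collapse per-system accounts into (system, permission) pairs per person.
    Accounts with no identity mapping are kept under an 'unmapped:' key so they
    surface for review instead of silently dropping out of the check."""
    person_access = defaultdict(set)
    for system, accounts in entitlements.items():
        for account, perms in accounts.items():
            person = identity_map.get((system, account), f"unmapped:{system}/{account}")
            person_access[person] |= {(system, p) for p in perms}
    return person_access


def find_violations(entitlements=ENTITLEMENTS, identity_map=IDENTITY_MAP, rules=SOD_RULES):
    """Return sorted (person, rule_name) pairs where a person holds every
    entitlement a rule names, regardless of which system grants each one."""
    access = consolidate(entitlements, identity_map)
    return sorted((person, name) for person, held in access.items()
                  for name, required in rules.items() if required <= held)


if __name__ == "__main__":
    for person, rule in find_violations():
        print(f"SOD violation: {person}: {rule}")
```

Checked per system, alice's two accounts each look harmless; only the consolidated view shows she can both raise a requisition in one application and approve the resulting vendor bill in the other.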
I want the best applications for my business. What do I do?
The good news is that SOD is a business area well understood by a handful of solution providers, including Fastpath. The guidance we typically provide is:
- Define the areas of the problem you are trying to solve. Is it simply SOD, or does it also include Audit Trail and Preventive Controls around compliant user provisioning? Understanding this will help narrow the number of automation providers who can assist.
- Define which solutions have critical data or sensitive activities and which don't. Fastpath typically recommends focusing on the four core business areas that most often have cross-application access implications: all aspects of finance and accounting, purchasing, sales, and HR. It is uncommon to need SOD monitoring for more than six business applications per company in order to achieve great results.
Using that simple formula and the support of companies like Fastpath, multi-application/cross-application SOD can be managed more easily.
Fastpath is a leader in cross application access security and can help your business address your security, audit, and compliance concerns.