- December 8, 2017
- Posted by: Raghu
- Category: Blog
Half of the enterprises today have a poorly executed SAP security design, which causes issues such as unauthorized access to the SAP system, increased risk exposure, and numerous findings during the yearly audits. These enterprises give little importance to a well-designed security strategy because of limited resources, limited knowledge, functionality requirements, and so on. However, it is essential for businesses to proactively identify and address potential security issues, so that they avoid the expensive and difficult risk and fraud problems that follow.
With complex compliance guidelines and strict regulations, a well-designed SAP security framework is the go-to option for organizations. A good and efficient security framework not only saves your business from regulatory and non-compliance penalties but also reduces risk and fraud to a great extent.
Below are the three major advantages of implementing a strong security design:
Control over events that put the system at risk:
Every organization has to deal with events that can put its SAP system at risk. These events include:
- Removing and adding authorizations for a short time period
- Logins from external IP addresses and logins at irregular hours
- Giving access to non-IT team members
- Inactive users or dormant user accounts
- Managing segregation of duty (SoD) implications
Though all these events might sound unusual, they affect many organizations and their SAP systems. A proper security strategy helps the security team closely monitor these activities and ensure that the system is not exposed to these risks and to potential fraud.
Transparency in the design:
SAP system optimization is another crucial task for many businesses. Reducing and optimizing authorizations is an important activity that every SAP system requires, and the right SAP security design achieves it. Implementing roles and authorizations that are free from risks and SoD complications makes user authorizations transparent and makes your audit easy. In addition, a proper and well-defined change management process will help you keep your system clean at any point in time.
Makes you compliant with regulatory and compliance requirements:
While the SAP system is business-critical, securing it is not easy, and it is subject to various compliance and regulatory requirements. These regulations and compliance guidelines demand that your SAP system be secure and follow stringent rules on SoD, sensitive access, privacy, and unauthorized access.
Non-compliance and regulatory penalties are known to everyone, and the issue is that you cannot fully stay compliant unless you have a strong security structure. You can overcome the challenge of meeting strict compliance guidelines with a comprehensive yet compact SAP security design.
Mitigate the risks now; here is how you can do that:
If you already have an SAP security design in place and feel that it should be revamped to reap the benefits mentioned above, here are some of the points that you need to consider:
- Update to the latest SP/EHP level
- Master data governance
- Define the right role architecture/design
- Implement an organization structure governance
- Define a security provisioning process
- Use the right tools to automate the processes
- Identify the interfaces and evaluate the type of activity
- Monitor your system 24/7 to keep it in a healthy state
Always update your SAP system to the latest version, SP/EHP level:
If your SAP system is on an old release, we strongly recommend upgrading it to the latest version. With each new version, SAP makes numerous changes to functionality, business process design, adaptability to newer technologies, and integrations. Further, SAP's latest business suite provides innovation without disruption through SAP Enhancement Packages (EHP). Enhancement Packages represent a software delivery strategy that allows you to get innovations on top of SAP Business Suite without upgrading your current release.
With regard to security, SAP releases numerous updates, new transaction codes, vulnerability fixes, and so on; hence, it is highly recommended to implement the latest release. Note that moving to a newer release or EHP does not by itself apply the security corrections SAP publishes as Security Notes; those still need to be implemented on a regular schedule.
Master data governance:
Today's businesses have a large volume of unstructured and duplicate master data, such as material, customer, and vendor master data. Business teams give little priority to managing this master data, and incorrect data entry by users leads to rework and can lead to fraud, as there are no validations and checks. Manual maintenance of master data leads to a lot of duplication and inconsistent material data.
ToggleNow is helping organizations address this complex challenge with its partner solution, which acts as a complete governance tool for material, vendor, and customer masters. It has structured workflows defined for every master, with roles and users defined as per the organizational structure.
Define the right role architecture/design:
Lay the foundation by picking the right design. When you choose a role design, ensure that the role architecture is designed to reduce your existing access risks (in the case of a new implementation, build risk-free roles). Note that you also have to consider and support business objectives while defining a security architecture. It is important to consider how to balance business priorities, such as the need for flexibility against the need for control. Also, keep in mind the importance of minimizing the number of security roles to keep maintenance effort to a minimum.
Involving business process owners in the design and ownership of roles will make sure that the roles truly reflect business functions and will be sustainable in the longer term. To help design and keep roles free of SoD conflicts over time, many companies use a security and compliance solution such as SAP GRC AC. It is also important to consider the naming conventions and role groupings. These need to be intuitive not only to IT security experts but also to business approvers and reviewers.
The roles can be:
- Single, master, derived and composite roles (These are the technical designs which can be further broken into job-based and task-based roles)
- Job-based and task-based roles (Based on the job function, or business task)
- Position-based design (Roles assigned to a position in the HR system. Every user will have the required access based on his/her position)
In our experience, we have noticed various clients using the enabler role concept. Using this approach, you might end up granting users far more authorization than required. This happens because the authorization objects are collected in the "enabler" role, and the enabler "enables" a whole set of different transactional roles. This concept is always debated; a few companies have implemented it and are managing the design properly and effectively, but it needs a highly skilled team, which is not the case for every client. If the role design task is outsourced and the provider deploys low-skilled resources on the project, the result is significant authorization creep. Provisioning becomes hard to automate, and the design creates more object-level SoD conflicts and a lot of false positives during risk analysis. In simple words, your risk analysis will be inaccurate in most cases.
Implement an organization structure governance:
During various audits, we have identified that the organization structure related to authorizations is not maintained appropriately. This is true in 8 out of 10 cases. Roles derived for the same company code or plant carry different sets of organizational-level derivations and values. It is highly recommended to have a proper organization structure in place.
This can be easily achieved by implementing solutions such as SAP GRC AC Business Role Management or ToggleNow's xPedite solution, where the organization mappings can be done quickly and maintained appropriately, and the organizational-level derivations always come from the pre-defined organizational maps. This further reduces the lead time to create derived roles per organizational level, as security administrators do not need to go back to the business teams to identify the values that need to be maintained.
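The check described above can be automated once the organizational map exists. The following is an added example (not ToggleNow's, xPedite's or SAP GRC's code): it derives the expected organizational-level values for each unit from a predefined map and reports every derived role whose maintained values deviate from it. The unit names, role names and values are constructed for illustration; BUKRS, WERKS and VKORG are the standard SAP field names for company code, plant and sales organization.

```python
# Added example (not ToggleNow's or SAP's code): checking derived roles against a predefined
# organizational map. Unit names, role names and values below are constructed for illustration.

# Constructed organizational map: for each organizational unit the derived roles are built for,
# the set of values each organizational-level field is allowed to carry.
ORG_MAP = {
    "PLANT_1000": {"BUKRS": {"1000"}, "WERKS": {"1000", "1010"}, "VKORG": {"1000"}},
    "PLANT_2000": {"BUKRS": {"2000"}, "WERKS": {"2000"}, "VKORG": {"2000"}},
}

# Constructed derived roles: role name -> (organizational unit it is derived for,
# organizational-level values actually maintained in the role).
DERIVED_ROLES = {
    "Z_MM_BUYER_1000": ("PLANT_1000", {"BUKRS": {"1000"}, "WERKS": {"1000", "1010"}, "VKORG": {"1000"}}),
    "Z_SD_SALES_1000": ("PLANT_1000", {"BUKRS": {"1000"}, "WERKS": {"1000"}, "VKORG": {"1000"}}),
    "Z_MM_BUYER_2000": ("PLANT_2000", {"BUKRS": {"2000"}, "WERKS": {"2000", "1000"}, "VKORG": {"2000"}}),
    "Z_FI_CLERK_2000": ("PLANT_2000", {"BUKRS": {"*"}, "WERKS": {"2000"}, "VKORG": {"2000"}}),
}


def derive_org_values(org_map, unit):
    """Return the organizational-level values a derived role for `unit` should carry.

    Always deriving from the map, instead of asking the business each time, is what keeps
    every role for the same unit consistent."""
    return {field: set(values) for field, values in org_map[unit].items()}


def audit_derived_roles(org_map, roles):
    """Compare each derived role's maintained org values with the map.

    Returns a list of (role, field, finding, values) tuples, where finding is
    'unexpected' (values outside the map, e.g. another plant or a '*' wildcard)
    or 'missing' (values the map expects but the role does not carry)."""
    findings = []
    for role, (unit, maintained) in sorted(roles.items()):
        expected = derive_org_values(org_map, unit)
        for field in sorted(set(expected) | set(maintained)):
            exp = expected.get(field, set())
            act = maintained.get(field, set())
            extra = act - exp
            missing = exp - act
            if extra:
                findings.append((role, field, "unexpected", sorted(extra)))
            if missing:
                findings.append((role, field, "missing", sorted(missing)))
    return findings


if __name__ == "__main__":
    for finding in audit_derived_roles(ORG_MAP, DERIVED_ROLES):
        print(finding)
```

In the constructed data, the buyer role for plant 2000 reaches into plant 1000 and the FI clerk role carries a company-code wildcard; both are the kind of cross-unit access an auditor will flag, while the sales role for plant 1000 is merely inconsistent with its sibling roles.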
Define a security provisioning process:
How sure are you that your users do not have excessive access? Many of us still grant access the traditional way, using access request forms and manual user management activities. This approach to provisioning user requests is a manual and time-intensive process and involves multiple people and teams. Risk analysis of segregation of duties or sensitive access is either performed manually or never performed, which leads to excessive access and SoD conflicts.
It is very important to have the right provisioning process in place. SAP GRC AC Access Request Management (ARM) eases this with an automated provisioning and approval process. The workflows can be easily defined using the standard MSMP cockpit or extended using BRF+. ToggleNow has rich experience in designing complex workflows and can help you if GRC is already implemented in your system and you need to automate manual processes that are still being followed even after a successful implementation of GRC. There are numerous other vendors in the market offering similar provisioning solutions, in case GRC AC is not an option for you under present business conditions.
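The preventive check that an automated provisioning process performs, and that the manual form-based process above skips, is a risk analysis of the user's access as it would look after the request is approved. The following is an added example, not SAP GRC Access Control's or ToggleNow's code: a function-level (action-level) SoD analysis over transaction codes, run once against the user's current roles and once against current plus requested roles, so the approver sees exactly which violations the request would introduce. Role names, the grouping of transaction codes into functions and the rule set are constructed for illustration. Because it works only at transaction-code level, it also illustrates the limitation mentioned earlier: an enabler-style role that carries broad authorization objects would not show up here and would need an object-level analysis.

```python
# Added example (not SAP GRC's or ToggleNow's code): an action-level SoD risk analysis run as a
# preventive check during provisioning. Role names, the grouping of transaction codes into
# functions and the rule set are constructed for illustration, not a real customer rule set.

# Constructed roles and the transaction codes they grant.
ROLE_TCODES = {
    "Z_AP_INVOICE_ENTRY": {"FB60", "MIRO"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "FK01"},
    "Z_DISPLAY_FI": {"FB03", "XK03"},
}

# Business functions, each defined as the transaction codes that perform it.
FUNCTIONS = {
    "AP01_ENTER_INVOICE": {"FB60", "MIRO"},
    "AP02_PROCESS_PAYMENT": {"F110"},
    "MM01_MAINTAIN_VENDOR": {"XK01", "XK02", "FK01"},
}

# Constructed SoD rule set: pairs of functions a single user must not hold together.
SOD_RULES = {
    "P001": ("AP01_ENTER_INVOICE", "AP02_PROCESS_PAYMENT"),
    "P002": ("MM01_MAINTAIN_VENDOR", "AP02_PROCESS_PAYMENT"),
    "P003": ("MM01_MAINTAIN_VENDOR", "AP01_ENTER_INVOICE"),
}


def effective_tcodes(roles):
    """Union of transaction codes over all roles assigned to a user."""
    tcodes = set()
    for role in roles:
        tcodes |= ROLE_TCODES[role]
    return tcodes


def functions_held(tcodes):
    """A function counts as held if the user can run at least one of its transactions."""
    return {name for name, codes in FUNCTIONS.items() if codes & tcodes}


def sod_violations(roles):
    """Rule IDs whose two functions are both held through the given roles."""
    held = functions_held(effective_tcodes(roles))
    return sorted(rule for rule, (fa, fb) in SOD_RULES.items() if fa in held and fb in held)


def check_access_request(current_roles, requested_roles):
    """Preventive check: which violations already exist, and which ones the request would add."""
    existing = set(sod_violations(current_roles))
    after = set(sod_violations(list(current_roles) + list(requested_roles)))
    return {"existing": sorted(existing), "new": sorted(after - existing)}


if __name__ == "__main__":
    user_roles = ["Z_AP_INVOICE_ENTRY", "Z_DISPLAY_FI"]
    # A request that introduces P001 (enter invoices + run payments) should be routed to the
    # risk owner for a mitigating control or rejected, not approved on the functional
    # approver's say-so alone.
    print(check_access_request(user_roles, ["Z_AP_PAYMENT_RUN"]))
```

Separating "existing" from "new" violations matters in practice: a user who already carries a mitigated conflict should not block every later request, but a request that adds a fresh conflict is the one the workflow must stop or escalate.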
Use the right tools to automate the processes:
Various access control applications are available in the market, offering rich capabilities such as managing and automating provisioning, risk management, and continuous control monitoring. A few of them are SAP Access Control, Process Control, ToggleNow's Verity, Audit Arrays, and so on. Using these, the effectiveness of controls can be determined quickly, and ongoing management becomes easy. These applications are delivered with a set of pre-defined controls that can be used effectively from day one of deployment.
Identify the interfaces and evaluate the type of activity:
A good security strategy does not end with managing your SAP system effectively. With technological change and a high level of automation, it is important to identify the interfaces in the SAP system and ensure that only legitimate data is moved to third-party systems. In the digital age, securing your company's data means getting serious about information security. Protecting sensitive information protects your customers from fraud and identity theft, and it safeguards the reputation of your organization.
ToggleNow's Optimus service can help you identify third-party interfaces quickly. It also suggests the additional licenses that you might need to make yourself compliant with the SAP licensing agreements. Read more about our Optimus service here.
Monitor your system 24/7 to keep it in a healthy state:
Now that you have understood the importance of a well-designed security strategy, you need to monitor it to ensure that the design is within the defined boundaries and your business data is safe.
SAP GRC Audit Management (AM) is one such solution that can be configured to monitor your SAP security setup. In addition, our partner solutions such as ARC (Audit Readiness Cockpit) can also help you. There are 100+ automated monitoring controls available with these solutions, along with whistle-blower BOTs that notify you of any incorrect usage. For example, any activity using SAP* or DDIC should be notified immediately, which is possible with these solutions.
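The monitoring controls referred to here, and the risky events listed at the start of this post (short-lived authorization grants, logins from external addresses or at irregular hours, dormant accounts, and use of SAP* or DDIC), come down to a handful of rules over the audit trail. The following is an added example, not ToggleNow's, ARC's or SAP's code: it parses a few constructed audit-log lines in a simplified pipe-delimited layout (not SAP's real Security Audit Log format) and raises an alert for each of those events, plus a dormant-account check over a constructed last-logon list. The internal network ranges, business hours and thresholds are assumptions to be tuned per landscape.

```python
# Added example (not ToggleNow's, ARC's or SAP's code): rule-based monitoring of risky events
# over a constructed audit trail. The log layout below is a simplified pipe-delimited format,
# not SAP's real Security Audit Log output; users, addresses and roles are constructed.
from datetime import date, datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Constructed audit-log lines: timestamp | user | source IP | event | detail
AUDIT_LOG = """\
2017-12-04T09:12:03|JSMITH|10.20.5.14|LOGON|dialog
2017-12-04T23:41:55|JSMITH|10.20.5.14|LOGON|dialog
2017-12-05T02:17:09|DDIC|10.20.7.2|LOGON|dialog
2017-12-05T10:03:44|TWONG|203.0.113.25|LOGON|dialog
2017-12-05T10:05:10|BASIS_ADMIN|10.20.7.9|ROLE_ASSIGN|TWONG:Z_AP_PAYMENT_RUN
2017-12-05T14:30:00|BASIS_ADMIN|10.20.7.9|ROLE_REMOVE|TWONG:Z_AP_PAYMENT_RUN
2017-12-06T11:00:00|BASIS_ADMIN|10.20.7.9|ROLE_ASSIGN|JSMITH:Z_DISPLAY_FI
"""

# Constructed last-logon export, as a user administrator would pull it (None = never logged on).
LAST_LOGON = {"JSMITH": date(2017, 12, 4), "TWONG": date(2017, 12, 5),
              "OLDUSER": date(2017, 6, 1), "NEWHIRE": None}
AS_OF = date(2017, 12, 8)

# Assumed tuning values: adjust to the landscape being monitored.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PRIVILEGED_USERS = {"SAP*", "DDIC"}          # any interactive use should be reported at once
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # Monday to Friday
SHORT_GRANT = timedelta(hours=24)            # grant removed again within this window is suspicious


def parse_log(text):
    """Split the constructed log into event dictionaries with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, event, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "event": event, "detail": detail})
    return events


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETWORKS)


def detect(events):
    """Apply the monitoring rules and return (alert type, subject, context) tuples."""
    alerts = []
    grants = {}  # (target user, role) -> time the role was assigned
    for e in events:
        if e["event"] == "LOGON":
            if e["user"] in PRIVILEGED_USERS:
                alerts.append(("PRIVILEGED_LOGON", e["user"], e["ts"].isoformat()))
            if not is_internal(e["ip"]):
                alerts.append(("EXTERNAL_IP_LOGON", e["user"], e["ip"]))
            t = e["ts"].time()
            if e["ts"].weekday() >= 5 or not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
                alerts.append(("OFF_HOURS_LOGON", e["user"], e["ts"].isoformat()))
        elif e["event"] == "ROLE_ASSIGN":
            target, role = e["detail"].split(":")
            grants[(target, role)] = e["ts"]
        elif e["event"] == "ROLE_REMOVE":
            target, role = e["detail"].split(":")
            assigned = grants.pop((target, role), None)
            if assigned is not None and e["ts"] - assigned <= SHORT_GRANT:
                alerts.append(("SHORT_LIVED_GRANT", target, role))
    return alerts


def dormant_accounts(last_logon, as_of, max_idle_days=90):
    """Users who have never logged on or have not logged on within max_idle_days."""
    return sorted(user for user, last in last_logon.items()
                  if last is None or (as_of - last).days > max_idle_days)


if __name__ == "__main__":
    for alert in detect(parse_log(AUDIT_LOG)):
        print(alert)
    print("dormant:", dormant_accounts(LAST_LOGON, AS_OF))
```

The short-lived-grant rule is the one worth noting: a role assigned and removed within a day leaves no trace in a point-in-time user review, so it has to be caught from the change log while the window is open, which is exactly what a continuous monitoring control adds over a periodic audit.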
Our SAP security and GRC SME pool carries years of experience in delivering SAP authorization and GRC projects. If you have a requirement, let’s talk. We are a click away.