
Securing SAP S/4HANA with GRC 12 and IAG

Jay Gohil

Director - Business Platform Transformation

Aric Quinones

Managing Director - Business Platform Transformation


Enterprises are focusing on big data, mobility and cloud while managing cybersecurity risks that could exploit internal vulnerabilities and expose sensitive data, and organizations have been on high alert about how to manage this risk effectively. Protiviti recently held a webinar highlighting new features in SAP’s latest governance module, GRC 12, and Cloud Identity Access Governance (IAG). Peter Creal, senior director of SAP’s North America Center of Excellence and a leader in the SAP GRC and SAP security space, was a guest presenter at the webinar.

With GRC 12, SAP has created a single holistic compliance and control framework. This is important because a lot of companies have struggled in the past to properly manage segregation of duties (SoD) and provisioning across all the various applications and systems involved in complex processes such as purchasing or payroll. A lot of companies have already begun to implement GRC 12, and many more are considering it. With so much potential for improvement and risk in the legacy environment, it’s only natural that some are still uncertain about how best to begin.

The consultant’s answer to this question is always “Begin with a plan.” In this case, the plan should include a clear understanding of the organization’s cloud strategy. If the organization is planning to use cloud solutions from SAP, such as S/4HANA, Ariba or Concur, to name a few, it is important to know how it plans to manage cloud access and what the GRC implementation/upgrade strategy entails.

As companies move into the planning process, they should consider the following best practices:

  • Review SoD and rule set for sensitive-data access — In a dynamic risk environment like this, the first step in road map planning and securing SAP access is to update key application risks. Many organizations have yet to develop SoD rule sets for cloud applications like Concur and Ariba, for example. There may also be new risks associated with SAP’s Fiori mobility user interface and new S/4HANA transaction codes. Organizations should also consider cross-system risks as key functional activities are decentralized into other key applications, and how those risks might be affected within a recently implemented HANA database environment.
  • Upgrade or implement the GRC solution — Despite the best intentions, the simple reality is that a lot of companies are behind on their GRC support-pack updates. At this point, it’s probably best to just upgrade to GRC 12, which is designed for current risks and incorporates the latest functionality. Upgrading provides an excellent opportunity to evaluate what additional functionality might be required and whether there may be some important capabilities, such as user-access reviews, that already exist but are not being used.
  • Consider cloud-based managed governance services — More often than not, the success or failure of a technology implementation boils down to whether the people in charge of that technology have the skill set required to properly implement, validate, monitor and maintain the system. With time and talent at a premium and expected to get even tighter over time, cloud-based managed services can help many organizations mitigate critical access risks while focusing internal resources on activities that add value. SAP’s Cloud IAG solution, for example, offers key governance processes, such as access monitoring, user provisioning and SoD management. Outsourcing management of IAG and governance processes allows organizations to leverage SAP experts to review and validate SoDs and provide continuous improvement recommendations back to the business.
  • Ensure system connectivity (on-premise and cloud) — This should be self-explanatory. Legacy systems have been disjointed for too long. Any SAP planning process needs to include a specific review to ensure that HANA databases connect securely with front-end Fiori interface servers and to cloud products via IAG bridge.
  • Add functionality/enhancements — This is the “why” of the project. Whether you are trying to integrate SAP with HR systems and identity management, streamline processes such as expanding Firefighter to Fiori/HANA, or implement robotic process automation, this final step of the plan provides the return on investment. Many people tend to think of GRC solely as a way to manage risk. The reality is that a GRC implementation/upgrade can create a lot of efficiencies in the end-to-end provisioning process.
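To illustrate the cross-system SoD point in the first practice above, here is a small Python check written for this page (not Protiviti's or SAP's code) that evaluates a user's access first within each system in isolation and then across S/4HANA, Ariba and Concur together; the rule set, role names and users are constructed for the example.

```python
from collections import defaultdict

# Constructed SoD rule set: pairs of business functions one person should not hold
# together. Risk IDs and function names are hypothetical, not SAP-delivered rules.
SOD_RULES = {
    "P001": ("MAINTAIN_VENDOR", "PROCESS_PAYMENT"),
    "P002": ("CREATE_PO", "APPROVE_INVOICE"),
    "P003": ("CREATE_PO", "PROCESS_PAYMENT"),
}

# Constructed mapping from (system, role) to the business function it grants.
FUNCTION_MAP = {
    ("S4HANA", "Z_MM_BUYER"): "CREATE_PO",
    ("S4HANA", "Z_AP_PAYMENT_RUN"): "PROCESS_PAYMENT",
    ("ARIBA", "SupplierManager"): "MAINTAIN_VENDOR",
    ("ARIBA", "InvoiceApprover"): "APPROVE_INVOICE",
    ("CONCUR", "ExpenseProcessor"): "PROCESS_PAYMENT",
}

def find_violations(assignments, rules=SOD_RULES):
    """Return {risk_id: [system:role, ...]} for each rule whose two functions are both held."""
    held = defaultdict(set)  # business function -> the assignments that grant it
    for system, role in assignments:
        func = FUNCTION_MAP.get((system, role))
        if func:
            held[func].add(f"{system}:{role}")
    return {rid: sorted(held[a] | held[b])
            for rid, (a, b) in rules.items() if a in held and b in held}

def per_system_violations(assignments, rules=SOD_RULES):
    """The siloed view: each system evaluated alone, so cross-system conflicts never appear."""
    grouped = defaultdict(list)
    for system, role in assignments:
        grouped[system].append((system, role))
    return {s: v for s, v in ((s, find_violations(a, rules)) for s, a in grouped.items()) if v}

# Constructed sample users spanning S/4HANA, Ariba and Concur.
USERS = {
    "jdoe": [("S4HANA", "Z_MM_BUYER"), ("ARIBA", "InvoiceApprover")],
    "asmith": [("S4HANA", "Z_AP_PAYMENT_RUN"), ("ARIBA", "SupplierManager")],
    "bkim": [("S4HANA", "Z_MM_BUYER"), ("S4HANA", "Z_AP_PAYMENT_RUN")],
    "clee": [("CONCUR", "ExpenseProcessor")],
}

if __name__ == "__main__":
    for user, assigned in USERS.items():
        print(user, "siloed:", per_system_violations(assigned),
              "cross-system:", find_violations(assigned))
```

Only bkim's conflict is visible when S/4HANA is reviewed on its own; jdoe's and asmith's conflicts exist solely across system boundaries, which is why the rule set has to map cloud roles onto the same business functions as the ERP roles.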

Accomplishing all this isn’t something that has to be swallowed in one bite. We recommend a phased approach. The goal should not just be compliance, but rather the efficient and effective management of the entire risk landscape and the continuous movement toward maturity.

This post offers a very high-level overview of a much more complex and nuanced discussion, and I recommend listening in to the archived webinar, available on our website. We are happy to answer any questions you might have.

Visit Protiviti’s SAP consulting services page for more information on our solutions.
