Business PlatformsSAP

Securing SAP S/4HANA with GRC 12 and IAG

Aric QuinonesJay Gohil
November 30, 2018
4 min read

With enterprises focusing on big data, mobility and cloud while managing cybersecurity risks that could exploit internal vulnerabilities that allow access to sensitive data, organizations have been on high alert about how to manage this risk effectively. Protiviti  recently held a webinar highlighting new features in SAP’s latest governance module, GRC 12, and Cloud Identity Access Governance (IAG). Peter Creal, senior director of SAP’s North America Center of Excellence and a leader in the SAP GRC and SAP security space, was a guest presenter at the webinar.

With GRC 12, SAP has created a single holistic compliance and control framework. This is important because a lot of companies have struggled in the past to properly manage segregation of duties (SoD) and provisioning across all the various applications and systems involved in complex processes such as purchasing or payroll. A lot of companies have already begun to implement GRC 12, and many more are considering it. With so much potential for improvement and risk in the legacy environment, it’s only natural that some are still uncertain about how best to begin.

The consultant’s answer to this question is always “Begin with a plan.” In this case, the plan should include a clear understanding of the organization’s cloud strategy. If the organization is planning to use cloud solutions from SAP, such as S/4HANA, Ariba or Concur, to name a few, it is important to know how it plans to manage cloud access and what the GRC implementation/upgrade strategy entails.

As companies move into the planning process, they should consider the following best practices:

  • Review SoD and rule set for sensitive-data access — In a dynamic risk environment like this, the first step in road map planning and securing SAP access is to update key application risks. Many organizations have yet to develop SoD rule sets for cloud applications like Concur and Ariba, for example. There may also be new risks associated with SAP’s Fiori mobility user interface and new S/4HANA transaction codes. Organizations should also consider cross-system risks as key functional activities are decentralized into other key applications or how it might be effected within the HANA database environment if recently implemented.
  • Upgrade or implement the GRC solution — Despite the best intentions, the simple reality is that a lot of companies are behind on their GRC support-pack updates. At this point, it’s probably best to just upgrade to GRC 12, which is designed for current risks and incorporates the latest functionality. Upgrading provides an excellent opportunity to evaluate what additional functionality might be required and whether there may be some important capabilities, such as user-access reviews, that already exist but are not being used.
  • Consider cloud-based managed governance services — More often than not, the success or failure of a technology implementation boils down to whether the people in charge of that technology have the skill set required to properly implement, validate, monitor and maintain the system. With time and talent at a premium and expected to get even tighter over time, cloud-based managed services can help many organizations mitigate critical access risks while focusing internal resources on activities that add value. SAP’s Cloud IAG solution, for example, offers key governance processes, such as access monitoring, user provisioning and SoD management. Outsourcing management of IAG and governance processes allows organizations to leverage SAP experts to review and validate SoDs and provide continuous improvement recommendations back to the business.
  • Ensure system connectivity (on-premise and cloud) — This should be self-explanatory. Legacy systems have been disjointed for too long. Any SAP planning process needs to include a specific review to ensure that HANA databases connect securely with front-end Fiori interface servers and to cloud products via IAG bridge.
  • Add functionality/enhancements This is the “why” of the project. Whether you are trying to integrate SAP with HR systems and identity management, streamline processes such as expanding Firefighter to Fiori/HANA, or implement robotic process automation, this final step of the plan provides the return on investment. Many people tend to think of GRC solely as a way to manage risk. The reality is that a GRC implementation/upgrade can create a lot of efficiencies in the end-to-end provisioning process.

Accomplishing all this isn’t something that has to be swallowed in one bite. We recommend a phased approach. The goal should not just be compliance, but rather the efficient and effective management of the entire risk landscape and the continuous movement toward maturity.

This post offers a very high-level overview of a much more complex and nuanced discussion, and I recommend listening in to the archived webinar, available on our website. We are happy to answer any questions you might have.

Visit Protiviti’s SAP consulting services page for more information on our solutions.

Aric Quinones

Managing Director
Technology Consulting

View all posts

Jay Gohil

Director
Enterprise Application Solutions

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
2 Nov

Many often overlook the potential impact—both positive and negative—a #TechnModernization project can have on operational #resilience. #ProtivitiTech's Kim Bozzella shares her thoughts with #Forbes Technology Council. https://ow.ly/1FLA50TYIaE

Reply on Twitter 1852806697112187072 Retweet on Twitter 1852806697112187072 Like on Twitter 1852806697112187072 Twitter 1852806697112187072
protivititech Protiviti Technology @protivititech ·
1 Nov

Establishing a scalable #AI #governance framework is crucial for balancing innovation with #risk and #compliance. Dive into our latest ebook, co-authored with #OneTrust, to explore key steps and technologies that will elevate your AI governance strategy. https://ow.ly/QqKy50TVUx3

Reply on Twitter 1852320075530809735 Retweet on Twitter 1852320075530809735 Like on Twitter 1852320075530809735 Twitter 1852320075530809735
protivititech Protiviti Technology @protivititech ·
31 Oct

News reports implied that China has managed to break "military grade" encryption using quantum computers. But the truth is more complicated than that. Protiviti's #quantum expert Konstantinos Karagiannis explains it all to #VISIONbyProtiviti. https://ow.ly/Zb9z50TWNuh

Reply on Twitter 1852018952433549469 Retweet on Twitter 1852018952433549469 Like on Twitter 1852018952433549469 Twitter 1852018952433549469
protivititech Protiviti Technology @protivititech ·
31 Oct

The #IIoT can help organizations collect and analyze data to optimize operations and maximize resources. #ProtivitiTech's Kim Bozzella details how IIoT can yield benefits for businesses and the people they serve with #Forbes #Technology Council. https://ow.ly/V5I250TVLAj

Reply on Twitter 1851988257015226688 Retweet on Twitter 1851988257015226688 Like on Twitter 1851988257015226688 Twitter 1851988257015226688
protivititech Protiviti Technology @protivititech ·
31 Oct

Protiviti has earned the AWS DevOps Competency, which complements our existing Migration and Security Competencies. These competencies reflect Protiviti's ability to deliver comprehensive AWS system integration services. https://ow.ly/Baj550TWR9I

#AWSDevOps #AWSCloud #AWS

Reply on Twitter 1851821523918528853 Retweet on Twitter 1851821523918528853 Like on Twitter 1851821523918528853 1 Twitter 1851821523918528853
Load More