With enterprises focusing on big data, mobility and cloud while managing cybersecurity risks, including internal vulnerabilities that could allow access to sensitive data, organizations have been on high alert about how to manage this risk effectively. Protiviti recently held a webinar highlighting new features in SAP’s latest governance module, GRC 12, and Cloud Identity Access Governance (IAG). Peter Creal, senior director of SAP’s North America Center of Excellence and a leader in the SAP GRC and SAP security space, was a guest presenter at the webinar.
With GRC 12, SAP has created a single holistic compliance and control framework. This is important because a lot of companies have struggled in the past to properly manage segregation of duties (SoD) and provisioning across all the various applications and systems involved in complex processes such as purchasing or payroll. A lot of companies have already begun to implement GRC 12, and many more are considering it. With so much potential for improvement and risk in the legacy environment, it’s only natural that some are still uncertain about how best to begin.
The consultant’s answer to this question is always “Begin with a plan.” In this case, the plan should include a clear understanding of the organization’s cloud strategy. If the organization is planning to use cloud solutions from SAP, such as S/4HANA, Ariba or Concur, to name a few, it is important to know how it plans to manage cloud access and what the GRC implementation/upgrade strategy entails.
As companies move into the planning process, they should consider the following best practices:
- Review SoD and rule set for sensitive-data access — In a dynamic risk environment like this, the first step in road map planning and securing SAP access is to update key application risks. Many organizations have yet to develop SoD rule sets for cloud applications like Concur and Ariba, for example. There may also be new risks associated with SAP’s Fiori mobility user interface and new S/4HANA transaction codes. Organizations should also consider cross-system risks as key functional activities are decentralized into other key applications, and how those risks might be affected within the HANA database environment if it was recently implemented.
- Upgrade or implement the GRC solution — Despite the best intentions, the simple reality is that a lot of companies are behind on their GRC support-pack updates. At this point, it’s probably best to just upgrade to GRC 12, which is designed for current risks and incorporates the latest functionality. Upgrading provides an excellent opportunity to evaluate what additional functionality might be required and whether there may be some important capabilities, such as user-access reviews, that already exist but are not being used.
- Consider cloud-based managed governance services — More often than not, the success or failure of a technology implementation boils down to whether the people in charge of that technology have the skill set required to properly implement, validate, monitor and maintain the system. With time and talent at a premium and expected to get even tighter over time, cloud-based managed services can help many organizations mitigate critical access risks while focusing internal resources on activities that add value. SAP’s Cloud IAG solution, for example, offers key governance processes, such as access monitoring, user provisioning and SoD management. Outsourcing management of IAG and governance processes allows organizations to leverage SAP experts to review and validate SoDs and provide continuous improvement recommendations back to the business.
- Ensure system connectivity (on-premises and cloud) — This should be self-explanatory. Legacy systems have been disjointed for too long. Any SAP planning process needs to include a specific review to ensure that HANA databases connect securely with front-end Fiori interface servers and to cloud products via the IAG bridge.
- Add functionality/enhancements — This is the “why” of the project. Whether you are trying to integrate SAP with HR systems and identity management, streamline processes such as expanding Firefighter to Fiori/HANA, or implement robotic process automation, this final step of the plan provides the return on investment. Many people tend to think of GRC solely as a way to manage risk. The reality is that a GRC implementation/upgrade can create a lot of efficiencies in the end-to-end provisioning process.
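To make the cross-system SoD point from the first practice concrete, here is an added example (not code from Protiviti, SAP GRC or IAG) of the check a rule set has to express: a user who can create a vendor in one system and pay that vendor in another holds a conflict that a single-system review never sees. All rule ids, function names, roles and users below are constructed placeholders.

```python
# Added example: minimal cross-system segregation-of-duties (SoD) evaluation.
# Rule ids, functions, systems, roles and users are constructed, not real SAP entries.
from collections import defaultdict

# Constructed SoD rule set: pairs of business functions one person must not hold.
SOD_RULES = [
    ("P001", "CREATE_VENDOR", "POST_VENDOR_PAYMENT"),
    ("P002", "MAINTAIN_PO", "APPROVE_PO"),
    ("H001", "MAINTAIN_EMPLOYEE_BANK", "RUN_PAYROLL"),
]

# Constructed mapping of (system, role) -> business functions that role grants.
# The same function can be reachable from more than one system (cloud and on-prem).
ROLE_FUNCTIONS = {
    ("ARIBA", "SUPPLIER_ADMIN"): {"CREATE_VENDOR"},
    ("S4HANA", "AP_CLERK"): {"POST_VENDOR_PAYMENT"},
    ("S4HANA", "BUYER"): {"MAINTAIN_PO"},
    ("S4HANA", "PURCHASING_MANAGER"): {"APPROVE_PO"},
    ("CONCUR", "EXPENSE_PROCESSOR"): set(),
}

# Constructed user assignments: user -> list of (system, role).
USER_ROLES = {
    "jdoe": [("ARIBA", "SUPPLIER_ADMIN"), ("S4HANA", "AP_CLERK")],
    "asmith": [("S4HANA", "BUYER")],
    "rlee": [("S4HANA", "BUYER"), ("S4HANA", "PURCHASING_MANAGER")],
}

def user_functions(user):
    """Return {function: set of systems granting it} for a user, across all systems."""
    funcs = defaultdict(set)
    for system, role in USER_ROLES.get(user, []):
        for func in ROLE_FUNCTIONS.get((system, role), set()):
            funcs[func].add(system)
    return funcs

def sod_violations(user):
    """All rule hits for a user: (risk_id, func_a, systems_a, func_b, systems_b)."""
    funcs = user_functions(user)
    return [(rid, a, sorted(funcs[a]), b, sorted(funcs[b]))
            for rid, a, b in SOD_RULES if a in funcs and b in funcs]

def cross_system_violations(user):
    """Only the hits where no single system grants both sides of the conflict."""
    return [h for h in sod_violations(user) if set(h[2]).isdisjoint(h[4])]

if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, "all:", sod_violations(user), "cross-system only:", cross_system_violations(user))
```

Run against a real role-to-function mapping exported from each system, the `cross_system_violations` list is exactly the set of conflicts that a per-system rule set would have missed.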
Accomplishing all this isn’t something that has to be swallowed in one bite. We recommend a phased approach. The goal should not just be compliance, but rather the efficient and effective management of the entire risk landscape and the continuous movement toward maturity.
This post offers a very high-level overview of a much more complex and nuanced discussion, and I recommend listening in to the archived webinar, available on our website. We are happy to answer any questions you might have.