SAP Blog

Effectively Managing SAP Security Risks in the Modern World

The global landscape has changed in light of COVID-19. As companies quickly transitioned to a remote workforce, the need for remote access and application access increased — along with the risk of cyber threats. Now, more than ever, it’s critical to practice good security hygiene.  

In a recent webinar, “Effectively Managing SAP Security Risks in the Modern World,” now available on demand, we talked about the need to resist the temptation to downgrade or bypass standard security and change management practices, particularly with the increasingly remote workforce. Over 64% of the attendees at our webinar indicated that 75–100% of their workforce is now working remotely.

This shift to an offsite workforce demands that companies automate, streamline and monitor their security access and vulnerabilities to minimize threats and disruptions, all of which can be accomplished using SAP software solutions. SAP solutions can also enable companies to perform vulnerability assessments, implement threat detection, and ease the daily burden on the workforce by automating aspects of security access while still ensuring compliance. Continuous monitoring tools can also be leveraged to provide assurance by testing the full population of transactions. 

Conduct Vulnerability and Threat Assessments 

In the “new normal” of a world impacted by COVID-19, SAP tools should receive the same security scrutiny as the broader landscape of a business. Companies can leverage continuous monitoring for the SAP landscape so that attacks are identified, analyzed and neutralized as they are happening and before damage occurs. This can be accomplished using Security Information and Event Management (SIEM) solutions.  

Areas that can be monitored include: 

  • Sensitive system configuration 
  • Downloads of sensitive data via blacklisted reports 
  • Failed log-ons of the same user for different terminal IDs
  • Log-ons of SAP standard users.

Companies also can monitor for brute force attacks, identify denial of service attacks, and analyze patterns to detect suspicious calls. As much of the workforce has transitioned to working remotely, these assessments are crucial to combat the increased risk of cybercrime from home, as well as other remote access points. 
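The monitoring scenarios listed above (failed log-ons of one user from several terminal IDs, log-ons of SAP standard users, and brute-force patterns) are easy to express as rules over logon records. The following Python is an added example for this post, not SAP software or SIEM content: it runs three such rules over a constructed set of logon events. The record layout, the terminal names and the thresholds are assumptions chosen for the example; only the list of SAP standard user IDs is real.

```python
"""Detection rules over constructed logon records (added example; not SAP output)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known SAP standard (delivered) user IDs; interactive logons by these
# accounts normally deserve review because they should be locked or unused.
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}

# Constructed sample: timestamp, user, terminal ID, outcome. The layout is an
# assumption for this example, not the real Security Audit Log format.
SAMPLE_LOG = """\
2020-05-04T08:00:01 ALICE WS-ALICE-01 LOGON_OK
2020-05-04T08:00:05 BOB WS-BOB-07 LOGON_FAIL
2020-05-04T08:00:09 BOB WS-KIOSK-3 LOGON_FAIL
2020-05-04T08:00:12 BOB WS-KIOSK-4 LOGON_FAIL
2020-05-04T08:01:00 SAP* WS-UNKNOWN LOGON_OK
2020-05-04T08:02:00 CAROL WS-CAROL-02 LOGON_FAIL
2020-05-04T08:02:03 CAROL WS-CAROL-02 LOGON_FAIL
2020-05-04T08:02:06 CAROL WS-CAROL-02 LOGON_FAIL
2020-05-04T08:02:09 CAROL WS-CAROL-02 LOGON_FAIL
2020-05-04T08:02:12 CAROL WS-CAROL-02 LOGON_FAIL
2020-05-04T08:02:15 CAROL WS-CAROL-02 LOGON_FAIL
2020-05-04T08:30:00 DDIC WS-BASIS-1 LOGON_FAIL
2020-05-04T09:00:00 ALICE WS-ALICE-01 LOGON_FAIL
"""


def parse_log(text):
    """Parse whitespace-separated records into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, terminal, outcome = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "terminal": terminal,
            "ok": outcome == "LOGON_OK",
        })
    return events


def standard_user_logons(events):
    """Successful logons by SAP standard users, as (user, terminal) pairs."""
    return [(e["user"], e["terminal"]) for e in events
            if e["ok"] and e["user"] in STANDARD_USERS]


def failed_logons_multiple_terminals(events, min_terminals=2):
    """Users whose failed logons came from at least min_terminals distinct terminal IDs."""
    terminals = defaultdict(set)
    for e in events:
        if not e["ok"]:
            terminals[e["user"]].add(e["terminal"])
    return {u: sorted(t) for u, t in terminals.items() if len(t) >= min_terminals}


def brute_force_candidates(events, threshold=5, window=timedelta(minutes=1)):
    """Users with at least `threshold` failed logons inside any sliding time window."""
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            failures[e["user"]].append(e["ts"])
    flagged = []
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("standard-user logons:", standard_user_logons(evts))
    print("failed from several terminals:", failed_logons_multiple_terminals(evts))
    print("brute-force candidates:", brute_force_candidates(evts))
```

Each rule returns the user and the evidence (terminals or the user ID) rather than a bare count, so the output can be handed to a risk owner for review in the way the post describes; the thresholds are the tuning knobs a SIEM rule would expose.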

Proactive Vulnerability Management 

In addition, it’s important for companies to know that vulnerability management is most successful when applied proactively as code is developed and before it is deployed. Above and beyond continuous monitoring, strategic thinking and planning should be incorporated into the design and development of new programs and applications. 

Problems can arise when there has been a great deal of customization to the code within an organization, particularly when that customization has been poorly documented or not documented at all. If a breach or vulnerability is detected, coders must then find and correct the problem, which can be costly.  

Identify and Implement Access Automation for Virtual Workforces 

In today’s growing remote workforce, companies are faced with the challenge of scaling centralized authentication and user provisioning, while at the same time managing new or temporary assignments to accommodate for ill or quarantined employees’ workloads. Things change rapidly, and it may be tempting to bypass certain controls, but maintaining compliance is essential to managing security risks. 

SAP’s commonly used access management tools, such as SAP Access Control, can help enable efficiencies in granting access to SAP environments without getting in the way of productivity. Speed of access provisioning needs to be an enabler and not a bottleneck to getting work done.

For users who require elevated or privileged access directly to end-user accounts, businesses need a way to provide this temporarily or on an extended basis, knowing that the access can be monitored and logged for further review. 

Not every aspect of access can be automated (i.e., waiting on approvers and approvals required), but many can. For instance, the following aspects of an access provisioning workflow could be automated: 

  • How access requests are taken 
  • How they are routed for approval 
  • Routing for compliance checks  
  • Provisioning, once approved. 

Automation can also be applied during periodic access reviews, which will occur especially if a business has a SOX compliance requirement. Terminations or job changes where access wasn’t removed during the normal course of business can be cleaned up using systems that automate the actions around these processes. 

Use Continuous Monitoring Solutions to Quantify Actual Risk Exposure 

Traditional detective controls for user access can be labor-intensive and time-consuming to perform, test and audit. These types of controls, such as manual reporting or transaction sampling, are often redundant and ineffective, and can even slow down a process or burn out employees. A good control acts as a caution or warning, indicating that a process may present a potential security risk or compliance issue. If defined with specific exception criteria, the control will identify the user or transaction and flag it for a manager or risk owner to evaluate further.

Good continuous monitoring controls aren’t limited to high-risk events either; they can also be used to collect data on processes that show opportunities for improvement, in terms of optimizing for safety and efficiency. Reported exceptions can then be analyzed at a supervisor, compliance, or executive level, to allow for informed decisions about adjusting processes in the wake of resource and work environment changes. This approach lends itself nicely to a remote work landscape by enabling standardization across access governance and control testing.

Solutions for continuous monitoring include: 

  • Access Violation Management (by Greenlight) monitors for actual exceptions of an SoD violation, acting as an extension of Access Control for ‘did-do’ analysis. As these exception transactions are collected, the owners of these risks or users can review them, provide approval, and identify if any fraudulent activity occurred. This then creates a repository of mitigating activities which can be reviewed by audit organizations and executive leadership. 
  • SAP Process Control automates the control environment at an enterprise level by acting as a repository for risks and controls. Continuous Control Monitoring (CCM) rules can be built in order to analyze for specific exception scenarios, such as configuration changes or unusual journal entries, and get real-time reporting and alerts that are remotely actionable. 
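The compliance check in the access provisioning workflow described earlier and the ‘did-do’ analysis above are two views of the same segregation-of-duties (SoD) rule set: one asks what a user would be able to do after a request is approved, the other what a user actually did. The following Python is an added example for this post, not code from SAP Access Control, Greenlight or Process Control. The SoD risk IDs, role names, role-to-transaction mapping, mitigation data and execution log are all constructed for the example; the transaction codes are used only for illustration.

```python
"""One SoD rule set driving a preventive request check and a detective did-do
analysis (added example; not SAP Access Control or Greenlight code)."""
from collections import defaultdict

# Constructed SoD rule set: risk ID -> (description, side A tcodes, side B tcodes).
# A user who can (or did) execute something from both sides violates the risk.
SOD_RULES = {
    "P001": ("Create vendor master and run vendor payments", {"FK01", "XK01"}, {"F110"}),
    "P002": ("Create purchase order and post goods receipt", {"ME21N"}, {"MIGO"}),
}

# Constructed role-to-transaction mapping (assumption for this example).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FK01", "FB60"},
    "Z_AP_PAYMENTS": {"F110", "F111"},
    "Z_PURCHASER": {"ME21N", "ME22N"},
    "Z_WAREHOUSE": {"MIGO"},
}

# Risks a risk owner has formally accepted for a user under a mitigating control.
MITIGATED = {"FRANK": {"P002"}}

# Constructed execution log: (date, user, transaction code actually run).
EXEC_LOG = [
    ("2020-05-04", "DAVE", "FK01"),
    ("2020-05-04", "DAVE", "FB60"),
    ("2020-05-06", "DAVE", "F110"),
    ("2020-05-05", "EVE", "ME21N"),
    ("2020-05-05", "FRANK", "ME21N"),
    ("2020-05-07", "FRANK", "MIGO"),
    ("2020-05-07", "GRACE", "MIGO"),
]


def violated_risks(tcodes):
    """Risk IDs whose two conflicting sides are both present in the tcode set."""
    return sorted(risk for risk, (_, side_a, side_b) in SOD_RULES.items()
                  if tcodes & side_a and tcodes & side_b)


def check_access_request(current_roles, requested_roles):
    """Preventive ('would-do') check run during provisioning: conflicts the user
    would hold if the requested roles were added to the current ones."""
    tcodes = set()
    for role in list(current_roles) + list(requested_roles):
        tcodes |= ROLE_TCODES.get(role, set())
    return violated_risks(tcodes)


def did_do_violations(exec_log, mitigated=MITIGATED):
    """Detective ('did-do') analysis over what users actually executed.

    Returns {user: [risk_id, ...]} for conflicts not covered by an accepted
    mitigation; mitigated findings stay in the repository but are not re-raised.
    """
    executed = defaultdict(set)
    for _, user, tcode in exec_log:
        executed[user].add(tcode)
    findings = {}
    for user, tcodes in executed.items():
        risks = [r for r in violated_risks(tcodes) if r not in mitigated.get(user, set())]
        if risks:
            findings[user] = risks
    return findings


if __name__ == "__main__":
    print("request check:", check_access_request(["Z_AP_CLERK"], ["Z_AP_PAYMENTS"]))
    print("did-do findings:", did_do_violations(EXEC_LOG))
```

In the workflow, `check_access_request` would run at the compliance-check step before routing to the approver, so a request that creates a conflict is either rejected or routed for a documented mitigation; `did_do_violations` is the periodic job whose output the risk owner reviews. Keeping both on one rule set avoids the common gap where the preventive and detective rules drift apart.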

Continue to Manage SAP Security Risks 

Now is the time for businesses to revisit their approach to securing their application landscape. Clearer policy training and the right technical monitoring controls are key to staying secure with a virtual workforce.  

As team members take on additional roles during the COVID-19 pandemic, now is not the time to get bogged down in manual access-management tasks. Instead, leverage access automation to streamline provisioning and firefighting processes. Security controls which utilize continuous monitoring solutions can be an enabler for business and audit processes, rather than an additional task that reduces efficiency. 

For more information on how your business can manage SAP security risks during this time, contact us or visit Protiviti’s SAP consulting services to learn more about our solutions. 

About the Authors

Vijan Patel
Technology Consulting, Enterprise Application Services



John Scaramucci
Associate Director
Technology Consulting, Enterprise Application Services
