Historically, Enterprise Resource Planning (ERP) implementations have been secure inside the firewall, but interconnectivity and data enrichment needs have changed the threat matrix. Security Managers, Auditors and Compliance Managers need to look deeper than classic segregation of duties and Sarbanes-Oxley (SOX) requirements when analyzing risk. The dialogue has recently expanded to include inquiry into how SAP, PeopleSoft, JD Edwards and other ERP software implementations can be folded into an overall Security or Cybersecurity Program. These large-scale ERP software packages are the backbone of corporations, governments and supply chains across the world. They manage everything from human resources and financials to production creation and delivery, customer maintenance and archival.
Connectivity to internal ERP software has increased, and the network firewalls and perimeter no longer defend the application. Cloud connectivity and data enrichment through sales, purchasing, human resource management and other applications in the cloud are new avenues for hackers. Mobile devices accessing core ERP data and the need for portions of the application to be available to the internet have opened new vulnerabilities. The risk to corporate intellectual property and to critical customer, vendor and employee data is high, and knowledge of how to protect against threats is low. Organizations need to understand the threats and respond effectively to stay a step ahead of the hackers and protect the business-critical data housed in ERP systems. Education and security are critical in order to reduce risk and train staff to maintain a Cyber Secure ERP implementation. Application-level security is not the hot topic that chasing hackers on the network is, but it is a vital component of an overall Cybersecurity program.
The next generation of Cybersecurity Leaders will need to take a holistic view of the threat matrix, taking network, firewall, server, application, and user-level risks into account. A secure environment starts with strong and enforceable security policies, threat detection and response, patch and upgrade programs, and access management processes.
Consultants often prescribe a role redesign for all your SAP security problems. In fact, these projects are by far the most lucrative for the consultants, not the clients. Often the architecture is changed and new issues arise with the new role design structure. In the case of a large food processing company, the security process suffered from many years of fulfilling all requests using the model user approach. Users acquired their access quickly; however, that access contained multiple roles and went beyond what the users needed. In addition, the number of roles grew until it exceeded the number of users. This became a maintenance nightmare and, from a control and audit perspective, a source of high-risk excessive access to both sensitive and powerful transactions.
Because years of changes had resulted in multiple layers of user access, determining role changes and getting roles to be risk free was a monumental task. In addition, there was a need to revamp the security request process to avoid risks and excessive access on a proactive basis. A parallel effort was initiated to implement a new process using GRC Access Request Management (ARM) and a task-based role design. The revamped process provides a leaner role population more closely aligned with access needs. The task names are easily identified by business users and replace the risk-prone “model” user approach.
A pilot of the approach was undertaken with three business areas. This enabled us to complete the proof of concept and to determine the benefits for an enterprise-wide rollout. There was one global department, one with multiple areas located in the headquarters, and one group with multiple geographic locations. An analysis of transaction usage among the users in each of the groups was used to determine necessary transactions. In addition, controls by organizational area, where necessary, were also analyzed from transaction history. A comparison of the new accepted, tested roles revealed a 44% reduction in access and 100% removal of access risks.
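The usage analysis described above can be sketched in a few lines. This is an added example, not code from the engagement: the role names, users, usage log and the two segregation-of-duties rules are constructed for illustration, and the per-user intersection of assigned and used transactions is an assumed simplification of the task-based design.

```python
# Constructed sample data for illustration; none of it comes from the article.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "FK03", "F110"},
    "Z_VENDOR_MAINT": {"FK01", "FK02", "FK03"},
    "Z_BUYER": {"ME21N", "ME23N", "MIGO"},
}
# Both users were provisioned by copying a "model" user, so roles piled up.
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},
    "bob": {"Z_AP_CLERK", "Z_VENDOR_MAINT", "Z_BUYER"},
}
# (user, transaction) pairs from a usage history export.
USAGE_LOG = [
    ("alice", "FB60"), ("alice", "FK03"), ("alice", "FB60"),
    ("bob", "FB60"), ("bob", "F110"), ("bob", "ME23N"),
    ("bob", "VA01"),  # stale entry: bob no longer holds this access
]
# Illustrative segregation-of-duties rules: holding one from each side is a risk.
SOD_RULES = {
    "maintain vendor + run payments": ({"FK01", "FK02"}, {"F110"}),
    "create PO + post goods receipt": ({"ME21N"}, {"MIGO"}),
}

def assigned_access(user):
    """Union of the transactions granted through all of the user's roles."""
    return set().union(*(ROLE_TCODES[r] for r in USER_ROLES[user]))

def used_access(user):
    """Distinct transactions the user actually executed in the log window."""
    return {tcode for u, tcode in USAGE_LOG if u == user}

def sod_conflicts(tcodes):
    """Names of the rules for which the access set holds both sides."""
    return sorted(n for n, (a, b) in SOD_RULES.items() if tcodes & a and tcodes & b)

def analyze():
    report, before, after = {}, 0, 0
    for user in sorted(USER_ROLES):
        current = assigned_access(user)
        proposed = current & used_access(user)  # drops unused and stale entries
        before, after = before + len(current), after + len(proposed)
        report[user] = {
            "proposed": sorted(proposed),
            "risks_before": sod_conflicts(current),
            "risks_after": sod_conflicts(proposed),
        }
    return report, round(100 * (before - after) / before, 1)

if __name__ == "__main__":
    report, reduction = analyze()
    for user, row in report.items():
        print(user, row)
    print(f"access reduction: {reduction}%")
```

The log window has to cover periodic work such as month-end and year-end processing, otherwise rarely used but necessary transactions are dropped from the proposed access.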