SAP Security Blogs

Turnkey's team of expert consultants share their wealth of knowledge and in-depth insight into SAP security and controls in a series of blog posts.

SAP GRC 2014, Orlando

Friday, 4 April 2014

Posted by Richard Hunt

Last week I attended the US-based SAP GRC conference for the eighth year in a row, and this year it was back to where it all started for us: Orlando, Florida.

It was a great opportunity to catch up with our US-based SAP colleagues and customers, and I was joined by three members of our US team and a couple of our UK team who were speaking at the conference. The team at SAP Insider put on another well-organised event, and co-hosting it with the SAP Financials event, I felt, worked really well, as everybody had an interest of some sort in GRC.

The event was again well attended and it was a fantastic opportunity to hear from US customers how they are leveraging their SAP GRC tools.

The highlights for us this year were:

1. The official launch of SAP GRC Audit Management on HANA.

Audit Management is the latest addition to SAP’s GRC focused solutions. The solution is focused on helping companies manage the audit cycle. The solution is still evolving and with a HANA backend its future roadmap is sure to include some very interesting audit analytics capabilities.

Here’s an overview diagram of the new product:

[Diagram: Audit Management Overview]
2. More customers leveraging Process Controls.

At this year’s event we noted more customers with experience of SAP GRC Process Controls in their environments. This led to a lot more detailed discussions around the capabilities and potential use cases of the product and it was great to explore ideas with these customers.

It was encouraging to hear that our customers are still at the leading edge in terms of getting benefits from process controls.

3. Increased uptake of HANA in the US customer base.

We noted that the take-up of HANA was significantly more prevalent amongst US-based customers than we have found to be the case in Europe to date. This is a very positive development, as it indicates a shift towards this technology amongst the SAP customer base generally.

HANA offers a lot of exciting possibilities in the GRC space and we are looking forward to helping more customers to harness this technology.

4. Increasing interest in SAP GRC Risk Management.

Having successfully implemented Access and Process Controls, we are finding more and more customers turning to the Risk Management module. This is an area we have put significant focus on over the past two years, having developed a Rapid Deployment Solution (RDS) with significant enhancements over and above the SAP standard solution.

We met with a number of customers on this topic in Orlando and are looking forward to helping more customers to utilise this product.

5. Increased product integration across AC, PC and RM.

Many customers we spoke to at the event were interested in how they can make their usage of GRC more efficient and improve their GRC processes by further integrating the GRC components. We had several discussions around options for sharing risks across AC, PC and RM and around how best to integrate the products to take a more holistic approach.

This is something that we have been seeing more in our own customer base, and it's encouraging to see other SAP GRC users looking to maximise the return on their GRC investment.

It was great to be back in Orlando and we are already looking ahead to next year, which may well be back in Vegas (TBC). For those who were not able to join us at the US conference, the good news is that this year's European event is only a few weeks away and will be held at a new venue in Nice, France. We will be there again, with our speakers repeating their sessions in addition to some other content we have been asked to provide. If you’re interested in attending the Nice event please let us know; as exhibitors we are able to offer you a customer discount.

Hopefully we will see you there!


The Paradox of password rules

Friday, 14 February 2014

Posted by Simon Persin

Many organisations can expect to see some sort of findings on their audit reports pertaining to their system password rules and settings. Examples of these include the number of lowercase, uppercase, numerical or special characters required in passwords, in combination with not being able to reuse passwords which have already been used. It is a widely held belief that the more restrictions and conditions that are placed upon passwords, the more secure your system is. I believe that this is actually a paradox. In my experience, more complicated password conditions actually lead to a proliferation of simplistic passwords which can be more easily guessed or cracked. This actually reduces the security of your system rather than enhancing it. It is also much more likely that users will write down their passwords in an unencrypted document on their PCs, or potentially on a notepad or Post-it note nearby, as a way of remembering the complicated passwords.

If you have largely unrestricted password conditions, you open up the possibility that the passwords can be anything. Although you will always get the common ones such as spouses’ names, children’s names or swear words, there is also more chance that the password will be something completely random, since the user has the freedom to choose anything from the languages available across the globe. For example, combining two randomly chosen words into a single password means that the character length is naturally greater, and the password would take far longer to crack through brute force. To protect yourself from very common passwords, many systems, including SAP, have a prohibited passwords list which can be maintained.

If you start enforcing greater levels of complexity, users naturally have to think harder about the passwords which they choose. Having worked on multiple client sites, I dread the time when the little dialog box is sitting there asking me to define a new password. Often, I spend more than a few minutes trying to think about what will fit the client password conditions and then what I am likely to remember. Until you meet the criteria specified by the system, you will simply get error messages stating the deficiency in your password strength. Once you have finally met the criteria, you will then understand the minimum standards required by the system and therefore understand the likely structure of a number of users’ passwords within that system. Whilst this might appear to make the password itself more complicated, you tend to find that more people follow the same thought process, which means that you can actually guess many more people’s passwords than you would ordinarily have been able to. I have lost count of the number of times people end up with a swear word with a capital first letter and an incrementing number with a $ sign at the end. A worked example shows the common thought process for building a compliant password that is nonetheless not difficult to work out, starting with my first name:

Previous Input Password | Updated Password based upon Condition

Condition 1: Length must be 6 characters
Condition 2: Must have upper case character
Condition 3: Must have a numeric value
Condition 4: Must have a Special Character
Next Password
Next Password

Whilst the password initially appears very secure with a combination of characters which may not easily be guessed, over time, the password settles into a very simple pattern whereby it remains largely static and simply increments the number with each change. 

Therefore, this password has retained its adherence to the complicated convention & standards set by the system yet remains an inherently weak password in general terms. 

In SAP systems, you have the option of configuring an additional parameter, login/min_password_diff, which requires that the password has a minimum number of differences from the previous one. At Turnkey Consulting, we recommend that this is set to “3” as a minimum but even then, users will find a simplistic pattern to meet those standards with as little thinking time as possible.
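The following is an added example, not code from the original post or from SAP: it encodes the four conditions of the worked example above, a minimum-difference check in the spirit of login/min_password_diff set to 3, a small constructed prohibited list, and a change-time check that refuses the "same word, next number" pattern the post describes. The difference count is a simplification (position-wise comparison), not SAP's exact algorithm.

```python
import string

# Constructed rule set mirroring the worked example: 6-character minimum,
# upper case, numeric and special character (assumed to be any punctuation).
MIN_LENGTH = 6
MIN_DIFF = 3  # the minimum Turnkey recommends for login/min_password_diff

# Constructed prohibited list standing in for the maintainable list SAP provides.
PROHIBITED = {"password", "welcome", "letmein"}


def complexity_violations(pw: str) -> list:
    """Return the names of the rules the password fails; [] means compliant."""
    failed = []
    if len(pw) < MIN_LENGTH:
        failed.append("length")
    if not any(c.isupper() for c in pw):
        failed.append("uppercase")
    if not any(c.isdigit() for c in pw):
        failed.append("numeric")
    if not any(c in string.punctuation for c in pw):
        failed.append("special")
    return failed


def char_difference(old: str, new: str) -> int:
    """Count positions at which the passwords differ (extra length counts as a change)."""
    width = max(len(old), len(new))
    return sum(1 for a, b in zip(old.ljust(width), new.ljust(width)) if a != b)


def is_increment_variant(old: str, new: str) -> bool:
    """True when old and new are identical once digits and case are ignored."""
    def strip(s: str) -> str:
        return "".join(c for c in s if not c.isdigit()).casefold()
    return strip(old) == strip(new)


def is_prohibited(pw: str) -> bool:
    """Check the prohibited list on letters only, so 'Password1$' is still caught."""
    letters = "".join(c for c in pw if c.isalpha()).casefold()
    return letters in PROHIBITED


def validate_change(old: str, new: str) -> list:
    """Every reason a change from old to new should be refused; [] means accept."""
    reasons = complexity_violations(new)
    if is_prohibited(new):
        reasons.append("prohibited")
    if char_difference(old, new) < MIN_DIFF:
        reasons.append("min_diff")
    if is_increment_variant(old, new):
        reasons.append("increment_pattern")
    return reasons


if __name__ == "__main__":
    # Constructed sample: the incrementing pattern passes complexity alone,
    # but fails the minimum-difference and pattern checks.
    print(complexity_violations("Simon2$"))          # []
    print(validate_change("Simon1$", "Simon2$"))     # ['min_diff', 'increment_pattern']
    print(validate_change("Simon1$", "Rain4drop!"))  # []
```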


Common Characteristics of High Performing Teams

Thursday, 19 December 2013

Posted by Alex Ayers

10 characteristics of high performing security and GRC teams.

As we come to the end of 2013 I have been thinking about some of the projects that we have been working on in this time. One area of focus for me has been working with clients to improve their governance around security and GRC. A key part of that work has been helping them define their target operating models, put in the right supporting organisational structures and get responsibilities and good decision making embedded in operations.

Much of this work is classical Organisational Design (OD) and there are numerous techniques and methods that can be used to assist with this.  

Part of OD that is often difficult to articulate is how to really make a team effective.

Teams have to exist within wider organisational structures, and what works for one organisation won't work for another. Budgetary, political (internal and external) and organisational factors provide constraints that have to be considered. Naturally our clients want to know what good looks like. Having accumulated a few hundred years of industry experience among the team has its uses. We are very fortunate to have worked with some fantastic teams, so we spent some time analysing common characteristics and behaviours that could be applied to any situation. These can be summarised as:

  1. Retain core competency. Overall accountability for security/GRC/controls should not be outsourced. Without retained competency it is not possible to make effective decisions.
  2. Work with a partner with specialist skills to augment internal capability where required.
  3. Promote a nurturing and sharing environment. Everyone has skills and everyone can improve. Third parties and contractors often don't like to share, and a good environment is one where that attitude is not acceptable.
  4. Invest in internal R&D. This is a great way to develop the skills of a team and generate innovative ideas and solutions to our challenges.
  5. Maintain strong business engagement. Our remit is to enable the business to run in a secure and controlled manner. That is why we do this job, and not being engaged with this audience means we cannot perform our job properly.
  6. Know your limits. We frequently work with clients who have spent a lot of money trying to do things internally but have not invested in training or external support. Everyone has different limits, but recognising them is important.
  7. Automate transactional activities. It is often cheaper to automate than to outsource and/or offshore. It also means that internal and third-party teams can focus on complex and/or value-added activities.
  8. Operate strong governance over third parties. Identify roles and responsibilities, embed standards, processes and procedures, and operate contractual penalties for non-compliance.
  9. Work with, not against, suppliers. There are several common objectives which benefit all parties when they are achieved. Good governance puts in the framework to support this and to manage under-delivery by supplier or customer.
  10. Last but not least, integrate with risk management and infosec functions. More often than not there is little to no engagement between SAP teams and risk management or infosec functions within an organisation. The years of SAP being a siloed application that only moves to the beat of its own drum are over.

I would love to hear any thoughts/observations/things that I have missed.  Over to you.



SAP: The Increasing Cyber Security Threat

Thursday, 24 October 2013

Posted by Richard Hunt

The cyber threat to IT systems is on the increase, and this time it is not bored teenagers that we need to worry about. In this blog I ask: is it time to refocus some of our efforts towards the external threats to our SAP systems?


I recently watched a BBC documentary called “Horizon: Defeating the Hackers”. For anyone who didn’t see it I would thoroughly recommend it. Irrespective of your involvement or interest in the IT security industry it is an interesting programme.

The programme attempts to explain to the mainstream viewer some of the most complex IT security events of the past 5 years. This included Stuxnet, widely believed to be a US cyber attack on Iranian nuclear facilities. Understanding and explaining Stuxnet is something that I have attempted myself on several occasions so I take my hat off to the BBC for pulling it off so effectively!

If you haven’t already seen it, here’s a clip (embedded video).

Whilst an interesting story in itself, the importance of Stuxnet to me is that it represents a step change in the threats that our customers’ SAP systems face from external sources, and consequently in the vulnerabilities that our clients need to manage. Stuxnet had a very clear purpose once it breached the IT security perimeter. Its objective was to cause maximum disruption to the IT systems that would hurt its target organisation most. In the case of Stuxnet this was the systems controlling centrifuges within an Iranian nuclear facility. However, with many large corporations placing an increasing reliance on their IT systems, SAP could be the more likely target for a lot of big corporate brands.

The other significance of Stuxnet is that it was a state-sponsored attack. Last month the Ministry of Defence announced that it was to create a new ‘Cyber Defence Force’. In a written statement in December last year, Cabinet Office Minister Francis Maude said 93% of large corporations and 76% of small businesses had reported a cyber breach in 2012. We are not talking about spotty teenagers looking to get a kick out of their next cyber conquest. These are highly organised teams from both the government and private sector looking to gain competitive advantage at an industry and national level.

Having allocated significant time and resources to segregation of duties and other internal controls for some years now, we are seeing a new trend in our more risk-aware customers. Those organisations who are more susceptible, or more aware of their vulnerability, to cyber attacks are increasingly asking us to refocus our efforts towards the external threats to their SAP systems. Perhaps this is something that all SAP users should be taking more seriously?


SAP GRC – Turning an Obligation into a Benefit

Thursday, 27 June 2013

Posted by Helge Glotz

Maintaining SAP security and supporting audit processes is often seen by companies as an obligation that does not generate any profit. Therefore these mandatory tasks often do not get the attention and resources required to support, streamline and integrate the necessary tasks and processes with an integrated IT solution. As a result, a lot of time, money, manpower and quality is lost in redundant effort, fragmented processes, ineffective idle time and the continuous erosion of implemented concepts.

In my opinion the GRC 10.0 Application Suite is the only integrated solution that is able to integrate and streamline all SAP security and audit related processes, reduce the operation and process cost significantly, and protect a company’s investment in its SAP security structure. Please allow me to explain how various kinds of investment in an SAP GRC system can quickly be turned into a profit: from an obligation into a benefit.


Example 1: Reducing IT administration costs. GRC 10.0 User Access Management (UAM) and Emergency Access Management (EAM) support automated user provisioning. Approved access requests for business users as well as emergency users no longer need to be posted manually into the SAP backend system. The savings potential here lies as much in the reduction of IT support cost as in the acceleration of the provisioning process and the resulting reduction of idle time. SAP access support can now be provided 24/7 without exorbitant bills from IT support staff. The integrated Identity Management (IDM) is able to support a complete starters and leavers workflow across all SAP and also non-SAP systems. For example, we recently completed an ROI estimate identifying potential savings of €100,000.00 annually for the European operation of an international consumer electronics company.

Example 2: Accelerating business processes. The GRC 10.0 UAM also accelerates processes for the business thanks to a system- and device-independent approval workflow supported by browser and mobile app technology. The workflow contains various substitute and escalation rules, ensuring that approval processes do not get stuck. The password self-service minimises idle time due to forgotten or mistyped passwords. GRC 10.0 also enables the business to perform a risk analysis before creating or approving access requests and to mitigate the risks instantly. This saves time analysing, reviewing and mitigating access risks in the long run.

Example 3: Reducing internal and external audit effort. With the GRC Access Control applications, any and all audit-relevant information is always available: instantly and up to date. Long analysis runs by external audit companies are no longer required to get a picture of the risks in the authorisation environment; the data can be retrieved immediately. Any log or required process approval documentation can be retrieved directly from the GRC system to prove compliance, without time-consuming browsing of the different applications and documents.

The GRC Process Controls application supports all audit activities directly and provides many useful functionalities around the necessary controls. All relevant controls can be centrally managed and many controls can be automated. Interactive surveys with the user community can be run and analysed, even in complex organisational structures. Automated controls for SAP and non-SAP environments can be performed continuously, and the results are always up to date. These various functionalities significantly reduce the workload and time for both internal and external audit, and the business involvement in the audit process. An analysis done by Turnkey Consulting for a European operation of an international consumer electronics company identified savings potential of €200,000.00 for audit support.

Example 4: Protecting investments in SAP security concepts. SAP security concepts often take a large part of SAP project implementation costs. Roles are developed in workshops with the business; testing and go-live support is provided by SAP security consultants. Once the developed roles are handed over to the support team, dynamic business requirements and the need for quick fixes often lead to a slow disintegration of the initial role concept, and therefore of the customer’s investment. The GRC AC Business Role Framework provides transparency over the authorisation roles, allowing the development team to ensure the continuing high quality of the company’s authorisation concept. Possible risks within roles can be identified directly during development, and the role change process is supported by an approval process; a high level of compliance can therefore be enforced without additional effort, making sure that the role concept remains clean even after years of working with SAP.

Example 5: Reducing licence fees and development costs. Many SAP access approval workflows are supported by third-party workflow systems like Lotus Notes or SharePoint. Development in these environments can be expensive, and such workflows are never fully integrated with the SAP environment. The user community has to have access to the proprietary workflow, and clients and workarounds have to be provided if a user comes from an external system. The GRC AC User Access Management workflow provides seamless integration from any possible client or mail system directly into the SAP backend systems. It simply requires an SMTP interface to an e-mail system and a web browser on the user’s front end to forward, approve and post SAP access workflows or emergency user workflows into SAP. No additional licence fees or development costs for third-party systems are required. The GRC Multi-Stage-Multi-Path workflow is easy to configure without ABAP development skills.

Example 6: Avoiding loss of money due to fraud. The main objective of the SAP Governance, Risk & Compliance Application Suite is of course to ensure security in access and processes. The rule set provided by SAP for access controls is based on recommendations from the Big Four auditing firms to avoid possible fraud or fraudulent manipulation of the SAP-supported business processes. It enforces segregation of duties or at least the assignment of mitigating controls. The transparency that SAP GRC AC provides to identify potentially fraudulent activities helps save companies large amounts of money that might otherwise be lost unnoticed.

The latest version, SAP GRC 10.1 Fraud Control, now takes compliance to a new level: fraudulent patterns within the online ERP data can be permanently monitored in real time using SAP’s latest HANA in-memory technology. If patterns are detected, business processes can be stopped immediately and the responsible people informed. This prevents fraud without restricting access rights.

GRC Process Controls supports additional controls for processes outside of SAP, from audit-driven controls to physical controls and production and quality controls. The continuous awareness and transparency help companies safeguard against various kinds of financial damage.

Example 7: Avoiding capital loss through Risk Management. Companies often have only vague ideas about what the business, operational and security risks are that they need to tackle and which controls they need to put in place. The highly integrated approach of the SAP GRC application suite allows all possible risks and controls to be evaluated and classified. This includes the access and process risks maintained in the GRC AC and PC applications as central master data, as well as additional risks identified and categorised. The results of the different risk analyses can be provided to management as heat maps and other graphical charts. They provide visibility and transparency of the company’s situation, often assisting management in making the right decisions to keep the company from large capital losses.

Summary: Investing in the implementation of an SAP GRC system quickly turns, for various reasons, into a profitable return on investment. Its high level of integration across all GRC applications, and also into SAP and many non-SAP systems, helps accelerate processes, reduce IT and audit costs and protect the company from many financial risks. On the other hand, the costs of an implementation are moderate and easy to assess by using the available Rapid Deployment Solutions and experienced consultants from specialised companies like Turnkey Consulting. SAP GRC comes with many pre-configured features and easy-to-use workflows. In addition, the central master data concept helps avoid redundant effort.
