Turnkey's team of expert consultants share their wealth of knowledge and in-depth insight into SAP security and controls in a series of blog posts.
Thursday, 24 October 2013
Posted by Richard Hunt
The cyber threat to IT systems is on the increase, and this time it is not bored teenagers that we need to worry about. In this blog I ask: is it time to refocus some of our efforts towards the external threats to our SAP systems?
I recently watched a BBC documentary called “Horizon: Defeating the Hackers”. For anyone who didn’t see it I would thoroughly recommend it. Irrespective of your involvement or interest in the IT security industry it is an interesting programme.
The programme attempts to explain to the mainstream viewer some of the most complex IT security events of the past 5 years. This included Stuxnet, widely believed to be a US cyber attack on Iranian nuclear facilities. Understanding and explaining Stuxnet is something that I have attempted myself on several occasions so I take my hat off to the BBC for pulling it off so effectively!
If you haven’t already seen it here’s a clip - http://www.youtube.com/watch?v=-Vghre24Ur4
Whilst an interesting story in itself, the importance of Stuxnet to me is that it represents a step change in the threats that our customers' SAP systems face from external sources, and consequently in the vulnerabilities that our clients need to manage. Stuxnet had a very clear purpose once it breached the IT security perimeter: its objective was to cause maximum disruption to the systems that would hurt its target organisation most. In the case of Stuxnet this was the systems controlling centrifuges within an Iranian nuclear facility. However, with many large corporations placing increasing reliance on their IT systems, SAP could be the more likely target for a lot of big corporate brands.
The other significance of Stuxnet is that it was a state sponsored attack. Last month the Ministry of Defence announced that it was to create a new ‘Cyber Defence Force’ - http://www.bbc.co.uk/news/uk-24321717. In a written statement in December last year, Cabinet Office Minister Francis Maude said 93% of large corporations and 76% of small businesses had reported a cyber breach in 2012. We are not talking about spotty teenagers looking to get a kick out of their next cyber conquest. These are highly organised teams from both the government and private sector looking to gain competitive advantage at an industry and national level.
Having allocated significant time and resources to segregation of duties and other internal controls for some years now, we are seeing a new trend among our more risk-aware customers. Those organisations that are more susceptible to, or more aware of their vulnerability to, cyber attacks are increasingly asking us to refocus our efforts towards the external threats to their SAP systems. Perhaps this is something that all SAP users should be taking more seriously?
Thursday, 27 June 2013
Posted by Helge Glotz
Maintaining SAP security and supporting audit processes is seen by many companies as an obligation that does not generate any profit. As a result these mandatory tasks often do not get the attention and resources required to support, streamline and integrate them in a single IT solution, and a lot of time, money, manpower and quality is lost in redundant effort, disconnected processes, unproductive idle time and the continuous erosion of implemented concepts.
In my opinion the GRC 10.0 Application Suite is the only integrated solution that is able to integrate and streamline all SAP security and audit-related processes, reduce operating and process costs significantly, and protect a company's investment in its SAP security structure. Please allow me to explain how the various ways of investing in an SAP GRC system can quickly be turned into a profit, from an obligation into a benefit.
Example 1: Reducing IT administration costs. GRC 10.0 User Access Management (UAM) and Emergency Access Management (EAM) support automated user provisioning. Approved access requests for business users as well as emergency users no longer need to be posted manually into the SAP backend system. The saving potential lies as much in the reduction of IT support cost as in the acceleration of the provisioning process and the resulting reduction of idle time. SAP access support can now be provided 24/7 without exorbitant bills from IT support staff. The integrated Identity Management (IDM) is able to support a complete starters and leavers workflow across all SAP and non-SAP systems. For example, we recently completed an ROI estimate identifying potential savings of €100,000 annually for the European operation of an international consumer electronics company.
Example 2: Accelerating business processes. GRC 10.0 UAM also accelerates processes for the business through a system- and device-independent approval workflow supported by browser and mobile app technology. The workflow contains substitute and escalation rules, ensuring that approvals do not get stuck. Password self-service minimises idle time due to forgotten or mistyped passwords. GRC 10.0 also enables the business to perform a risk analysis before creating or approving access requests and to mitigate the identified risks immediately. In the long run this saves time analysing, reviewing and mitigating access risks.
Example 3: Reducing internal and external audit effort. With the GRC Access Control applications, all audit-relevant information is always available, instantly and up to date. Long analysis runs by external audit firms are no longer needed to get a picture of the risks in the authorisation environment; the data can be retrieved immediately. Any log or required process approval documentation can be retrieved directly from the GRC system to prove compliance, without time-consuming browsing of different applications and documents.
The GRC Process Control application supports all audit activities directly and provides many useful functions around the necessary controls. All relevant controls can be centrally managed and many controls can be automated. Interactive surveys of the user community can be run and analysed, even in complex organisational structures. Automated controls for SAP and non-SAP environments can be performed continuously, so the results are always up to date. These functions significantly reduce the workload and time for internal as well as external audit, and the business's involvement in the audit process. An analysis done by Turnkey Consulting for the European operation of an international consumer electronics company identified a saving potential of €200,000 for audit support.
Example 4: Protecting investment in SAP security concepts. SAP security concepts often account for a large part of SAP implementation project costs. Roles are developed in workshops with the business; testing and go-live support are provided by SAP security consultants. Once the developed roles are handed over to the support team, changing business requirements and the need for quick fixes often lead to a slow disintegration of the initial role concept, and therefore of the customer's investment. The GRC AC Business Role Framework provides the transparency over authorisation roles that allows the development team to maintain the quality of the company's authorisation concept. Potential risks within roles can be identified directly during development, and the role change process is supported by an approval workflow, so a high level of compliance can be enforced without additional effort, making sure that the role concept remains clean even after years of working with SAP.
Example 5: Reducing licence fees and development costs. Many SAP access approval workflows are supported by third-party workflow systems such as Lotus Notes or SharePoint. Development in these environments can be expensive, and they are never fully integrated with the SAP environment. The user community has to have access to the proprietary workflow tool, and clients and workarounds have to be provided for users coming from external systems. The GRC AC User Access Management workflow provides seamless integration from any client or mail system directly into the SAP backend systems. It requires only an SMTP interface to an e-mail system and a web browser on the user's front end to forward, approve and post SAP access or emergency user requests into SAP. No additional licence fees or development costs for third-party systems are required. The GRC Multi-Stage Multi-Path (MSMP) workflow is easy to configure without ABAP development skills.
Example 6: Avoiding loss of money due to fraud. The main objective of the SAP Governance, Risk & Compliance application suite is of course to ensure security in access and processes. The rule set SAP delivers for Access Control is based on recommendations from the Big Four audit firms to prevent fraud or fraudulent manipulation of SAP-supported business processes. It enforces segregation of duties or, where a conflict cannot be removed, at least the assignment of mitigating controls; the delivered rule set is a starting point and should be reviewed against the organisation's own processes and custom transactions. The transparency that SAP GRC AC provides in identifying access that could enable fraud helps save companies large amounts of money that might otherwise be lost unnoticed.
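To make the segregation-of-duties mechanism concrete, here is a worked example added to this post; it is not SAP GRC code and not the delivered rule set. It follows the Access Control model of a risk defined as a set of conflicting functions, each function a group of transaction codes: a risk fires when a user can execute at least one action in every conflicting function. The functions, risks, roles, users and the mitigating control MC-AP-01 are constructed sample data; the transaction codes are standard SAP codes but the groupings are illustrative. It also shows the pre-approval simulation from Example 2, i.e. the risks an access request would introduce before it is approved.

```python
"""Segregation-of-duties (SoD) risk analysis in the style of the GRC Access
Control model (risk -> conflicting functions -> actions/transaction codes).

Constructed example: the functions, risks, roles, users and mitigating
controls below are illustrative sample data, not SAP's delivered rule set.
"""

# Functions group transaction codes that achieve one business purpose.
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02", "FK01", "FK02"},   # create/change vendor master
    "AP_INVOICE":   {"FB60", "MIRO"},                   # post vendor invoices
    "PAYMENT":      {"F110", "F-53"},                   # run/post outgoing payments
}

# A risk fires when a user can execute at least one action in EACH of its
# conflicting functions. Sample risk IDs and descriptions.
RISKS = {
    "P001": ("Maintain vendor master and post vendor invoices", ("VENDOR_MAINT", "AP_INVOICE")),
    "P002": ("Post vendor invoices and run payments",           ("AP_INVOICE", "PAYMENT")),
}

# Roles -> transaction codes, users -> roles. Constructed.
ROLES = {
    "Z_AP_CLERK":     {"FB60", "MIRO", "FBL1N"},
    "Z_VENDOR_ADMIN": {"XK01", "XK02"},
    "Z_TREASURY":     {"F110", "F-53"},
    "Z_DISPLAY":      {"FBL1N", "XK03"},   # display-only, conflicts with nothing
}
USERS = {
    "ALICE": {"Z_AP_CLERK", "Z_VENDOR_ADMIN"},
    "BOB":   {"Z_AP_CLERK"},
    "CAROL": {"Z_TREASURY", "Z_DISPLAY"},
}

# Mitigating controls assigned to a (user, risk) pair whose conflict cannot
# be removed. Sample control, not a real control catalogue entry.
MITIGATIONS = {
    ("ALICE", "P001"): "MC-AP-01 monthly review of vendor master changes against invoices",
}


def user_actions(user, extra_roles=()):
    """All transaction codes a user can execute via assigned roles, plus any
    roles being requested (used for pre-approval simulation)."""
    actions = set()
    for role in USERS.get(user, set()) | set(extra_roles):
        actions |= ROLES.get(role, set())
    return actions


def analyze(user, extra_roles=()):
    """Return {risk_id: {function: matching tcodes}} for every risk whose
    conflicting functions are all reachable by the user."""
    actions = user_actions(user, extra_roles)
    hits = {}
    for risk_id, (_description, functions) in RISKS.items():
        matched = {f: actions & FUNCTIONS[f] for f in functions}
        if all(matched.values()):          # every function has >= 1 matching tcode
            hits[risk_id] = matched
    return hits


def violations(user):
    """Risks for a user, labelled 'mitigated' when a control is assigned and
    'open' otherwise. Open risks are what an auditor will report."""
    return {
        risk_id: "mitigated" if (user, risk_id) in MITIGATIONS else "open"
        for risk_id in analyze(user)
    }


def simulate_request(user, requested_roles):
    """Risk analysis before approval: the risks an access request would
    introduce, i.e. present with the new roles but absent today."""
    before = set(analyze(user))
    after = set(analyze(user, requested_roles))
    return sorted(after - before)


def report():
    """Per-user violation summary, the data behind a risk dashboard."""
    return {user: violations(user) for user in USERS}


if __name__ == "__main__":
    for user, risks in report().items():
        print(f"{user}: {risks or 'no SoD risks'}")
    print("BOB + Z_TREASURY would introduce:", simulate_request("BOB", ["Z_TREASURY"]))
```

Running it shows ALICE with risk P001 (mitigated by MC-AP-01), BOB and CAROL clean, and that granting BOB the treasury role would introduce P002, which is exactly the point at which an approver should either reject the request or assign a mitigating control.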
The latest version, SAP GRC 10.1 with Fraud Management, now takes compliance to a new level: fraudulent patterns in live ERP data can be monitored continuously in real time using SAP's HANA in-memory technology. If a pattern is detected, the business process can be stopped immediately and the responsible people informed. This prevents fraud without restricting access rights.
GRC Process Control supports additional controls for processes outside SAP, from audit-driven controls to physical controls and production and quality controls. The continuous awareness and transparency help companies safeguard against various kinds of financial damage.
Example 7: Avoiding capital loss through Risk Management. Companies often have only vague ideas about which business, operational and security risks they need to tackle and which controls they need to put in place. The highly integrated approach of the SAP GRC application suite allows all identified risks and controls to be evaluated and classified. This includes the access and process risks maintained as central master data in the GRC AC and PC applications, as well as additional risks identified and categorised elsewhere. The results of the different risk analyses can be presented to management as heat maps and other graphical charts. They provide visibility and transparency of the company's situation, often assisting management in making the right decisions to keep the company from large capital losses.
Summary: Investing in the implementation of an SAP GRC system quickly turns, for the various reasons above, into a profitable return on investment. Its tight integration across all GRC applications, and into SAP and many non-SAP systems, helps accelerate processes, reduce IT and audit costs and protect the company from many financial risks. On the other side of the ledger, the costs of an implementation are moderate and can be estimated reliably by using the available Rapid Deployment Solutions and experienced consultants from specialised companies such as Turnkey Consulting. SAP GRC comes with many pre-configured features and easy-to-use workflows. In addition, the central master data concept helps avoid redundant effort.
Tuesday, 21 May 2013
Posted by Richard Hunt
Apart from the introduction of our new US team the most exciting announcement at SAP GRC 2013 in Las Vegas this year was the launch of the new Fraud Management module!
Fraud Management is an exciting new addition to the SAP GRC family and adds a number of capabilities to the existing SAP GRC solution set. In this blog we explore some of these features and also discuss some of the possibilities that SAP GRC Fraud Management might open up for the future.
A HANA Backbone
The first thing to note about Fraud Management is that it is based on SAP HANA technology. We have been asked several times by customers whether Fraud Management is available without HANA. The answer, unfortunately, is no: HANA is a prerequisite. That is not necessarily bad news though, as the next release of SAP GRC, 10.1 (scheduled to enter ramp-up in June), will also be optionally available on HANA.
With HANA as the backend engine, Fraud Management is able to offer real-time transaction monitoring capabilities that were either difficult or in some cases impossible with SAP GRC Process Control. The Fraud Management analytical engine also enables more effective management of alerts, suspected fraud cases, and so on.
How it Works
Fraud Management is essentially an application, or use case, of SAP HANA. Data relevant for fraud analysis (from SAP or non-SAP sources) is extracted into the HANA database. This data is then interrogated using pre-defined fraud patterns and detection rules. The output is used to monitor and report on the likelihood of fraudulent activity through KPIs and KRIs (key performance and key risk indicators) and to trigger responses and/or alerts where appropriate.
Alerts can take the form of an RFC call to the backend ECC system, for example triggering a workflow or calling a BAPI to block a suspicious business transaction in real-time.
An example might be the analysis of vendor payment transactions that fall within a certain tolerance percentage of purchasing approval limits, a classic indicator of payments being split to stay under an approval threshold. For instance, if multiple payments of £19,950 were found to the same vendor, authorised by an approver with an approval limit of £20,000, these payments might be blocked pending further investigation.
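The near-limit payment pattern just described, worked through as an example added here; it is not code from SAP Fraud Management or from the original post. Because the post notes that detection rules are written as SQL queries, the rule is expressed as SQL, but it runs against a constructed in-memory SQLite extract rather than HANA. The table layout, the approver-limit table, the 5% tolerance, the two-hit threshold, the sample payments and the block_payments() stand-in for the RFC/BAPI blocking call are all assumptions. The same block also illustrates the real-time fraud monitoring mentioned in Example 6 of the June post above.

```python
"""Near-limit payment detection rule, in the shape of a Fraud Management
detection rule: a SQL query over extracted payment data, whose hits drive a
KRI and a blocking response.

Constructed example: runs on an in-memory SQLite table rather than HANA, the
table layout and sample rows are invented, and block_payments() stands in for
the RFC/BAPI call that would block the document in the backend system.
"""
import sqlite3

TOLERANCE = 0.05   # flag amounts within 5% below the approver's limit (assumption)
MIN_HITS = 2       # alert when the same vendor/approver pair recurs (assumption)

# Constructed sample data: approver limits and payments (GBP).
APPROVER_LIMITS = [("JSMITH", 20000.00), ("AJONES", 50000.00)]
PAYMENTS = [
    # payment_id, vendor_id, approver, amount, posting_date
    (1001, "V-4711", "JSMITH", 19950.00, "2013-05-02"),
    (1002, "V-4711", "JSMITH", 19900.00, "2013-05-09"),
    (1003, "V-4711", "JSMITH", 19975.00, "2013-05-16"),
    (1004, "V-0815", "JSMITH",  5000.00, "2013-05-03"),  # nowhere near the limit
    (1005, "V-4711", "AJONES", 19950.00, "2013-05-04"),  # AJONES' limit is 50,000
    (1006, "V-9999", "JSMITH", 19990.00, "2013-05-05"),  # near limit, but a single hit
]

# The detection rule. SQLite dialect: on HANA GROUP_CONCAT would be STRING_AGG,
# the rest is standard SQL. Only still-posted payments are candidates.
DETECTION_RULE = """
SELECT p.vendor_id, p.approver, COUNT(*) AS hits,
       GROUP_CONCAT(p.payment_id) AS payment_ids
FROM payments p
JOIN approver_limits l ON l.approver = p.approver
WHERE p.amount >= l.approval_limit * (1 - :tolerance)
  AND p.amount <  l.approval_limit
  AND p.status = 'POSTED'
GROUP BY p.vendor_id, p.approver
HAVING COUNT(*) >= :min_hits
"""

# KRI: share of each approver's payments that sit just under their own limit.
NEAR_LIMIT_KRI = """
SELECT p.approver,
       SUM(CASE WHEN p.amount >= l.approval_limit * (1 - :tolerance)
                 AND p.amount <  l.approval_limit THEN 1 ELSE 0 END) * 1.0
       / COUNT(*) AS near_limit_ratio
FROM payments p
JOIN approver_limits l ON l.approver = p.approver
GROUP BY p.approver
"""


def load_sample_db():
    """Build the in-memory extract that stands in for the HANA tables."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE approver_limits (approver TEXT PRIMARY KEY, approval_limit REAL);
        CREATE TABLE payments (
            payment_id INTEGER PRIMARY KEY, vendor_id TEXT, approver TEXT,
            amount REAL, posting_date TEXT, status TEXT DEFAULT 'POSTED');
    """)
    conn.executemany("INSERT INTO approver_limits VALUES (?, ?)", APPROVER_LIMITS)
    conn.executemany("INSERT INTO payments (payment_id, vendor_id, approver, amount, "
                     "posting_date) VALUES (?, ?, ?, ?, ?)", PAYMENTS)
    return conn


def run_rule(conn, tolerance=TOLERANCE, min_hits=MIN_HITS):
    """Execute the detection rule; one alert per vendor/approver pair."""
    rows = conn.execute(DETECTION_RULE, {"tolerance": tolerance, "min_hits": min_hits})
    return [{"vendor_id": r["vendor_id"], "approver": r["approver"], "hits": r["hits"],
             "payment_ids": sorted(int(x) for x in r["payment_ids"].split(","))}
            for r in rows]


def near_limit_kri(conn, tolerance=TOLERANCE):
    """KRI per approver; a high ratio is itself worth a closer look."""
    return {r["approver"]: r["near_limit_ratio"]
            for r in conn.execute(NEAR_LIMIT_KRI, {"tolerance": tolerance})}


def block_payments(conn, payment_ids):
    """Response action: stand-in for the RFC/BAPI call into the backend.
    Here it marks the rows BLOCKED and returns the number of rows changed."""
    if not payment_ids:
        return 0
    marks = ",".join("?" * len(payment_ids))
    cur = conn.execute(f"UPDATE payments SET status = 'BLOCKED' "
                       f"WHERE payment_id IN ({marks})", list(payment_ids))
    conn.commit()
    return cur.rowcount


def detect_and_respond(conn):
    """One monitoring cycle: run the rule, block every hit, return the alerts."""
    alerts = run_rule(conn)
    for alert in alerts:
        alert["blocked"] = block_payments(conn, alert["payment_ids"])
    return alerts


if __name__ == "__main__":
    db = load_sample_db()
    print("KRI:", near_limit_kri(db))
    for a in detect_and_respond(db):
        print(f"ALERT {a['vendor_id']}/{a['approver']}: {a['hits']} near-limit payments "
              f"{a['payment_ids']} blocked={a['blocked']}")
```

On the sample data the rule raises a single alert (vendor V-4711, approver JSMITH, three payments) and leaves the one-off near-limit payment to V-9999 alone; the KRI nevertheless shows 80% of JSMITH's payments sitting just under the limit, which is the kind of indicator worth surfacing on a dashboard even when no single rule fires. Because the rule only considers posted payments, a second run after blocking returns nothing, so the cycle is safe to repeat.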
What Does the Future Hold?
Fraud Management can already be combined with SAP Predictive Analytics to perform more advanced pattern analysis of fraud-relevant data and to explore more complex modelling scenarios. In addition to further enhancements of these capabilities, we would hope to see standard BAPIs made available to enable pre-configured responses to fraud incidents. Another key functionality gap that we would expect to be closed in the next release is configuration wizards for the fraud detection rules; currently these are defined manually as SQL queries.
From a customer perspective I think that applications of Fraud Management could extend well beyond fraud analysis, leveraging the capabilities of the tool for continuous transaction monitoring scenarios. For example the capabilities of the tool might be used to optimise working capital by highlighting and postponing vendor payments that were made prior to payment terms.
Our initial assessment of the Fraud Management module is that the key to getting benefit from it is a strong understanding of the indicators of fraud in your environment. This will be a combination of three things:
- An understanding of the key risk factors specific to your organisation
- A knowledge of any past incidents or fraud exposures.
- Content from your implementation partner.
To this aim we have been working with a well-known forensic accounting specialist, to develop content for our Fraud Management offering. We’ve also been exploring the technology in our own demo environment and are evaluating Fraud Management with several customers.
Real-time transaction analysis is a very welcome addition to the functionality available from SAP GRC solutions and significantly enhances the possibilities for continuous transaction monitoring as well as the obvious fraud management applications. Personally I am looking forward to exploring these possibilities further with our customers.
Friday, 8 March 2013
Posted by Ed Davis
Last week we discussed lack of visibility of access risks for management and the issues this creates. In this blog, I discuss the fifth and final issue of time and cost of audit, when no automated tools are in place.
Excessive time and cost of audit
Even before the audit itself, preparing for it is time-consuming and costly.
Some external auditors will bring their own SoD tools to perform an audit. They will generally charge the client for the use of the tool and the time to set it up. For example, one of our FMCG clients had received a number of negative access audits and was being charged an additional substantive audit fee because the auditors could not place reliance on the access controls in the system.
They recently decided to implement GRC AC to address the issue and, during preparation of the business case, found that the saving on the substantive audit fee would offset the one-off cost of the software purchase.
Our clients who use AC find their auditors are willing to place reliance on the tool and the results. Customers have consequently been able to negotiate reduced audit fees of up to 30%.
Rapid Deployment Solution for AC
Turnkey Consulting Australia are the first in the country to offer a Rapid Deployment Solution (RDS) for GRC Access Control.
You can be up and running with Access Risk Analysis and Emergency User Access in as little as 6 weeks for a fixed fee.
For more details please contact Ed Davis or see our page on the SAP EcoHub.
Monday, 25 February 2013
Posted by Ed Davis
Last time we looked at issues around managing access risk in a reactive and fragmented way. This week I discuss the fourth major concern around managing access risk which is lack of management visibility.
Lack of visibility for management
We all know that senior management hate surprises, even more so when they are delivered by an external party! It leaves them wondering what else is out there that they don't know about!
By implementing a tool like Access Control, organisations demonstrate that they are being proactive and keeping on the front foot in managing system risk. This will always be looked upon favourably by auditors and other stakeholders in the company.
Some of our clients regularly report the status of access risks to senior management using the dashboard we saw earlier. This gives executives a level of comfort, knowing that this is one less thing they need to worry about.
We find that customers love the drill down capabilities of the AC dashboard. They have the ability to see which business processes or users have the most issues, so that they can prioritise their remediation. They are able to clearly see and track the progress being made as risks are reduced over time.