Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
21 January 2016

Least Privilege: Stand Up For Your Principles!

One of the most ubiquitous terms in information security, the principle of least privilege is used in SAP just as much as it is applied across other IT systems.It-business-and-social-functionality-min (1)

This principle is widely considered appropriate in SAP systems as it aligns well with the way in which we allocate authorisations to the roles and users. Because SAP authorisations are additive, we start with a blank slate and add the transactions and authorisations to the role, building up a profile which should only contain what’s needed to complete the task or job the role is built for. We cannot add something to the role which restricts what a user can do (for the most part).

In theory, that sounds like the best case security principle to operate from. However, that principle often gets diluted over time. We usually come across this situation in implementations which have grown organically, with access creep and continuous change in environments chipping away at the principled design, until an amalgamation of authorisation is granted which no longer conforms to these principles.

This kind of organic departure from principle can be especially prevalent where security is handled by implementation partners or internal organisations which do not “think security”, like those which are part of a BASIS function, or with a focus on incident resolution, often without the luxury of time or, occasionally the interest in seeking design signoff or approval.

The problem, of course, is one of cost and time – building with least privilege requires designs to be robust, the testing and re-testing of authorisations and can increase time to delivery, or time to resolve incidents. This, understandably, can lead organisations to look for other ways to achieve compliant systems and user accesses.

The most highly regarded security design from a business perspective is one which is invisible to them. Users should have sufficient access to get their job done without impingement. Authorisation failures cause business pain points as they immediately stop the business user from completing the tasks at hand. When you add in the time lost from productive operations, the time taken to log, investigate, resolve and implement the fix, it can be costly to operate at a truly least privilege state. Additionally, any business process innovation or amendment may be constrained by the authorisation restriction thus stifling business dynamism and agility.

To support that desirable situation, some organisations have abandoned the least privilege principle in favour of having a risk based approach which permits potentially wider than required, authorisation profiles to be used, as long as they do not contravene pre-defined risk levels. This can be easier to deal with operationally as users are only restricted from compliance relevant risks but the design can be reactive to fast moving business innovation. It often aligns more easily with a job-based role profile, thus making the design more easily translated into language that a business user or approver may understand.

This approach does require careful management as the risk profile of the organisation may not be static. Access granted may not constitute a risk at the time, according to risk reporting but may, in future, cause additional conflicts which can take time to understand and resolve – unravelling authorisations which have grown in this way is often a more complex and costly exercise than investing the time in a proper design and implementation upfront.

In conclusion, the principle of least privilege is still a worthy aim for many IT systems, but improved risk reporting, monitoring and automation of controls are enabling organisations to approach their security design in a way that can take an approach with slightly wider privileges and place control around that. It is important to understand what your security design is there to do - is it designed to allow compliance to be easily understood by auditors and regulators or is it there to support your business operations in a controlled yet flexible manner?

The concept of least privilege will be a permanent fixture in discussions relating to security - it is still relevant, especially when managing implementation partners and lower-skilled security teams. The alignment with design and build activities plus the supportability and future-proofing of the system justifies the investment in applying these principles to your SAP estate early in development.