
SAP Access Management: Automating and Centralizing the Identity Lifecycle

By David Vincent • September 2, 2021

If you do an internet search for the most common cause of data breaches, you’re going to get a variety of answers: ransomware, phishing attacks, stolen credentials, insider activity, etc. While these types of cyberattacks lead to data breaches, there is one simple truth ERP customers can never overlook: data breaches are caused by unauthorized access. Of course, not all unauthorized access is malicious. It can also be accidental due to poor access management (also called identity lifecycle management). 

The best practice is clearly to apply the principle of least privilege: grant only the access to applications, transactions, and data that a person needs to do their job. While data security and privacy are the primary goals of access management, the overall identity lifecycle process should also be automated, centralized, and able to give IT teams and business units audit-ready information. That information is what lets them provide reasonable assurance that their SAP access management process is compliant and operating effectively.

Poor Access Management Exposes SAP Data to Risk

The process of SAP access management shouldn’t exist in a vacuum or a silo. Unfortunately, many organizations struggle with manual and decentralized identity lifecycle management. This leads to a variety of situations where unauthorized access leaves valuable ERP data exposed to risk:

  • Unused new accounts with default passwords
  • Employees collect new authorizations as they move around the business without removing unnecessary ones
  • New employee authorizations causing SoD issues and sensitive access issues
  • Employees leaving the company while their user IDs remain valid
  • And many more
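The checks behind that list can be scripted against an export of the SAP user master and the HR roster. The following is an added example, not part of the original post and not code from any Appsian product: it assumes the constructed roster, user records and department-to-role mapping shown in the code, and reports orphaned accounts, leavers whose IDs are still valid, dormant accounts that still carry their initial password, and roles that do not belong to the user's current department.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed sample data for this example. The shape mirrors what an export
# of SAP user master records (USR02 / AGR_USERS) and an HR roster would give
# you, but every value below is invented.

@dataclass
class HrRecord:
    user_id: str
    status: str                          # "active" or "terminated"
    department: str
    termination_date: Optional[date] = None

@dataclass
class SapUser:
    user_id: str
    created_on: date
    last_logon: Optional[date]           # None = never logged on
    initial_password: bool               # password never changed since creation
    roles: Set[str] = field(default_factory=set)

@dataclass
class Finding:
    user_id: str
    code: str                            # ORPHAN, LEAVER, UNUSED_DEFAULT_PW, EXCESS_ROLES
    detail: str

HR_ROSTER: Dict[str, HrRecord] = {
    "ALICE": HrRecord("ALICE", "active", "AP"),
    "BOB":   HrRecord("BOB", "active", "HR"),
    "CAROL": HrRecord("CAROL", "terminated", "AP", date(2021, 7, 31)),
    "EVE":   HrRecord("EVE", "active", "AP"),
    # DAVE has an SAP account but no HR record at all
}

SAP_USERS: List[SapUser] = [
    SapUser("ALICE", date(2020, 1, 10), date(2021, 8, 30), False, {"Z_AP_CLERK", "Z_HR_ADMIN"}),
    SapUser("BOB",   date(2021, 7, 15), None,              True,  {"Z_HR_ADMIN"}),
    SapUser("CAROL", date(2019, 3, 1),  date(2021, 8, 20), False, {"Z_AP_CLERK"}),
    SapUser("DAVE",  date(2021, 5, 2),  date(2021, 8, 29), False, {"Z_AP_CLERK"}),
    SapUser("EVE",   date(2021, 8, 25), None,              True,  {"Z_AP_CLERK"}),
]

# Roles each department is expected to hold (assumed role model). Anything
# outside this set is a candidate for removal, e.g. authorizations kept after
# an internal move.
DEPARTMENT_ROLES: Dict[str, Set[str]] = {
    "AP": {"Z_AP_CLERK"},
    "HR": {"Z_HR_ADMIN"},
}

def reconcile(hr: Dict[str, HrRecord], sap_users: List[SapUser],
              today: date, dormant_days: int = 30) -> List[Finding]:
    """Compare SAP user records against the HR roster and report the lifecycle
    gaps listed above: orphans, leavers, unused accounts that still carry their
    initial password, and excess roles left over after a move."""
    findings: List[Finding] = []
    for u in sorted(sap_users, key=lambda s: s.user_id):
        rec = hr.get(u.user_id)
        if rec is None:
            findings.append(Finding(u.user_id, "ORPHAN", "no HR record for this user ID"))
            continue
        if rec.status == "terminated":
            findings.append(Finding(u.user_id, "LEAVER",
                                    f"terminated {rec.termination_date}, user ID still valid"))
            continue
        age = (today - u.created_on).days
        if u.last_logon is None and u.initial_password and age >= dormant_days:
            findings.append(Finding(u.user_id, "UNUSED_DEFAULT_PW",
                                    f"created {age} days ago, never logged on, initial password unchanged"))
        extra = u.roles - DEPARTMENT_ROLES.get(rec.department, set())
        if extra:
            findings.append(Finding(u.user_id, "EXCESS_ROLES",
                                    f"roles outside {rec.department}: {sorted(extra)}"))
    return findings

def codes_by_user(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group finding codes per user, handy for a recertification worklist."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        out.setdefault(f.user_id, set()).add(f.code)
    return out

if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, SAP_USERS, date(2021, 9, 1)):
        print(f"{f.user_id:6} {f.code:18} {f.detail}")
```

Run as of 2021-09-01 the script flags ALICE for the HR role she kept after moving to AP, BOB for an account that was never used in 48 days and still has its initial password, CAROL as a leaver with a valid ID, and DAVE as an account with no HR record; EVE's week-old account is below the dormancy threshold and is not reported.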

The identity lifecycle requires a process for controlling user access to critical information within an organization. The IT Infrastructure Library (ITIL) has a framework of best practices for access management: Requesting access, verification, providing rights, monitoring identity status, logging and tracking access, and removing or restricting access rights. But one department isn’t more responsible for the access management process than another, as outlined in this diagram:

Figure: ITIL Access Management Process

While business leaders are the first line of defense and are responsible for owning and managing their risks, business unit leaders and IT departments share responsibility for assigning and monitoring user privileges in ERP systems. Unfortunately, existing access management processes are manual, siloed, and error-prone. For instance, HR might request access by emailing IT or by creating a request in a self-service portal. IT might use the provisioning tool that ships with the ERP system. But this approach is still mostly manual and operates in silos, so each unit has to rely on the others for status updates.

This less-than-optimal approach leaves organizations exposed to security and compliance issues. Increasingly, organizations are under regulatory pressure to prove they are protecting access to corporate resources. As a result, organizations can no longer rely on manual and error-prone processes to assign and track user privileges.

Audit-Ready Access Management

A poorly managed identity lifecycle process not only leads to security gaps but also visibility and compliance gaps.

As you can see from this illustration, all departments involved with access management will be audited to prove that their internal processes’ operating effectiveness sufficiently manages access risks, data security risks, and data privacy risks.

Figure: Audited SAP Access Management Processes

What’s missing for many organizations is an access management solution that centralizes and automates these tasks and enables granular access control and auditing of this process.

Automating and Centralizing Access Management with the Appsian Security Platform

Taking control of SAP access management from the start is key to enforcing data security, maintaining internal and external compliance, and adhering to various regulations. With ProfileTailor GRC from Appsian Security, you can easily organize, understand, and control the identity lifecycle process across your ERP landscape. Enabled by artificial intelligence, machine learning, and predictive analytics, it continuously identifies potential risks and provides optimized suggestions to streamline access management, including:

  • Recommending the best alternatives when activities need to be removed from a user.
  • Recommending the optimal segregation of roles to sub-roles according to business needs and actual usage. It automatically locks and removes the old authorization role from users who had it before the split.
  • Solving SoD violations by replacing a user’s current roles without losing access to the activities actually needed.
  • Choosing the optimal authorization role to grant users that enables them to perform additional activities without violating SoD policies.

Contact the SAP experts at Appsian Security for a demonstration on how you can prevent unauthorized user access at the transaction and master data level.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

3 Critical SAP Risks to Prioritize In A Dynamic Business Environment

By David Vincent • August 31, 2021

SAP applications are the backbone of business operations across the world. They improve efficiency and help your business grow. But are they equipped to protect your business and data? The risk landscape is constantly evolving, with users working remotely and using personal devices to access enterprise SAP applications.

Since SAP is a critical business application through which thousands of employees across multiple locations access sensitive data and execute high-value transactions, an effective SAP risk management capability should be an essential element of your security and compliance strategy. Here are the three critical SAP risks you need to prioritize; left unmitigated, each can lead to a material weakness finding in your external audit:

Transaction Risks

Significant risks can arise at the business transaction level if effective controls are not enabled within your SAP applications to prevent or detect them. There are multiple scenarios where a lack of transaction-level controls increases risk.

  • Duplicate payments may occur if SAP is not configured to check the reference data that identifies an individual invoice or payment, so a duplicate can be created and approved.
  • Excessive payment amounts can occur when the amount entered exceeds the amount actually owed and no independent review is required to verify the accuracy and completeness of the input before the payment is finalized.
  • Fraudulent payments can occur when segregation of duties issues exist, enabling one user to create and approve a fake vendor and then create and approve payments to that vendor.

Without the necessary controls, these transactions could lead to misuse of finances, compliance failures, and fraudulent activities. Such risks can be mitigated by implementing security solutions that allow you to define fine-grained rules and policies that can act as checkpoints for even authorized users. Furthermore, consider implementing layers of security and controls to enhance your ability to detect, prevent, and respond to anomalies and threats at the segregation of duty, transaction, and master data level. 

Data Integrity Risks

Data integrity is the assurance of data accuracy and consistency over its entire life-cycle. Data integrity risk is when data stored and processed by IT systems are incomplete, inaccurate, or inconsistent across different IT systems. It is a result of weak or absent IT controls that can verify the accuracy and completeness of data inputs and appropriately restrict access to view, change, or extract the data.

For example, an unauthorized change to financial data stored in SAP can undermine the accuracy and completeness of the organization’s financial reports, and an external audit can classify the underlying control failure as a material weakness. A material weakness is the most severe level of control deficiency; the organization must publicly report it in the period in which it is identified, and it can damage the confidence of current and potential investors.

Managing data integrity requires controls that minimize exposure of sensitive data through dynamic data masking, together with logging of user activity so that any change to data can be monitored and tracked.

Security Risks

Security risk includes the risk that access to your SAP applications is not appropriately restricted. Native SAP security is a static, role-based control: once a user holds a role, the authorizations aligned with it apply regardless of where, when, or how the user connects. Yet the evolving business landscape has users accessing systems from their homes, personal devices, and public Wi-Fi, which significantly increases security risk.

Access has become dynamic, and trust can no longer be implicit, making context-aware access control a necessity for the modern enterprise. For example, access from a foreign country, access to sensitive data beyond business hours, or access from an unknown device or location are potentially risky for any business.

If your SAP access controls do not take context into account, your overall risk increases significantly. Put simply, the more context your system is aware of, the better you can mitigate and manage risk.

SAP Risk Management with Appsian

The Appsian Security Platform enhances SAP’s existing Role-Based Access Controls (RBAC) with Attribute-Based Access Controls (ABAC), allowing you to deploy data-centric security policies that leverage the context of access and enable risk management across your SAP ecosystem. Additionally, it enables you to implement layers of security and controls to enhance your ability to detect, prevent, and respond to anomalies and threats at the segregation of duty, transaction, and master data level.

Click here to get a better understanding of how Appsian can help manage your SAP risk.


[Customer Story] How ProfileTailor GRC Helped Global Shipping Leader, ZIM, Streamline Segregation Of Duties And Authorizations in SAP

By Esha Panda • August 31, 2021

ZIM Integrated Shipping Services Ltd., commonly known as ZIM, is a publicly held Israeli global container liner shipping company. The company operates over 100 management systems spread across the company’s global offices. Each system has multiple users running numerous applications, all consisting of different authorization systems. This scattered approach eventually led to siloed teams operating with their own rulesets and segregation of duties (SoD) policies, which stood in the way of effective internal audits within stipulated timelines. 

The decentralized teams at ZIM needed a comprehensive GRC solution to streamline SoD, standardize context-aware controls, and customize authorization management solutions for their different locations without impeding productivity. Specifically, they needed a system that would:

  • Control authorizations in a multi-regional, multi-system environment 
  • Manage authorization related processes effectively on all systems worldwide 
  • Comply with SoD in a complex environment 
  • Monitor activity in production systems 

So the company turned to Appsian Security’s ProfileTailor GRC solution to improve their global, multi-system authorization layout and improve GRC compliance. 

ZIM’s Transformation From Siloed To Centralized  

ZIM’s transformation from siloed to centralized did not happen overnight. It was a large-scale, global roll-out with multiple milestones that Appsian played an integral part in. 

Centralizing Control & Visibility Over Global Authorizations: ZIM now has centralized control over global authorizations in its complex multi-system environment with Appsian’s ProfileTailor GRC solution. It has also generated Employee Cards that show a user’s authorizations across all applications from a single point of view, giving visibility to the relevant managers in every location. 

Identifying SoD Violations: ZIM’s BMC Remedy IT Management System seamlessly integrated with Appsian’s solution in the next phase. As a result, ZIM can now stop potential SoD violations in their tracks at the early stage of requesting authorizations, helping their teams streamline Segregation of Duties and stay compliant in the long run. 

Automating & Customizing Authorization Review Process: With their authorization request policies cleaned up, unified, and customized for each location, ZIM is now operating with an automated authorization review process without disrupting the workflow. They are also able to save overhead expenses and have become audit-ready. 

The Last Mile – Standardizing Contextual Access Controls: Presently, ZIM is equipped to control the access of the IT teams into production systems. With Appsian’s ProfileTailor GRC, they can now continuously monitor users in the production environment and allocate temporary roles for specific tasks. 

Their teams can standardize every process in terms of access, authorizations, and policies while allowing exceptions (e.g., specific data privacy regulations) based on locations.  

Streamline, Standardize, Customize: Appsian’s Framework Could Benefit You Too 

Through a series of successful implementations with the help of Appsian Security, ZIM is now – 

  • Streamlining Segregation of Duties  
  • Standardizing context-aware controls  
  • Customizing for each region without workflow disruption  

If your organization is working with siloed teams engaged in manual audits and approval processes, Appsian’s ProfileTailor GRC Suite is your one-stop solution to gain better control over access risks, SoD, compliance, and audit. It can be used as a stand-alone solution for streamlining, managing, and enforcing SoD or as part of a suite of compliance products. 

ProfileTailor GRC is compatible with all leading ERP applications, including SAP, Oracle E-Business Suite, Oracle PeopleSoft, Microsoft Dynamics, and more. Best yet, it can be implemented rapidly and will not require any changes to monitored systems.  

Contact us for a customized demonstration today and find out how Appsian Security can help you.

Related Reading: Full ZIM Case Study


Image source: Wikimedia Commons


Solving Complex Security Challenges with Dynamic SAP Data Masking

By Ryan Quinonez • August 30, 2021

It’s been a period of unprecedented change and adaptation for organizations of all sizes and in every industry over the past 18 months. During this time, I’ve had the opportunity to speak with many of our SAP customers about how they are managing their business risks and protecting their sensitive data. While the topics vary, I’ve noticed a recurring theme: there is a growing—and urgent—interest in using SAP dynamic data masking to strengthen data protection and enforce governance and compliance policies.  

But what exactly do we mean by SAP “dynamic” data masking, and what are the best practices for using it to manage business risks and increase data security?  

Dynamic Data Masking in SAP Starts with Attribute-Based Access Controls (ABAC) 

Data masking protects the various types of sensitive and personal data stored in ERP applications: intellectual property, personally identifiable information (PII), financial data such as credit card and bank account details, and more. As traditional security perimeters dissolve and compliance requirements grow, protecting ERP data becomes increasingly important. This is where dynamic data masking shines: focused on protecting data at the UI level in production systems, it can significantly reduce your risk exposure.

A quick clarifier: data masking is often used in non-production environments to protect ERP data copied from production. That technique, also called data obfuscation, scrambling, or anonymization, rewrites the stored data itself, which is why it is not usable in production systems. Dynamic data masking instead obscures information at the presentation layer (the UI) without changing the underlying data in the database. 

Before dynamic data masking, traditional data masking policies used a static, role-based approach. For example, you include the role(s) and the field(s) in your rules – and a mask is always applied in all circumstances. While it minimized exposure, the static nature limited adoption as it would create barriers to data, and policies would have to be continually updated as users changed roles.

Dynamic data masking extends this policy logic with attribute-based access control (ABAC), allowing flexible, wide-reaching rules that combine role with other user, data, and access attributes: for example, a user’s residency or security clearance, org code, IP address, location, and much more. 

Static versus dynamic data masking seems cut and dried. However, my conversations with SAP customers revealed two distinct approaches to using dynamic data masking: One focused on user attributes, and the other focused on the dynamic attributes of access and data itself. While the former allows simple, wide-reaching data masking that addresses functional risk, the latter enables a contextual, risk-based approach that truly balances data security with the needs of the business to access data. 

Data Masking Approach #1: Wide-Reaching Policies Based on User Attributes 

Many organizations start their data masking journey by analyzing how necessary it is for specific users to see specific data. Focused on functional risk, this approach aligns to least privilege and sets out to mask data that is unnecessary for a user’s job. For example, does a customer service rep need to see the full bank account info on an order? In most cases, no. Or should an HR manager be able to view the PII in a user’s profile from another business unit they are not responsible for? Certainly not.

Using dynamic data masking in these scenarios can deliver wide-reaching policies that incorporate user attributes such as role, business unit, org code, or country of residency. The ABAC technology allows data masking to be enforced “dynamically” when any activity that matches the defined conditions is present. (Meaning there is no need to make changes when users change roles, new users are created, etc.)

This approach is superior to the legacy approach that relies on static, role-based policies. Data exposure can quickly be minimized, and from a lifecycle management perspective ownership is much simpler. However, data is still masked at all times for the affected users, so the practical scope of usage remains limited.

Data Masking Approach #2: Risk-Based Policies Based on Access Attributes 

I’ve recently noticed a shift in thinking from policies based on user attributes towards those based on access attributes. Organizations might be realizing, thanks to the growing number of data privacy regulations and enforcement fines, that their data is now a liability, and they need to implement more risk-based masking policies based more on access attributes than user attributes. 

Now an organization can leverage context-aware access controls to mask data in high-risk scenarios and show data in trusted scenarios. For example: 

  • Masking unpublished financial data from unknown IP addresses/locations
  • Masking sensitive business data outside regular working hours 
  • Masking data for emergency access sessions

A recent use case for this approach comes from a Canadian rail company that needed to provide secure access to sensitive data for a hybrid workforce, while also allowing remote workers who travel from city to city to use self-service SAP modules on mobile devices from whatever Wi-Fi connection they have. They were able to enforce risk-based data masking policies based on access attributes such as location, IP address, time, data sensitivity, and more.  
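To make the two approaches concrete, here is an added example (my own illustration, not the Appsian Security Platform’s policy language) of a policy evaluator that combines both: user-attribute rules for roles that never need the clear value, and access-attribute rules that mask a field for an entitled user when the access itself is risky, which is also the context-aware control discussed in the SAP risks post above. The corporate networks, approved countries, business hours, field catalogue and sample contexts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, Set

# Assumed environment for this example: corporate address ranges, approved
# countries, business hours, and a small field catalogue with sensitivity and
# the roles entitled to see each field in the clear.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
APPROVED_COUNTRIES = {"US", "CA", "DE"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

FIELD_SENSITIVITY: Dict[str, str] = {
    "vendor_name":  "low",
    "bank_account": "high",
    "salary":       "high",
}
ENTITLED_ROLES: Dict[str, Set[str]] = {
    "bank_account": {"AP_CLERK", "AP_MANAGER"},
    "salary":       {"HR_MANAGER", "PAYROLL"},
}

@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str
    country: str             # resolved from the client IP or the user's residency
    client_ip: str
    local_time: time
    device_managed: bool     # corporate / MDM-enrolled device
    emergency_session: bool  # firefighter or break-glass session

def on_corporate_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def in_business_hours(t: time) -> bool:
    return BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]

def decide(ctx: AccessContext, field_name: str) -> str:
    """Return 'allow', 'partial', 'mask' or 'deny' for one field.
    Rules are evaluated in order and the first match wins."""
    if FIELD_SENSITIVITY[field_name] == "low":
        return "allow"
    # Approach #1: user attributes. A role that never needs the clear value
    # gets a fixed partial mask wherever and whenever it connects.
    if ctx.role == "CUSTOMER_SERVICE" and field_name == "bank_account":
        return "partial"
    if ctx.role not in ENTITLED_ROLES.get(field_name, set()):
        return "deny"
    # Approach #2: access attributes. Even an entitled user sees a mask when
    # the access itself is risky; the stored value is never changed.
    if ctx.emergency_session:
        return "mask"
    if ctx.country not in APPROVED_COUNTRIES:
        return "mask"
    if not on_corporate_network(ctx.client_ip) and not ctx.device_managed:
        return "mask"
    if not in_business_hours(ctx.local_time):
        return "mask"
    return "allow"

def render(value: str, decision: str) -> str:
    """Apply the decision at the presentation layer."""
    if decision == "allow":
        return value
    if decision == "partial":
        return "*" * max(len(value) - 4, 0) + value[-4:]
    if decision == "mask":
        return "*" * len(value)
    raise PermissionError(f"access denied ({decision})")

def apply_policy(ctx: AccessContext, record: Dict[str, str]) -> Dict[str, str]:
    """Mask a record for display; raises PermissionError on a denied field."""
    return {f: render(v, decide(ctx, f)) for f, v in record.items()}

# Constructed sample record and contexts.
VENDOR = {"vendor_name": "ACME GmbH", "bank_account": "DE89370400440532013000"}
TRUSTED_CLERK = AccessContext("ALICE", "AP_CLERK", "DE", "10.1.2.3", time(10, 0), True, False)
HOME_CLERK    = AccessContext("ALICE", "AP_CLERK", "DE", "203.0.113.5", time(10, 0), False, False)
NIGHT_CLERK   = AccessContext("ALICE", "AP_CLERK", "DE", "10.1.2.3", time(22, 30), True, False)
FIREFIGHTER   = AccessContext("ALICE", "AP_CLERK", "DE", "10.1.2.3", time(10, 0), True, True)
SERVICE_REP   = AccessContext("CARL", "CUSTOMER_SERVICE", "US", "10.1.9.9", time(10, 0), True, False)
HR_MANAGER    = AccessContext("HANNA", "HR_MANAGER", "US", "10.1.5.5", time(10, 0), True, False)

if __name__ == "__main__":
    for name, ctx in [("trusted", TRUSTED_CLERK), ("home", HOME_CLERK),
                      ("night", NIGHT_CLERK), ("firefighter", FIREFIGHTER),
                      ("service", SERVICE_REP)]:
        print(f"{name:12} {apply_policy(ctx, VENDOR)['bank_account']}")
```

The same AP clerk sees the IBAN in the clear from a managed device on the corporate network during business hours, and a full mask from an unmanaged home connection, after hours, or in a firefighter session; the customer service representative always sees only the last four characters, and the HR manager, who is not entitled to the field at all, is denied rather than masked. Ordering matters: the role checks run first so that a never-entitled role is never shown the value merely because the access context looks trustworthy.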

Protecting Data with SAP Dynamic Data Masking Solution  

The more I speak with our SAP customers, the more I realize the different “definitions” they have about dynamic data masking. The more accurate definition is that SAP dynamic data masking uses risk-based policies based on access attributes. Without ABAC, companies must enable data masking with extensive customization, resulting in an unscalable ad-hoc solution. 

Fortunately, the Appsian Security Platform’s (ASP) dynamic data masking leverages ABAC capabilities to provide fine-grained control over which sensitive data fields can be masked for any specified user in the context of any situation.   

I invite you to contact the SAP experts at Appsian to learn for yourself how we can improve SAP data security and reduce compliance risk with a fully dynamic data masking solution.   


How to Reduce SoD Conflicts in SAP for Effective SOX Compliance

By David Vincent • August 24, 2021

With many large public companies running SAP applications for their financial and accounting operations, ensuring SOX compliance within the SAP ecosystem is crucial for a successful audit. Segregation of Duties (SoD) in SAP plays an important role in managing roles and authorizations among SAP users to prevent conflicts and mitigate the risk of fraud.

However, user access to SAP systems is dynamic because roles constantly change, which makes it challenging to track, detect, and prevent SoD conflicts. Unfortunately, SAP’s native authorization model is static, which stands in the way of the risk-adjusted, adaptive security approach recommended by Gartner. In the context of SAP, SOX compliance demands that organizations also implement effective monitoring, alerting, and prevention of fraudulent activity arising from SoD conflicts.

How SOX Affects Internal Reporting and Controls

The Sarbanes-Oxley Act has two sections that address requirements for evidence of effective internal controls over accounting and financial reporting: sections 302 and 404. Section 302, titled Corporate Responsibility for Financial Reports, makes the CEO and CFO personally responsible for the accuracy and completeness of the financial reports filed with the SEC and for the internal control structure behind them. They must certify that they have evaluated the effectiveness of those internal controls within the 90 days before the report.

While SOX section 302 defines the internal controls affecting accounting and financial reporting, SOX section 404, titled Management Assessment of Internal Controls, specifies requirements for monitoring and maintaining internal controls related to a company’s accounting and financials. Section 404 is the most complicated, most contested, and most expensive to implement of all the Sarbanes Oxley Act sections for compliance. 

The Role of Access Controls for SOX 404 Compliance

Access Controls are intended to effectively manage the inherent risks associated with managing access to systems and data. These risks include segregation of duty security violations, granting excessive access, ineffective access change management process, ineffective access termination process, ineffective access review and recertification process, and poor password enforcement, to name a few. 

Under PCAOB Auditing Standard No. 5 (AS 5, now codified as AS 2201), if these access risks are not effectively controlled, the external SOX audit will report a control issue. Control issues are ranked as a control deficiency, a significant deficiency, or, worst of all, a material weakness. Appsian ProfileTailor GRC helps organizations manage the entire SAP access management lifecycle to monitor and meet the internal control requirements of SOX sections 302 and 404.

What is SoD Conflict in SAP?

Segregation of duty conflicts and SoD security violations arise from inappropriate access at the SAP transaction level. For example, an SAP user may be able to create a new vendor, create a payment to that vendor, and approve that payment. These functions should be split between different people, because one person holding all of them can both commit and conceal fraud. SoD conflicts in SAP arise when user roles and the authorizations associated with those roles are not clearly defined. The result is over-provisioning: users end up with more authorizations than company policy and compliance regulations allow.
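As an added example (my own illustration, not Appsian’s code or ruleset), the following script shows the mechanics of both detecting such conflicts and the role substitution described in the access management post above: replacing a user’s roles without losing the activities they actually use. The roles, the SoD ruleset and the usage data are constructed; the transaction codes are real SAP ones.

```python
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

# Constructed illustration. The transaction codes are real SAP ones (XK01
# create vendor, FK02 change vendor, FB60 enter vendor invoice, FB03 display
# document, F110 payment run, FBL1N vendor line items), but the roles, the
# ruleset and the usage data below are invented for this example.

ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_ALL":       {"XK01", "FK02", "FB60", "FB03", "F110", "FBL1N"},
    "Z_AP_DISPLAY":   {"FB03", "FBL1N"},
    "Z_AP_INVOICE":   {"FB60", "FB03"},
    "Z_AP_PAYMENT":   {"F110", "FBL1N"},
    "Z_VENDOR_MAINT": {"XK01", "FK02"},
}

# Business functions, defined by the transactions that can perform them.
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MASTER": {"XK01", "FK02"},
    "INVOICE_ENTRY": {"FB60"},
    "PAYMENT_RUN":   {"F110"},
}

# Pairs of functions one person must not hold together (procure-to-pay).
SOD_RULES: List[Tuple[str, str, str]] = [
    ("VENDOR_MASTER", "INVOICE_ENTRY", "create a vendor and post invoices to it"),
    ("VENDOR_MASTER", "PAYMENT_RUN",   "create a vendor and pay it"),
    ("INVOICE_ENTRY", "PAYMENT_RUN",   "post an invoice and release its payment"),
]

def effective_tcodes(roles) -> Set[str]:
    """All transactions reachable through the given roles."""
    out: Set[str] = set()
    for r in roles:
        out |= ROLE_TCODES[r]
    return out

def functions_of(tcodes: Set[str]) -> Set[str]:
    return {f for f, t in FUNCTIONS.items() if t & tcodes}

def sod_violations(roles) -> List[Tuple[str, str, str]]:
    """Rules whose two functions are both reachable via the roles."""
    funcs = functions_of(effective_tcodes(roles))
    return [rule for rule in SOD_RULES if rule[0] in funcs and rule[1] in funcs]

def remediate(current_roles: Set[str], used_tcodes: Set[str]) -> Optional[Set[str]]:
    """Smallest conflict-free set of roles that still covers every transaction
    the user actually executed. Transactions the user ran but never held
    through these roles are ignored. Returns None when the used activities
    themselves conflict: no role change fixes that, the work has to be split
    between people or covered by a mitigating control."""
    needed = used_tcodes & effective_tcodes(current_roles)
    names = sorted(ROLE_TCODES)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            if needed <= effective_tcodes(combo) and not sod_violations(combo):
                return set(combo)
    return None

if __name__ == "__main__":
    # An AP clerk holding the catch-all role but only ever posting invoices
    # and looking at line items (usage taken from the STAD/ST03N history).
    for a, b, why in sod_violations({"Z_AP_ALL"}):
        print(f"conflict {a} + {b}: {why}")
    print("replace with:", remediate({"Z_AP_ALL"}, {"FB60", "FB03", "FBL1N"}))
    # A user who actually created vendors and ran payments: not fixable by roles.
    print("replace with:", remediate({"Z_VENDOR_MAINT", "Z_AP_PAYMENT"}, {"XK01", "F110"}))
```

The catch-all role triggers all three rules, and the search finds that Z_AP_INVOICE plus Z_AP_DISPLAY cover everything the user actually did with no conflict. The second user is the harder case: they really executed both vendor creation and the payment run, so `remediate` returns None, and the answer is a process change or a mitigating control, not a different role.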

Overcoming SoD Conflicts in SAP for Effective SOX Compliance

To avoid access risks like SoD security violations and achieve SOX compliance in SAP, organizations need to implement the following layers of controls:

Establish effective governance and oversight of the SAP security administration process, including defined roles, responsibilities, policies, processes, and procedures, and monitor the performance of SAP security so that variances are identified and corrected quickly. Governance is one of the most overlooked processes, and significant SAP security administration issues that could have been avoided often trace back to its absence.

Establish an effective SAP security administration process for adding new users, modifying access of existing users, terminating user access in a timely manner, and performing periodic reviews of all user access for recertification. Leveraging automation, analytics, and artificial intelligence can dramatically improve the operating efficiency of the SAP security administration process. Leveraging an attribute-based access control (ABAC) security model provides more effective and adaptive security than the role-based access control model native to SAP. Additionally, ABAC can automate your SAP policy enforcement at the business process, transaction, and data level.

Internal auditors should perform an independent audit of SAP security to verify the design and effectiveness of all SAP access controls after the business unit and IT department perform their own self-assessments.

Appsian ProfileTailor GRC is a comprehensive compliance platform that enables greater control over user access risks, segregation of duties, compliance, and audit. The platform leverages embedded AI, machine learning, and predictive analytics to continuously identify potential risks and provide optimized suggestions to resolve conflicts. With Appsian, your organization can achieve SAP SOX compliance by:

  • Establishing effective layers of control in governance and oversight
  • Automating security administration procedures
  • Implementing AI and ML empowered access risk analysis & recommendations
  • Automating policy enforcement with ABAC
  • Effectively monitoring and reporting with real-time analytics
  • Addressing SAP security challenges with self-assessment and independent audit capabilities

Get in touch with our SAP Compliance Experts to achieve and maintain a clean SAP security environment.


Data Loss Prevention: 7 Best Practices for SAP Security

By David Vincent • August 20, 2021

A constantly evolving threat landscape and a compliance environment with inconsistent standards have made data loss prevention (DLP) a vital component of an organization’s SAP data security strategy. The average cost of a data breach hit a record high in 2021 (about $4.2 million per incident), underlining the importance of a robust DLP strategy to protect organizations from financial, legal, and reputational damage. 

What Is Data Loss Prevention?

Data Loss Prevention is the practice of identifying and preventing data breaches, exfiltration, or unwanted loss or destruction of sensitive data. Businesses use DLP solutions for SAP and PeopleSoft applications mainly to:

  • Secure Personally Identifiable Information (PII)
  • Comply with data security and privacy regulations
  • Protect intellectual property critical to the organization
  • Prevent unauthorized transfer of data outside the organization

Seven Data Loss Prevention Best Practices

For any DLP strategy, you need to understand which organizational data to secure, where that data resides, who has access to that data (and when), and how the data should be used. Unfortunately, data loss is difficult to spot because data routinely moves in and out of an enterprise and closely resembles normal traffic. Let’s take a look at a list of data loss prevention best practices that have helped our customers achieve their data security goals and meet compliance standards.

  1. Configure Dynamic Data Loss Prevention Policies
    Preventing unauthorized exposure of sensitive information and protecting against insider data leakage begins by configuring contextual, attribute-based DLP policies that restrict transactions based on user and data attributes. Unfortunately, traditional role-based access controls (RBAC) can’t completely safeguard data in dynamic environments, because static roles fail to leverage contextual attributes such as time of day, geolocation, IP address, transaction type, etc.
  2. Establish Clearly Defined Rulesets for Segregation of Duties
    Establishing a clearly defined ruleset for segregation of duties that divides business processes between multiple users helps limit the risk of fraud and error while ensuring that a user’s access privileges do not conflict with or violate business policies.
  3. Deploy Policy-Based Data Masking and Redaction
    Companies can enable dynamic data masking to reduce unnecessary exposure of sensitive information while still allowing employees to do their jobs: for example, masking specific fields on a page an employee is accessing, or using click-to-view masking that unmasks data only on request, or requires an MFA challenge before data is revealed, so that each access to a particular field is logged. And don’t forget non-production environments, where dynamic data masking ensures development or testing teams can only access the data they need and nothing more.
  4. Continuously Monitor Data Access And Usage
    Monitoring user behavior around data access and usage in real time at a granular level provides visibility into how users interact with sensitive data, triggering security event alerts for high-risk access and abnormal activity at the field level. (Native application logging capabilities cannot tell the difference between malicious user activity and normal usage.)
  5. Increase The Levels Of Access Control & Monitoring for High-Privilege Users
    Because privileged user accounts are magnets for hackers, companies should isolate the activity and data access of these accounts to ensure integrity and alignment with current business policies. For example, an employee from the HR department needs access to payroll information to do their job, but do they need that access outside of office hours or from an unknown IP address?
  6. Closely Monitor Report and Query Downloads
    Monitor query executions and download attempts, ensuring that sensitive query results are not being downloaded onto unauthorized devices, from suspicious locations, or outside business hours.
  7. Leverage DLP Solutions to Automate As Much As Possible
    For all the features and value ERP systems provide, they lack the functionality to provide a dynamic, automated data loss prevention solution. Automating DLP processes across the organization allows you to enforce dynamic policies to identify and protect data before it exits the organization. In addition, automating compliance audits allows you to constantly monitor data access and usage and alert security teams to abnormal activities.

How Appsian Security Helps Enable Your SAP Data Loss Prevention Strategy

Whether the user is an employee, partner, or contractor, and whether their behavior is careless or malicious, it can be difficult to tell the difference between a user’s regular activity and activity intended to cause harm or theft. The Appsian Security Platform (ASP) helps SAP customers deploy these data loss prevention best practices, and many more, to prevent unauthorized exposure and exfiltration of sensitive data, PII, and intellectual property.

By configuring dynamic access controls, you can uniformly enforce policies that restrict transactions based on user and data attributes. In addition, you can deploy policy-based data masking that helps you comply with data security and privacy regulations by reducing the exposure of high-risk data.

Contact us today for a demonstration and see for yourself how Appsian Security can help with your data loss prevention strategy.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

How Appsian Approaches Cross-Application SoD for SAP, Oracle & More

By Moshe Panzer • August 18, 2021

The concept of segregation of duties for SAP and other ERP applications is simple to understand: ensure that a user’s access privileges do not conflict or violate business policies and divide business processes between multiple users to limit the risk of fraud and error. However, the streamlining, managing, and enforcing of segregation of duties is far more complex. These days, organizations are turning to technology to help them automate tedious manual processes and reinforce internal controls—technology like Appsian.

Enforce Cross-Application SoD Rulesets from A Single Control Point

Appsian is a single control point that enforces cross-application SoD rules – allowing auditors and security managers to implement one SoD ruleset and enforce it on multiple applications simultaneously. They can also create rulesets for specific systems or change, activate, or deactivate SoD rules that can influence all systems together or only particular systems. Essentially, ProfileTailor GRC unifies all applications into one “language” so auditors and security managers do not have to try to understand each application’s jargon while giving them complete control over their SoD compliance, helping them comply with SOX regulations.

Maintain, Upload, and Download Rulesets in Multiple Schemas to Fit Different Scenarios

Ruleset maintenance is a focal point of any SoD implementation. ProfileTailor GRC includes various methods to create and maintain SoD rulesets easily and effectively to maximize the level of control over segregation of duties. For example, auditors can prepare a ruleset, upload it using a built-in mechanism, and then maintain the rules inside the application.

Screenshot: Segregation of Duties for SAP violations

Alternatively, they can create rules in the application and then maintain, download, and upload them to Excel sheets. Further, auditors can lock specific rules for editing while allowing others to be opened. Business units can edit their own ruleset while being able only to view the organization’s global ruleset. Additionally, ProfileTailor GRC comes with a predefined ruleset that is ready for customization so organizations can be up and running almost immediately.

Resolve SoD Conflicts in Seconds

The best way to handle SoD violations is to solve them clearly and quickly. ProfileTailor GRC analyzes user behavior and usage data, paired with vast hands-on experience in the field of risk assessment, to resolve SoD conflicts in just a few seconds. ProfileTailor GRC can audit violation events in real time because it assesses SoD risks and violations based on users’ actual usage, not only on their assigned authorizations, and recommends the best solution for resolving the violation plus up to 5 additional possible solutions.
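The distinction drawn above, between a conflict a user is merely authorized to commit and one the usage log shows they have actually exercised, is what lets an auditor prioritize and resolve SoD findings quickly. The script below is an added example illustrating that evaluation; it is not ProfileTailor GRC code and does not reflect its ruleset format. The rule IDs, role names, users and usage history are constructed, and the mapping of business functions to SAP transaction codes is illustrative only.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Illustrative mapping of business functions to the SAP transaction codes that
# perform them. Constructed for this example; a production ruleset is far larger.
FUNCTION_TCODES: Dict[str, Set[str]] = {
    "maintain_vendor": {"FK01", "FK02", "XK01"},
    "run_payments":    {"F110"},
    "create_po":       {"ME21N"},
    "release_po":      {"ME29N"},
}

# SoD ruleset: each rule names two functions that must not sit with one user.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "R01": ("maintain_vendor", "run_payments"),   # create a vendor, then pay it
    "R02": ("create_po", "release_po"),           # raise a PO, then approve it
}

# Constructed roles and the functions they grant.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK":    {"maintain_vendor"},
    "AP_PAYMENTS": {"run_payments"},
    "BUYER":       {"create_po"},
    "PO_APPROVER": {"release_po"},
}


@dataclass
class User:
    name: str
    roles: List[str]
    executed: Set[str] = field(default_factory=set)   # tcodes seen in the usage log

    def functions(self) -> Set[str]:
        return set().union(*(ROLE_FUNCTIONS[r] for r in self.roles))

    def exercised_functions(self) -> Set[str]:
        return {f for f, tcodes in FUNCTION_TCODES.items() if self.executed & tcodes}


def assigned_violations(user: User) -> List[str]:
    """Rules the user could violate, judged on authorizations alone."""
    funcs = user.functions()
    return [rid for rid, (a, b) in SOD_RULES.items() if a in funcs and b in funcs]


def exercised_violations(user: User) -> List[str]:
    """Rules the user has actually exercised both sides of, per the usage log."""
    used = user.exercised_functions()
    return [rid for rid, (a, b) in SOD_RULES.items() if a in used and b in used]


def suggest_role_removal(user: User, rule_id: str) -> Optional[str]:
    """For an assigned-only conflict, name a role that resolves it without
    touching anything the user has used. Returns None when both sides have been
    exercised, i.e. a mitigating control or a business decision is needed."""
    a, b = SOD_RULES[rule_id]
    used = user.exercised_functions()
    for role in user.roles:
        rf = ROLE_FUNCTIONS[role]
        if (a in rf or b in rf) and not (rf & used):
            return role
    return None


def sod_report(users: List[User]) -> Dict[str, Dict[str, object]]:
    """Per user: assigned conflicts, the subset actually exercised, and a suggested fix."""
    report: Dict[str, Dict[str, object]] = {}
    for u in users:
        assigned = assigned_violations(u)
        if not assigned:
            continue
        report[u.name] = {
            "assigned": assigned,
            "exercised": exercised_violations(u),
            "remove_role": {rid: suggest_role_removal(u, rid) for rid in assigned},
        }
    return report


# Constructed users and usage history.
SAMPLE_USERS = [
    User("alice", ["AP_CLERK", "AP_PAYMENTS"], executed={"FK01", "F110"}),
    User("bob",   ["BUYER", "PO_APPROVER"],    executed={"ME21N"}),
    User("carol", ["BUYER"],                   executed={"ME21N"}),
]

if __name__ == "__main__":
    for name, entry in sod_report(SAMPLE_USERS).items():
        print(name, entry)
```

Both alice and bob hold a conflicting pair of roles, but only alice has executed both halves of hers, so her finding is the one that needs an immediate control owner; bob's can be closed by removing the approver role he has never used. A ruleset that looks at authorizations alone cannot tell those two cases apart.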

Make ProfileTailor GRC a Critical Part of Your Compliance Strategies

ProfileTailor GRC can be used as a stand-alone solution for streamlining, managing, and enforcing SoD or as part of a suite of compliance products. This means that enforcing an SoD ruleset will influence other workflow processes. For example, provisioning/de-provisioning user accounts, requesting new authorizations and preventing SoD conflicts, opening new user accounts automatically without SoD violations, and business rules for granting or revoking authorization roles.

ProfileTailor GRC is compatible with all leading ERP applications, including SAP, Oracle E-Business Suite, Oracle PeopleSoft, Microsoft Dynamics, and more. It can be installed as an on-premises solution for continuous protection or in the cloud as a continuous inspection solution.

For more information on how ProfileTailor GRC approaches segregation of duties for SAP and Oracle ERPs or to receive a customized demonstration, please go HERE.

SAP Access Controls: How RBAC & ABAC Work Together

By Michael Cunningham • August 18, 2021

To ensure employees remain productive in a dynamic and hybrid work environment, organizations use SAP access controls to allow their workers remote and secure access to ERP data, transactions, and self-service modules. Unfortunately, the existing SAP role-based access controls (RBAC) have reached their limitations in a dynamic workplace because static roles do not leverage contextual attributes.

Understanding SAP Access Control Using RBAC

Functionally, role-based access control (RBAC) is a policy-neutral approach to granting (or restricting) SAP access based on the roles of individual users in the company. Since RBAC was intended for on-premises data access from behind a corporate firewall, it creates a very strict, static set of permissions. You either have access or you don’t.

RBAC has always provided a strong foundation for setting SAP access controls. However, the way people are interacting with data resources is constantly evolving and RBAC is struggling to keep up.

Enhancing RBAC by Using Attribute-Based Controls in SAP

Organizations are looking for more flexible and secure ways to grant users access to only the information and resources they need to perform a particular task. This dynamic approach to SAP access controls enhances RBAC by considering different “attributes,” enabling security policies to be dynamic and “data-centric” and leveraging a user’s context of access to determine access to data. By incorporating these attribute-based access controls (ABAC), organizations can control user access more precisely, and better balance policy and security requirements.

The more attributes you can incorporate, the more precisely you can define what, how, and when a user or group of users can access data. Unlike RBAC, ABAC allows you to use contextual information such as project ID, company code, IP address, location, device type, and more to authorize access.

The RBAC + ABAC Hybrid SAP Access Control Model

Appsian Security extends and enhances existing SAP access controls by combining RBAC security capabilities with attribute-based policies. Starting with RBAC, organizations set the foundation of their access policies. ABAC begins the moment users start to access data and transactions and considers the context of access (who, what, where, when, and how) before allowing a user to access transactions or data.

The key benefits of the RBAC + ABAC hybrid model from Appsian Security include:

  • Reducing Attack Surface
    Organizations can reduce their amount of accepted risk by applying granular business policies and contextual access controls to strengthen data-level and transaction-level security.
  • Dynamic Data Masking
    You can dynamically enforce data masking or outright restriction policies to any field in SAP when using real-time contextual policies that balance security and usability.
  • Reinforcing SoD Policy Violations
    Adding ABAC to RBAC allows you to apply preventive controls in segregation of duties (SoD) exception scenarios. By doing so, you can prevent SoD violations while still allowing conflicting roles to be assigned when necessary, and reinforce role-based policy to mitigate over-provisioning.
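The hybrid model described in this section evaluates in two layers: the static role grant decides whether the user may ever see a transaction or field, and only then do contextual attributes decide how it is shown right now (in clear, masked, after a step-up challenge, or not at all). The script below is an added example of that ordering, written for this article; it is not Appsian Security code or configuration. The role names, field names, network range, business hours and requests are constructed, and "PA20" is used only as an illustrative HR display transaction.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Set, Tuple

# Constructed RBAC layer: role -> (transaction, field) pairs the role may display.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "HR_PAYROLL": {("PA20", "salary"), ("PA20", "bank_account"), ("PA20", "name")},
    "HR_BASIC":   {("PA20", "name")},
}
SENSITIVE_FIELDS = {"salary", "bank_account"}
CORPORATE_NETS = [ip_network("10.0.0.0/8")]          # constructed trusted range
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    transaction: str
    field: str
    src_ip: str
    ts: datetime
    managed_device: bool


def rbac_permits(req: AccessRequest) -> bool:
    """Layer 1: static role check. Nothing below runs if this fails."""
    return any((req.transaction, req.field) in ROLE_GRANTS.get(r, set()) for r in req.roles)


def abac_decide(req: AccessRequest) -> Tuple[str, str]:
    """Layer 2: contextual policies applied to a request RBAC already permits.

    Returns (decision, reason) with decision in {"allow", "mask", "step_up", "deny"}.
    Rules run from most to least restrictive, so the first match wins.
    """
    if req.field not in SENSITIVE_FIELDS:
        return "allow", "field_not_sensitive"
    if not req.managed_device:
        return "deny", "unmanaged_device"
    if not any(ip_address(req.src_ip) in net for net in CORPORATE_NETS):
        return "mask", "off_network"
    if req.ts.weekday() >= 5 or not BUSINESS_START <= req.ts.time() < BUSINESS_END:
        return "step_up", "outside_business_hours"   # click-to-view after an MFA challenge
    return "allow", "in_policy"


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Hybrid evaluation: the RBAC gate first, then ABAC refinement."""
    if not rbac_permits(req):
        return "deny", "no_role_grant"
    return abac_decide(req)


def _req(user, roles, field, ip, ts, managed=True) -> AccessRequest:
    return AccessRequest(user, frozenset(roles), "PA20", field, ip, ts, managed)


OFFICE_HOURS = datetime(2021, 8, 17, 10, 30)   # a Tuesday morning
LATE_NIGHT = datetime(2021, 8, 17, 22, 10)

# Constructed requests: one HR user under different contexts, plus a user whose
# role never granted the field at all.
SAMPLE_REQUESTS = [
    _req("hana", {"HR_PAYROLL"}, "salary", "10.2.3.4", OFFICE_HOURS),                 # allow
    _req("hana", {"HR_PAYROLL"}, "salary", "203.0.113.5", OFFICE_HOURS),              # mask
    _req("hana", {"HR_PAYROLL"}, "salary", "10.2.3.4", LATE_NIGHT),                   # step_up
    _req("hana", {"HR_PAYROLL"}, "salary", "10.2.3.4", OFFICE_HOURS, managed=False),  # deny
    _req("hana", {"HR_PAYROLL"}, "name", "203.0.113.5", LATE_NIGHT),                  # allow
    _req("sam",  {"HR_BASIC"},   "salary", "10.2.3.4", OFFICE_HOURS),                 # deny (RBAC)
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r.user, r.field, r.src_ip, r.ts.strftime("%a %H:%M"), "->", decide(r))
```

Note that hana's role never changes across the first four requests; only the context does, and the outcome moves from clear text to masked to step-up to denied. Achieving the same four outcomes with roles alone would mean one derived role per combination of network, time and device, which is the overhead the hybrid model avoids.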

Without a solution like Appsian Security, the closest organizations can come to granting policy-based access to SAP is through customization or adding role derivations to a user for each attribute. Both options are costly and add complexity and overhead to role management in the long run.

Contact us today and schedule a demo to see how Appsian can help you enforce SAP access controls beyond the standard RBAC model.

How to Protect Your ERP With an Adaptive Security Model

By David Vincent • August 13, 2021

Agility is the name of the game in today’s ERP data security landscape. Organizations are being challenged to detect threats as they happen, quickly address vulnerabilities, and continuously improve their security posture while protecting crucial ERP data as well as their overall business. One strategy that is helping organizations become more proactive is aligning to an adaptive security model. 

Focused on operationalizing agile, context-aware, and adaptive technologies, an adaptive security model enables organizations to strengthen security and leverage automation for continuous improvement. 

What is Adaptive Security? 

Adaptive security is an approach to managing security that analyzes behaviors and events to protect against and adapt to threats before they happen. With an adaptive security architecture, an organization can continuously assess risk and monitor control effectiveness, and automatically provide proportional enforcement that can be dialed up or down to fit its needs.

Figure 1: Adaptive Security Architecture

You’ll note that there are four stages of an adaptive security architecture: Prevent, Detect, Respond and Predict. These stages help organizations transform the old static, role-based approach to ERP data security into a continuous monitoring and risk-adaptive approach. Zero trust is a core concept of adaptive security: it promotes continuous monitoring and analysis as a starting point, enables rapid detection of behavioral anomalies, and permits rapid responses to quickly stop and resolve security incidents.

Seven Imperatives for an Adaptive Security Architecture 

According to Gartner, supporting digital business transformation in an environment of advanced threats requires a new approach for all facets of security. Security and risk management leaders can use these seven imperatives of an adaptive security model to embrace the opportunities and manage digital business risks. Each imperative describes a capability Gartner recommends your ERP security, risk & compliance solution provide to enable the security model.

  1. Replace One-Time Security Gates with Context-Aware, Adaptive, and Programmable Security Platforms 
    Organizations need to replace the initial one-time, yes/no risk-based decision at the main gate to their systems (typically managed by a static authentication and authorization process) with a continuous, real-time, adaptive risk and trust analysis of user anomalies with context-aware information across the platform. Context-aware security (also known as attribute-based access controls or ABAC) uses situational information, such as identity, geolocation, time of day, or type of endpoint device.  
  2. Continuously Discover, Monitor, Assess and Prioritize Risk — Proactively and Reactively
    Risk events are fluid and require constant identification, analysis, prioritization, monitoring, and response after the initial login assessment. This should include a combination of proactive and reactive capabilities. For example, if a user attempts to download a large amount of sensitive data, you need the ability to detect and prevent this action if it’s considered inappropriate. Again, the use of ABAC can provide organizations with preventative controls at the business process, transaction, and master data level.
  3. Perform Risk and Trust Assessments Early in Digital Business Initiatives
    This imperative focuses on early risk assessment, meaning performing risk and trust assessments early in the process execution.  
  4. Instrument Infrastructure for Comprehensive, Full Stack Risk Visibility, Including Sensitive Data Handling
    This is a continuous risk assessment recommendation across the full tech stack and data handling to enable adaptive security decisions.  
  5. Use Analytics, AI, Automation and Orchestration to Speed the Time to Detect and Respond, and to Scale Limited Resources
    This imperative recommends using artificial intelligence, machine learning, analytics, and automation to increase the efficiency and effectiveness of risk detection, analysis, and response capabilities.  
  6. Architect Security as an Integrated, Adaptive Programmable System, Not in Silos
    Avoid silos! Organizations shouldn’t perform risk assessments in individual isolated silos. Instead, aggregated continuous risk assessments provide a more accurate view of the organization’s risk exposure.
  7. Put Continuous Data-Driven Risk Decision Making and Risk Ownership into Business Units and Product Owners
    This imperative encourages better transparency and decision-making through better data-driven risk visibility to the business unit leaders for their own decision-making.   

How Appsian Security Helps Organizations Achieve Adaptive Security 

The problem we help companies overcome: In its current form, the static data protection approach utilized by most organizations lacks the effectiveness required to manage today’s complex challenges. Without an accurate picture of risk exposure in their organization, security administrators protect data the only way they can – with restrictive measures under the principle of least privilege and zero trust. 

Here’s how Appsian Security’s capabilities align to the Gartner adaptive security model. The figure below illustrates the Gartner model with the Appsian Security solution capabilities mapped to its four areas: Predictive & Discovery Requirements, Preventative & Adaptive Access, Detective & Monitor Usage, and Respond & Manage User.

Figure 2: Appsian Helps Companies Achieve Adaptive Security

Five Ways Appsian Security Helps Improve ERP Data Security 

Organizations are being challenged to protect access to sensitive and confidential data while improving their ability to analyze security data and detect attacks in progress. Here are five ways that Appsian Security can help your organization meet these challenges:  

  • The capabilities of the Appsian Security solution align with Gartner’s Seven Adaptive Security Imperatives. 
  • Appsian offers context-based access controls that can prevent, detect, and respond to user anomalies at the business process, transaction, and data level. 
  • Appsian enables continuous monitoring and real-time reporting of user anomalies. 
  • Appsian offers artificial intelligence, machine learning, and automation to increase the efficiency and effectiveness of your risk detection, analysis, and response capabilities. 
  • Appsian can automate the enforcement of your policy requirements at the business process, transaction, and data level.  

Contact Appsian today to learn how our zero trust solutions can anchor your adaptive security architecture and improve your ERP data security. 
