Remote Access Security: How to Replicate the 9 to 5 Workday

By Esha Panda • December 23, 2021

Over the last two years, organizations had to move employees out of a secure office environment and provide them with access to corporate ERP applications from multiple remote locations — effectively creating an extensive remote and hybrid workforce. A recent report by Gartner predicts that 47% of knowledge workers will work remotely in 2022, compared to pre-pandemic levels of 27%. With this rise in hybrid working and network connections originating from outside the firewall, organizations are understandably prioritizing remote access security.

In this remote/hybrid work landscape, workers and organizations often struggle to replicate the 9 to 5 experience: employees commute to an office, sit at a desk, and access ERP systems securely from behind the office firewall. Instead, organizations face the challenge of balancing the security of ERP systems and critical data against the access demands of a hybrid workforce.

Let’s be clear about something: workers may work 9 to 5, but they have 24/7 access to your ERP applications. Just as you wouldn’t let every employee into every area of a physical office at all hours of the day and night, you shouldn’t grant them remote access to all areas of the ERP system whenever they want.

There isn’t a single technology that will secure remote access. Instead, organizations should leverage a variety of technologies that together provide the necessary remote access security when users are working “9 to 5” from home or other remote locations.

Implement Dynamic Access Controls 

Remote access security begins by giving users access to only the applications, transactions, and data needed to perform their jobs during the “9 to 5” workday. These dynamic access controls consider the context of each request (e.g., location, time of request, device used, IP address) to govern who can use specific applications, the types of transactions they can process, and when. For example, if you wouldn’t allow Ted from payroll to enter the office building at 1:00 AM to access employee bank account data when no one is around, why let him do it from home?

Reauthenticate Users at the Data and Transaction Level

As we continue to follow Ted through his in-office 9 to 5 workday, he uses his security badge to enter the accounting area, which is off-limits to most other employees. In effect, Ted had to reauthenticate before reaching his desk and executing a payroll run. Now that Ted is part of the hybrid workforce, he should likewise reauthenticate with dynamic multifactor authentication (MFA) before changing sensitive data, such as employee bank accounts, or running critical transactions, such as payroll. Dynamic MFA lets organizations issue a challenge based on contextual attributes: for example, when the location, IP address, time, or device type differs from what is expected for that user and that transaction.

Gain Full Control of Data Access Using Dynamic Data Masking 

Controlling what information an employee can see is critical regardless of where they work (on-premises or remote). Suppose Ted’s manager opens his employee record to review his information or department settings. Typically, Ted’s date of birth and social security number are displayed, even though his manager doesn’t need them to do their 9 to 5 job. Dynamic data masking applies contextual access controls so that sensitive data is shown only to the people who need it to do their work, and policies can specify full or partial masking for each field. Click-to-view, optionally gated by MFA, lets an authorized user reveal a masked value on demand while recording the access for audit. Because the masking decision is tied to the context of the request rather than to the login alone, an attacker using Ted’s compromised credentials from an unfamiliar location or device sees masked values instead of the sensitive fields. Masking is a presentation-layer control, however: an attacker who also satisfies the contextual checks sees exactly what the legitimate user would see, which is why masking is paired with the MFA and monitoring controls described here.
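The following is an added illustration of the masking behaviour described above; it is not Appsian code or an SAP API. The HR record, the per-field policy, the viewer relationships ("owner", "manager", "hr") and the `revealed` set that models a completed click-to-view MFA challenge are all constructed for the example.

```python
"""Dynamic data masking keyed to the viewer's context.

Added example, not Appsian code and not an SAP API. The record, the
field policy and the viewer attributes are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed HR record for "Ted".
TED_RECORD = {
    "employee_id": "E1042",
    "name": "Ted",
    "department": "Payroll",
    "date_of_birth": "1975-03-14",
    "ssn": "123-45-6789",
    "bank_account": "000123456789",
}

# Per-field policy (constructed). "clear_for" lists the viewer relationships
# that see the value in clear; everyone else gets the named masking mode.
#   "full"  -> every character hidden
#   "last4" -> only the last four characters remain, separators kept
FIELD_POLICY = {
    "date_of_birth": {"clear_for": {"owner", "hr"}, "mask": "full"},
    "ssn":           {"clear_for": {"owner", "hr"}, "mask": "last4"},
    "bank_account":  {"clear_for": {"owner", "hr"}, "mask": "full"},
}


@dataclass
class Viewer:
    user_id: str
    relationship: str                 # "owner", "manager", "hr", ...
    ip: str
    # fields this viewer has just unlocked via click-to-view + MFA
    revealed: set = field(default_factory=set)


@dataclass
class AuditEvent:
    when: str
    viewer: str
    employee_id: str
    field: str
    basis: str                        # "policy" or "click-to-view+mfa"
    ip: str


def mask_value(value: str, mode: str) -> str:
    """Return the masked presentation of one sensitive field."""
    if mode == "full":
        return "*" * len(value)
    # "last4": hide alphanumerics in the head, keep separators and the tail
    head = "".join("*" if c.isalnum() else c for c in value[:-4])
    return head + value[-4:]


def render_record(record: dict, viewer: Viewer, audit_log: list) -> dict:
    """Return the record as this viewer may see it.

    Non-sensitive fields pass through. A sensitive field is shown in clear
    only when the viewer's relationship is permitted by policy or the viewer
    has unlocked that field through click-to-view; each clear view is logged.
    """
    view = {}
    for name, value in record.items():
        policy = FIELD_POLICY.get(name)
        if policy is None:
            view[name] = value
            continue
        by_policy = viewer.relationship in policy["clear_for"]
        if by_policy or name in viewer.revealed:
            view[name] = value
            audit_log.append(AuditEvent(
                when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
                viewer=viewer.user_id, employee_id=record["employee_id"],
                field=name, basis="policy" if by_policy else "click-to-view+mfa",
                ip=viewer.ip))
        else:
            view[name] = mask_value(value, policy["mask"])
    return view


if __name__ == "__main__":
    log = []
    manager = Viewer("mgr01", "manager", "203.0.113.7")
    print(render_record(TED_RECORD, manager, log))        # masked fields
    manager.revealed.add("ssn")                           # click-to-view passed
    print(render_record(TED_RECORD, manager, log)["ssn"])  # clear, and audited
    print(len(log), "audited clear views")
```

The manager sees `***-**-6789` and a fully masked bank account until a click-to-view step-up unlocks one specific field, and every clear view, whether granted by policy or by step-up, lands in the audit log. A stolen credential used by someone whose relationship attribute is not in `clear_for` gets the same masked view.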

Increase Visibility through User Activity Monitoring 

Even with remote access security in place, it’s vital that organizations understand who is accessing what, from where, and for what purpose. Suppose an attacker compromises Ted’s credentials and starts accessing ERP applications outside Ted’s regular 9 to 5 pattern. With continuous, granular monitoring of user behavior around data access and usage, an organization can detect that “Ted’s” activity deviates from his established baseline and quickly apply an appropriate response, such as a step-up MFA challenge or session termination.

Appsian’s Approach to Remote Access Security  

As more employees take their 9 to 5 workday outside the confines of the corporate firewall and access ERP applications and data from nearly any location, Appsian can help organizations take a dynamic approach to remote access security. 

Contact Appsian today to learn how our context-aware access controls can anchor your remote access security policies and improve ERP data security for your remote teams. 

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

SAP Access Controls: How RBAC & ABAC Work Together

By Michael Cunningham • August 18, 2021

To ensure employees remain productive in a dynamic and hybrid work environment, organizations use SAP access controls to allow their workers remote and secure access to ERP data, transactions, and self-service modules. Unfortunately, the existing SAP role-based access controls (RBAC) have reached their limitations in a dynamic workplace because static roles do not leverage contextual attributes.

Understanding SAP Access Control Using RBAC

Functionally, role-based access control (RBAC) is a policy-neutral approach to granting (or restricting) SAP access based on the roles assigned to individual users in the company. Because RBAC was designed for on-premises access from behind a corporate firewall, it produces a strict, static set of permissions: you either have access or you don’t, regardless of where, when, or from what device the request arrives.

RBAC has always provided a strong foundation for setting SAP access controls. However, the way people are interacting with data resources is constantly evolving and RBAC is struggling to keep up.

Enhancing RBAC by Using Attribute-Based Controls in SAP

Organizations are looking for more flexible and secure ways to grant users access to only the information and resources they need to perform a particular task. This dynamic approach to SAP access controls enhances RBAC by considering different “attributes,” enabling security policies to be dynamic and “data-centric” and leveraging a user’s context of access to determine access to data. By incorporating these attribute-based access controls (ABAC), organizations can control user access more precisely, and better balance policy and security requirements.

The more attributes you can incorporate, the more precisely you can define what, how, and when a user or group of users can access data. Unlike RBAC, ABAC allows you to use contextual information such as project ID, company code, IP address, location, device type, and more to authorize access.

The RBAC + ABAC Hybrid SAP Access Control Model

Appsian Security extends and enhances existing SAP access controls by combining RBAC security capabilities with attribute-based policies. Starting with RBAC, organizations set the foundation of their access policies. ABAC begins the moment users start to access data and transactions and considers the context of access (who, what, where, when, and how) before allowing a user to access transactions or data.

The key benefits of the RBAC + ABAC hybrid model from Appsian Security include:

  • Reducing Attack Surface
    Organizations can reduce their amount of accepted risk by applying granular business policies and contextual access controls to strengthen data-level and transaction-level security.
  • Dynamic Data Masking
    You can dynamically enforce data masking or outright restriction policies to any field in SAP when using real-time contextual policies that balance security and usability.
  • Preventing SoD Policy Violations
    Adding ABAC to RBAC allows you to apply preventive controls in segregation of duties (SoD) exception scenarios. You can block a conflicting transaction at the moment of access while still assigning conflicting roles where the business requires it, which reinforces role-based policy and mitigates over-provisioning.

Without a solution like Appsian Security, the closest organizations can come to granting policy-based access to SAP is through customization or adding role derivations to a user for each attribute. Both options are costly and add complexity and overhead to role management in the long run.

Contact us today and schedule a demo to see how Appsian can help you enforce SAP access controls beyond the standard RBAC model.

SAP Access Control: A Beginner’s Guide to SAP Dynamic Authorization

By Michael Cunningham • October 20, 2020

As your company’s digital footprint grows, you can enhance your security posture by complementing your existing SAP Role-Based Access Controls (RBAC) with dynamic, Attribute-Based Access Controls (ABAC) to strengthen authorization. Both RBAC and ABAC are ways to decide what an already-authenticated user may do, but they perform different functions across an enterprise IT stack: RBAC describes a user’s job, while ABAC describes the circumstances under which that job may be done.

Understanding SAP Access Control Using Roles

Functionally, a role is a named collection of permissions that maps users to the resources their job requires, limiting access on a “need to know” basis.

RBAC involves three basic principles:

  1. Role assignment: a user can perform an operation only if that user has been assigned a role.
  2. Role authorization: a user’s active role must be one that user is authorized to hold. Together with role assignment, this ensures users can take on only roles for which they have been approved.
  3. Transaction authorization: a user can perform a transaction only if it is authorized for the user’s active role. With the two rules above, this limits access to a “need to know” basis.

RBAC has since evolved to include “hierarchies,” in which senior roles inherit the permissions of junior ones. For example, a Chief Executive Officer (CEO) needs broad access to sensitive information, so the CEO role encompasses the access granted to Vice Presidents, line-of-business managers, and standard employees. A standard employee, at the “bottom” of the hierarchy, is prevented by RBAC from accessing the sensitive information the CEO can access.

Enhancing RBAC by Using Dynamic Authorizations in SAP

RBAC provides a strong foundation for setting access controls. However, digital transformation changes the way people interact with data resources. Since RBAC was intended for on-premises data repositories, it creates a very strict, static set of permissions. You either have access or you don’t. 

Dynamic authorization – also known as attribute-based access control (ABAC) – enhances RBAC by taking into account different “attributes.” Attributes are the adjectives of the access control world: each one adds a description of the user, the action, the resource, or the environment in which the request is made.

Examples of user attributes:

  1. Department within the organization
  2. Management level
  3. Citizenship / Residency
  4. Security Clearance

Examples of action attributes: 

  1. Read
  2. Write
  3. Transfer (money)

Examples of resource attributes:

  1. Data Classification
  2. Transaction Code
  3. Document Number
  4. Plant Code

Example of environment attributes:

  1. Time
  2. Geographic location
  3. Device type
  4. Connection type

By incorporating these attributes, organizations can control user access more precisely, and with the flexibility of dynamic authorizations, better balance business and security requirements.

Achieving Dynamic Access by Using Attributes

Roles act as the foundation for providing access. If you think about it like a sentence, RBAC is the subject and verb. An IT admin has what we call “superuser” access. A simple RBAC sentence might look like this:

IT administrators can read and edit all information. 

Based on RBAC alone, this sentence grants so much access that an IT administrator becomes a data breach risk. Whether the threat is malicious theft of sensitive information or accidental sharing of private information, such unrestricted access leaves organizations struggling to rein in IT administrators while still giving them enough access to do their jobs.

However, if we add attributes, or additional descriptors about how/when/where IT administrators can use their access, we limit the risk. By creating an “if-then” statement, we apply restrictions based on the defined characteristics. 

If IT administrators are accessing the database (resource attribute)
from their homes (environment attribute) then
they can read (action attribute) the information. 

By adding these attributes, and denying any request that no statement grants, we prevent IT administrators from making changes to databases while they are at home.

Furthermore, we can use attributes to grant access as well. Taking the same statement, let’s incorporate time of day as an additional attribute. 

If IT administrators are accessing the database (resource attribute)
from their homes (environment attribute) then
they can read (action attribute) the information,
but if they access the database
between 8 AM and 10 AM (environment attribute 2),
they can edit user data (action attribute 2)

By adding the additional environment and action attributes, you create a scenario that allows IT administrators to work from home while reducing the risk. You have created a time-bound restriction: when working from home, they can make user data changes only between 8 AM and 10 AM, and at all other times they can only read the database information.

The more attributes you can incorporate, the more precisely you can define what, how, and when a user or group of users can access data. 
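The if-then statements above, and the RBAC + ABAC layering described in the “RBAC + ABAC Hybrid SAP Access Control Model” section, can be made concrete as a small policy decision point. The code below is an added example written for this page; it is not Appsian code or an SAP API. The role names, the role-to-permission table, the attribute names (`location`, `time`) and the rule set are constructed: the first three rules encode the IT-administrator statements, and the fourth encodes the “Ted at 1:00 AM” payroll case from the first article. It generalizes the text by applying the static role check first and then a first-match, default-deny rule list.

```python
"""Hybrid RBAC + ABAC policy decision point.

Added example, not Appsian code and not an SAP API. Role names, the
permission table, attribute names and the rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable

# RBAC layer (constructed): static role -> permitted (action, resource) pairs.
ROLE_PERMISSIONS = {
    "it_admin": {("read", "database"), ("edit", "database")},
    "payroll_clerk": {("read", "employee_record"), ("run", "payroll")},
}


@dataclass
class Request:
    user: str
    roles: set                                # user attributes
    action: str                               # action attribute
    resource: str                             # resource attribute
    env: dict = field(default_factory=dict)   # environment attributes,
                                              # e.g. {"location": "home", "time": "09:15"}


@dataclass
class Rule:
    """One if-then statement: when `condition(request)` holds, apply `effect`."""
    name: str
    effect: str                               # "allow" or "deny"
    condition: Callable[[Request], bool]


def between(hhmm: str, start: str, end: str) -> bool:
    """Zero-padded HH:MM strings compare correctly as text."""
    return start <= hhmm < end


# ABAC layer (constructed). Evaluated top to bottom; first match wins;
# a request that matches no rule is denied.
RULES = [
    # "If IT administrators access the database from home between 8 AM and
    #  10 AM, they can edit user data."
    Rule("admin-home-edit-window", "allow",
         lambda r: "it_admin" in r.roles and r.resource == "database"
         and r.action == "edit" and r.env.get("location") == "home"
         and between(r.env.get("time", ""), "08:00", "10:00")),
    # "If IT administrators access the database from home, they can read it."
    Rule("admin-home-read", "allow",
         lambda r: "it_admin" in r.roles and r.resource == "database"
         and r.action == "read" and r.env.get("location") == "home"),
    # In the office the static role applies unchanged.
    Rule("admin-office", "allow",
         lambda r: "it_admin" in r.roles and r.resource == "database"
         and r.env.get("location") == "office"),
    # Payroll staff may use their role only during an extended workday;
    # RBAC still decides which actions that role carries.
    Rule("payroll-workday", "allow",
         lambda r: "payroll_clerk" in r.roles
         and between(r.env.get("time", ""), "07:00", "19:00")),
]


def rbac_permits(req: Request) -> bool:
    """Static check: does any assigned role carry (action, resource)?"""
    return any((req.action, req.resource) in ROLE_PERMISSIONS.get(role, set())
               for role in req.roles)


def decide(req: Request) -> tuple:
    """RBAC gate first, then contextual rules; returns (decision, reason)."""
    if not rbac_permits(req):
        return "deny", "no assigned role grants this action on this resource"
    for rule in RULES:
        if rule.condition(req):
            return rule.effect, f"matched rule {rule.name}"
    return "deny", "no contextual rule allows this request (default deny)"


def evaluate(user, roles, action, resource, location, hhmm) -> str:
    """Convenience wrapper returning only the decision string."""
    req = Request(user, set(roles), action, resource,
                  {"location": location, "time": hhmm})
    return decide(req)[0]


if __name__ == "__main__":
    cases = [
        ("alice", ["it_admin"], "edit", "database", "home", "09:15"),
        ("alice", ["it_admin"], "edit", "database", "home", "11:00"),
        ("alice", ["it_admin"], "read", "database", "home", "23:00"),
        ("ted", ["payroll_clerk"], "run", "payroll", "home", "01:00"),
        ("ted", ["payroll_clerk"], "run", "payroll", "home", "09:00"),
        ("ted", ["payroll_clerk"], "edit", "database", "office", "09:00"),
    ]
    for c in cases:
        print(*c, "->", evaluate(*c))
```

Two design points carry over to any real deployment: the RBAC table answers only “does this role ever get this permission”, so a payroll clerk trying to edit the database is refused before any attribute is consulted, and the rule list is default-deny, so an IT administrator editing from home at 11:00 is refused even though no rule names that case. Ordering matters when rules overlap; keep the narrowest conditions first.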

Creating a Robust Data Security Strategy Using a Hybrid SAP Access Control Model

As organizations accelerate their digital transformation initiatives and allow more remote access to data and transactions, they need a way to configure a layered defense using a hybrid approach to SAP access control. Starting with RBAC, organizations set the foundation of their access policies. However, by incorporating different attributes such as user, resource, action, and environment characteristics, you can more appropriately limit access to and within your SAP data.

Without a solution like Appsian, the closest an organization can come to granting dynamic access to SAP is through customization or adding a derived role to a user for each attribute value. Both options are costly and ultimately unmanageable in the long run.

Contact us to learn how Appsian can help you extend and enhance your existing SAP access controls and improve your reporting and auditing capabilities.