Managing Third-Party Risks with Continuous Controls Monitoring

By David Vincent • August 10, 2021

Third-Party Risk Management (TPRM) is the process of analyzing and controlling the risks presented to your company, your operations, your data, and your finances by Third-Party Service Providers (TPSPs). Most companies rely on a network of third-party vendors, suppliers, and service providers to support their business. As an integral part of overall business operations, these third parties end up storing, collecting, uploading, and accessing data as needed.

However, adding TPSP users to your ERP applications also increases the risk of data exposure and the possibility of breaches. Though most businesses have access controls in place and undertake periodic audits to assess and mitigate this risk, TPSPs remain one of the major causes of data breaches, and static access controls alone are not enough. Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) model holds that organizations need to move away from a one-time, yes/no risk decision at the main gate to their systems (a static authentication and authorization check) toward continuous, real-time, adaptive analysis of risk and trust that evaluates user anomalies with context-aware information across the platform. (Context-aware security uses situational information such as identity, geolocation, time of day, or type of endpoint device, as found in Attribute-Based Access Control (ABAC) models.)

Additionally, with roles and authorizations constantly changing across your ERP applications, tracking changes manually at the transaction, process, and application level is virtually impossible, and with hundreds or even thousands of TPSPs it is difficult to monitor user activity closely enough with traditional role-based access management to detect and stop threats quickly. This is where ABAC and Continuous Controls Monitoring (CCM) change the overall approach: identification, detection, protection, and response become continuous rather than periodic.
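As an added example (not Appsian code, and not part of the original post), the following Python shows the difference between the one-time RBAC gate and a context-aware ABAC decision of the kind the CARTA model calls for. The role names, transaction codes, the business-hours window, the allowed countries for third-party staff, and the sample requests are all constructed assumptions; the point is that the same role answers differently once geolocation, time of day, endpoint state, and the action being performed are part of the decision.

```python
"""Context-aware (ABAC) access decision for an ERP transaction request.

Added example, not Appsian code. Attribute names, the policy and the
sample requests below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Request:
    user: str
    user_type: str          # "employee" or "third_party"
    role: str               # static RBAC role the user holds
    transaction: str        # ERP transaction code being invoked
    action: str             # "view" or "export"
    country: str            # geolocation of the session
    device_managed: bool    # endpoint enrolled in corporate device management
    mfa: bool               # session passed a second factor
    when: datetime


# Assumed static role-to-transaction grants (the yes/no gate).
ROLE_TRANSACTIONS = {
    "AP_CLERK": {"FB60", "FBL1N"},   # post vendor invoice, display vendor line items
    "VENDOR_MAINT": {"XK02"},        # change vendor master
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))
THIRD_PARTY_COUNTRIES = {"US", "CA"}    # assumed contract scope for TPSP staff


def rbac_allows(req: Request) -> bool:
    """The one-time gate: does the role hold the transaction?"""
    return req.transaction in ROLE_TRANSACTIONS.get(req.role, set())


def abac_decide(req: Request) -> tuple[bool, list[str]]:
    """Context-aware decision on top of RBAC. Returns (allowed, deny reasons).

    Every request is re-evaluated with the session's current attributes,
    so the same role yields different answers in different contexts.
    """
    if not rbac_allows(req):
        return False, ["role does not grant transaction"]

    reasons: list[str] = []
    in_hours = BUSINESS_HOURS[0] <= req.when.time() <= BUSINESS_HOURS[1]

    if req.user_type == "third_party":
        if req.country not in THIRD_PARTY_COUNTRIES:
            reasons.append(f"third-party session from {req.country}")
        if not req.device_managed:
            reasons.append("third-party session from unmanaged device")
        if not in_hours and req.transaction == "FB60":   # FB60 posts, FBL1N only displays
            reasons.append("third-party posting outside business hours")
    if req.action == "export" and not (req.mfa and req.device_managed):
        reasons.append("export requires MFA on a managed device")
    return not reasons, reasons


# Constructed requests: one third-party AP clerk in several contexts, one employee.
SAMPLE_REQUESTS = [
    Request("vend_acme01", "third_party", "AP_CLERK", "FB60", "view", "US", True, True, datetime(2021, 8, 10, 10, 30)),
    Request("vend_acme01", "third_party", "AP_CLERK", "FB60", "view", "US", False, True, datetime(2021, 8, 10, 10, 30)),
    Request("vend_acme01", "third_party", "AP_CLERK", "FB60", "view", "BR", True, True, datetime(2021, 8, 10, 2, 15)),
    Request("vend_acme01", "third_party", "AP_CLERK", "FBL1N", "export", "US", True, False, datetime(2021, 8, 10, 14, 0)),
    Request("jdoe", "employee", "AP_CLERK", "XK02", "view", "US", True, True, datetime(2021, 8, 10, 14, 0)),
]


def evaluate_all(requests=SAMPLE_REQUESTS) -> list[dict]:
    """Side-by-side: what the static gate says versus the contextual decision."""
    out = []
    for r in requests:
        allowed, reasons = abac_decide(r)
        out.append({"user": r.user, "rbac": rbac_allows(r), "abac": allowed, "reasons": reasons})
    return out


if __name__ == "__main__":
    for row in evaluate_all():
        print(row)
```

The third-party account holding AP_CLERK passes the RBAC gate in every one of its four requests; the ABAC rules refuse the same account on an unmanaged device, from a country outside the contract scope at 02:15, and when exporting line items without MFA, and they return the reasons so each denial can be logged for the continuous monitoring discussed later in the post.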

The Third-Party Risk Landscape

Before diving into the need for CCM, it is crucial to understand the gravity of the security situation when it comes to third-party access. Digital relationships with third-party providers have become a necessity. Collaboration with third-party vendors increases opportunities for business growth, capturing market share, and cost reduction, but the flip side is an increase in security breaches.

A 2018 Opus & Ponemon Institute survey of more than 1,000 CISOs revealed that 61% of U.S. companies had experienced a data breach caused by one of their third-party providers, up 12 percentage points since 2016. Furthermore, 22% of respondents admitted they did not know whether they had suffered a third-party data breach during the past 12 months, and more than three-quarters of companies think third-party security breaches are increasing.

On average, organizations spend more than $10M responding to third-party security breaches each year. However, information security is not the only area impacted. Third-party relationships can introduce strategic, financial, operational, contractual, credit, compliance, business continuity, and reputational risks.

Research conducted by Gartner in 2019 found that third-party risk was identified as a top threat by compliance leaders, and 71% of organizations report their third-party network contains more third parties than it did three years ago. Furthermore, the same percentage reports their third-party network will grow even bigger in the next three years.

What is Continuous Controls Monitoring?

Gartner defines continuous controls monitoring (CCM) as “a set of technologies to reduce business losses through continuous monitoring and reducing the cost of audits through continuous auditing of the controls in financial and other transactional applications.”

In simpler terms, CCM shifts from the traditional audit and assessment approach, which samples a portion of the data at regular intervals, to monitoring 100% of the transactions and controls continuously, 24/7, 365 days a year.

A core objective of CCM is to ensure that the controls operate as designed and that transactions are processed appropriately. Done right, CCM not only increases the reliability of the controls but also improves management oversight, policy enforcement, and operational efficiency for critical financial processes, often producing hard-dollar savings.

How Continuous Controls Monitoring Reduces Third-Party Risk

The risk posed by providing access to third-party vendors makes it imperative for businesses to ensure that third-party access to applications and data is controlled and audited. Unfortunately, despite having access control mechanisms in place, third-party data breaches have been on the rise. One of the key reasons for this is the lack of effective monitoring of user anomalies. Roles and authorizations are never static. As new vendors are added, granted varying degrees of authorizations, and terminated from the system, there is a need to continuously monitor access controls and user behavior associated with critical data.

Current auditing practices are primarily manual and time-consuming, with auditors looking only at a sample of the data logs. As a result, a significant part of the process- and transaction-level data goes entirely unexamined. By implementing tools and technologies that enable Continuous Controls Monitoring (CCM) at the access, transaction, and master data level, businesses can automate the risk and control assessment and monitoring needed to demonstrate control effectiveness for audit, risk, and compliance management programs.
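To make the sampling-versus-coverage point concrete, here is an added Python example (not Appsian code) that runs three controls over a constructed log of third-party user transactions, first over every row and then over a traditional sample. The transaction codes, the approval threshold, the seven-day window, and the log rows themselves are assumptions made for the illustration; a real implementation would read the ERP’s audit log and change documents.

```python
"""Continuous controls monitoring over a third-party user transaction log.

Added example, not Appsian code. The log, the transaction codes, the
approval threshold and the seven-day window are constructed assumptions.
"""
from __future__ import annotations

import csv
from datetime import date, datetime, timedelta
from io import StringIO

# Constructed log: one row per ERP transaction executed by a third-party account.
SAMPLE_LOG = """\
ts,user,contract_end,tcode,vendor,amount
2021-08-02T09:12:00,vend_acme01,2021-08-31,FB60,V100,4200.00
2021-08-02T09:40:00,vend_acme01,2021-08-31,FBL1N,V100,0
2021-08-03T11:05:00,vend_beta02,2021-07-31,FB60,V220,1850.00
2021-08-03T15:22:00,vend_acme01,2021-08-31,XK02,V100,0
2021-08-04T08:30:00,vend_acme01,2021-08-31,F-53,V100,61000.00
2021-08-04T10:01:00,vend_gama03,2021-12-31,FBL1N,V310,0
2021-08-05T09:00:00,vend_gama03,2021-12-31,FB60,V310,900.00
2021-08-05T17:45:00,vend_beta02,2021-07-31,FBL1N,V220,0
2021-08-06T12:10:00,vend_acme01,2021-08-31,FB60,V100,3100.00
2021-08-06T13:00:00,vend_gama03,2021-12-31,FB60,V310,24999.00
"""

PAYMENT_THRESHOLD = 25000.0             # assumed approval limit for third-party postings
BANK_CHANGE_WINDOW = timedelta(days=7)  # assumed look-back after a vendor master change
POSTING_TCODES = {"FB60", "F-53"}       # invoice entry, outgoing payment
VENDOR_CHANGE_TCODE = "XK02"            # change vendor master (incl. bank details)
PAYMENT_TCODE = "F-53"

C1_CONTRACT_END = "C1 access after contract end"
C2_THRESHOLD = "C2 posting above threshold"
C3_MASTER_THEN_PAY = "C3 vendor master change then payment"


def parse_log(text: str) -> list[dict]:
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["ts"]),
            "user": r["user"],
            "contract_end": date.fromisoformat(r["contract_end"]),
            "tcode": r["tcode"],
            "vendor": r["vendor"],
            "amount": float(r["amount"]),
        })
    return rows


def run_controls(events: list[dict]) -> list[tuple[int, str, str]]:
    """Evaluate every event against every control.

    Returns (index in events, control name, user) for each hit.
    """
    alerts = []
    last_change: dict[tuple[str, str], datetime] = {}  # (user, vendor) -> time of XK02
    for i, e in enumerate(events):
        # C1: the account is still transacting after its contract ended,
        # i.e. it was never deprovisioned.
        if e["ts"].date() > e["contract_end"]:
            alerts.append((i, C1_CONTRACT_END, e["user"]))
        # C2: a third-party account posted an amount above the approval limit.
        if e["tcode"] in POSTING_TCODES and e["amount"] > PAYMENT_THRESHOLD:
            alerts.append((i, C2_THRESHOLD, e["user"]))
        # C3: the same account changed a vendor's master record and then
        # paid that vendor inside the window (the bank-detail fraud pattern).
        if e["tcode"] == VENDOR_CHANGE_TCODE:
            last_change[(e["user"], e["vendor"])] = e["ts"]
        elif e["tcode"] == PAYMENT_TCODE:
            changed = last_change.get((e["user"], e["vendor"]))
            if changed is not None and e["ts"] - changed <= BANK_CHANGE_WINDOW:
                alerts.append((i, C3_MASTER_THEN_PAY, e["user"]))
    return alerts


def sampled_review(events: list[dict], every: int) -> list[tuple[int, str, str]]:
    """Traditional audit: inspect only every Nth transaction, with control
    state built from the sample alone. Indices are mapped back to the full log."""
    return [(j * every, c, u) for j, c, u in run_controls(events[::every])]


def compare(every: int = 5) -> dict[str, list[tuple[int, str, str]]]:
    events = parse_log(SAMPLE_LOG)
    return {"continuous": run_controls(events), "sampled": sampled_review(events, every)}


if __name__ == "__main__":
    for mode, hits in compare().items():
        print(mode, hits)
```

Run over every row, the controls surface an account still active after its contract ended (twice), a payment above the threshold, and the vendor-master-change-then-payment sequence. A one-in-five sample sees none of them, and even a one-in-two sample misses the sequence control, because the XK02 change and the payment do not both land in the sample; that is the difference between auditing a sample and monitoring 100% of transactions.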

Enabling Continuous Controls Monitoring with Appsian Security

The list of third-party vendors your business works with is only going to grow over time. In addition to managing the security risk, companies must also comply with regulations like GDPR, SOX, and CCPA, which adds further burden and cost. CCM technologies offered by Appsian provide real-time, context-based monitoring within your ERP applications at the access, transaction, and data level so that you are audit-ready.

Appsian 360 helps you detect and respond to fraud, theft, and errors by employees and third parties by capturing granular data at multiple levels. Through a visually rich dashboard, you can identify data access and usage trends at the business process, transaction, and data level that reflect suspicious activity by any third-party vendor. In addition, the continuous monitoring and detailed log data eliminate much of the manual work required for audits and help you remain compliant with new data privacy regulations.

Appsian’s Identity and Access Management (IAM) simplifies and elevates user access management in dynamic multi-vendor ERP environments. It enforces the zero-trust principle, enables context-based, real-time, dynamic risk and trust analysis of user anomalies, and configures preventative controls at the business process, transaction, and field levels. Finally, it allows policy enforcement through the ABAC security model.

ProfileTailor GRC enables you to automate user provisioning to ensure effective role assignments for third-party vendors. The solution allows auditors and security managers to perform periodic user access reviews and recertification to maintain compliance and security within your ERP applications. With ProfileTailor GRC, a single SoD ruleset can be enforced across multiple ERP applications at once, ensuring that third-party vendors across your organization have controlled authorizations. In addition, ProfileTailor GRC’s real-time monitoring uses AI and machine learning to perform an impact analysis, alerting you to violations as they happen and proposing mitigating controls to prevent repeat violations.

Connect with our ERP security experts to learn more about how Appsian can enable Continuous Controls Monitoring to mitigate your third-party risk. Schedule a Demo.

Put the Appsian Security Platform to the Test

Schedule Your Demonstration and see how the Appsian Security Platform can be tailored to your organization’s unique objectives

3 Reasons Why You Need a Comprehensive SAP Role Audit Before a S/4HANA Migration

By Esha Panda • July 21, 2021

As SAP ECC customers prepare for their migration to S/4HANA, they are assessing the pros and cons of this transition in terms of cost, compliance, and data security. A critical step in an S/4HANA migration is a thorough audit of the existing SAP roles and authorizations, together with optimizing license spend for current users. Organizations need to consider three key factors during a complete SAP audit for better role management before an S/4HANA migration.

SAP Role Audits Can Optimize Your License Spend

Many organizations still view their SAP licensing as a black box. They are ready to spend millions of dollars on SAP without understanding which licenses are being consumed or which licenses are required for each user. A common mistake many organizations make without realizing it is misclassifying users due to the lack of visibility into the usage of each employee.

A comprehensive SAP role audit classifies all users, accounts, and roles and eliminates those not in use. The following best practices help optimize license spend before the S/4HANA migration:

Combine Users Between SAP Systems 

Often, a single license is enough to access multiple SAP applications. Mapping the accounts one person holds in different SAP systems to a single named user frees up licenses that can be allocated to other users and stops the company from paying twice for the same person.

Remove Inactive or Dormant Users

Certain users access the system only a few times a year, yet they are assigned Professional or Limited Professional license types. Since many corporations have no visibility into actual usage data for each role, account, or user, it is difficult to identify inactive users. By eliminating inactive and dormant users, organizations can reallocate licenses to new users immediately, providing instant savings.

Classify All Users and Roles

Most SAP users utilize only a fraction of their allocated authorizations. Focusing on actual usage based on the users’ roles ensures that companies are neither under- nor over-licensed. In addition, by classifying all users, organizations avoid the additional cost of Professional Licenses, the type that unclassified users are typically counted as by default.

SAP Role Audits Ensure Data Security Via Dynamic Access Controls

An S/4HANA migration often exposes the “crown jewels” data to the risks of mobile and remote access, because the network firewall no longer stands between the user and the data. You need to know what type of data is being exposed to your external users. That determines how you define the roles and how data is taken from the application and delivered to the users.

This requires protection at the user interface layer: defining how each persona is allowed to see the data. Organizations conducting SAP audits need dynamic access controls that give visibility into:

  • Where is a user coming from?
  • What data are they trying to access?
  • What device are they using?
  • Is that device being used by the right person?
  • What data are they trying to extract onto their device?

Periodic role reviews and audits ensure that only users holding the proper roles can view sensitive data, which is otherwise masked or encrypted. For example, not every HR employee should have the role or access rights to view employees’ payroll data.

SAP Role Audits Are an Opportunity to Verify SoD Compliance

Organizations migrating to S/4HANA need to leverage SAP access control or security monitoring solutions to perform periodic role and user analysis. The data collected during this audit can also help verify SoD compliance. Segregation of Duties conflicts, especially in financial and procurement transactions, are a significant reason for audit failures. Role audits are also an opportunity to collaborate with your organization’s compliance team to ensure that you are securing your data and adhering to mandatory compliance requirements across your SAP ecosystem.

How Appsian’s ProfileTailor GRC Helps with SAP Role Audits

Migrating to S/4HANA remains a long and complicated process for organizations. The first big step is an exhaustive audit of the new and existing roles to enable effective role management in the SAP system. A role management solution offers access simulation, enabling administrators and role owners to perform “what if” analysis at each stage of a role’s life cycle and to support compliant user provisioning. It also provides mechanisms for role design that reduce SoD conflicts and improve administration efficiency across SAP and other ERP and business applications, usually including a mechanism for transporting new or updated role definitions into the appropriate application environments.

Appsian Security helps businesses with its ProfileTailor GRC Solution, ensuring cross-platform ERP data security, compliance, and SAP license optimization. It delivers unprecedented visibility of real-time authorization usage, helping companies optimize their spending before migrating to S/4HANA.

Want a secure and seamless transition to S/4HANA without spending a hefty sum on your licenses? Then, download our whitepaper, Critical Steps You Should Take Before Making the Move To S/4HANA, and reach out to schedule a demo with our SAP security experts.

Why Automation is Key to Resolving SoD Conflicts in SAP

By Shiv Sujir • July 16, 2021

Companies using SAP typically have some type of structured governance, risk, and compliance (GRC) strategy to manage their overall governance and enterprise risk management and meet compliance requirements. An essential component of any GRC strategy is detecting and resolving SAP segregation of duties (SoD) conflicts. 

SoD weighs heavily on financial management and reporting, especially for public companies or those receiving government funds. When unresolved SoD conflicts appear on audit reports, a company’s compliance with the Sarbanes-Oxley Act (SOX) and with data privacy regulations like GDPR is negatively impacted.

Spreadsheets: The Traditional Approach to Managing Segregation of Duties 

For a long time, companies have relied on spreadsheets to track and maintain roles and authorizations granted to employees. While spreadsheets are great to get started on your compliance program, they can create several hurdles as your organization grows in size and complexity.  

  • Human Error: No matter how meticulous, humans are prone to making errors, especially when dealing with thousands of rows across multiple sheets and files. Every new change can trigger a cascade of changes which is hard to keep track of manually. 
  • Low Visibility: In most cases, it’s more than just one person working on the spreadsheet with no visibility into who is editing what and where. With multiple teams/members making changes, the probability of error also increases. 
  • Reporting Delays: Collating, validating, and analyzing data that is spread across various tabs and files requires a significant amount of man-hours. This results in reporting delays and after-the-fact detection of SoD conflicts. 
  • Lack of Audit Trails: Simply put, Excel sheets cannot maintain an audit trail. Even if you can track changes, getting into each version of the file to view changes is a long and laborious process.  
  • Limited Insights: Spreadsheets are static and do not have the ability to cross-reference data to provide actionable insights. Also, manually sifting through large volumes of data makes it difficult to detect behaviors that impact risk. 

The reasons mentioned above make it abundantly clear that the spreadsheet method of tracking and resolving SoD violations is slow, inefficient, and error-prone. With regulatory authorities imposing compliance mandates and hefty fines on companies that fail to meet audit requirements, there is an immediate need to update your approach to GRC with tools that are equipped for the job. 

Segregation of Duties Conflicts Are Not Static 

An increasing number of companies that use SAP are realizing that segregation of duties conflicts are a significant cause of audit failures. This is mainly because SAP authorizations are not static, and neither are SoD violations. As employee roles and duties change over time, it becomes difficult to keep track of authorizations and of the SoD rules that govern the limits of each role. For example, when a procurement team member who is authorized to approve new vendors retires, that role could be assigned to someone on the team who is already authorized to issue purchase orders. This immediately creates a conflict of interest and results in an SoD violation.

In large organizations, such violations happen regularly, and without the tools to detect and resolve them immediately, an audit failure is inevitable. To address this challenge, companies deploy simulation solutions that allow them to see if granting an authorization could cause an SoD conflict. However, these results are generally ignored since most simulation tools do not offer options to resolve the conflict. The reality is that holding up authorizations can directly impact the operational efficiency of the business, which usually wins over compliance requirements in the short term.  
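The procurement example above (a purchase-order issuer inheriting vendor-maintenance access) is exactly what a what-if simulation is meant to catch, and what a resolver should answer. The following added Python example, which is not ProfileTailor GRC code, implements both on a constructed role-to-transaction map and SoD ruleset; the role names, transaction codes, business functions, and rule IDs are assumptions.

```python
"""What-if segregation-of-duties check for a proposed SAP role assignment.

Added example, not ProfileTailor GRC code. Role names, transaction codes,
functions and rule IDs are constructed assumptions.
"""
from __future__ import annotations

from itertools import combinations

# Assumed PFCG role -> transaction codes it grants.
ROLE_TCODES = {
    "Z_PUR_BUYER":       {"ME21N", "ME22N", "ME23N"},  # create/change/display PO
    "Z_PUR_VENDOR_MGMT": {"XK01", "XK02", "XK03"},     # create/change/display vendor
    "Z_PUR_VENDOR_DISP": {"XK03"},                     # display vendor only
    "Z_AP_INVOICE":      {"MIRO", "FB60"},             # enter invoices
    "Z_AP_PAYMENT":      {"F110", "F-53"},             # run/post payments
}

# Assumed business functions and the rules that say which pairs conflict.
FUNCTIONS = {
    "maintain_vendor": {"XK01", "XK02"},
    "create_po":       {"ME21N", "ME22N"},
    "enter_invoice":   {"MIRO", "FB60"},
    "post_payment":    {"F110", "F-53"},
}
SOD_RULES = [
    ("maintain_vendor", "create_po",     "P01"),
    ("maintain_vendor", "post_payment",  "P02"),
    ("enter_invoice",   "post_payment",  "P03"),
    ("create_po",       "enter_invoice", "P04"),
]


def user_tcodes(roles: set[str]) -> set[str]:
    """Union of everything the user's roles grant; SoD is evaluated on this,
    not on single roles, because conflicts usually span two roles."""
    return set().union(*(ROLE_TCODES[r] for r in roles)) if roles else set()


def violations(roles: set[str]) -> list[str]:
    """Rule IDs violated by the combined transactions of these roles."""
    tcodes = user_tcodes(roles)
    return [rule_id for f1, f2, rule_id in SOD_RULES
            if FUNCTIONS[f1] & tcodes and FUNCTIONS[f2] & tcodes]


def simulate_assignment(current: set[str], new_role: str) -> list[str]:
    """What-if: rules the user would *newly* violate after receiving new_role."""
    before = set(violations(current))
    after = set(violations(current | {new_role}))
    return sorted(after - before)


def resolve(current: set[str], new_role: str) -> list[tuple[str, object]]:
    """Offer concrete resolutions instead of a bare yes/no:
    ("grant", None)        nothing to fix
    ("substitute", role)   a narrower role carved from the requested one
    ("remove", [roles])    smallest set of existing roles to drop
    """
    target = current | {new_role}
    if not violations(target):
        return [("grant", None)]
    options: list[tuple[str, object]] = []
    for alt, tcodes in sorted(ROLE_TCODES.items()):
        if alt != new_role and tcodes < ROLE_TCODES[new_role] \
                and not violations(current | {alt}):
            options.append(("substitute", alt))
    for k in range(1, len(current) + 1):
        for drop in combinations(sorted(current), k):
            if not violations(target - set(drop)):
                options.append(("remove", list(drop)))
        if any(kind == "remove" for kind, _ in options):
            break  # stop at the smallest removal size that works
    return options or [("escalate", None)]


if __name__ == "__main__":
    # The retiring approver's vendor role is proposed for a colleague who issues POs.
    buyer = {"Z_PUR_BUYER"}
    print(simulate_assignment(buyer, "Z_PUR_VENDOR_MGMT"))   # ['P01']
    print(resolve(buyer, "Z_PUR_VENDOR_MGMT"))
```

simulate_assignment reports only the rules the new role would newly violate, so a user’s pre-existing conflicts are not blamed on the request. resolve offers a narrower substitute role when one exists (here the display-only vendor role, which is enough if the colleague only needs to look vendors up) and otherwise the smallest set of existing roles whose removal clears the conflict; that is the decision the administrator actually has to make, rather than the bare yes/no most simulation tools stop at.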

Automation is the Key to Resolving SoD Conflicts 

To proactively detect and prevent SoD violations, organizations need to go beyond simulation and invest in solutions that constantly monitor SAP roles and authorizations. Solutions that go one step further and offer options for resolution allow administrators to act quickly without creating further conflicts. Appsian Security ProfileTailor GRC was designed with the challenges of companies that struggle to meet compliance requirements because of SoD conflicts in mind. With real-time automated monitoring, ProfileTailor GRC enables you to detect and resolve SoD violations within minutes.

Whether you have new employees needing authorizations, current employees changing positions or roles, or someone leaving the organization, ProfileTailor GRC will do the heavy lifting for you and provide you with an ongoing, fully automated, and integrated solution. 

Download our white paper Quickly Resolve Segregation of Duties Conflicts to learn how automation can help enable GRC in your organization. 

You’re Spending Too Much on Your SAP Licenses. Here’s Why!

By Shiv Sujir • July 13, 2021

There is no denying that SAP applications make it easy for large organizations in almost every industry to streamline their business processes. That ease does not extend to SAP software license management, which, by all accounts, is among the most complex of any ERP vendor. This complexity leads companies to buy more licenses than they need or to manage their existing SAP license types inefficiently, which significantly increases overall cost. Here is why you end up spending more than you should on your SAP licenses (and a tool that can help you save some money).

Vague SAP License Descriptions

SAP license descriptions are not airtight, and it is mainly left to you, the customer, to decide the type and number of licenses you need. SAP licenses can be broadly categorized into three types.

  • Professional License: A named user with a Professional License can perform operational tasks and has administrative privileges that allow them to make changes to the system. It is usually assigned to employees who are heavy users.
  • Limited Professional License: This license is ideal for employees who need to perform operational roles supported by the SAP software. It is a step down from the Professional License and is also cheaper.
  • Employee License: With this license, users can perform tasks solely for their own use and not on behalf of anyone else. This license costs the least.

An SAP license is always associated with a user who is called a named user. The ‘name’ in this context is not an actual user name but a unique ID linked to a license. There can only be one license associated with a named user at any given time. However, a named user can have multiple user names to access different SAP systems. 

This makes it increasingly complicated to assign the appropriate license type. For example, a single user could be using an ERP system for updating inventory, a second ERP system for monthly invoice approvals, and a third one for downloading reports. Which license would be applicable in such a case? Now imagine figuring out license types for thousands of employees accessing multiple systems. 

Improper User Classification 

User classification is a crucial exercise for SAP software license management that directly impacts your license cost and the recurring annual support fee. Most SAP customers classify their users with one of three parameters:  

  • Amount of Activity: The amount of activity performed by the user is one way to classify the user. SAP measures activity in dialog steps, the number of screens and keystrokes used.
  • Number of Different Activities: Users can also be classified by the number of different activities, or the number of different applications, they access on a regular basis.
  • Type of Activity or Activity Group: The type of activity can be used as the yardstick for license purchases. Under this classification, users are grouped by the type of usage, which requires customers to assess the activities each user needs to perform and create the groups.

Though this classification process appears straightforward, several gray areas appear in practice. For example, when classifying users by amount of activity, a user could open the corporate phone directory in the SAP system 1,000 times, but that does not mean they need a Professional License. Or an employee might access multiple systems only to generate reports: under the second classification this user would be put on a Limited Professional License, whereas an Employee License would most likely suffice, since the user is only viewing and downloading data.

Classifying users as described above makes logical sense, but large organizations need to invest significant time and resources to apply these methods. Also, employee roles keep shifting, and usage may vary significantly over a given period, which makes classification difficult to perform and impossible to maintain manually without errors.
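The role-audit steps from the S/4HANA post earlier on this page (combine one person’s accounts across systems, remove dormant users, classify the rest) and the classification parameters just listed can all be driven from a usage export. The following added Python example, which is not ProfileTailor LicenseAuditor code, does that over constructed usage records; the dormancy threshold, the grouping of transaction codes into administrative, display-only, and self-service activity, the audit date, and the person IDs are assumptions, and the license categories themselves are whatever the customer’s SAP contract defines.

```python
"""Named-user classification for SAP licensing from a usage export.

Added example, not ProfileTailor LicenseAuditor code. The usage rows,
the transaction groupings, the dormancy threshold and the audit date are
constructed assumptions; the license categories are defined by contract.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date, timedelta

# Assumed grouping of transaction codes by type of activity.
ADMIN_TCODES = {"SU01", "PFCG", "SE38", "SM30"}                    # user/role/system admin
DISPLAY_TCODES = {"ME23N", "XK03", "FK03", "FBL1N", "ZPHONEBOOK"}  # read-only
SELF_SERVICE_TCODES = {"PZ02", "ESS_TIME"}                         # employee self-service

DORMANT_AFTER = timedelta(days=180)
AS_OF = date(2021, 7, 13)   # assumed audit date

# Constructed usage export: (system, username, person_id, last_login, {tcode: dialog steps}).
# person_id is the HR identifier that ties one person's usernames together.
USAGE = [
    ("ERP", "JSMITH", "E1001", date(2021, 7, 1),  {"ME21N": 340, "ME23N": 900}),
    ("CRM", "SMITHJ", "E1001", date(2021, 6, 20), {"ZPHONEBOOK": 1000}),
    ("ERP", "ADAMS",  "E1002", date(2021, 7, 12), {"SU01": 50, "PFCG": 30}),
    ("ERP", "LEEK",   "E1003", date(2021, 7, 10), {"FBL1N": 400, "FK03": 20}),
    ("BW",  "LEEK",   "E1003", date(2021, 7, 9),  {"FBL1N": 100}),
    ("ERP", "OLDUSR", "E1004", date(2020, 11, 2), {"ME21N": 5}),
    ("ERP", "MPATEL", "E1005", date(2021, 7, 8),  {"PZ02": 60}),
]


def merge_named_users(usage=USAGE) -> dict[str, dict]:
    """Step 1: collapse the usernames a person holds across systems into
    one named user, since only one license attaches to a named user."""
    users = defaultdict(lambda: {"accounts": [], "last_login": None, "tcodes": defaultdict(int)})
    for system, username, person_id, last_login, tcodes in usage:
        u = users[person_id]
        u["accounts"].append(f"{system}/{username}")
        if u["last_login"] is None or last_login > u["last_login"]:
            u["last_login"] = last_login
        for tcode, steps in tcodes.items():
            u["tcodes"][tcode] += steps
    return dict(users)


def classify(u: dict, as_of: date = AS_OF) -> str:
    """Steps 2 and 3: drop dormant users, then classify the rest by the
    *type* of activity rather than by dialog-step volume."""
    if as_of - u["last_login"] > DORMANT_AFTER:
        return "DORMANT"
    used = set(u["tcodes"])
    if used & ADMIN_TCODES:
        return "PROFESSIONAL"
    if used <= DISPLAY_TCODES | SELF_SERVICE_TCODES:
        return "EMPLOYEE"
    return "LIMITED_PROFESSIONAL"


def license_plan(usage=USAGE, as_of: date = AS_OF) -> dict[str, str]:
    """One recommended license type per named user (person_id)."""
    return {pid: classify(u, as_of) for pid, u in merge_named_users(usage).items()}


def summary(usage=USAGE, as_of: date = AS_OF) -> dict:
    plan = license_plan(usage, as_of)
    by_type: dict[str, int] = defaultdict(int)
    for lic in plan.values():
        by_type[lic] += 1
    return {"accounts": len(usage), "named_users": len(plan), "by_type": dict(by_type)}


if __name__ == "__main__":
    print(summary())
```

Classifying by type of activity rather than volume is what keeps the user with 1,000 phone-directory dialog steps out of the Professional tier, and mapping usernames to one person by person_id is what turns seven accounts into five named users (one of them dormant and needing no license at all) before any license type is assigned.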

That’s why SAP customers rely on automated tools like Appsian Security ProfileTailor LicenseAuditor to classify users by their actual activity and assign SAP license types accordingly. SAP software license management and auditing tools also help achieve compliance and manage SAP usage.

Knowledge Equals Savings

SAP licenses are a huge investment for any organization. Gaining a better understanding of your overall license status, usage, and spend not only helps you manage your current licenses but also allows you to negotiate a better deal. With SAP announcing the end of support for classic SAP applications like SAP ERP, SCM, SRM, CRM, and Business Suite by 2027, all customers will eventually have to migrate to SAP S/4HANA. By auditing your current SAP usage and forecasting future license requirements, you can ensure significant savings for your company as you go through with the migration.

Appsian Security ProfileTailor LicenseAuditor gives you control over your SAP licensing by combining user inspection, user behavior analysis, and best practices. The solution lets you use your licenses effectively by offering a clear view of licensing possibilities for optimized models, with savings of 50%-90% per classified license.

To learn more about SAP software license management, read our complete guide 5 Simple Ways to Reduce Your SAP License Spending.  

Or contact us today for a ProfileTailor LicenseAuditor demonstration.

Uniting Appsian & Xpandion (GRC): Thoughts from Xpandion CEO, Moshe Panzer

By Michael Cunningham • May 5, 2021

Taken from Moshe Panzer’s May 4th blog post on xpandion.com:

For 14 years, Xpandion has been on a mission: to help organizations create better alignment between user permissions, authorizations, and security best practices. Xpandion’s innovation originated from our deep roots in SAP and developed alongside the market’s enterprise business processes that steadily increased in complexity. This challenge ushered in the creation of ProfileTailor Dynamics, a platform that combines authorization management and segregation of duties (SoD). The goal was to simplify GRC.

Further product development would focus on the entire authorization workflow – from authorization request to provisioning/de-provisioning to authorization monitoring – as it became clear that our customers were also challenged with bottlenecks in the authorization process. Our customers embraced this holistic solution but quickly requested the same functionality be cross-application (e.g., Microsoft Dynamics, Oracle EBS, Active Directory, Salesforce).

In addition, we developed tools designed to further streamline and optimize the authorization process: Role Advisor, Conflict Resolver, Role Remover, and Role Splitter. All designed to reduce the authorization workflow process from months to minutes.

The ERP Market’s Evolving Security & Compliance (GRC) Requirements

While we are proud of what we’ve accomplished, we couldn’t help but realize that the ERP community faced security and compliance challenges we could not solve. Primarily, these were the limitations of native identity governance, access control, and business process controls that become a requirement once access beyond the firewall becomes commonplace. In short, remote access demands created risks that the ERP community was simply not prepared for.

Joining Forces with Appsian

With this in mind, we are excited to be joining forces with the global leader of ERP data security, Appsian. Like Xpandion, Appsian is a best-of-breed technology and firmly rooted in ERP. The Appsian Security Platform enables organizations to tightly integrate their identity and access management solutions, employ attribute-based access controls, expand their use of data masking, and provide critical security analytics around ERP data access and usage. In essence, Appsian is an extremely comprehensive ERP data security solution, and their technology is unmatched in the market.

By joining the Appsian family, Xpandion will provide the holistic GRC technology currently missing from the Appsian platform.

The future is bright, and we’re thrilled for what is to come!

For more information about Xpandion, visit www.xpandion.com
