Violation Management: Addressing Data Access Governance Challenges

How can data access challenges be addressed better?

Last Updated: October 19, 2022

Companies adhere to governance policies to establish transparent, efficient, and resilient processes against fraud and cyber-attacks. Ivan Mans, co-founder and CTO at SecurityBridge, discusses how violation management can help.

Adherence involves always assigning permissions that limit users’ access, a.k.a. the “principle of least privilege”: just enough access for employees to accomplish their daily tasks. In addition to limiting access, it is essential to avoid critical authorization combinations.

Challenges With SoD

Every company needs to understand precisely which risks pose threats to the enterprise. Many organizations have developed so-called segregation of duties (SoD) matrices to make critical authorization combinations transparent. According to SAP, “A segregation of duties conflict occurs when a user has access to a set of work center views which could enable him to make an error or commit fraud, thereby damaging company assets. If there is a conflict, it is indicated by a red light and details of the conflict display under conflict description. Depending on the assignment, the system displays a list of conflicting work center views and a possible solution, for example, assign the two work center views to different users.”

An SoD matrix helps to prevent potential violations in the assignment of authorizations. However, unless a GRC (governance, risk, compliance) solution for SAP is in place, there may be a disconnect between the SoD matrix and the authorizing system. There are also many situations where clear segregation of duties is impossible. For example, both medium-sized companies and global corporations are familiar with the problem that a specific department may not have enough short or medium-term staff to enforce a complete separation of business-critical processing steps.

For reasons of efficiency, people often respect and trust operational regulations. As long as nothing harmful happens, such scenarios of explicit trust are usually retained, and there is no breach of trust. But what if this happens and the organization learns of a violation late?

Need a Paradox

Companies need to recognize and respond to “can do” and “did do” violations promptly. The “can do” risk represents a theoretical issue: Account A holds the authorization to perform two activities that should never be executed by the same person. Such single-person execution violates the policy, and many GRC solutions can handle this theoretical case. A manifested problem occurs when the theoretical issue turns into a real one, i.e., “did do,” when Account A actually performs both actions.

With this in mind, it is too late to intervene if you learn that budgets were transferred to the wrong account months after the incident. So now, organizations are facing two options:

  1. Process the existing SoD matrix and keep it up to date with great effort and expense. 
  2. Allow real-time monitoring of the SoD violations throughout the entire SAP environment.

Many organizations are reluctant to implement Option #1 because this solution requires considerable effort to install, integrate into various software silos, and operate within the day-to-day business – which would become unmanageable. In addition, there are massive barriers in configuration and implementation that require many weeks of external consultants to bridge the gap between the validation of an SoD matrix (theoretical risk) versus the actual detection of an SoD violation (potential incident).

Unsurprisingly, many companies are not monitoring these granular levels. Not tracking at this level is a massive mistake because many scenarios demand an exception from the SoD matrix. Exceptions are often caused by unforeseen shortages of employees, such as one employee left who needs to update a vendor’s bank details and release immediate payment.

Dangers of a Dedicated Solution

Companies subject to strict audit guidelines may decide to use a dedicated solution. Unfortunately, the following scenarios are often observed when this course is taken:

  • The solution is only used at the time of the audit.
  • Knowledge about the integration is missing because everyone with the information has left the company.
  • Budgets are not thoughtfully utilized.
  • Set goals are discarded shortly after the introduction of the solution because their achievement is too complex.

Make a Wish!

Imagine that you are challenged with segregating responsibilities by authorization in your company. What would be your wish? The question is not a one-size-fits-all scenario, and expert knowledge about the unique business processes is required to answer. 

Established processes, different authorization architectures, concepts, distributed teams, and responsibilities make it difficult to get a clear picture, and existing initiatives to increase SAP security must also be considered.

The topics of SAP Cybersecurity, fraud detection, and governance risk and compliance (GRC) are very complex yet closely intertwined. Therefore – especially with complex or custom-defined business processes – it makes sense to look at these issues from a higher perspective. After intensive discussions with SecurityBridge’s R&D team and some reference customers, we came to the following conclusions:

  • Existing processes, such as SAP GRC, must be interlinked.
  • The existing SoD matrix needs to be consumed rather than rebuilt.
  • Theoretical (“can do”) SoD conflicts must be detected and prevented promptly.
  • User actions must be analyzed according to their business purpose.
  • Executed (“did do”) SoD violations may lead to security risks and must be reported and analyzed.
  • Everything must integrate seamlessly with the enterprise’s established monitoring processes, e.g., SOC/SIEM.
  • The maintenance effort must be low, and the solution must be straightforward.

Augmenting Cybersecurity Solutions

The Computer Security Resource Center (CSRC) says SoD “refers to the principle that no user should be given enough privileges to misuse the system on their own. For example, the person authorizing a paycheck should not also be the one who can prepare them. Separation of duties can be enforced either statically (by defining conflicting roles, i.e., roles which the same user cannot execute) or dynamically (by enforcing the control at access time).”

SAP provides a series of SoD rules to protect assets and prevent irregularities. If a rule violation should occur, the system provides details of the segregation of duties conflict, infringement details, possible solutions, and proposals for mitigating controls. However, there is still a lot more to it! 
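The two distinctions this article draws, “can do” versus “did do” violations (from the “Need a Paradox” section) and static versus dynamic enforcement (from the CSRC definition above), can be made concrete with a small checker. The following is an added illustration written for this page; it is not SecurityBridge or SAP code, and the SoD matrix, role-to-activity map, user assignments and activity log are all constructed sample data. A static pass reports users whose effective authorizations contain a conflicting pair (“can do”); a pass over the activity log reports users who actually executed both halves of a pair on the same business object within a time window (“did do”), which is the kind of event that should be forwarded to a SOC/SIEM rather than discovered months later in an audit.

```python
"""Minimal segregation-of-duties (SoD) checker (constructed example).

"can do" (static): a user holds authorizations for two activities that the
SoD matrix marks as conflicting.
"did do" (executed): the activity log shows the same user actually performed
both conflicting activities on the same object within a time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SoD matrix: unordered pairs of activities one person must not combine.
SOD_MATRIX = [
    ("MAINTAIN_VENDOR_BANK", "RELEASE_PAYMENT"),
    ("CREATE_PURCHASE_ORDER", "APPROVE_PURCHASE_ORDER"),
]

# Constructed role -> activities map and user -> roles assignments.
ROLE_ACTIVITIES = {
    "AP_CLERK": {"MAINTAIN_VENDOR_BANK", "CREATE_PURCHASE_ORDER"},
    "AP_MANAGER": {"RELEASE_PAYMENT", "APPROVE_PURCHASE_ORDER"},
    "AUDITOR": {"VIEW_REPORTS"},
}
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},  # over-privileged: "can do" both halves
    "bob": {"AP_CLERK"},
    "carol": {"AUDITOR"},
}

# Constructed activity log: (ISO timestamp, user, activity, business object).
ACTIVITY_LOG = [
    ("2022-10-01T09:00:00", "alice", "MAINTAIN_VENDOR_BANK", "VENDOR-4711"),
    ("2022-10-01T09:15:00", "alice", "RELEASE_PAYMENT", "VENDOR-4711"),
    ("2022-10-03T11:00:00", "alice", "CREATE_PURCHASE_ORDER", "PO-100"),
    ("2022-10-02T08:00:00", "bob", "MAINTAIN_VENDOR_BANK", "VENDOR-4712"),
]


def effective_activities(user):
    """Union of the activities granted through all of the user's roles."""
    acts = set()
    for role in USER_ROLES.get(user, ()):
        acts |= ROLE_ACTIVITIES.get(role, set())
    return acts


def can_do_conflicts(users=None):
    """Static check: users whose effective authorizations contain a conflicting pair.

    Returns a sorted list of (user, activity_a, activity_b).
    """
    users = users if users is not None else USER_ROLES.keys()
    found = []
    for user in users:
        acts = effective_activities(user)
        for a, b in SOD_MATRIX:
            if a in acts and b in acts:
                found.append((user, a, b))
    return sorted(found)


def did_do_conflicts(log, window=timedelta(days=7)):
    """Executed-violation check: the same user performed both halves of a
    conflicting pair on the same object, with the two events no more than
    `window` apart.

    Returns a sorted list of (user, object, activity_a, activity_b).
    """
    by_user_obj = defaultdict(lambda: defaultdict(list))
    for ts, user, activity, obj in log:
        by_user_obj[(user, obj)][activity].append(datetime.fromisoformat(ts))
    found = set()
    for (user, obj), acts in by_user_obj.items():
        for a, b in SOD_MATRIX:
            for ta in acts.get(a, []):
                for tb in acts.get(b, []):
                    if abs(ta - tb) <= window:
                        found.add((user, obj, a, b))
    return sorted(found)


def explain(conflict):
    """Human-readable finding with the remediation the SoD matrix implies."""
    user, a, b = conflict
    return (f"{user}: holds both {a} and {b}; assign these activities to "
            f"different users or record a mitigating control")


if __name__ == "__main__":
    for c in can_do_conflicts():
        print("CAN DO :", explain(c))
    for c in did_do_conflicts(ACTIVITY_LOG):
        print("DID DO :", c)
```

The static pass is what a GRC tool validates against the matrix; the log pass is the part that is usually missing. Note that the “did do” check keys on the business object and a time window, so a clerk who maintains bank details for one vendor and releases a payment to a different vendor weeks later is not flagged, while the same person doing both for the same vendor within minutes is. Tuning that window, and emitting the finding to the SIEM at the moment of the second event, is what turns a periodic audit control into real-time monitoring.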

What is needed is an integrated capability to augment SAP’s SoD abilities. This SAP complement must automatically analyze system vulnerabilities and highlight any missing security patches. In addition, it needs to scan for code vulnerabilities. This type of add-on makes the perfect basis for a holistic process to protect business-critical enterprise solutions from SAP.

What are the key challenges you face with data access, and how are you tackling them? Let us know on Facebook, Twitter, and LinkedIn.

Ivan Mans

Co-founder and CTO, SecurityBridge

Ivan Mans is a seasoned SAP technology consultant, having worked in the SAP space since 1997 - the early days of R/3. In 2012 Ivan co-founded SecurityBridge, and in his current role as CTO he is a motivated driver, inspires people, and pushes technology, contributing to the continuous innovation of the SecurityBridge Platform. In more recent years, Ivan has been a regular speaker at SAP events, evangelizing SAP security.