Grey Monarch
It is amazing how many SAP systems we see where numerous people are not just able to directly access personal data, but are also able to export it or download it directly out of SAP tables and/or via reports. It is not uncommon to hear of support people being called to provide ad hoc data exports so that managers can process the data in Excel. Suffice it to say, as soon as your data has been downloaded or exported out of SAP you have lost ALL control over it.
Therefore our absolute number one action on this list is that you should place real-time access monitors on the personal data you are custodians of, to ensure that it stays within SAP except for bona fide verified processes and interfaces. With ProfileTailor Dynamics we can do this by specifying which tables contain personal data and then getting the system to tell us every time that data is accessed. We can tune out false-positive alerts by creating a white list of processes and users, and also by monitoring only for specific keystrokes. We would recommend that any access other than that in the white list is made available only via a properly governed Emergency Access procedure (see 4). Not only does this give you full auditing of when ad hoc personal data access is granted, it also protects employees by ensuring that their high-risk accounts are not under undue risk or threat of being compromised.
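To make the monitoring logic concrete, here is an added illustration (not ProfileTailor Dynamics code, and not the SAP audit log format): a list of tables declared as personal data, a white list of verified (user, process) pairs, and an alert for every other access, escalated when the action moves data out of SAP. The table names PA0002/PA0006/PA0009/T001 and transaction SE16 are standard SAP ones assumed to be in scope; the users, process names and access records are constructed for the example.

```python
from dataclasses import dataclass

# Tables declared as holding personal data. PA0002/PA0006/PA0009 are standard
# SAP HR infotype tables (personal data, addresses, bank details); assumed in scope.
PERSONAL_DATA_TABLES = {"PA0002", "PA0006", "PA0009"}

# White list of (user, process) pairs covering verified processes and interfaces.
# Names are constructed for this example, not taken from any real system.
WHITELIST = {
    ("PAYROLL_BATCH", "Z_PAYROLL_RUN"),
    ("HR_IFACE", "Z_HR_OUTBOUND_IF"),
}

# Actions that move data out of SAP, after which control over it is lost.
EXPORT_ACTIONS = {"DOWNLOAD", "EXPORT"}

@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    process: str  # report or transaction that performed the access
    table: str
    action: str   # READ, DOWNLOAD or EXPORT

def classify(a: Access):
    """Alert level for one access record, or None when no alert is needed."""
    if a.table not in PERSONAL_DATA_TABLES:
        return None                      # not personal data: ignore
    if (a.user, a.process) in WHITELIST:
        return None                      # verified process: tuned out
    if a.action in EXPORT_ACTIONS:
        return "HIGH"                    # data left SAP; Emergency Access review
    return "MEDIUM"                      # ad hoc view outside the white list

def monitor(records):
    """Return (record, level) for every access that should raise an alert."""
    return [(a, lvl) for a in records if (lvl := classify(a)) is not None]

# Constructed access records (not the SAP audit log format).
SAMPLE = [
    Access("09:01", "PAYROLL_BATCH", "Z_PAYROLL_RUN", "PA0002", "READ"),
    Access("09:05", "JSMITH", "SE16", "PA0006", "READ"),
    Access("09:07", "JSMITH", "SE16", "PA0009", "DOWNLOAD"),
    Access("09:10", "JSMITH", "SE16", "T001", "READ"),
    Access("09:12", "HR_IFACE", "Z_HR_OUTBOUND_IF", "PA0002", "EXPORT"),
]

if __name__ == "__main__":
    for a, lvl in monitor(SAMPLE):
        print(f"{lvl:6} {a.ts} {a.user} via {a.process} {a.action} {a.table}")
```

Only the two ad hoc SE16 accesses by JSMITH are raised; the download of bank details is escalated because the data has left SAP.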
Access Review is the process of capturing not only real-time access to personal data (as discussed in 1) but also those employees and processes that could access that data. Real-time access monitoring can be achieved very quickly, but Access Reviews, on the other hand, can be complicated and time consuming. They often require a lot of manual digging into SAP roles, then creating numerous reports to send out to business process / data owners, and then trying to manage and co-ordinate voluminous emails around the organisation. Unfortunately, though, it is a crucial exercise, and in fact one that must be undertaken at least every 12 months if your business comes under Sarbanes-Oxley (SOX) compliance regulations.
Automating this process is one of the most popular requests that we get from our customers - and fortunately it is something that we can typically implement within a couple of weeks.
When we look at SAP access we see a relatively common theme, which is that employees carry their access and authorisations with them as they move around the organisation. This causes segregation of duties issues and wildly high levels of sensitive access. Sometimes this is because proper processes are not in place, and sometimes it’s because no-one really knows what access each employee actually needs, so they overcompensate and give them too much.
Automatically detecting when an employee moves roles or leaves the business, and then taking action on it, is therefore crucial. As an example, an automated leaver process is an incredibly quick win and can often be implemented within a week, ensuring that anyone leaving your organisation immediately has all access revoked from not just SAP but ALL systems, including 3rd party cloud systems.
SAP_ALL access is still rife! This is such a well documented topic that it needs no further comment here. For us, Emergency Access processes are really quick and easy to implement and there should be no reasons whatsoever for any accounts, whether employee or system accounts, to have SAP_ALL.
The Principle of Least Privilege is the notion that each employee’s access is restricted down to only that which is required to carry out their day-to-day job. Achieving this, however, is often a longer-term goal, as it requires a proper project to design and implement such a security model. A model based upon Job Roles is a great place to aim for, and we discuss it at more length in a separate article if you want to know more about how to go about it.
Most of our customers have implemented all of the above processes using ProfileTailor™ Dynamics either on premise or in the cloud. With an installation time (including training) of less than a week, we’ve managed to provide some incredibly detailed insight and protection within very short timeframes.
We can also provide your organisation with a fixed-price Risk Assessment Consultancy Package in which we check for over 500 potential data and security risks, including all of the risks identified in this article. Given our particular expertise in SAP, this goes well beyond the checks that a typical external audit would examine within your SAP systems.
If you would like to find out more about how we can help in this area then please do contact us.
Why not arrange a demo with us? Please contact us and we will be happy to set something up.