Are You Doing Enough to Prevent Access Risk and Fraud?
Study Finds SAP Customers Are Too Reliant on Manual Access Controls
SAP ERP customers were recently surveyed by insiderRESEARCH to determine how they manage their access risk. The good news is that SAP customers are serious about protecting their critical applications from the risks associated with user access. In fact, the vast majority — 69% — said managing access risks is “very” or “extremely” important to senior leadership in their organizations (see Figure 1). The study also found that the top driver for these programs is internal policies, whereas traditionally, access risk programs have been driven more by regulatory compliance (see Figure 2).
Figure 1: Importance of access risk management to senior leadership
Figure 2: Top drivers for access risk management programs
The survey also revealed the challenging nature of establishing and maintaining a comprehensive program for managing access risk. 58% of survey respondents found the challenge to be “difficult” or “very difficult.” In in-depth interviews, security professionals said that maintaining a balance between application security and business flexibility is a real challenge for many reasons.
“It’s certainly not easy,” said one security specialist at a large consumer goods company. “The biggest challenge is keeping the number of violations down and not adding additional risk to the business, while at the same time enabling users to perform their jobs, especially in smaller locations where we don’t have enough people to have proper segregation of duties.”
So why do companies struggle to manage activities that are so important? The answer is that they rely on manual processes that are pieced together to satisfy auditors and meet bare-minimum internal requirements. These manual solutions are often perceived as “good enough” — but are they really good enough? We found that many companies are exposed to undue risk and unmeasured expense. Moving beyond today’s manual processes and using a centralized, automated solution is key to ensuring companies can prevent undue access risk.
Why Your Existing Solution Isn’t Doing the Job
Our survey revealed that most companies rely on a combination of basic SAP security reports (using the various SUIM transactions) and Microsoft Excel or Microsoft Word to enable their access risk management programs (see Figure 3).
Figure 3: Top technologies used to manage access risk management programs (multiple responses allowed)
Over time, companies using Microsoft Word, Microsoft Excel, and email have realized that these solutions expose their applications to unnecessary risk and may cost more money than implementing an automated solution such as SAP BusinessObjects Access Control. Companies using solutions based on manual processes and spreadsheets reported serious challenges to managing access risk (see Figure 4).
Figure 4: Top challenges to manual access risk management programs
Many of the challenges cited in Figure 4 can be solved with a dedicated, automated access risk management solution. Below are four questions every SAP customer should ask to evaluate how well they are covering the access risk they face in their environment.
“Simply stated, this activity is viewed regularly at the board level. It’s something that’s got the highest level of interest in our organization.”
— IT Security Manager (Pharmaceuticals)
1. What Risks Are You Missing?
Relying on manual processes and basic tools is not only time-consuming and costly, but is also likely to leave critical business applications more vulnerable than most companies realize. Compared to an automated, rules-driven solution, a manual solution can yield inaccurate or misleading results, leaving companies with a false sense of security for a number of reasons.
First, manual processes cannot deliver a true picture of risk. The SAP ERP security model is complex, and simply running SAP security reports and checking them against a Microsoft Excel matrix may not tell the whole story. In addition, this approach only accounts for SAP applications, when nearly every corporation runs multiple applications from numerous providers. To effectively manage access risk, companies must be able to assess risk not only within each application, but across all applications.
Second, SAP security reports can identify access violations that have already occurred, but they cannot identify risk introduced by security changes on a daily basis. Some survey respondents only checked for segregation of duties (SoD) violations every six months — meaning serious risk issues could be months in the rearview mirror by the time a security team caught sight of them, and costly errors or even fraud could already have occurred.
Finally, manual processes are subject to human error and complacency. One public sector security administrator surveyed said the demands of repeating the same manual processes — in this case, reviewing a daily custom report about user access — caused her to worry about the integrity of the company’s processes.
With an automated, rules-driven solution, companies can easily identify comprehensive access risk and have an enterprise-wide view of the relative risk each user poses.
“You can miss things if you’re just running report after report after report and looking through them. It’s user error. If someone is having a bad day or is tired, they can miss things. It’s easy.”
— SAP Security Administrator (Public Sector)
2. What’s the Real Cost of Your Current Solution?
One reason so many organizations rely on manual processes is the perception that they are cheaper than an automated solution. However, very few customers we interviewed could offer any estimation of what their current programs cost. Often they said the resources responsible for maintaining the program were divided among several departments and job roles, making accounting difficult. Reviewing SoD violations, for example, might require three weeks per year from an IT security specialist, one day per quarter for several application managers, and six months from two full-time SAP security analysts.
Additionally, there might be several hidden costs. For example:
- What is the total cost of unidentified risk?
- What is the cost of performing internal and external audit activities from scratch every year instead of relying on a proactive system?
- What is the total cost of the internal and external audit processes?
Once the cost of the entire access risk management program is added up, companies will gain a clearer perspective of their current spend in this area. They may realize that the cheaper solution may be more expensive than they thought. An automated solution offers centralized, workflow-driven processes that not only reduce costs associated with managing access risk on a daily basis, but also save time and money through the audit process.
3. Are You Preventing Risks or Chasing Them?
As the saying goes, an ounce of prevention is worth a pound of cure. When it comes to safeguarding critical business applications, a preventive approach is more secure and efficient than a detective one. And the manual solution at most companies is entirely detective.
Consider the risks associated with user provisioning throughout the life cycle of a typical user. Each time that user changes positions or responsibilities, someone in the security or IT team must assess the risk associated with the change in access. This is a time-consuming process that often only happens after the user is given new access, or when an audit raises the red flag. A preventive approach, in which access risk analysis is embedded into the provisioning process, allows companies to prevent unmitigated SoD violations rather than continue the cycle of analysis and remediation. Access risk analysis can also be embedded in the role design process to help companies assess risks associated with changes to roles, and identify the impact on users to whom those roles are assigned.
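The detective-versus-preventive distinction just described, together with the point about object-level (rather than transaction-code-only) SoD analysis raised in the Lockheed Martin case study further down, as an added Python example. This is not code from the article or from SAP BusinessObjects Access Control: the business functions, rule ids (P001 to P003), OBJ_* authorization objects, Z_* roles and users are constructed sample data, and the access model is a deliberate simplification of the SAP authorization concept (an authorization is modelled as a transaction code plus one object/activity pair).

```python
"""Segregation-of-duties (SoD) analysis, detective and preventive.

Added example, not code from the article or from SAP. Rule ids, role names,
OBJ_* authorization objects and users are constructed sample data; the
transaction codes are well-known SAP ones, but the mapping is illustrative.
"""
from typing import Dict, Set, Tuple

# An authorization as (transaction code, authorization object, activity).
# Activity follows the SAP ACTVT convention: "01" create, "02" change, "03" display.
Auth = Tuple[str, str, str]

# Business functions and the authorizations that let a user perform them.
FUNCTIONS: Dict[str, Set[Auth]] = {
    "PO_CREATE":     {("ME21N", "OBJ_PO", "01")},
    "GOODS_RECEIPT": {("MIGO", "OBJ_GR", "01")},
    "VENDOR_MAINT":  {("FK01", "OBJ_VENDOR", "01"), ("FK02", "OBJ_VENDOR", "02")},
    "INVOICE_ENTRY": {("MIRO", "OBJ_INVOICE", "01")},
    "PAYMENT_RUN":   {("F110", "OBJ_PAYMENT", "01")},
}

# SoD rules: pairs of functions no single user may hold together (constructed ids).
RULES: Dict[str, Tuple[str, str]] = {
    "P001": ("PO_CREATE", "GOODS_RECEIPT"),
    "P002": ("VENDOR_MAINT", "PAYMENT_RUN"),
    "P003": ("INVOICE_ENTRY", "PAYMENT_RUN"),
}

# Roles as sets of authorizations (constructed).
ROLES: Dict[str, Set[Auth]] = {
    "Z_BUYER":      {("ME21N", "OBJ_PO", "01"), ("ME23N", "OBJ_PO", "03")},
    "Z_WAREHOUSE":  {("MIGO", "OBJ_GR", "01")},
    "Z_AP_CLERK":   {("MIRO", "OBJ_INVOICE", "01"), ("FK01", "OBJ_VENDOR", "01")},
    "Z_TREASURY":   {("F110", "OBJ_PAYMENT", "01")},
    # The transaction is in the role, but only display activity on the object.
    "Z_PO_DISPLAY": {("ME21N", "OBJ_PO", "03")},
}

# Current user-to-role assignments (constructed).
USERS: Dict[str, Set[str]] = {
    "alice": {"Z_BUYER", "Z_WAREHOUSE"},
    "bob":   {"Z_AP_CLERK"},
    "carol": {"Z_PO_DISPLAY", "Z_WAREHOUSE"},
}


def effective_auths(role_names: Set[str]) -> Set[Auth]:
    """Union of all authorizations granted by the given roles."""
    auths: Set[Auth] = set()
    for name in role_names:
        auths |= ROLES[name]
    return auths


def can_perform(auths: Set[Auth], function: str, object_level: bool = True) -> bool:
    """True if the authorizations allow the function.

    object_level=False mimics a transaction-code-only check (the spreadsheet
    approach): having the transaction counts, whatever the object activity.
    """
    for tcode, obj, actvt in FUNCTIONS[function]:
        for have_tcode, have_obj, have_actvt in auths:
            if have_tcode != tcode:
                continue
            if not object_level or (have_obj == obj and have_actvt == actvt):
                return True
    return False


def violations(auths: Set[Auth], object_level: bool = True) -> Set[str]:
    """Ids of SoD rules whose two functions are both performable."""
    return {
        rule_id
        for rule_id, (f1, f2) in RULES.items()
        if can_perform(auths, f1, object_level) and can_perform(auths, f2, object_level)
    }


def detective_scan(users: Dict[str, Set[str]], object_level: bool = True) -> Dict[str, list]:
    """Detective control: report violations that already exist, per user."""
    report: Dict[str, list] = {}
    for user, roles in users.items():
        found = violations(effective_auths(roles), object_level)
        if found:
            report[user] = sorted(found)
    return report


def preventive_check(user: str, requested_roles: Set[str]) -> dict:
    """Preventive control: simulate a provisioning request before assignment.

    Approves only when the request introduces no new SoD violation; existing
    violations are reported separately so they can be remediated or mitigated.
    """
    current = USERS.get(user, set())
    before = violations(effective_auths(current))
    after = violations(effective_auths(current | requested_roles))
    new = sorted(after - before)
    return {
        "user": user,
        "requested": sorted(requested_roles),
        "existing_violations": sorted(before),
        "new_violations": new,
        "approve": not new,
    }


if __name__ == "__main__":
    print("object-level scan:", detective_scan(USERS))
    print("tcode-only scan:  ", detective_scan(USERS, object_level=False))
    print(preventive_check("bob", {"Z_TREASURY"}))
    print(preventive_check("bob", {"Z_WAREHOUSE"}))
```

The two scans differ on user carol: a transaction-code-only check reports a P001 conflict because ME21N appears in her display-only role, while the object-level check sees that she lacks the create activity and reports nothing. The preventive check is what an automated tool embeds into the request workflow: bob's request for Z_TREASURY is blocked because it would introduce P002 and P003, whereas a request that adds no new conflict can be auto-assigned, with any pre-existing violation still flagged for remediation.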
4. What Other Problems Are Not Solved with Your Current Solution?
The research shows that security professionals at companies running SAP ERP systems understand the deficiencies of their manual solutions when compared to automated solutions. Figure 5 shows that customers rated SAP BusinessObjects Access Control higher in several key areas compared to their current solutions, including ease of use, ability to automate critical functions, performance, and integration with both SAP and non-SAP applications.
Figure 5: Current solutions versus automated solutions
Benefits of Automation
A common misperception among those surveyed was that automated risk management solutions are next-level solutions — appropriate only for the largest and most sophisticated companies. However, the benefits of a comprehensive access risk solution apply equally to companies of any size in any industry.
The first step in evaluating a company’s readiness for an automated solution is to engage in an honest assessment of whether the current access risk management program meets the company’s standards for risk tolerance. Next, conduct a thorough accounting of the total cost of ownership of the current solution — including all software license costs and resource requirements, taking into consideration the cost of unidentified risk — and compare that TCO against a fully automated replacement. Many companies have found, through very similar analysis, that the value of an automated access risk solution exceeds its cost.
Every company is unique, but several SAP customers have reported dramatic improvements in efficiency and cost reductions since moving from manual processes to SAP BusinessObjects Access Control. Some have enjoyed significant reductions in the time required to provision user access, eliminating a backlog of requests. Others have reported time savings thanks to elimination of human error in provisioning, reporting, and other activities. For these reasons and more, companies should ask themselves whether their current solution for managing access risk is really the solution they want to use to prevent errors and even fraud moving forward.
4 Organizations Weigh in on Automated Access Risk Management
Many companies struggle with the same access risk management challenges — slow provisioning, inaccurate monitoring, and manual processes that can only fix issues, not prevent them. These four organizations moved from manual legacy processes to automated solutions (each uses SAP BusinessObjects Access Control). Here they share the benefits they have realized so far.
Westinghouse Electric Company
Global provider of nuclear fuel, services, technology, and plant designs for the nuclear power industry. 15,000 SAP ERP users at 80 sites in 23 countries. Matt Tolbert, Manager of Information Security, says:
“Westinghouse’s legacy SAP compliance controls were effective, but required considerable time investment from business process owners to maintain and verify through periodic manual reviews. Compliance reporting was also based on an in-house developed controls application that was proving costly to sustain. Dependence on this manual legacy process and application made it increasingly difficult to accommodate Westinghouse’s rapid business growth and to quickly respond to new business opportunities.”
Westinghouse’s investment in SAP’s solution for governance, risk, and compliance (GRC) to automate security controls saved $224,000 in its first year. Westinghouse also projects additional significant internal labor cost savings over the next two years. “Westinghouse’s implementation of SAP solutions for GRC achieved our company leadership’s commitment to ensuring continued controls compliance,” says Tolbert. “And by automating controls and compliance reporting using SAP solutions for GRC, Westinghouse is now more proactive in identifying potential compliance issues before they are introduced, and more agile in responding to new business opportunities.”
Lockheed Martin
Global security company engaged in the research, design, development, manufacture, integration, and sustainment of advanced technology systems, products, and services. Ken Lauver, SAP Center of Excellence GRC and BI Lead, says:
“As we analyzed all of the possible combinations of transaction code and object-level permission combinations, it became clear that the workbook solution wasn’t powerful enough for the task. Our existing method didn’t allow us to perform object-level SoD analysis, so the risk was that some legitimate SoD conflicts could go undetected.”
Since implementing SAP BusinessObjects Access Control, Lockheed Martin has been able to boost the efficiency of its access risk management processes. The company’s external auditors now rely on the internal audit team’s process audits, reducing the time and expense of an external audit. The company has also expanded its use of SAP BusinessObjects Access Control to manage emergency access and ensure that new users’ privileges are Sarbanes-Oxley compliant before activation.
Operates one of the largest railroad networks in North America. 48,000 SAP ERP users including employees, contractors, and others. Cynthia McConathy, Director of SAP Security and Controls, says:
“Our previous process would not have been adequate to monitor the complex interactions of security roles and access change requests in our new SAP environment. Now our controls are preventive, with new access requests being evaluated for security-related risks prior to assignment. Once the request is evaluated for risks and approved by the role owner, SAP BusinessObjects Access Control auto-assigns the user access and sends automated emails.”
US Department of the Interior
Federal government department with 8,300 SAP ERP users. Martin Kessler, Financial and Business Management System (FBMS) Program Management Office (PMO) Security Manager, says:
“We recognized an opportunity for process improvement and greater efficiency since the previous access request process was paper-based and required a great deal of manual effort by requestors, approvers, and Security Points of Contact (SPOCs).”
The department was able to reduce the average time required to register a new user and provision access to that user in its enterprise financial and management system. It also allowed SPOCs to spend more time acting as business analysts (working directly with requestors and approvers to ensure users receive the right level of access) and less time performing manual security administration tasks.
January 02, 2012