Automating Access Governance in a Cloud-Based Landscape

Re-Evaluating SAP GRC in a Cloud-Based Landscape

by Pierce Owen, Vice President of Research and Publishing, SAPinsider

An increasing number of SAPinsider Community members have implemented at least one instance of SAP S/4HANA (34%) or at least one of SAP’s cloud-based business solutions (78%), as evidenced by SAPinsider’s 2020 research report, “GRC for SAP S/4HANA and Cloud Applications.” Doing these cloud-based implementations raises several new risks and challenges. Integrated SAP Fiori apps, third-party solutions, and new flows of data through consolidated financial tables or SAP S/4HANA for central finance foundation do not necessarily present greater risk, but rather different risks, from legacy systems.

The most popular GRC solution being used by the SAPinsider Community is SAP Access Control, according to 66% of respondents. And yet more than half (63%) said that their current GRC solutions do not meet the need to effectively handle risk analysis and mitigation for cloud-based products without some sort of connector or bridge to a cloud-based access governance solution. As a result, most members of the SAPinsider Community now need to reassess how to manage access governance, risk, and compliance, and align their GRC strategies with their long-term enterprise technology strategies.

When asked about the top drivers impacting their GRC strategies, 43% of survey respondents indicated that the need to respond to risks in real-time drove their approach to GRC, and 39% said that the need to mitigate the risk of SAP S/4HANA deployment drove their approach to GRC (see Figure 1).

Figure 1 Top Drivers for GRC

Figure 1—Top drivers for GRC

Cloud-based business solutions have become much more prevalent, but many organizations lack the technology needed to manage the risk that accompanies them. Technologies such as cloud-based access governance and more intelligent user provisioning tools should help alleviate some of these concerns, but while 54% of survey respondents have started evaluating or implementing cloud-based access governance, only 20% already use such tools.

Three Scenarios to Help You Take a Proactive Approach

For their GRC capabilities to keep pace with their enterprise technology strategy, SAPinsider Community members must take a proactive approach to GRC. In speaking with survey respondents, the need to respond in real-time often really meant the need to take proactive action and recognize potential risks before they cause problems. In other words, respondents want to catch and prevent access risk violations before they fail an audit or face a fraud situation. Beyond simply processing access requests, SAPinsider Community members need to constantly analyze and monitor roles and segregation of duties (SoD) because an employee’s role or access can change day-to-day, and if a company misses a change, it might miss a risk. Therefore, organizations need real-time data to prevent and respond to risks.

To address governance, risk, and compliance needs for SAP S/4HANA in a cloud-based landscape of business solutions, members of the SAPinsider Community need to implement one of the following scenarios:

  • SAP Cloud Identity Access Governance
  • SAP Access Control 12.0 and SAP Cloud Identity Access Governance with the bridging concept
  • A third-party solution with intelligent user provisioning for both SAP S/4HANA and cloud-based business solutions

SAP Access Control 12.0 has the functionality that SAPinsider Community members need for the on-premise version of SAP S/4HANA. The solution, however, does not effectively handle risk analysis and mitigation for cloud-based business solutions. Additionally, we found that although almost two-thirds of the SAPinsider Community uses SAP Access Control as their GRC solution of choice, only 22% of those companies already use version 12.0, despite the fact that SAP will end mainstream maintenance for the previous version — SAP Access Control 10.x — at the end of 2020.

SAP Cloud Identity Access Governance does effectively handle risk analysis and mitigation for both SAP S/4HANA and cloud-based business solutions, but it still lacks some of the functionality of SAP Access Control, such as firefighting access. Originally, pricing made it almost prohibitively expensive to run both SAP Access Control and SAP Cloud Identity Access Governance. However, because a number of customers need to preserve the functionality they have in SAP Access Control and handle risk in integrated cloud-based SAP products, SAP made it possible for most members of the SAPinsider Community to run both GRC solutions with a more affordable licensing structure.

In interviews, a few survey respondents reported that they still found the SAP solutions to be too expensive and preferred third-party solutions. Several said that, depending on their functionality requirements, they could fulfill their needs with only one of the SAP solutions or a third-party solution.

GRC Must Keep Pace with Business Technology: Strategic Guidance

Current usage of on-premise access governance solutions remains high (75%), but the highest levels of investment lean toward cloud-based access governance, more intelligent user provisioning tools, and robotic process automation (RPA) for rules-based transacting, reporting, and monitoring, as shown in Figure 2. Together, these tools support the requirements of detection and prevention of access risk, reviews and sign-offs of different types of access, continuous control monitoring, detailed insight into risk drivers, accurate scans of large volumes of data, and multi-regulatory compliance

Figure 2 Popular technologies and GRC solutions

Figure 2—Popular technologies and GRC solutions

To respond to risk in real-time and mitigate risks associated with a SAP S/4HANA deployment, almost two-thirds (66%) of SAPinsider Community members prioritize automating user provisioning while continuously monitoring users and applications for risk.

Our research reveals that members of the SAPinsider Community should apply the following key steps to execute their GRC strategies:

  • Align GRC strategies with the overall SAP S/4HANA migration and cloud strategies to mitigate risk associated with a deployment of SAP S/4HANA and cloud-based applications. Implementing SAP S/4HANA and cloud applications will impact the effectiveness of organizations’ GRC strategies. Given that the majority of the SAPinsider Community feels that their current GRC solutions do not effectively handle risk analysis and mitigation for all their SAP products, managing these new solutions will only add to the challenge. These Community members need to re-examine how they plan to manage and mitigate risk in the long-term, and ensure those strategies are aligned with planned technology investments.
  • Evaluate the organization’s needs for user provisioning for SAP S/4HANA and SAP-integrated products, both on-premise and in the cloud. If the organization is leveraging cloud-based SAP products currently, like 78% of respondents, or at least has a strategy to do so on its roadmap, then it needs either a cloud-based access governance solution or some sort of product integration tool. If the organization needs firefighting capabilities, it should consider not yet migrating all access governance operations to SAP Cloud Identity Access Governance because the solution lacks these capabilities. Instead, it should consider sticking with SAP Access Control, implementing both SAP Access Control and SAP Identity Access Governance with the bridge, or implementing a non-SAP solution that integrates with SAP’s cloud products.
  • Before automating user provisioning, choose a set of solutions that effectively monitor and prevent risk. While 66% of respondents chose automating user provisioning as their top strategy and 70% have at least started evaluating RPA for GRC purposes, 83% selected detection and prevention of access risk as an important or very important requirement of their GRC strategy. Organizations should not automate user provisioning unless they can also monitor, detect, and prevent access risk violations as part of that provisioning.
  • Implement the set of solutions that minimizes risk and ensures compliance while meeting business users’ needs. Organizations can accept occasional increased levels of risk for certain types of access if it empowers the business to fulfill critical processes. To avoid fraud and stay compliant, however, SAPinsider Community members should evaluate their needs for access governance functionality and integration, process control, risk and audit management, and tax compliance. Then, they can choose from the set of both SAP and non-SAP solutions that fit their constraints and requirements of legacy systems, IT architecture, and available budget.

Following this guidance will help SAP customers get the most out of their evaluations of GRC solutions for SAP S/4HANA and move toward a successful future in the cloud through stronger risk management.