by Annie Kennedy, Contributing Writer, SAPinsider
Organizations today are entering more intricate landscapes, whether they are transforming to a cloud environment or adding new applications and business functionalities to improve user experiences. As a result, the modern company faces a complex problem: getting the right people the right access to mission-critical systems and programs. This challenge has been further compounded by the global pandemic, as users previously inside company networks now require seamless authentication and access from non-traditional locations. How can today’s organizations best manage access across remote environments and varying landscapes, enabling users to do their jobs while helping the business run efficiently? This article discusses how strategic human decision making, empowered by identity and access management (IAM) technology and automation, can help your enterprise govern identity and access efficiently and in compliance with its obligations.
Not Just for IT: Manage Your User Identity Lifecycle Holistically
As SAP’s Chief Product Manager for Access Governance, Sarma Adithe fields many customer questions regarding IAM. His first recommendation is that decision-makers, including those in human resources, management, and security roles, know before an employee onboards what functions they will perform and what access they will need to perform those tasks and functions throughout the user access lifecycle. Adopt technologies that support single sign-on and cloud authentication and provisioning, Adithe recommends, to ensure a unified approach to IAM and to provide seamless access for users.
“Once you have that access, then your organization can stay within the boundaries of compliance, while adopting an integrated solution can enable users to have seamless access within the business function.” IAM is less about onboarding an employee and more about defining what the user is responsible for viewing and doing, Adithe says. To support IAM in complex environments, SAP Cloud Identity Access Governance can provide seamless and adaptive access control throughout the user identity lifecycle across companies, domains, and devices. The solution can also serve as a primary IAM platform for new deployments and implementations.
“Identity, access governance, and getting people the right access are not conflicting or mutually exclusive statements,” says James Roeske, CEO of Customer Advisory Group. “Getting people the right access in an automated, safe, and Segregation of Duty (SoD)-free way helps everyone.” IAM should be integrated with business processes and policies, says Roeske. Periodic access reviews help ensure that users aren’t carrying forward legacy access, and that cloud access hasn’t effectively been granted for life in a cloud environment that has no built-in review or expiry period. For successful IAM and insight into SoD and critical access, organizations should coordinate, centralize, and document decision-making in a way that makes sense to the non-IT people who are essential in taking user access from hire to retire, and that remains visible to auditors, says Roeske.
Leveraging Tools and Automation to Improve Compliance and Reduce Risk through Efficient Provisioning
Many companies are running multiple SAP production landscapes that are subject to changing audit requirements and rapid, pandemic-fueled shifts in employment and delivery models.
Organizations must make access provisioning efficient; otherwise, sudden and widespread access changes, such as onboarding or offboarding thousands of people, will leave them noncompliant. “You need an interface that makes sense to non-security individuals, supported by a technology and platform that can cross all your landscapes and provide the insight and provisioning capability in a safe and secure way,” says Roeske. Many businesses have goals of acquiring new companies and expanding further, he says. As companies grow, so too does the need for self-service capabilities, enabled through automation, that let users become more productive and less dependent on IT. For example, tools such as SAP Access Control let users track their access requests, while automatic delegation steps in when an approver’s absence is holding up the process. Automation can also reduce the risky workarounds that delayed access invites, such as sharing login credentials with another user.
For maximum efficiency, says Adithe, IAM should be centrally managed via self-service forms, with an auditable access-request workflow and an integrated user provisioning process. Access request forms can be designed for end users to request the role they need and can improve the transparency and accuracy of access assignments, simplifying internal audits, says Adithe. In SAP Cloud Identity Access Governance, an auditable access request workflow can include a built-in audit trail tracking approval requests and changes to show auditors how and when access was granted, changed, or removed.
Adithe lists three ways organizations should enable IAM automation to decrease access risk:
- When a business process is added or extended (which may introduce a new application into the process), automatically onboard the affected users with the access needed for the new functions;
- Enhance or alter access automatically to fit the new responsibility whenever the organization learns that an employee will be promoted or moved to another position or location; and
- Have an automated mechanism in place to clean up and lock down user accounts once an employee leaves, retires, or is terminated.
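The three mechanisms above are the joiner, mover and leaver cases of a user lifecycle. The following is an added example, not code from the article or from any SAP product, of how a provisioning engine derives the required actions by reconciling an HR feed against the accounts that currently exist: joiners are created with the access their position requires, movers get the roles for the new position and lose the ones carried over from the old one, leavers and accounts with no HR record at all are locked. The position-to-role mapping, user IDs and account state are constructed sample data; `reconcile` is a hypothetical function name.

```python
"""Joiner/mover/leaver reconciliation: derive provisioning actions from an HR feed.

Added example (not from the article or any SAP product). The HR feed, the
position-to-business-role mapping and the account state are constructed.
"""
from dataclasses import dataclass, field

# Hypothetical mapping from HR position to the business roles it requires.
POSITION_ROLES = {
    "AP_CLERK": {"BR_AP_INVOICE_ENTRY"},
    "AP_MANAGER": {"BR_AP_INVOICE_ENTRY", "BR_AP_PAYMENT_RELEASE"},
    "WAREHOUSE": {"BR_GOODS_RECEIPT"},
}


@dataclass
class HrRecord:
    user_id: str
    position: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    user_id: str
    roles: set = field(default_factory=set)
    locked: bool = False


def reconcile(hr_feed, accounts):
    """Return the (action, user_id, sorted_roles) tuples needed to bring the
    accounts in line with the HR feed. Inputs are not modified."""
    actions = []
    by_id = {a.user_id: a for a in accounts}
    for rec in hr_feed:
        acct = by_id.get(rec.user_id)
        if rec.status == "terminated":
            # Leaver: lock the account and record which roles are being stripped.
            if acct is not None and (not acct.locked or acct.roles):
                actions.append(("LOCK", rec.user_id, sorted(acct.roles)))
            continue
        desired = POSITION_ROLES.get(rec.position, set())
        if acct is None:
            # Joiner: create the account with exactly the access the position needs.
            actions.append(("CREATE", rec.user_id, sorted(desired)))
            continue
        if acct.locked:
            actions.append(("UNLOCK", rec.user_id, []))
        # Mover: add what the new position needs, remove legacy access from the old one.
        to_add = desired - acct.roles
        to_remove = acct.roles - desired
        if to_add:
            actions.append(("ADD", rec.user_id, sorted(to_add)))
        if to_remove:
            actions.append(("REMOVE", rec.user_id, sorted(to_remove)))
    # Orphans: accounts that no longer correspond to any HR record are locked too.
    hr_ids = {r.user_id for r in hr_feed}
    for acct in accounts:
        if acct.user_id not in hr_ids and not acct.locked:
            actions.append(("LOCK", acct.user_id, sorted(acct.roles)))
    return actions


# Constructed sample data: one joiner, one mover, one leaver, one unchanged user,
# and one account with no HR record.
SAMPLE_HR = [
    HrRecord("u_joiner", "AP_CLERK", "active"),
    HrRecord("u_mover", "AP_MANAGER", "active"),
    HrRecord("u_leaver", "AP_CLERK", "terminated"),
    HrRecord("u_same", "AP_CLERK", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("u_mover", {"BR_GOODS_RECEIPT"}),          # moved from the warehouse
    Account("u_leaver", {"BR_AP_INVOICE_ENTRY"}),
    Account("u_same", {"BR_AP_INVOICE_ENTRY"}),
    Account("u_orphan", {"BR_AP_PAYMENT_RELEASE"}),    # no HR record
]

if __name__ == "__main__":
    for action in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS):
        print(action)
```

The returned action list is the audit trail the article asks for: each entry records who gained or lost which roles and why, and the same function run on a schedule doubles as the periodic review, since any role not justified by the current position shows up as a `REMOVE`.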
Adithe also advises organizations to be sure their controls monitor for fraudulent or suspicious activity. “The cycle should be to identify risk, associate mitigation control, and apply Continuous Control Monitoring (CCM) to help ensure mitigation controls are still effective,” says Adithe. For on-premises and transitioning organizations, Adithe says, SAP Access Control facilitates the detection and remediation of access risk violations through its role management, emergency access, user access review, and user provisioning capabilities. SAP Access Control users can keep their existing SAP Access Control 12.0 environment as the primary system for access control while the SAP Cloud Identity Access Governance bridge extends the SAP Access Control services or applications into the cloud environment.
Privileged access, the temporary granting of elevated permissions to perform critical tasks, is another challenge for organizations. Both Adithe and Roeske note that it can be simplified through an automated workflow for approval, risk assessment, and granting of access, while automation also monitors privileged sessions and flags anomalies in how that access is used.
Power IAM by People, Supported with Technology
Automation should be supported with human-instituted policies and controls to protect organizations, meet regulatory needs, and provide regular maintenance and cleanup of access, according to Adithe. At the same time, Roeske says that automation isn’t a tool to assign access, but to facilitate it. “Thoughtful decisions made by humans are a prerequisite for applying automation in most cases,” says Roeske. He encourages organizations to think about the processes around IAM and have security policies in place. “Maybe someday we’ll have artificial intelligence that can make those decisions,” he says, “but right now we need real people to do it.” For example, Roeske notes that many organizations moving to SAP Access Control love the automatic provisioning, but they sometimes assume that everything can be done without their participation. Technology should relieve people of as much burden as possible, Roeske says, but people still need to understand and do their job when it comes to approvals.
Roeske notes that organizations in a state of flux from transitioning should not become complacent about their legal, audit, and access requirements and must plan ahead. “You need the right tools to facilitate not only what you have today, but also what you’ll have in your future,” Roeske says. For organizations that plan to migrate from ECC to SAP S/4HANA, IAM remains a constant evolution that can improve with a centralized, simplified approach that is supported by technology but driven by humans. Roeske explains that clicking to assign a role doesn’t take a lot of intelligence. “The challenge, reserved for humans, is picking the right roles and understanding what risks are involved for the system. This responsibility should fall across managers, business role owners, and security. Combining these perspectives creates a well-rounded decision-making process that can help account for real-time corrections and risk management.”
Leverage Technology to Design Roles and Update Your Security Architecture
To make role design easier as businesses become more complex, Adithe suggests harmonizing access: defining employee responsibilities and roles in a simple and standardized way. For example, a large organization could have 15 accountants with 10 roles each, creating 150 assignments to be administered. Bundling those 10 roles into a single accountant business role reduces the 150 assignments to 15 (one business role per accountant), simplifying access control. Policies should define roles according to the responsibilities and tasks required to complete the job, and the roles should be assigned to containers that span the on-premises system and the SAP HANA cloud, so that once access is granted or reassigned, it takes effect immediately for the new user. “Assigning access that honors all the required policies and regulations from a compliance standpoint should be an inherent process,” says Adithe. He advises organizations to define business roles that are granular enough not to introduce SoD or conflicting access within a single business role, yet still fulfill a business function across the board and across applications.
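An added example, not code from the article or from any SAP product, of what “granular enough not to introduce SoD within a single business role” means in practice. Technical roles are mapped to the business functions they grant and to the system they live in, an SoD rule set names the pairs of functions one person must not hold together, and a business role is only accepted if the functions of its bundled technical roles contain no such pair. The example also checks the combination of business roles assigned to one user, because two individually clean roles can still conflict when assigned together. The role names, function names, system names and SoD rules are constructed sample data; `define_business_role`, `is_sod_free` and `user_conflicts` are hypothetical function names.

```python
"""Business-role bundling with an SoD check across the bundled technical roles.

Added example (not from the article or any SAP product). Technical roles,
their business functions, systems and the SoD rule set are constructed.
"""

# Hypothetical technical (single) roles: (system, business functions granted).
TECH_ROLES = {
    "Z_AP_INVOICE_CREATE": ("S4H", {"AP_INVOICE_ENTRY"}),
    "Z_AP_INVOICE_DISPLAY": ("S4H", {"AP_INVOICE_DISPLAY"}),
    "Z_AP_PAYMENT_RUN": ("S4H", {"AP_PAYMENT_RELEASE"}),
    "Z_VENDOR_MASTER": ("S4H", {"VENDOR_MASTER_MAINTAIN"}),
    "Z_GL_POST": ("S4H", {"GL_POSTING"}),
    "CLOUD_INVOICE_APPROVE": ("CLOUD", {"AP_INVOICE_ENTRY"}),
}

# Hypothetical SoD rules: function pairs one person must not hold together.
SOD_RULES = {
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"): "enter and pay invoices",
    ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE"): "create a vendor and pay it",
    ("VENDOR_MASTER_MAINTAIN", "AP_INVOICE_ENTRY"): "create a vendor and enter its invoices",
}


def functions_of(tech_roles):
    """Union of the business functions granted by a set of technical roles."""
    funcs = set()
    for role in tech_roles:
        funcs |= TECH_ROLES[role][1]
    return funcs


def sod_conflicts(functions):
    """Return every SoD rule whose two functions are both present."""
    return [(a, b, why) for (a, b), why in SOD_RULES.items()
            if a in functions and b in functions]


def is_sod_free(tech_roles):
    return not sod_conflicts(functions_of(tech_roles))


def define_business_role(name, tech_roles):
    """Accept a business role only if its bundled technical roles are SoD-free.

    A business role may span several systems, which is what lets a user request
    one role instead of many pieces of access across the landscape."""
    conflicts = sod_conflicts(functions_of(tech_roles))
    if conflicts:
        raise ValueError(f"{name}: SoD conflict inside one business role: {conflicts}")
    systems = sorted({TECH_ROLES[r][0] for r in tech_roles})
    return {"name": name, "technical_roles": frozenset(tech_roles), "systems": systems}


def user_conflicts(business_roles):
    """SoD check on the combination of business roles assigned to one user.

    Each role passed define_business_role on its own, but the combination
    can still grant a forbidden pair, so the assignment must be checked too."""
    tech = set()
    for br in business_roles:
        tech |= br["technical_roles"]
    return sod_conflicts(functions_of(tech))


if __name__ == "__main__":
    accountant = define_business_role(
        "BR_ACCOUNTANT", ["Z_AP_INVOICE_CREATE", "Z_AP_INVOICE_DISPLAY", "Z_GL_POST",
                          "CLOUD_INVOICE_APPROVE"])
    payments = define_business_role(
        "BR_AP_PAYMENTS", ["Z_AP_PAYMENT_RUN", "Z_AP_INVOICE_DISPLAY"])
    print(accountant["name"], "spans", accountant["systems"])
    print("assigning both to one user conflicts on:", user_conflicts([accountant, payments]))
    try:
        define_business_role("BR_BAD", ["Z_AP_INVOICE_CREATE", "Z_AP_PAYMENT_RUN"])
    except ValueError as err:
        print("rejected:", err)
```

Two checks are deliberately separate: the one in `define_business_role` keeps the catalogue clean so that no single role a user can request is itself a violation, and `user_conflicts` is the check the access-request workflow runs at approval time, which is where a risk has to be either refused or tied to a documented mitigating control.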
Roeske recalls his time as a security administrator many years ago, when he only had to juggle a development system, a QA system, and a production R/3 system when designing roles and assigning access. “Times have changed; customers’ environments are much larger, far more complex and utilizing different technology platforms today, resulting in convoluted security structures from the end user’s perspective.” With the “one-stop shops” available in SAP software solutions, organizations can simplify the process for access requests and approvals by implementing applications with a user-friendly interface, according to Roeske, who says, “You shouldn’t have to be a security expert to request the access you need to do your job.”
Solutions that simplify role design and empower end users with self-service allow users to make the right decisions based on what access a business role needs. Today, interfaces allow the bundling of business roles across multiple systems using business-friendly language that end users can understand. That means one business role can be selected for one set of responsibilities across multiple systems, rather than needing to request many little pieces of security access across your IT landscape. This makes life easier for the end user, speeds up the approval and provision process, and also helps identify and reduce access violation risk as people change responsibilities within an organization.
Consider the risk associated with assigning a new accounts payable clerk the same access as an existing accounts payable clerk, for example. The existing clerk’s multi-role access level may have been granted based on evolving and expanding responsibilities over years or decades with the company, which may not be reflective of the access level that a new employee should receive. In this case, rather than replicate the access level of another user with the same title, says Roeske, as a best practice, organizations should design roles that can be selected for the user to do a specific job. Bundling and self-service are moving security architectural design to more efficient, lower-risk levels, and Roeske explains how applications such as SAP Access Control and SAP Cloud Identity Access Governance are facilitating those transitions. “SAP Access Control users have the capability of not only maintaining their existing systems,” says Roeske, “but also accessing SAP’s cloud bridge in order to add in the features of the SAP Cloud Identity Access Governance platform. The tools are there. Making sure you have these tools for consistency is important.”
Security must evolve along with role design in the intelligent enterprise, adds Roeske. Instead of planning role design after a go-live to a new technology platform, organizations should have designs in place before upgrading or migrating, he advises, planning and prioritizing security for the new system rather than cutting and pasting from the old system. To avoid migrating old problems over as new problems, Roeske advises organizations undergoing a transformation to explore the new technologies and new authorization concepts that are coming in with the cloud applications and consider where they are headed when it comes to the technology platform. Customers using SAP Access Control for their ECC can use it for SAP S/4HANA, says Roeske, but they need to allocate resources, time, and attention to ensure that security is not forgotten during the transformation journey.
What Does This Mean for SAPinsiders?
In summary, SAPinsiders should consider taking the following steps to meet regulatory requirements and protect against risk:
- Automate provisioning for maximum efficiency. Seek solutions that empower users with self-service administration and that monitor for SoD and other risks.
- Practice good access hygiene and role design. Ensure that your systems support and monitor critical capabilities and accounts while designing business roles for specific tasks.
- Leverage human decision making. Involve multiple departments in access management policies and decisions, and then use technology to facilitate and empower security administrators and provide cross-divisional visibility.
- Take advantage of transition tools. Leverage SAP Cloud Identity Access Governance in new deployments, or use it as a bridge to extend your current SAP Access Control capabilities into the cloud.
- Have a new plan for a new process. If transitioning to new platforms or the cloud, allocate resources to defining and executing new security processes to avoid bringing old issues to the new environment.