By Brianna Shipley, Director of Editorial, SAPinsider
How long does it take a manufacturing company to safely develop a product? In the pharmaceutical world, it can take a decade, on average, for a company to produce a medicine or drug. In addition to experiencing a much lengthier development process than other manufacturing companies, businesses within the pharmaceutical industry are also subject to highly regulated business processes throughout its research, production, quality control, and sales and distribution — making for a unique environment when it comes to securing processes and technology landscapes.
Lundbeck, a Danish company headquartered in Copenhagen, is further differentiated within the industry by the specialty therapies that it develops for people with disorders of the central nervous system, including depression, schizophrenia, Parkinson’s, and Alzheimer’s. With the acquisition of two US companies in recent years, Lundbeck has been able to expand its research into new product areas, including treatments for migraines.
Just as the company’s research and development areas have evolved over the years, so too have security and technology trends. “Today, there is a much greater emphasis on having a global security system in place than there was 20 years ago, when it was not uncommon for key employees to have access to everything within the SAP system,” says Kirsten Kjerkegaard, Solutions Architect for Access and Security at Lundbeck, who has worked in the security space for her entire career and witnessed these changes first-hand.
Lundbeck has been an SAP customer since 2003. The company currently runs one instance of SAP ERP on premise for its procurement, supply planning, production, serialization, logistics, sales, finance, human resources, and business intelligence functionality. Six years ago, the company moved to a hybrid SAP landscape with implementations of SAP Ariba, SAP Concur, and SAP SuccessFactors solutions. Today, the company is undergoing a project — with an anticipated go-live of June 2021 — to implement SAP S/4HANA in a separate system to use the built-in extended warehouse management capabilities. In the future, it plans to convert its SAP ERP landscape to SAP S/4HANA.
Currently, Kjerkegaard’s role is to help Lundbeck select the right tools and processes for supporting the access governance and authorization areas, which include processes for user administration, segregation of duties (SoD), privileged access management, and re-certification (periodic access reviews). “For the SAP systems, specifically, I am also responsible for ensuring a healthy authorization concept that can stand the test of financial audits and health authority inspections,” she says.
The Pursuit of Automated Security
When Kjerkegaard joined Lundbeck four years ago, her mission was to help the business ensure smooth audits and identify and minimize security issues. “At that time, the company’s access provisioning process was digitalized, but the SoD and privileged access management processes were managed manually through spreadsheets, which created some challenges and cumbersome reporting,” she says.
To eliminate these issues, Lundbeck began investigating options for an automated security platform. A critical component of selecting a vendor was the ability for the platform to perform in a hybrid landscape. For SoD in particular, Lundbeck needed a solution that would integrate with the SAP Ariba solutions that run its commercial purchasing. According to Kjerkegaard, out of the nine solutions the business evaluated, most of them did not meet this need.
“After narrowing the list down to four vendors, our final choice was the Security Weaver platform due to the attractive price level, the technically easy implementation, the built-in application programming interfaces (APIs) that provided for easy integration to our existing access request system — and because it had the most advanced functionality in the privileged access management solution,” she says, referring to the Security Weaver Emergency Repair application.
“With the Security Weaver product suite, Corporate IT has ensured that we can support the business with future proof control processes around the SAP platform. Also, that our SAP access process is more standardized and efficient, reducing the manual workload through automated control processes,” says Preben Klavsen, Senior Director, Head of Business IT Delivery at Lundbeck.
Lundbeck also implemented the Security Weaver Separations Enforcer application to analyze, manage, and reduce SoD conflicts and the Security Weaver Secure Enterprise application to enable SoD analysis across the SAP Ariba solutions.
The project teams took an unconventional approach to the deployments by implementing the SoD process applications (Separations Enforcer and Secure Enterprise) before the privileged access management solution (Emergency Repair). “The reason for prioritizing this way was because we wanted to start with our biggest challenge compliance-wise, namely the SoD area itself, and because we had a reliable manual privileged access process running,” says Kjerkegaard.
Uncovering Vulnerabilities and Reducing SoD Conflicts
Prior to using Separations Enforcer and Secure Enterprise to perform cross-platform SoD conflict analysis, Lundbeck was performing repetitive tasks and producing static reporting. “We were doing the same access cleanup year after year; we were analyzing historic data and were not performing exact analysis because our reporting tools could only handle transaction-level reporting,” says Kjerkegaard. “As people working with SAP authorizations know, SAP access is much more complex than this, and proper reporting cannot be handled in spreadsheets.”
The project team responsible for digitizing Lundbeck’s SoD processes with Separations Enforcer and Secure Enterprise consisted of the company’s process specialists from the involved business areas, with Kjerkegaard serving as the solutions architect, authorization specialist, and project manager during the system implementation. “Security Weaver supported us on request with online configuration guiding and train-the-trainer courses,” she says. “The applications were implemented from scratch and were quite easy to install and configure so we were able to quickly complete that phase and enter test mode.”
The solutions are capable of cross-platform analysis, which enables Lundbeck to include SAP Ariba procurement processes when measuring SoD conflicts. Together with the preventive controls during the access, the analysis provides Lundbeck with a complete overview of which users have SoD conflicts and which authorizations are causing the conflicts.
“This information can be used to ensure that mitigating controls are placed exactly where they are needed,” says Kjerkegaard. “For example, if the same user is permitted to perform the tasks of procuring a material as well as paying for that material, the system ensures that a so-called mitigating control can be placed on this user to monitor that the access is not used inappropriately.”
Prior to the implementation, Lundbeck had adopted an SoD ruleset, otherwise known as the SoD conflict definitions, from a consulting partner. The ruleset differed from the pre-loaded definitions that came with Security Weaver Separations Enforcer. “We expected the two rule sets to be similar, but they were actually very different, requiring us to dig deeper,” says Kjerkegaard.
The project team therefore spent a lot of time on the ruleset, defining SoD conflicts to ensure that they met the unique needs of Lundbeck’s processes, an exercise that Kjerkegaard recommends other companies invest in as well. “If you define a ruleset that doesn’t apply to your business processes, then you’re creating unnecessary workload that doesn’t add value,” she says. “I would advise that businesses spend time to discover what standard rules will work for them out of the box, and what might need to be configured differently, and understand that mitigating controls are money out the window if they are not placed where the actual possibilities for fraud are.”
Sandra Ebbesen, Compliance Controller at Lundbeck and project manager for the implementation of the mitigating control process, adds: “Besides the waste of money implementing controls that are not mitigating actual risks, unnecessary controls will also increase the resistance from line of business against a project like this, and, in the end, result in controls not being properly performed. So, it is very important that businesses spend time on this task and acknowledge that it is not a one-size-fits-all.”
According to Kjerkegaard, having the company’s SAP business processes predefined in Separations Enforcer beforehand was a big help. “Technically, this made it very easy for us to create or remove SoD conflicts, so we could concentrate on the business part of the implementation rather than on the technical part,” she says. “Also, Security Weaver did a great job in expanding the ruleset to include business processes on the SAP Ariba side, ensuring that we had all relevant corporate business processes included in the SoD analysis.”
Lundbeck’s project team has defined up to 80 different ways that a user could access the SAP system and potentially commit fraud. “We now have complete transparency into where SoD conflicts exist in the company’s landscape, and which users have the conflicts,” says Kjerkegaard. “That’s a huge step from earlier, when we were using spreadsheets for reporting and we only had historical data to look at. Now we have real-time knowledge about our systems.”
Of course, not every conflict can or should be removed – especially for the organization’s smaller companies that only have a few employees. “To streamline control monitoring, we are now also implementing an e-mail-supported mitigation process so auditors (for example, local controllers or managers) can confirm the mitigating controls they are performing to document that a conflict has not resulted in fraud,” she says. “It is a big advantage that the mitigation process is also part of the Security Weaver Separation Enforcer application; unlike in competing products, where the SoD monitoring and mitigation process lies in different modules – hence a bigger investment.”
In addition to auditors, for projects such as this, she also encourages involvement by busines leaders: “With these kinds of compliance projects, most important is to ensure that top management is involved and supporting the project. As key competencies are needed from various business areas, it is critical that management supports that the project is prioritized – preferably that it is reflected in the delivery goals of the involved business areas. Otherwise, it can be a struggle to ensure project resources and keep project pace.”
Streamlining Privileged Access Supports Business Continuity
Privileged access is a term used for extended, temporary access to IT production environments, which requires monitoring (of an audit log) due to its critical nature. At Lundbeck, privileged access is obtainable for SAP project participants for cutover activities and hypercare in connection with project go-lives as well as for internal and external SAP specialists in connection with first- and second-level support activities.
“Prior to implementing the Security Weaver Emergency Repair application, we used unnamed privileged users which were manually handled, only in Denmark office hours,” says Kjerkegaard. “With 3,000 requests per year, this was of course a timeconsuming task handled by some of our most experienced specialists.”
Now, with the Security Weaver Emergency Repair application, the automation has resulted in significant time savings for key specialists in Lundbeck. Also, when it comes to giving privileged access to its offshore support partners, which operate in a different time zone, the Security Weaver application has meant a lot of waiting time saved. Because of the automation, Lundbeck’s partners receive access faster without having to wait for an administrator to wake up, open the computer, confirm that the request is appropriate, and provision the access.
Instead of reviewers having to manually review the audit log for discrepancies — which are uses of privileged access that do not match the stated intentions — the process is automated. Logs matching the requested access are automatically reviewed, saving 60 % of the review work. With 3,000 cases a year, this is a significant amount of time savings, according to Kjerkegaard. “Now, when discrepancies occur that need to be reviewed, the request is routed directly to the reviewer assigned to the privileged user — via email — to investigate and approve (or reject) the log,” she says. “This has given us the possibility of delegating the review task to the right specialists and provides a much more qualified review than we had before the system implementation when the review task was centralized due to manual processes.”
She adds, “With the implementation of Security Weaver Emergency Repair, there are so many wins, both economically and security-wise. The tool works seamlessly with the automatic log review in all system types and is easily adopted by users.”
Lundbeck has rolled out all three Security Weaver applications to the company’s main SAP ERP system, as well as to SAP Advanced Track and Trace for Pharmaceuticals and SAP Business Warehouse. According to Kjerkegaard, Lundbeck is looking forward to moving its Security Weaver applications onto SAP S/4HANA when that conversion is complete.
“We have already configured and tested Security Weaver Emergency Repair on our SAP S/4HANA system for extended warehouse management and haven’t seen any issues with it,” she says. “The user acceptance testing for extended warehouse management has run smoothly without any issues detected. Although Security Weaver had promised us that the system was SAP S/4HANA ready, it was a relief to see the test pass with our own eyes.”
Lundbeck plans to implement a fourth Security Weaver application, Secure Provisioning, in April 2021, which will allow the company to replace its custom code system with a standard access request and user provisioning system.
A word of advice to Kjerkegaard’s colleagues in the SAP security space: “Instead of only looking at one or two products, I suggest that organizations get a proper market overview and select a broader range of vendors during their evaluation process,” she says. “I have seen several Danish companies implement small, local SoD tools instead of looking at international vendors, such as Security Weaver who offers much more advanced and future-proof products for competitive price levels.”
Lundbeck Headquarters: Copenhagen, Denmark
Company details: Lundbeck — a global pharmaceutical company headquartered in Denmark — is driven by a call to find answers to the unsolved questions of neuroscience. The company fulfills its mission through state-of-the-art research and development and by engaging in the manufacturing, marketing, and sale of pharmaceuticals across the globe. Lundbeck has been at the forefront of neuroscience research for more than 70 years.
SAP solutions: SAP ERP (for procurement, supply planning, production, serialization, logistics, sales, finance, human resources and business intelligence), SAP S/4HANA, SAP Business Warehouse, SAP Advanced Track and Trace for Pharmaceuticals, and SAP Concur, SAP Ariba, and SAP SuccessFactors solutions.
Third-party solutions: Security Weaver Separations Enforcer, Security Weaver Secure Enterprise, and Security Weaver Emergency Repair.