MASTERING SAP SECURITY & RISK COMMUNITY SNAPSHOT 2020

INTRODUCTION

For 24 years, The Eventful Group has specialised in developing technology communities of practice, and particularly SAP-centric ones, for both business and IT professionals. Intense research is conducted with these communities via a process known as the Circle of Customer Engagement, where both the challenges faced and the opportunities perceived are identified through roundtable discussions held across .

PARTICIPANT PROFILE

The roundtable discussion groups brought together business leaders, business analysts and IT teams who leverage SAP’s technology stack from a wide variety of industry sectors, including mining, financial services, media, pharmaceutical, retail, healthcare, telecommunications, pulp & paper, energy, utilities, transport, manufacturing, technology consulting and the public sector. Over the course of these groups we met face to face with 170+ SAP professionals from over 100 organisations, who shared their stories regarding process optimisation and the use of SAP solutions to support it. These insights are captured in this report.

Some of the job titles of participants include:

Solution Architect - Security
IT Security Manager
SAP Security Lead
Senior SAP GRC and Security Analyst
Cybersecurity Analyst - SAP ERP Governance & Applications Security
Cybersecurity Consultant - SAP Security

NOTE OF THANKS

ACCO Brands Australia | AGL Energy | Allianz Australia Insurance | Ausgrid | AusNet Services Group | Australia Post | Australian Broadcasting Corporation | Australian Criminal Intelligence Commission (ACIC) | Australian Pharmaceutical Industries | Australian Taxation Office | Bakers Delight Holdings | BHP | BlackLine System | BlueScope Steel | Broadspectrum (Australia) | Caltex Australia | Capgemini Australia | Central Health Services | CitiPower & Powercor Australia | Coates Group | Coates Hire Operations | Coca-Cola Amatil (Aust) | of Australia | CSIRO Australia | Department of Health and Human Services, Victoria | Device Technologies Australia | Discovery Consulting Group | DuluxGroup | EY Australia | Fire and Rescue NSW | Fonterra Australia | Fonterra Brands | GenesisCare | GFG Alliance - Australia - Head Office | GFG Alliance Australia - Liberty OneSteel | GlaxoSmithKline Australia | GPC Electronics | Hanson Australia | Honda Australia | Hydro Tasmania | Icon Integration | Jemena | Kmart Australia | Komatsu Australia | La Trobe University | LeasePlan Australia | Linfox Australia | Lion Beer Australia | Lion | McGrathNicol | Private | Merivale Group | MMG | NSW Department of Education and Communities | NSW Department of Justice | NSW Police Force | O-I Asia Pacific | Australia | Orora | Ruralco Holdings | SingTel Optus | Spotless Group | Corporation | Sydney Water Corporation | Synchrony Global Australia | TAFE NSW - Sydney Institute | Target Australia | Tomago Aluminium Company | Toyota Motor Corporation Australia | Transport for NSW | Turnkey Consulting | UGL | Visy Industries | Wilmar Sugar Australia | Woolworths Group | Yancoal Australia | ZAG Australia

OVERVIEW

In recent years SAP environments have become increasingly complex, and with this comes the commensurate challenge of securing them. Many organisations have begun or are planning their migration to SAP S/4HANA, a platform that brings a brand-new set of security considerations due to its underlying architecture. In addition, cloud-based solutions such as SuccessFactors and Ariba are often implemented alongside SAP S/4HANA, resulting in hybrid landscapes for the foreseeable future. If security is not considered early in an implementation and built in by design, then remediation work will almost certainly be required after go-live. Once live, managing security aspects such as the user life cycle and privileges, configuration and patching across disparate systems is no easy task. There is an ever-increasing raft of regulatory and audit requirements which must be adhered to. The cost of non-compliance, or worse, a cyber incident, could have devastating consequences for an organisation.

Customers shared with us that they wish to discuss 11 major themes:

1. A Culture of Security
2. Aligning Roles with Organisational Security Structure
3. Security by Design
4. The Roadmap & SAP S/4HANA
5. Tools
6. Cloud
7. Cyber Threats
8. Bots & Identity Management
9. Access Reporting
10. Data Privacy / GDPR
11. Governance & Testing

1. A CULTURE OF SECURITY

Organisations need to shift their old-school security mindset. Cyber incidents and threats are a very real issue, and the implications of a breach can be staggering for any organisation in terms of financial loss (lost revenue and regulatory fines), reputation and market share. In some organisations, participants feel that management is yet to wake up to this risk materialising, instead holding a false sense that the likelihood of these events is lower than the reality on the ground suggests. Yet it only takes one person, one click, or one configuration setting left unchanged to knowingly (or unknowingly) create a major cyber event.

The security team, and indeed the other parts of the organisation involved with security, need to help elevate the importance of security and what is required to keep the organisation safe. Organisational security culture is usually a reflection of leadership within an organisation. The tone at the top is set by the Board and cascades down accordingly.

How does one elevate cyber security awareness to the same ‘cultural status’ as physical safety, irrespective of who leads? How do we get senior-level leaders to actively sponsor our initiative? How do you direct spend that benefits the entire organisation? How do you link management performance to security outcomes? If the security team is perceived as a ‘blocker’, or a function that slows the business down, how do you demonstrate to management the pain associated with an attack or breach?

2. ALIGNING ROLES WITH ORGANISATIONAL SECURITY STRUCTURE

We cannot find a common governance model with reference to role design; there is no “one size fits all”. We need better tools and methodologies to improve Identity and Access Management. Often the HR organisation hasn’t defined job roles which cover the entire organisation. This may be because there is no perfect role design. We must be able to adapt to changing business and organisational requirements.

· What methodology or tools are used successfully by organisations to map processes and roles at enterprise level?
· How do we keep the broader team’s access aligned as business users change roles and requirements? Keep their access live and fit for purpose in real time, so to speak.
· Is the principle of least privilege the right risk mitigation tactic, or are detective controls a better strategy? That is, give everyone broader access and detect threats as they occur.
· Can you balance operational needs through broader access rights while focusing your restrictions only on those that have a direct impact on your financial, cyber or privacy threats?
· How can I keep other systems, such as Ariba and Hybris, aligned with core ERP?
· People are acquiring software products at a rate of knots. How do we manage user access and security across all the landscapes? How do we manage this across Development, Test and Production environments?
· Are there enterprise-wide identity management tools which can manage access at each application level?

3. SECURITY BY DESIGN

Businesses implementing SAP often have their focus firmly set on realising the operational benefits and fail to identify security as one of the project’s key elements. Failure to identify risks and build security into the foundations of the solution can have damaging consequences for the business going forward. For a robust, secure system to be delivered, it is essential to have business input into the security design, but this input has to be informed by the overall security posture, policies and governance the organisation is trying to maintain.

Systems Integrators (SIs) and project teams are typically focused on the delivery of functionality, with set milestones to hit along the project timeline. This can lead to corners being cut and security being overlooked, with SIs reluctant to carry out the extra layers of testing that may slow down delivery. Where SAP security is overlooked in the initial stages of implementation, the most likely upshot is a raft of costly retrospective changes. Often, these fixes have to be made in a live SAP environment, only increasing the risk of downtime.

· Within a digital transformation project, has security been front and centre of the design, and is the future governance model established?
· How do we adapt security to an agile model, given that stability is low when agility is high? Can automation help make security more agile?
· Development to Operations is so fast. How do we keep up with the pace and embed security into the development lifecycle?
· Can you use your digital transformation program of works as an opportunity to reset your approach to security from an end-to-end standpoint?

4. THE ROADMAP & SAP S/4HANA

Organisations are battling with selling the business case for moving to SAP S/4HANA. They need to be able to demonstrate what the additional value is to the business. Within SAP security, with its many decisions and tools to select and upgrade, there are many possible and often conflicting roadmaps. The roadmap to SAP S/4HANA is only one of them. How confident are you that the current security model will meet your future requirements, irrespective of which direction you go?

· What is the roadmap for SAP S/4HANA security?
· SAP S/4HANA upgrade path: what do we need to do for each of the roles in terms of security? Is it just a lift and shift?
· What are the different layers of security in SAP S/4HANA, and how do they differ from ECC?
· Can Fiori tiles be used to enhance security and mitigate risk?

5. TOOLS

SAP Access Control and SAP Process Control are automated tools to manage an internal security model, remediate compliance issues, and monitor potential business risks within an SAP system. With reference to GRC, the feeling was that there is a lack of integration outside of ABAP (with Java, Fiori and SaaS) and a lack of rulesets for external systems. Documentation and training material is hard to come by, or is missing from a post-implementation (run) perspective. Customers also questioned the flexibility of the tool.

The business needs to invest in additional reporting. We need tools that can help with segregation of duties, access control and role and user provisioning. For these three primary needs, customers want to see an independent comparative analysis between the various tools offered by SAP and third-party providers. Other questions that cropped up:

SAP IDM: what is SAP’s way forward with this tool, given the new Identity and Access Governance (IAG) tools in the cloud? With GRC 12, IDM and IAG, what is the integration between them like, and where do they overlap? What tools cater to audit? Privileged Access Management (PAM): is there a tool that can assist with password rotation for technical users?

6. CLOUD

Many customers are moving to the cloud but at this stage also have an on-prem core ERP system, giving them a hybrid landscape. They are managing security in a hybrid scenario and experiencing integration challenges. Organisations must therefore consider security across multiple points of connection with other systems and look at the overall identity and access management life cycle.

This changes the game for vendor access, which might be contrary to your IT policy. A mind-shift is required from the old on-prem thinking. You are ‘renting’ your applications from the vendor, and it is logical that they will want access to support them. An integrated identity management system is a huge advantage in a cloud environment.

What is GRC cloud connectivity to on-prem technology like? Is cloud-based security with on-prem systems the way to go? Are the SAP solutions the best tools to use? What are the alternatives? Will IAG be the solution we are all hoping it will be? How do you adapt outdated policies for the “new world”?

7. CYBER THREATS

All too often, an organisation’s consideration of SAP security extends only to authorisations and roles. More resilient protection of SAP infrastructure is required, such as Privileged Access Management at database and operating system level, and ‘hardening’ the SAP environment from external threats.

One of the primary concerns customers are thinking about is the notion of linking SAP security and cyber security; often there is a void in between. Whether it’s a cloud app vulnerability or SAP service support that leads to you opening up your system, how to manage this and allow access is what one needs to consider. POCs that are spun up and spun down also create an opening, especially given the need for speed. Vulnerability and penetration testing to understand external threats was discussed at length. Other conversations were:

· Patching and its disruptive impact;
· Evaluating whether data needs to be protected and managing that protection, including in non-production environments;
· Code security: checking to ensure that custom code is developed securely;
· Device security, especially when one is going mobile.

What is best practice? With regard to threat detection capabilities, what tools are worth exploring?

8. BOTS & IDENTITY MANAGEMENT

Customers wanted to know what the next generation of identity management tools looks like. In addition, the idea of integrating the SAP landscape with an identity management landscape was discussed, as was the idea of non-human (bot) identity. These bots must have human-like access, but does your security policy and framework cater for the management of non-human identities?

How do you manage this in policy, and policy change, by defining ownership for the bots? What are the licensing implications of using bots? Where does the accountability lie for actions performed by bots? How does segregation of duties apply in the bot age?

9. ACCESS REPORTING

Given the heterogeneous nature of SAP applications, there is no single tool to provide a single view of your users, roles, authorisations, risks and compliance activities. SAP doesn’t give customers adequate dashboard reporting with reference to access, and hence they have to develop these solutions themselves.

Where reports do exist, customers felt they were too technical to interpret (e.g. Firefighter log reports). Customers wish they were easier to use, with more business-oriented language, so that one’s best resources are not the only ones who can follow them. An additional reporting issue is that when one has, for example, Ariba and Fieldglass, you can’t report from one central system, which causes a challenge. In other words, the whole landscape cannot be monitored from a central point.

Where should organisations be moving to get this, and what is available in the marketplace to start piecing this puzzle together? Is there a best practice approach? Given that reporting is often not fit for purpose, what alternatives are available?

10. DATA PRIVACY / GDPR

Meeting the requirements of the Privacy Act and changing legislation causes a security headache. Customers need reporting around who received information about other people. Data classification means they have to consider where their PII (Personally Identifiable Information) data is, at rest or in transit, and this is hard to do.

How do you start with GDPR and “the right to be forgotten”?

11. GOVERNANCE & TESTING

While testing is one of the most crucial aspects of SAP security, it’s rarely afforded enough time. When testing is carried out, it’s almost always rushed or left to the very last minute. Many projects specifically suffer from limited negative testing, which is vital for role design to ensure it meets the criteria set by the business.

Audit wants all these tick boxes ticked, and this too slows us down. We are audited on how closely we are sticking to policy. We need to create policies that fit our processes.

Is it best practice to demonstrate compliance relative to policies in a world changing so quickly, or is there a better way? How do you stay in step with, or ahead of, ever-increasing audit requirements?

12 - 13 OCTOBER, 2020 CROWN PROMENADE MELBOURNE

Bringing together Security, Cybersecurity and GRC professionals to talk:

A Culture of Security; Aligning Roles with Organisational Security Structure; Security by Design; The Roadmap & SAP S/4HANA; Tools; Cloud; Cyber Threats; Bots & Identity Management; Access Reporting; Data Privacy / GDPR; Governance & Testing

WANT TO FIND OUT MORE?

https://www.masteringsapconference.com/msap/aus/sec/

Call Steve Morris on +61 2 9955 7400

BUILDING COMMUNITIES AT THE EVENTFUL GROUP

At The Eventful Group we are all about building communities, creating value for the members, and immersing ourselves in their world to ensure that members walk away from one of our community events with knowledge and connections they will not, and cannot, get anywhere else. To do this, we know we need to listen to our customers and create an exciting, unique event based on solid, in-depth and collaborative research.

We have been successfully building communities for over 20 years. We don’t just put an event together in a couple of weeks based on phone calls to consultants and reading a few articles. We invest a lot in our research process, typically a whole year for a new community. At the heart of everything we do is a fundamental belief in the power of people. We invest our time, resources and knowledge into developing something that’s far more than an event. This philosophy sets a climate where ideas and people grow. Where minds and hearts open up to fresh thinking and new faces.

https://www.theeventfulgroup.com/