Hot topics in GRC: SAP BusinessObjects Access Control 10.0
Scott Enerson, PwC
14 September 2011
PwC
Agenda
Objectives Of This Session
Governance, Risk, and Compliance Trends
SAP BusinessObjects Access Control 10.0 Overview
Hardware Landscape
Upgrade/Migration Path
Questions
Objectives Of This Session
• Understand the capabilities of SAP’s Access Control solution
• Understand the key differences between previous versions of Access Control and version 10.0
• Understand how the Access Control solution can help address operational and compliance challenges
• Know where to find additional information resources on the Internet
Governance, Risk, and Compliance (GRC) Trends
GRC Technology Maturity - Recent Trends
• Optimizing access control
• Control repository as a platform
• Multi-compliance framework
• Continuous controls monitoring (CCM) technology is maturing
• CCM is being considered in a wide context
• Integrating GRC solutions
Benefits of Integrated GRC
Visibility, confidence, and efficiency
Top 5 Areas of Interest in Version 10
• Improvements in functionality and usability
• Migration from older versions (including VIRSA) to GRC 10.0
• Connectivity beyond SAP – use of 3rd-party vendors such as Greenlight Technologies
• Timing, cost and level of effort for upgrade
• Value proposition for new implementations
SAP BusinessObjects Access Control Overview
SAP GRC Suite: Access Controls, Process Controls, & Risk Management
SAP GRC Process Control
Business drivers
• Continuous monitoring
• Sustainable cost of compliance
• Stronger alignment across the assurance community & lines of business
• Better insight & timely decision making
• Greater transparency & accountability
Value proposition
• Automation of control activities through continuous control monitoring & auditing.
• Multi-compliance framework enables enterprise-wide regulations.
• Centralization of risk & control documentation/testing/remediation across organizations and compliance initiatives.

SAP GRC Risk Management
Business drivers
• Common definition of risk across the lines of business
• Faster & timely response to risk anomalies/violations
• Increased level of automation across the “risk management” value chain
• Increased visibility of risk to shareholders & board
Value proposition
• Alignment of risks to strategic priorities and business objectives.
• Proactive risk monitoring through defined key risk indicators and a standardized early warning system.
• View of consolidated risk exposure resulting from risk analysis and correlation.

(Diagram layers: Enterprise risk / Business process / Security)

SAP GRC Access Control
Business drivers
• Inefficient & inconsistent utilization of access control across the organization.
• Inflexible & inefficient role build model.
• Inability to embed ‘preventative SoD analysis’ within the user access lifecycle.
• User provisioning is a time-consuming and slow process.
• Better insight & transparency
Value proposition
• Real-time insight into access and segregation of duties violations.
• Reduction of critical access risks through control mitigation and dashboard reporting.
• Preventative user provisioning through identification of user conflicts prior to granting access.
Overview of SAP Access Controls
Functionality layers on the SAP GRC Access Control platform (diagram):
1. Centralized access risk repository for multi-application landscapes
2. Centralized analysis and mitigation of access risks
3. Centralized platform for managing and reviewing emergency access activities
4. Centralized request and approval process from hire-to-retire access; automated re-certification of existing access
Access Risk Analysis
[Diagram: SAP BusinessObjects Access Control component map: Role Management, Access Risk Analysis, Provisioning, Superuser Privilege Management, Auditing and review; Identity Management (SAP NetWeaver IdM, IBM, SUN, …) with HR and self-service as authoritative sources; provisioning into the target applications.]
Access Risk Analysis Comparison
| Access Controls 5.3 | Access Controls 10 | Key Differences |
| --- | --- | --- |
| Multiple-user analysis requires repeated manual input | User list upload functionality; ability to exclude values and ranges | More complex selection criteria available |
| Reporting is static and the output requires manual data manipulation in either Excel or Access | Reporting engine is based on Crystal Reports; customize reports via filters, changing column order, hiding columns | Reduces effort to manipulate reports into readable formats |
| One report type per analysis; multiple reports must be run to evaluate both SoD and sensitive-access risks | Ability to run multiple report types at the same time | Ability to run multiple reports at once to have a complete picture of risk |
Access Risk Analysis Comparison
| Access Controls 5.3 | Access Controls 10 | Key Differences |
| --- | --- | --- |
| Mitigating controls need to be assigned to a user one at a time and are not shared with Process Controls | Mass mitigation is available and control data is shared with Process Controls | Shared controls repository with Process Controls |
| Transaction code usage is available only through the use of the Alert function | Transaction code usage is now a part of various reports | Transaction code usage is integrated into the reporting functionality |
| Rule set change management procedures were performed outside of Access Controls | Native SAP workflow engine to help drive the change management process | Embedded change documentation in rule set change management processes |
Emergency Access Management
[Diagram: same Access Control component map as on the Access Risk Analysis slide.]
Emergency Access Management Comparison
| Access Controls 5.3 | Access Controls 10 | Key Differences |
| --- | --- | --- |
| Manual log review process with no electronic sign-off | Workflow for the log review and sign-off process | Electronic record of the log review process |
| Requires master data to be set up in multiple environments | Centralized setup of master data | Centralized source for accessing and configuring Superuser functionality |
| Firefighters are required to log on to multiple clients | Centralized access point for firefighters | Consistent reporting format for all emergency activities |
| ABAP and Java reporting functionality, with limitations on detail | Additional reports are available, for example operating system reports, audit log, and debug and replace | Enhanced reporting |
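The log review and sign-off process in the comparison above, worked through as an added Python example (it is not code from the presentation or from SAP GRC): constructed firefighter log lines are grouped into sessions, each session is matched against an electronic sign-off record, unsigned sessions past a review deadline are marked overdue, and overdue sessions that used sensitive transactions are escalated. The log layout, session and controller identifiers, the watch list of transaction codes and the two-day review SLA are all assumptions made for the illustration.

```python
"""Firefighter (emergency access) session log review with an electronic sign-off
record. Added illustration, not SAP GRC code: log layout, session ids, firefighter
and controller ids, the sensitive-transaction watch list and the review SLA are
assumptions."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed firefighter log: timestamp|session|firefighter_id|actual_user|tcode|reason
FF_LOG = """\
2011-09-14 09:58:03|S-1001|FF_AP_01|JDOE|F110|Urgent vendor payment run, ticket INC-4411
2011-09-14 10:01:47|S-1001|FF_AP_01|JDOE|FB03|Urgent vendor payment run, ticket INC-4411
2011-09-14 14:12:20|S-1002|FF_BASIS_01|MROSSI|SU01|Unlock user after password incident
2011-09-14 14:15:02|S-1002|FF_BASIS_01|MROSSI|PFCG|Unlock user after password incident
2011-09-15 08:40:11|S-1003|FF_AP_01|AKIM|FK02|Correct vendor bank details
"""
SENSITIVE_TCODES = {"SU01", "SU10", "PFCG", "SE16", "SM30"}   # assumed watch list
REVIEW_SLA = timedelta(days=2)                                 # assumed controller deadline

# Electronic sign-off record: session -> (controller, decision, signed_at). Constructed.
SIGNOFFS: Dict[str, Tuple[str, str, datetime]] = {
    "S-1001": ("CTRL_AP", "approved", datetime(2011, 9, 14, 17, 30)),
}

def parse_log(text: str) -> List[dict]:
    """Split each pipe-delimited line into a dict; the reason field may contain commas."""
    entries = []
    for line in text.splitlines():
        ts, sid, ffid, user, tcode, reason = line.split("|", 5)
        entries.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "session": sid,
                        "ffid": ffid, "user": user, "tcode": tcode, "reason": reason})
    return entries

def build_sessions(entries: List[dict]) -> Dict[str, dict]:
    """Group entries by session, keeping first/last timestamps and tcodes in order."""
    sessions: Dict[str, dict] = {}
    for e in sorted(entries, key=lambda e: e["ts"]):
        s = sessions.setdefault(e["session"], {"ffid": e["ffid"], "user": e["user"],
                                               "start": e["ts"], "end": e["ts"],
                                               "tcodes": [], "reason": e["reason"]})
        s["end"] = e["ts"]
        s["tcodes"].append(e["tcode"])
    return sessions

def review_status(session: dict, signoff: Optional[Tuple[str, str, datetime]],
                  now: datetime) -> str:
    """signed_off:<decision> when a controller record exists, else pending/overdue."""
    if signoff:
        return "signed_off:" + signoff[1]
    return "overdue" if now - session["end"] > REVIEW_SLA else "pending"

def review_report(now: datetime, log: str = FF_LOG,
                  signoffs: Dict[str, Tuple[str, str, datetime]] = SIGNOFFS) -> List[dict]:
    """One review item per session. Sensitive tcodes are listed for the controller;
    an unsigned, overdue session that touched them is flagged for escalation."""
    items = []
    for sid, s in sorted(build_sessions(parse_log(log)).items()):
        sensitive = sorted(set(s["tcodes"]) & SENSITIVE_TCODES)
        status = review_status(s, signoffs.get(sid), now)
        items.append({"session": sid, "ffid": s["ffid"], "user": s["user"],
                      "tcodes": s["tcodes"], "sensitive": sensitive, "status": status,
                      "escalate": status == "overdue" and bool(sensitive)})
    return items

def demo_report() -> List[dict]:
    """Report as of an assumed review time two days after the log above."""
    return review_report(datetime(2011, 9, 16, 18, 0))

if __name__ == "__main__":
    for item in demo_report():
        print(item)
```

In the sample, S-1001 is already signed off, S-1002 (user administration via SU01 and PFCG) has passed the SLA without a controller record and is escalated, and S-1003 is still within the window. The same shape works for a real export once the parser is pointed at the actual log format.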
Access Request
[Diagram: same Access Control component map as on the Access Risk Analysis slide.]
Access Request Comparison
| Access Controls 5.3 | Access Controls 10 | Key Differences |
| --- | --- | --- |
| Relies on an internal workflow engine to initiate and route requests | SAP native workflow engine that provides enhanced functionality and logic for routing approvals | Utilizes native SAP functionality to route access requests and manage workflow |
| Limited options for determining workflow | Complex requirements can be met using the Business Rules Framework (BRF+) | Increased flexibility in defining workflow |
| Automated user access review (UAR) that allowed managers or role owners to perform a review | User Access Reviews (UAR) can be routed to different approvers | Ability to route UAR approvals to other approvers |
Access Request Comparison
| Access Controls 5.3 | Access Controls 10 | Key Differences |
| --- | --- | --- |
| Role master data for access requests can be maintained in both the ERM and CUP databases | Roles available for provisioning are now maintained in the Role Management application | Centralized repository for roles available for provisioning |
| Limited customization of end-user request forms | Ability to create end-user request forms; introduction of template requests | New customizability in the end-user experience |
| Integration with Identity Management tools | Enhanced integration with Identity Management | Flexibility in choosing whether AC or IdM accepts requests or performs final provisioning |
Role Management
[Diagram: same Access Control component map as on the Access Risk Analysis slide.]
Role Management Comparison
| Access Controls 5.3 | Access Controls 10 | Key Differences |
| --- | --- | --- |
| Used as a design solution for technical roles | Introduction of the business role concept | Business role concept |
| Internal workflow engine to manage processes | Utilizes traditional SAP workflow to route activities and approvals | More flexible SAP workflow |
| Real-time SoD can be performed with a single rule set | Real-time SoD can be performed on multiple rule sets | Ability to test roles against multiple rule sets |
| For SAP there is the ability to define role content in both ERM and SAP | For SAP, role content definition is performed only in SAP | Leverages existing SAP role creation and maintenance processes |
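The rule-set mechanics behind the Access Risk Analysis, Access Request and Role Management comparisons above, carried through as one added Python example: a function groups the transaction codes that realise a business capability, a risk is a set of functions that must not be held together, risks are organised into named rule sets, a user is analysed with mitigating controls taken into account, a request is simulated before provisioning and the result decides whether a risk owner joins the approval path, and a single role is tested against several rule sets at once. This is not SAP code and not SAP's delivered rule set; every function, risk, role, user, control and approval-stage name is an assumption made for the illustration.

```python
"""Segregation-of-duties (SoD) risk analysis modelled on the rule-set structure the
slides describe. Added illustration, not SAP's rule set or code: all function, risk,
role, user, mitigating-control and approval-stage identifiers are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Function -> transaction codes that realise it (constructed sample).
FUNCTIONS: Dict[str, Set[str]] = {
    "AP01_VENDOR_MAINT":  {"XK01", "XK02", "FK01", "FK02"},  # maintain vendor master
    "AP02_INVOICE_ENTRY": {"FB60", "MIRO"},                  # post vendor invoices
    "AP03_PAYMENT_RUN":   {"F110"},                          # execute payment run
    "BS01_USER_ADMIN":    {"SU01", "SU10"},                  # maintain users
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: FrozenSet[str]   # a violation only when ALL of these are held
    level: str = "High"

# Two rule sets, so a role or user can be tested against several at once.
RULE_SETS: Dict[str, List[Risk]] = {
    "GLOBAL": [
        Risk("P001", "Maintain vendor master and post vendor invoices",
             frozenset({"AP01_VENDOR_MAINT", "AP02_INVOICE_ENTRY"})),
        Risk("P002", "Post vendor invoices and execute payments",
             frozenset({"AP02_INVOICE_ENTRY", "AP03_PAYMENT_RUN"})),
        # A one-function risk is how sensitive (critical) access is expressed.
        Risk("S001", "Sensitive access: user administration",
             frozenset({"BS01_USER_ADMIN"}), level="Critical"),
    ],
    "SOX_STRICT": [
        Risk("P003", "Maintain vendor master and execute payments",
             frozenset({"AP01_VENDOR_MAINT", "AP03_PAYMENT_RUN"})),
    ],
}

ROLES: Dict[str, Set[str]] = {   # role -> transaction codes it grants (constructed)
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_TREASURY": {"F110"},
    "Z_BASIS_USER_ADMIN": {"SU01"},
}
USERS: Dict[str, Set[str]] = {"JDOE": {"Z_AP_CLERK", "Z_VENDOR_MAINT"}}
# (user, risk_id) -> mitigating control id; one shared repository, as in AC 10.
MITIGATIONS: Dict[Tuple[str, str], str] = {}

def actions_of(roles: Iterable[str]) -> Set[str]:
    return set().union(*[ROLES[r] for r in roles])

def functions_held(actions: Set[str]) -> Set[str]:
    # Holding any one transaction code of a function counts as holding the function.
    return {f for f, tcodes in FUNCTIONS.items() if tcodes & actions}

def analyze_actions(actions: Set[str], rule_sets: Iterable[str]) -> List[Tuple[str, str]]:
    """(rule_set, risk_id) for every risk whose conflict set is fully held."""
    held = functions_held(actions)
    return sorted((rs, r.risk_id) for rs in rule_sets for r in RULE_SETS[rs]
                  if r.functions <= held)

def analyze_role(role: str, rule_sets=("GLOBAL", "SOX_STRICT")) -> List[Tuple[str, str]]:
    """Design-time check of one role against several rule sets at once."""
    return analyze_actions(ROLES[role], rule_sets)

def analyze_user(user: str, rule_sets=("GLOBAL",)) -> Dict[str, List[str]]:
    """User-level violations, split into open and mitigated."""
    report: Dict[str, List[str]] = {"open": [], "mitigated": []}
    for _, risk_id in analyze_actions(actions_of(USERS[user]), rule_sets):
        report["mitigated" if (user, risk_id) in MITIGATIONS else "open"].append(risk_id)
    return report

def simulate_request(user: str, requested: Set[str], rule_sets=("GLOBAL",)) -> List[str]:
    """Preventative check: risks the request would add, evaluated before provisioning."""
    before = {r for _, r in analyze_actions(actions_of(USERS[user]), rule_sets)}
    after = {r for _, r in analyze_actions(actions_of(USERS[user] | requested), rule_sets)}
    return sorted(after - before)

def approval_path(user: str, requested: Set[str], rule_sets=("GLOBAL",)) -> List[str]:
    """Routing rule of the kind BRF+ would evaluate: a risk owner is added only when
    the simulation shows a new violation (assumed stage names)."""
    path = ["MANAGER", "ROLE_OWNER"]
    if simulate_request(user, requested, rule_sets):
        path.append("RISK_OWNER")
    return path

def assign_mitigation(user: str, risk_id: str, control_id: str) -> None:
    MITIGATIONS[(user, risk_id)] = control_id

if __name__ == "__main__":
    print(analyze_user("JDOE"))                                   # P001 open
    print(simulate_request("JDOE", {"Z_TREASURY"}, ("GLOBAL", "SOX_STRICT")))
    print(approval_path("JDOE", {"Z_TREASURY"}))                  # adds RISK_OWNER
    assign_mitigation("JDOE", "P001", "MC-AP-017")
    print(analyze_user("JDOE"))                                   # P001 mitigated
    print(analyze_role("Z_BASIS_USER_ADMIN"))                     # S001 in GLOBAL
```

Two design points worth noting. A mitigation only reclassifies a violation; it never removes it from the analysis, so the open/mitigated split is what the dashboard should show. And the simulation compares the risk set after the request with the set before it, so a request that adds a role the user already holds, or that only repeats an existing violation, does not trigger the extra approval stage.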
Harmonization on a Unified Platform
[Diagram: the SAP GRC Suite overview (Process Control, Risk Management, Access Control; layers: enterprise risk, business process, security) repeated from the earlier SAP GRC Suite slide.]
Access Controls Harmonization & Unified Compliance Platform
| Access Controls 5.3 | Access Controls 10 | Key Differences |
| --- | --- | --- |
| Applications are deployed on both Java and ABAP | Standardized ABAP platform | Only the SAP ABAP skill set is necessary |
| Web interface looks different from the ABAP interface | Harmonized user interface for all applications | End users experience a consistent look |
| Security is maintained in the Java UME, with limited granularity | Native ABAP security allows granular security to be implemented | Traditional SAP approach to security |
| Configuration is managed by importing and exporting data | Standard SAP transport and archiving is embedded | ABAP platform supported by Basis processes already in place |
Access Controls Harmonization & Unified Compliance Platform
| Access Controls 5.3 | Access Controls 10 | Key Differences |
| --- | --- | --- |
| Access Controls 5.3, Process Controls 3.0 and Risk Management 3.0 each have their own master data | Common master data repository for Access Controls, Process Controls and Risk Management | Single repository of master data for all applications |
| Access Controls 5.3 leverages its own workflow | Leverages standard SAP workflow | Wider variety of workflow configuration possibilities available |
Connectivity beyond SAP with Greenlight
GRC 10.0 Hardware Landscape
Access Control 10.0 Architecture
Upgrade/Migration Path
Migration/Upgrade Paths
Migration / Upgrade Paths for earlier releases of GRC solutions
Migration/Upgrade Paths (continued)
Migration / Upgrade Path for Multiple GRC solutions
Summary
Key Benefits of Version 10
• Easier GRC technical system implementation and management
• Better reporting improves visibility into segregation of duties and sensitive access controls
• Can help lower the cost and effort of security operational activities
• Improved flexibility in workflow
• Enhanced integration with Identity Management tools
• Improvements in role concept management functionality
Further Help
Where to find more information
PwC SAP Security and Risk Management Services
http://www.pwc.com/se/sap
SAP BusinessObjects GRC Solutions Overview
http://www.sap.com/grc
General help with SAP Governance Risk and Compliance
http://help.sap.com/content/bobj/sbu/index_grc.htm
SAP BusinessObjects Access Control 10.0
Live Demonstration
Thursday
10:45 – 11:05
13:15 – 13:35
PwC Booth
Questions
Boost Your Vision
© 2011 PwC. All rights reserved. Not for further distribution without the permission of PwC."PwC" refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms ofthe PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide anyservices to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professionaljudgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise ofanother member firm's professional judgment or bind another member firm or PwCIL in any way.
Thank you for listening!