Practical GRC: Reduce Risks, Enhance Control,
Minimize Authorizations
Xpandion, 2018
About Xpandion
• Established in 2007
• Based in Tel Aviv, Israel
• Partners in Europe, USA, Asia Pacific
• Independent software vendor (ISV) with expertise in
ERP usage inspection
• Xpandion Software:
– Security
– Authorizations
– GRC
– SLOE
• Answering Needs:
– User Monitoring
– Authorization Management
– Compliance
– Workflow Processes
– SAP licensing
– Reduced Resources
ProfileTailor™ Dynamics
1. Infrastructure
2. Segregation of Duties
3. Control Management
4. Role Management
5. Additional Info
1. Architecture
[Architecture diagram. Components shown: Data Sources (ERP etc.); Data Extractor with MSMQ; Web Collector; ProfileTailor Service; SQL Server; SMTP mail server; IIS web server with worker process; ProfileTailor Dynamics user interface; end user access via web browser over HTTP]
ProfileTailor Suite in Details
Supported Platforms
• ProfileTailor Suite is currently able to connect to ERP systems (SAP, Oracle Apps, Priority), Active Directory, Windows file systems, VMS based systems, AS/400 based systems and various proprietary systems
• Connectivity is done using built-in out-of-the-box connectors or with open API, assisted by a graphical Interface Builder software
2. Segregation of Duties
Segregation of Duties
• Tier-1 solution with unique behavior inspection
• Identifies SoD violations by roles and users
• Simulates granting authorizations and recommends the best role to allocate
• Alerts when new violation is created
• Collaboration infrastructure with consultants and auditors
Introduction to SoD operation
[Diagram: SoD Rule → Activity Groups → Activities in Groups → Activity Modes for Auth. Object Level]
Example:
SoD Rule: “Create & Approve Purchase Reqs”
Activity Groups: Create purchase reqs / Approve purchase reqs
Activities in Groups: ME51N, ME52N / ME54N
Activity Modes for Auth. Object Level: Valid for create & change (but not display)
Introduction to SoD operation
• SoD Rules
• SoD Reports
• SoD Violations
– Role
– Authorization (Static)
– Actual use (Dynamic)
• Conflict Resolver
Sharing: Correspondence
Well documented correspondence for later review by auditors
Alerts when Violating SoD Rules
Alerts can be received immediately or via scheduled report
Simulation for Granting Authorizations
Options: adding activity to user, role to user, activity to role
Several objects can be analyzed together
Simulation for Granting Authorizations (2)
Simulation before granting groups from Active Directory.
RoleAdvisor™
Choosing most suitable role to grant in seconds, according to (1) activity (2) company code/plant/Pur.Org/Etc. (3) number of SoD violations (4) minimum risks
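The SoD rule on the “Create & Approve Purchase Reqs” slide (two activity groups, t-codes in each group, and activity modes where display does not count), the three violation levels (Role, Authorization/static, Actual use/dynamic) and the simulation-before-granting idea above can be shown together in a small checker. The code below is an added example written for this page, not ProfileTailor's own logic; the role names, users and usage records are constructed, and the mode labels "create"/"change"/"display" are a simplification of SAP auth-object activity values.

```python
"""Toy segregation-of-duties (SoD) checker modelled on the slide's rule structure:
a rule has activity groups, activities (t-codes) in each group, and activity
modes that decide which auth-object-level actions count.
All roles, users and usage records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Activity:
    tcode: str
    mode: str  # "create", "change" or "display" (simplified mode labels; assumption)


@dataclass(frozen=True)
class SodRule:
    name: str
    group_a: frozenset      # t-codes of the first activity group
    group_b: frozenset      # t-codes of the second (conflicting) activity group
    valid_modes: frozenset  # modes in which an activity counts for this rule

    def conflicts(self, activities: Iterable[Activity]):
        """Return every (group-A, group-B) pair among `activities` the rule forbids."""
        relevant = {a for a in activities if a.mode in self.valid_modes}
        key = lambda a: (a.tcode, a.mode)
        side_a = sorted((a for a in relevant if a.tcode in self.group_a), key=key)
        side_b = sorted((b for b in relevant if b.tcode in self.group_b), key=key)
        return [(a, b) for a in side_a for b in side_b]


# The rule from the slide: creating/changing a purchase requisition (ME51N, ME52N)
# conflicts with approving one (ME54N); display-only access does not count.
CREATE_AND_APPROVE_PR = SodRule(
    name="Create & Approve Purchase Reqs",
    group_a=frozenset({"ME51N", "ME52N"}),
    group_b=frozenset({"ME54N"}),
    valid_modes=frozenset({"create", "change"}),
)

# Constructed role catalogue (hypothetical role names, not from the page).
ROLES = {
    "Z_PR_CREATOR":  {Activity("ME51N", "create"), Activity("ME52N", "change")},
    "Z_PR_APPROVER": {Activity("ME54N", "change")},
    "Z_PR_VIEWER":   {Activity("ME51N", "display"), Activity("ME54N", "display")},
    "Z_PR_ALL":      {Activity("ME51N", "create"), Activity("ME54N", "change")},
}


def role_violations(rule, role_name, catalogue=ROLES):
    """'Role' level: the conflict is built into a single role."""
    return rule.conflicts(catalogue[role_name])


def static_violations(rule, user_roles, catalogue=ROLES):
    """'Authorization (static)' level: conflict across everything the user is authorized for."""
    granted = set().union(*(catalogue[r] for r in user_roles))
    return rule.conflicts(granted)


def dynamic_violations(rule, user, usage_log):
    """'Actual use (dynamic)' level: conflict among activities the user really executed."""
    used = {Activity(e["tcode"], e["mode"]) for e in usage_log if e["user"] == user}
    return rule.conflicts(used)


def simulate_grant(rule, user_roles, candidates, catalogue=ROLES):
    """Simulation before granting: how many violations each candidate role would add.
    Returns {candidate: new_violation_count} ordered lowest first, so the first key is
    the least risky role to allocate (a RoleAdvisor-style choice on the SoD criterion only)."""
    baseline = len(static_violations(rule, user_roles, catalogue))
    added = {
        c: len(static_violations(rule, list(user_roles) + [c], catalogue)) - baseline
        for c in candidates
    }
    return dict(sorted(added.items(), key=lambda kv: (kv[1], kv[0])))


# Constructed usage log: transaction and mode only, no document content (as the
# Privacy slide describes).
USAGE_LOG = [
    {"user": "jdoe",   "tcode": "ME51N", "mode": "create"},
    {"user": "jdoe",   "tcode": "ME54N", "mode": "display"},
    {"user": "asmith", "tcode": "ME52N", "mode": "change"},
    {"user": "asmith", "tcode": "ME54N", "mode": "change"},
]

if __name__ == "__main__":
    rule = CREATE_AND_APPROVE_PR
    print("role-level  Z_PR_ALL:", role_violations(rule, "Z_PR_ALL"))
    print("static      creator+approver:", len(static_violations(rule, ["Z_PR_CREATOR", "Z_PR_APPROVER"])))
    print("dynamic     asmith:", len(dynamic_violations(rule, "asmith", USAGE_LOG)))
    print("simulation :", simulate_grant(rule, ["Z_PR_CREATOR"], ["Z_PR_APPROVER", "Z_PR_VIEWER"]))
```

Note how the mode filter matters: a user holding Z_PR_CREATOR plus the display-only Z_PR_VIEWER has no static violation, while the same user with Z_PR_APPROVER has two conflicting pairs; the dynamic check reports nothing for jdoe, who only displayed ME54N, but flags asmith, who changed and approved.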
Mitigate Risks
Quick and easy method to mitigate risks and document compensating controls
SoD Conflict Resolver™
3. Control Management
• Alerts
• Authorization Review
• Workflows
• Automated Controls
Alerts
Using alerts, it is easy to react immediately
• Event-driven system; all events can be sent as an alert depending on severity
• Alerts can be sent to different people
• Some alerts can require acknowledgement from recipient
Alerts (1)
Alert example: granting sensitive authorizations
Alerts (2)
Alert example: granting authorizations that violate SoD rules
Authorization Review
• Process for reviewing employee authorizations; performed periodically
• Approvals by managers (org. structure) or by data owner (Finance, Logistics, etc.)
• Approving only sensitive or all activities, only certain groups of employees, etc.
• Fully documented for audits
• End-user screen supports multi-language
Authorization Review (2)
Each manager receives an email and reviews only relevant employees
Authorization Review (3)
Ticket to cancel authorization is automatically forwarded to Helpdesk
Authorization Review (4)
Overview screen displays review progress; ability to send reminders to managers
Authorization Analysis
Who can do what…
High Risk Activities
High Risk Groups (Active Directory)
Unused High Risk Activities in Roles
Workflows
• Cross-platform integrated workflows
• For example:
– Authorization request
– Self service password reset
– Emergency Access (Firefighter)
– Employee life cycle: Hire, position change, terminate
Authorization Request
• Authorization request portal
• From user request to closure of Helpdesk ticket
• Integrated interface to automatically perform change (in SAP, Active Directory)
• Well documented process for auditors
• Elaborate process for preventing bypass
• End-user screen supports multi-language
Authorization Request (2)
User Request:
1. Add activity (+ free search)
2. Add authorization
3. Free request
Authorization Request (3)
Authorization Manager Approval
Authorization Request (4)
Documentation: Complete control over the process
4. Role Management
• Role building
• OrgSet Management
• Emergency Users
• Role Reports
• Role Simulator
• Role Advisor
• Role Splitter
IT/Emergency Access
• Emergency access requested via browser
• Opens user with timely access, or allocates temporary authorizations to existing user
• Detailed report of user activity is automatically sent to manager
• Business rules are available (e.g., automatic approval after business hours if rule passed security tests)
Web-based process enables: unlocking username, adding extra authorizations to existing user, sending detailed report on activities performed after completion of process
IT/Emergency Access (2)
Request for IT access (screen is fully customizable)
IT/Emergency Access (3)
Well documented request and activity log
5. Additional Info
• Implementation options
• Authorization concept
• Data Security
• Privacy
Implementation options
Feature              | Cloud                    | On-premise
SoD Control          | Only authorization based | Yes
Usage analysis       | X                        | Yes
Immediate alerts     | X                        | Yes
Role management      | Without usage insights   | Yes
Authorization Review | Yes                      | Yes
Emergency Access     | Without provisioning     | Yes
Authorization concept
• Role based
• Each role has access to a set of menus
• A user may have multiple roles
• Additional limitation by user groups
[Diagram: Menus / Users]
Data Security
• Data repository on corporate SQL server
• Single sign on utilizes Active Directory security
• Access is limited & monitored
• Configuration changes are monitored & audited
Privacy
• No personal HR data is retrieved
• Data on transaction usage and not content
• User data can be segregated
• Imported data fields can be controlled
10 Differences that Make ProfileTailor Better
1. Dynamic SoD
2. Quick implementation // Quick time to realize
3. Conflict Resolver™ to eliminate SoD risks
4. Role Advisor™ to advise best role
5. Cross platform SoD with Active Directory and additional systems
6. Shared folders Access Control monitoring
7. In-depth activity monitoring in each T-Code
8. Role usage and recommendation regarding role changes, Role rebuilding capabilities
9. Power users SAP_ALL replacement – dedicated authorization role based on user monitoring
10. Additional Workflow Processes: Self-service password reset, Employee Lifecycle Management (with AD)
ROI-focused Implementation
• Multi-system authorization request process
• Automated periodical authorization review
• Authorization Insights (analysis of who can do what, who did what)
• Alerts when sensitive authorizations are granted
• Proactive, ongoing protection from SoD violations
• Controlled IT/emergency access to production environment
http://www.xpandion.com
http://www.adsotech.com