SAP access governance
practical guidelines to successfully manage value at risk
Wouter Janssen, axl & trax © 2014
SAP Security 2014: Protecting Your SAP Systems Against Hackers And Industrial Espionage
topics
introduction
moving from management to governance
common pitfalls & risks
practical guidelines
what’s next?
questions & answers
introduction
introduction: axl & trax
fact sheet
17 years expertise
consultants, advisers, trainers and keynote speakers
over 20 dedicated GRC, IAM, authorizations and security experts
more than 250 customers served
Wouter Janssen
partner @ axl & trax
our expertise
c-range advisory
consultancy
audit and security
governance, risk & compliance
training
tailor-made solutions
biometric authentication
identity and access management
authorization concepts
roles building
workflow
security/risk content (SOD)
ABAP coding security
vulnerability assessment
payment flow security
process controls
quality assurance
licensing (cost control)
affiliations and partnerships
maturity in SAP security
doing the right thing isn’t enough
what’s the right thing?
what is considered in SAP security and by whom?
process? people? technology?
moving from heroic; to managed; to optimized & controlled
interesting mapping possible using the CMMI (process) maturity model levels
the challenge i
why are SAP landscapes treated differently from other IS/IT?
the challenge ii
safeguarding company assets against threats
things that make SAP security a worthy challenge:
thousands of users world-wide
business-critical system & process operation
different processes and configuration in different sites
multi-dimensional roles and responsibilities
standard is a concept, not practice
multi-layer, multi-component security
interconnectivity, customizing and custom developments
integrated systems, non-integrated organizations
“Uncertainty is the only certainty there is, and knowing how to live with insecurity is the only security” – John Allen Paulos
the challenge iii
some of the problems we see:
business risk or IT risk?
integration of different technologies and OSI-layers
“not just an application running on a server”
information security experts work “around” SAP, SAP experts work around established standards & good practices
referencing frameworks for SAP access governance
governance
define
• goals & Objectives
• tone in terms of values & standards
• timeline / Priorities
• risk appetite
delegate
• appoint leadership & major roles
• give orientation & preference
review
• performance reviews
Patrick Sury’s Governance model, 1999
IT & security governance
CobiT – Third Edition - 2000
access governance
SAP access governance strategy
access policies
access management
process
user management
role management
managing change
exception handling
security organization
tools & technology
QA & compliance
risks & pitfalls in SAP security governance
common pitfalls
common misconceptions
we are in control of that because:
we have an SoD matrix
we run SAP GRC
we have a process, so don’t worry
we do the right things, so why bother
we did a security project 5 years ago
consultants of company X did that for us
that’s all outsourced to company Y
we act directly on things when the auditors give red lights
we’ve never had any issues
… (not exhaustive)
practical steps towards SAP security governance
practical guidelines i
stick to and adopt common standards & frameworks
define logical roles & responsibilities
start from what you readily have
document what you have/do/control today
make an inventory of today’s practice
learn from others/peers/externals/…
practical guidelines ii
think big, start small
work top-down, don’t recreate Wikipedia
define a program, not a project
stay in control, even when hiring externals
consider system-specifics, don’t forget or overrate them
work cross-disciplinary
consider the “hands-off” principle
so where do we start?
first steps
1. define the Governance model
2. ensure adequate quality of “as-is”
3. find out what’s missing & decide on those gaps
4. further optimize; define new; implement; improve what’s there
high-level starting position
questions?
Thank you for your attention
Wouter Janssen, partner axl & trax, CISA CISSP CISM CGEIT CRISC CFE
T +32 16 311 00 00