Consistent GRC for SAP cloud applications
Whether in procurement, accounts payable/receivable or customer relationship management, the joint assignment of rights in different applications can lead to segregation of duties (SoD) conflicts, especially with cloud solutions. To counter this, companies need to develop a cross-application view of their access management that includes cloud applications such as SAP SuccessFactors, Ariba or Concur in addition to securing and monitoring on-premises applications.
However, as Holger Flint, Head of the SAP Basis Competence Center at IT service provider Akquinet, points out, this is easier said than done: "Implementing a cloud strategy appropriately is no trivial task due to the complexity and in-depth processes involved." The provider of SAP security and compliance services therefore relies on tailor-made software from its long-standing partner Pathlock.
Holistic solutions such as these offer a joint cross-application SoD check with a dashboard-based display of the current risk status for both on-premises and cloud solutions. Potential segregation of duties risks are continuously identified during the application process, at the time of allocation and also during the test cycles. Automated SoD and risk analysis as well as automated reporting for all common business applications - whether SAP ERP, S/4HANA, SAP cloud applications, Microsoft Dynamics or Salesforce - help to meet legal requirements in a time-saving manner. The preconfigured sets of rules are ready for immediate use and can be easily customized.
Focus on superuser concepts
Ralf Kempf, IT Security Evangelist and Managing Director of Pathlock Germany, emphasizes: "The growing complexity makes it essential to keep SoD concepts up to date, present them transparently and harmonize them. It is important: Emergency concepts can no longer be viewed in isolation." Emergency concepts and SoD concepts are still rarely considered together, and this causes a significant and unnecessary security gap if superusers have far more authorizations than they should according to the SoD concept. "This is neither expedient nor practicable for a holistic security strategy," explains Kempf.
Exploiting strategic opportunities
Identities and access are at the heart of IT security and compliance. The challenge, according to Kempf, is to integrate all business applications in such a way that consistent and secure access governance is guaranteed - whether on-premises or in the cloud. Careful analysis and implementation enable the right design and configuration, the establishment of new automated processes for assigning access authorizations, the creation of transparency and the necessary compliance.
Flint sees decisive advantages in involving Pathlock's specialists in the seamless integration of modern business applications: "Companies should use this strategic opportunity to modernize their infrastructure and improve their cross-application IT security." Last but not least, the end of support for SAP IDM also offers the ideal opportunity to introduce new functionalities, a transparently measurable risk analysis and Continuous Control Monitoring (CCM) for the continuous monitoring of the quality and effectiveness of internal controls.