SAP GRC and Cybersecurity: Balancing Access and Security
SAP GRC and cyber security software is provided among SAP’s ERP solutions. Most corporations and organisations require huge databases of information in order to function. This sensitive data has potentially been subject to unauthorised access since the birth of computer networking, and since the advent of cloud computing this area of IT has become increasingly important.
As part of our SAP news and commentary blog this week IgniteSAP is going to explore the area of data security and SAP’s security strategy, because the management of authorised access to sensitive information is now fundamental to the modern digital enterprise.
GRC and the EU General Data Protection Act
Companies residing in the EU are subject to the laws defined in the EU Privacy Bill of Rights and also the General Data Protection Act (GDPR), which has applied since 2018. This regulation ensures that individuals’ rights to privacy are strengthened. It also clarifies the rules for companies and public organisations regarding data. In essence, the data concerning an individual that is held in a database “belongs” to the individual to which it refers. The GDPR is not the only limitation on the use of private data: various other laws also regulate data held as part of financial transactions.
The legal framework protecting data is intuitively at odds with the instinct of digital enterprises to collect and act upon as much data concerning an individual as possible, because that data allows companies to increase the number of interactions and commercial transactions with that person. This is especially the case with the Customer Experience platforms that are at the forefront of modern online sales methods.
Given the increasing pressures on both sides, companies like SAP have for some time been developing platforms that enable GRC. The necessity for careful management of data has been compounded by the meta-trend of moving IT systems to the cloud. So how has SAP reacted?
SAP Security Solutions
The SAP security solutions to help manage corporate and private data are based on a set of design principles which have developed over time.
According to SAP these concepts are: the segregation of duties (so no single person has full access), access control, encryption of data, user management, data locking, multiple authorisation roles, logging access, user authentication, development testing (in ABAP), debugging, field masking, UI logging, SSO (Single Sign On), SSL (Secure Sockets Layer) and SMAL (Monitoring and Alerting).
SAP security concepts which inform the design of SAP security solutions augment more generally adopted best practices for digital security: two-factor authentication and complex password requirements. SAP also conducts “vulnerability and penetration testing, multiple encryption types and monitoring”. SAP databases such as SAP HANA and third-party databases like Oracle and Microsoft SQL also have a set of solution-specific security options.
We should mention here that there is an inherent contradiction between data collection and unification for the purposes of analysis, and the idea of segregation of duties. SAP has consequently produced a series of solutions for different tasks which allow monitoring of access and careful allocation of access privileges. As with shared spaces in the physical world, individuals legitimately interacting with the system space must be able to demonstrate their authorisation and are also monitored while present.
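The segregation-of-duties (SoD) check that sits at the heart of access governance is easy to illustrate. The following is an added example written for this article; it is not SAP code and does not show how SAP Access Control is implemented. The rule IDs, business functions, role names and user assignments are all constructed. It shows the two checks a GRC tool performs: a detective scan of existing assignments, and a preventive "what-if" check before a new role is provisioned.

```python
"""Segregation-of-duties conflict check over user/role assignments.

Added example, not SAP code. A rule set names pairs of business functions
that one person must not hold together; roles grant functions; users hold
roles. We report every user whose combined roles grant both sides of a rule,
and which roles contribute each side (the information needed to remediate).
All data below is constructed for illustration.
"""

# Constructed SoD rule set: classic procure-to-pay and admin conflicts.
SOD_RULES = {
    "SOD-001": ("CREATE_VENDOR", "POST_VENDOR_PAYMENT"),
    "SOD-002": ("CREATE_PURCHASE_ORDER", "APPROVE_PURCHASE_ORDER"),
    "SOD-003": ("MAINTAIN_USER", "ASSIGN_ROLE"),
}

# Constructed role -> functions mapping (hypothetical role names).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "Z_AP_PAYMENTS": {"POST_VENDOR_PAYMENT"},
    "Z_BUYER": {"CREATE_PURCHASE_ORDER"},
    "Z_PO_APPROVER": {"APPROVE_PURCHASE_ORDER"},
    # A single role that is internally conflicting: a role-design defect
    # that a user-level check must still catch.
    "Z_SECURITY_ADMIN": {"MAINTAIN_USER", "ASSIGN_ROLE"},
}

# Constructed user -> roles assignments.
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},   # conflict across two roles
    "bob": {"Z_BUYER"},
    "carol": {"Z_PO_APPROVER"},
    "dave": {"Z_SECURITY_ADMIN"},               # conflict inside one role
}


def effective_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by every role the user holds."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def find_conflicts(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Detective check: list (user, rule_id, roles_granting_a, roles_granting_b)
    for every user whose roles grant both functions of an SoD rule."""
    findings = []
    for user in sorted(user_roles):
        roles = user_roles[user]
        for rule_id, (func_a, func_b) in rules.items():
            roles_a = sorted(r for r in roles if func_a in role_functions.get(r, ()))
            roles_b = sorted(r for r in roles if func_b in role_functions.get(r, ()))
            if roles_a and roles_b:
                findings.append((user, rule_id, roles_a, roles_b))
    return findings


def would_conflict(user, new_role, user_roles=USER_ROLES,
                   role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Preventive check: simulate adding new_role to the user and return only
    the conflicts that assignment would create for that user."""
    trial = dict(user_roles)
    trial[user] = set(user_roles.get(user, set())) | {new_role}
    already = set(f[1] for f in find_conflicts(user_roles, role_functions, rules) if f[0] == user)
    return [f for f in find_conflicts(trial, role_functions, rules)
            if f[0] == user and f[1] not in already]


if __name__ == "__main__":
    for user, rule, roles_a, roles_b in find_conflicts():
        print(f"{user}: {rule} via {roles_a} + {roles_b}")
    # Access request simulation: should bob also be allowed to approve POs?
    print("bob + Z_PO_APPROVER ->", would_conflict("bob", "Z_PO_APPROVER"))
```

Running the detective check flags alice (two roles combining into a conflict) and dave (one role that conflicts with itself); the preventive check refuses to let bob both raise and approve purchase orders while allowing carol to take on payments, since none of her functions conflict with that role.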
SAP Security Solutions
Here is a list of some of SAP’s previously developed security solutions, some of which were developed in-house and others initially developed by companies which have been acquired by SAP:
SAP Cloud Identity Access Governance
SAP Code Vulnerability Analyser
SAP Data Custodian
SAP Dynamic Authorisation Management
SAP Enterprise Digital Rights Management
SAP Enterprise Threat Detection
SAP Governance, Risk, and Compliance
SAP Identity Management
SAP Information Lifecycle Management
SAP MaxAttention & SAP ActiveAttention
SAP Trust Centre
SAP Watch List Screening
This is a substantial list and does not cover everything. Each of these solutions fulfils a variety of complex functions for businesses, so we can see that SAP has invested a very large amount of time and money in ensuring that it is in a position to help companies with all of their GRC requirements. Along with cybersecurity, the legislation on GRC will evolve further as digital enterprises increasingly dominate the global economy. So how is this all going to develop?
Drivers of SAP GRC and Cybersecurity
GRC is becoming so important primarily due to new data legislation and also the shift to cloud computing.
The key recent drivers of companies to cloud based ERP systems are:
A backlog of businesses intending to make the change but holding back until they saw others jump (and land) first.
The sudden need for increased agility to adapt processes like procurement to global events like the Covid-19 pandemic.
The connected need to provide for a hybrid workforce who could work from home as much as in the office.
As well as new data laws and increased cloud migration, we can see other reasons for a clear and irreversible trend towards dramatically increased GRC software use. For example, the vast number of software applications is expanding beyond the scope of purely human management, causing companies to deploy Robotic Process Automation, and this flood of input data needs security and compliance monitoring.
If companies and organisations want to expand in a way that can be sustained then they inevitably acquire more information, and this data legally requires the oversight that GRC provides. SAP saw this trend coming and invested in research in order to take advantage of this software market.
SAP Cybersecurity Is Evolving
SAP has been investing and investigating in cybersecurity for over 20 years to adjust for the inherent security and access problems of networks and ERP. Without going into the details of the history of this period in SAP, we can say that, along with other software systems, there has been a continuous assessment of vulnerabilities as they arose during software development. This is an evolving area and today SAP groups its Cybersecurity solutions in four categories:
Enterprise Risk Compliance: including SAP Risk Management, SAP Process Control, SAP Audit Management, and SAP Business Integrity Screening
International Trade Management: with SAP Global Trade Services and SAP Watch List Services
Cybersecurity, Data Protection and Privacy: including SAP Enterprise Threat Detection and SAP Privacy Governance
Identity and Access Governance: which includes SAP Access Control and SAP Cloud Identity Access Governance.
As with other areas of SAP, today the emphasis of the solutions is on automation and AI to help manage the data security workload, and in the unification of enterprise risk and control activities to make continuous data security monitoring easier.
Training in SAP GRC and Cybersecurity
In previous articles IgniteSAP has demonstrated the value to SAP professionals of extra training in different SAP solutions. We pointed out that SAP Global Certification will certainly add to the SAP practitioner’s ability to command substantially higher salaries. The benefits of completing a course and examination in GRC and Cybersecurity are only going to increase with time.
If you want to investigate these areas then there are free means of doing so in openSAP with courses on malware and digital identities, and the most comprehensive introduction to SAP GRC is the SAP Training shop course called GRC100 Principles of SAP Governance, Risk and Compliance.
This concludes our brief look at SAP GRC and Cybersecurity. It is clear from our overview that in the evolution of the digital enterprise a large component of ERP systems is cybersecurity and, increasingly, GRC, as governments seek to put in place checks and balances for the benefit of the rights of private citizens in the new digital economy.
In fact it has become so important for digital commerce and Industry 4.0 that we could say that even for those who are not IT professionals considering specialising in the area, it is important to get a good understanding of the laws, the potential threats, and the solutions available to business.
Security is the most fundamental need of humans, and as people in a digital world we should all take steps to help ourselves and those we live and work with to protect our digital identities, because in a world of uncertainty, knowledge is security.
Get In Touch
Do you work in Governance, Risk and Compliance? How have you found the changes in privacy legislation have affected your IT profession?
What are your experiences of SAP GRC and Cybersecurity?
Are you considering augmenting your skills as an IT professional with training in Cyber Security?
Get in touch and share your thoughts with the rest of the IgniteSAP community.