Today’s entry in our series on the perpetrators of access risk in your SAP environment is the Lack of Access Management Governance. While coordinating a companywide access management program can be a daunting task, a lack of access management governance can be crippling, resulting in:
- Undetected Access Risk
- Excessive Access at Role and User Levels
- Unmonitored Super User or Administrator Access
- Provisioning and Deprovisioning Access Violations
- Moving Segregation of Duties and Critical Access Targets
- Significant Deficiencies and Material Weaknesses
Establishing Continuous Access, Risk, and Controls Governance
There are many quotes of wisdom related to plans and planning for success. Some of my personal favorites are Benjamin Franklin’s “if you fail to plan, you are planning to fail” or Mike Tyson’s “everyone has a plan until they get punched in the mouth.” These words of wisdom can be applied to many facets in life, including compliance. There have been more times than I can remember when I was called in after a new client had metaphorically been punched in the mouth by an audit team. In almost every instance, there was a lack of documentation on how to manage access or the associated risks.
Many organizations today have a risk universe and threat landscape that is rapidly expanding and changing. Developing a “plan” for governing access and the associated risks must be comprehensive and scalable. What does a “plan” entail? Essentially these are the policies and procedures followed for processes such as defining security roles, user provisioning, emergency access, periodic certifications/reviews, and much more. In addition to processes, other components such as ownership frameworks, risk tolerance levels, compensating control requirements, technology, and much more should be considered. These items should be reviewed on an established cadence to account for the shifts in the technology, regulatory, and workforce landscapes.
Below are some of the components that should be considered when developing a continuous access, risk, and controls governance plan:
Ownership Framework – Defining ownership for managing access and the associated risk to an organization can be quite a daunting task. When is the last time you inventoried approval requirements or who should perform those approvals? This involves establishing stakeholders and accountability across the critical processes and frameworks.
Let us take application role ownership as an example. There are multiple layers of ownership, which can include role content owners (approving the composition of the role), role provisioning owners (responsible for access requests), and access certification reviewers (approving periodic access certifications). In the best programs, the ownership framework and the security architecture are built to reinforce each other, as illustrated below:
- Role Content Owner – Approves the composition of master roles and/or role templates
- Role Provisioning Owner – Approves derivations of master roles and/or role templates
Role management is just a small piece of the puzzle when defining an ownership framework. Other components include segregation of duties (SoD) and critical access ruleset ownership, risk owners, Emergency Access or “Firefighter” ownership, and more.
SoD Framework – This is a critical pillar to identifying and managing access risk across the enterprise application landscape. Understanding your organization’s risk universe and appetite is critical when defining overarching frameworks. Focusing on the SoD and critical access ruleset, below are some questions we should be asking:
- What are the applicable risks to my organization?
- Which application or applications are in scope based on my processes?
- How should we classify the criticality of a risk?
- Does the ruleset consist of application-specific customizations?
- What is my ownership framework (i.e., ownership of the ruleset, risks, controls, etc.)?
- How often should the ruleset be reviewed or re-certified?
It is important to consider how the framework decisions could impact the organization. Looking at risk tolerance or criticalities, we should ask:
- What does a specific risk criticality mean to your organization (critical, high, medium, and low)?
- If it is critical, can it only be granted via firefighter with activity logging enabled?
- Is it a requirement that high risks must be remediated?
- Are mitigating or compensating controls sufficient for medium risks?
- Are we comfortable with residual risks or low risks present in the environment?
While there is not a right or wrong answer to these questions, the main purpose is that you are defining, identifying, and managing access risk according to your environment and organization. However, answers to these questions could have serious implications. As an example, you define a policy that all medium risks must have a compensating control. What if you have 10K medium risks? Does this result in several hours of validation work on top of day-to-day business activities until the access can be remediated? Is this a feasible solution or approach?
Security Role Management – This is where we define role architectures, security design principles, change management procedures, and much more. Well-defined role management programs provide organizations with preventative access control governance capabilities such as role simulations with access impact analytics at the user and role levels. Another example would be trigger events to update the SoD and critical access ruleset when new functionality is being introduced into the security model.
In role-based access control (RBAC), a compliant security role is the key to success. If a role contains an SoD conflict, every user assigned that role will obtain that access risk at a minimum. I like to look at security roles as building blocks to defining user access. Each block should be SoD conflict-free and only introduce risks when paired with an incompatible or conflicting block. This is the catalyst to building a compliant security architecture.
Emergency Access/“Firefighter” – Temporary escalated access could be referred to as privileged access management (PAM), firefighter, or emergency access (EA), but the concept is consistent. Sometimes we need to grant access that should not reside in day-to-day access. Perhaps a colleague is out of the office and backup duties need to be assigned, or there is a production issue and IT needs to perform break/fix activities. In either scenario, the access is required to continue business operations and, if granted, it should be controlled and monitored. Below are some key considerations when establishing an emergency access program:
- Catalog the access that should be restricted to emergency access
- Establish the ownership framework for approving access and audit logs
- Define the provisioning/de-provisioning requirements or standing access validity periods
User Provisioning – A generalized user provisioning process consists of a trigger event, a ticket, approval(s), and the corresponding actions. This is one of the most critical components of a continuous access, risk, and controls governance program. Think of the provisioning process as the gatekeeper of access risk for your application landscape. When performed effectively, it serves as a preventative access control with an auditable repository of user modifications and the corresponding approvals. Without an effective provisioning process in place, your remediation efforts or compliant environment could end up being a forever moving target, with each audit period surfacing new risks and the fire drills that come with them. Some of the key questions to ask when evaluating or defining your application provisioning process include:
- Does our process support workflow-driven approval routing and preventative SoD diagnostics?
- Can we apply mitigating controls as part of the provisioning request?
- Is provisioning/de-provisioning automated once the approvals are given?
- Is the provisioning process auditable?
- Can tickets from external ticketing systems be included in the audit records?
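The building-block principle from the role management section and the preventative SoD diagnostics described for provisioning can both be expressed as one small rule engine: analyze a role on its own, analyze the union of a user’s roles, and simulate a request before it is approved. The script below is an added illustration, not Fastpath’s or SAP’s code. The transaction codes, role names, risk identifiers, and the per-criticality policy (critical only via firefighter, high must be remediated, medium allowed with a mitigating control, low accepted) are constructed for the example and stand in for a real ruleset.

```python
"""Toy SoD / critical access check for role design and provisioning requests.

Added example, not Fastpath or SAP code. All transaction codes, roles, risk
IDs and the criticality policy below are constructed for illustration.
"""

# A business function is the set of SAP transaction codes that can perform it.
FUNCTIONS = {
    "CREATE_VENDOR": {"XK01", "FK01"},
    "POST_VENDOR_INVOICE": {"FB60", "MIRO"},
    "EXECUTE_PAYMENT_RUN": {"F110"},
    "MAINTAIN_USERS": {"SU01"},
}

# SoD risks: two functions that must not be held by the same user.
RISKS = {
    "P001": ("CREATE_VENDOR", "POST_VENDOR_INVOICE", "HIGH"),
    "P002": ("POST_VENDOR_INVOICE", "EXECUTE_PAYMENT_RUN", "MEDIUM"),
}

# Critical access risks: a single function that is sensitive on its own.
CRITICAL_ACCESS = {
    "B001": ("MAINTAIN_USERS", "CRITICAL"),
}

# Constructed risk tolerance policy, keyed by criticality.
POLICY = {
    "CRITICAL": "firefighter_only",  # never standing access; request via emergency access
    "HIGH": "remediate",             # must be designed out; request is rejected
    "MEDIUM": "mitigate",            # acceptable only with a mitigating control
    "LOW": "accept",                 # residual risk accepted
}

# Constructed security roles (the "building blocks").
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MASTER": {"XK01"},
    "Z_PAYMENTS": {"F110"},
    "Z_BASIS_ADMIN": {"SU01"},
    "Z_BAD_COMBINED": {"XK01", "FB60"},  # deliberately non-compliant role
}


def functions_of(tcodes):
    """Return the business functions reachable from a set of transaction codes."""
    return {name for name, codes in FUNCTIONS.items() if codes & set(tcodes)}


def analyze(tcodes):
    """Run the ruleset over a set of transaction codes.

    Returns {risk_id: criticality} for every SoD pair where both functions are
    present and every critical access function that is present.
    """
    funcs = functions_of(tcodes)
    findings = {}
    for risk_id, (fn_a, fn_b, crit) in RISKS.items():
        if fn_a in funcs and fn_b in funcs:
            findings[risk_id] = crit
    for risk_id, (fn, crit) in CRITICAL_ACCESS.items():
        if fn in funcs:
            findings[risk_id] = crit
    return findings


def tcodes_for(role_names):
    """Union of the transaction codes granted by a list of roles (a user's access)."""
    return set().union(*(ROLES[name] for name in role_names))


def evaluate_request(existing_roles, requested_role, mitigations=()):
    """Simulate a provisioning request before approval.

    Only risks that the request newly introduces are judged; risks the user
    already carries are out of scope for this request. Decision precedence:
    reject > mitigation_required > approve_with_mitigation > approve.
    """
    before = analyze(tcodes_for(existing_roles))
    after = analyze(tcodes_for(list(existing_roles) + [requested_role]))
    new_risks = {rid: crit for rid, crit in after.items() if rid not in before}

    decision = "approve"
    for risk_id, crit in new_risks.items():
        action = POLICY[crit]
        if action in ("firefighter_only", "remediate"):
            return "reject", new_risks
        if action == "mitigate":
            if risk_id in mitigations and decision != "mitigation_required":
                decision = "approve_with_mitigation"
            else:
                decision = "mitigation_required"
    return decision, new_risks


if __name__ == "__main__":
    # Role-level (intra-role) check: is each building block conflict-free?
    for role in ROLES:
        print(f"{role:16} intra-role findings: {analyze(ROLES[role])}")
    # User-level check: two compliant roles can still conflict when combined.
    print("JDOE with AP clerk + vendor master:", analyze(tcodes_for(["Z_AP_CLERK", "Z_VENDOR_MASTER"])))
    # Provisioning simulation with and without a mitigating control.
    print(evaluate_request(["Z_AP_CLERK"], "Z_PAYMENTS"))
    print(evaluate_request(["Z_AP_CLERK"], "Z_PAYMENTS", mitigations={"P002"}))
    print(evaluate_request(["Z_AP_CLERK"], "Z_BASIS_ADMIN"))
```

Two outcomes are worth noting. Z_AP_CLERK and Z_VENDOR_MASTER each pass the role-level check, yet a user holding both carries the high-rated P001 conflict, which is exactly why the user-level simulation has to run at request time rather than relying on compliant roles alone. And because the policy table drives the decision, changing “medium requires a mitigating control” to “medium accepted” is a one-line policy change whose impact can be measured by re-running the analysis over the user population before it is adopted.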
Access Certifications – Let’s break this detective access control into two parts: “access” and “certifications”. Here, “access” can be designated as role content, role assignments, SoD conflict or critical access, or even access to an overarching business process or application. “Certifications” is essentially reviewing and approving access on an ad hoc or periodic basis. Many organizations today are still relying on manual processes, struggling just to complete the periodic role assignment reviews. By leveraging technology-enabled processes, organizations can collect application data, distribute it to appropriate reviewers, collect responses, provide an auditable repository, and deliver real-time insights into review statuses. These organizations tend to have the most effective and efficient processes. This level of automation streamlines a process that has traditionally been resource-intensive and error-prone.
There are many layers of complexity within SAP, and establishing a continuous access, risk, and controls governance program is no easy feat. Do not try to boil the ocean (as they say) if you are just getting started. Develop a prioritized roadmap with realistic timelines and milestones building on each other.
How Fastpath can help you get Access Management Governance under control
- Leverage tools to assess access risk as detective and preventative controls. The SoD and critical access analysis can be performed on a defined periodic basis utilizing tools such as Fastpath’s Access Risk Monitor (ARM). Other modules within Fastpath’s security and compliance platform, such as Security Designer and Identity Manager, enable a more proactive approach to help organizations implement preventative controls.
- Access Risk Monitor includes Fastpath SoD and Access Reviews to help you identify potential SoD security risks before they occur through risk analysis, access reviews and certifications, and audit trail reporting. Fastpath can analyze who has access to critical data by user, role, and privilege down to the lowest levels of access. Fastpath can also integrate across many of your critical business applications and assess user risk vulnerability between applications as well.
- Security Designer enables administrators to model security and perform SoD and critical access analysis on security roles prior to making the change in the system. Once validated, the role can be published into the SAP development environments automatically from within Fastpath’s single pane of glass UI.
- Identity Manager enables organizations to evaluate risk at the user level during the provisioning or de-provisioning processes. Utilizing an automated workflow-driven process with integrated SoD and critical access checks prevents risk from entering the system. A mitigating control can be applied if the access risk cannot be remediated before completing the request.
- Fastpath’s Emergency Access grants authorizations to users on a temporary basis. This is often referred to as “firefighter” or even Privileged Access Management (PAM). This can be an effective tool for delivering those critical authorizations or sensitive access by layering in controls. These can include approvals of access, defined periods the access is permitted down to the minute, and even activity logs for review and approval once the access is removed.
- SaaS and Scalable – Fastpath is a scalable and agile SaaS solution enabling the deployment of new integration packs in hours, not days.
- Seamless Upgrades – Upgrades are seamless and require little to no effort from our customers. No additional licensing or hardware costs for new versions or upgrades.
Tips for Catching the Culprit: Lack of Access Management Governance
- Establish Ownership and Accountability
- Document Key Policies and Procedures
- Perform Periodic Reviews and Access Certifications
- Define SoD Ruleset Reflective of Risk Universe
- Implement Detective, Preventative, and Responsive Controls
- Utilize Technology to Streamline and Automate Compliance Activities