Complementing GRC - Testing the Forgotten Layer of SAP
For those of us old hands in the security industry we know that when security is done right processes flow smoothly, issues are rare, identified and mitigated before there is any real public perception of the potential for an issue; and businesses continue to achieve their goals of profitability and sustainability. In those circumstances security is often invisible; leading those not connected to the security team to speculate quietly or loudly about the value or worth of the security team to the business.
When security is done poorly the results are obvious and painful. Publicly announced loss of customer information or intellectual property; inefficient processes and costly internal remediation to shore up holes that are identified. Worse still is the effect on the relationship between security and the business; because security isn’t seen for the enablement function it can be the security team may have to force itself into projects – trying to force consistency and security where it didn’t previously exist. Because those (unfortunate) security teams are playing catchup the recommendations delivered for projects often come at the end of the project, causing delays in go-live dates and increased project costs. As a result the security team is seen as the “no-team”, gaining a negative imagine within the organization. So teams with projects try to hide them from security, only disclosing them to security at the last possible minute – causing the cycle of “security team generated delays” to continue.
When I am at conferences a common theme from my peers is to discuss how we can better show the business the positive results that a healthy relationship with security can bring. From more efficient processes, decreased risk and a healthier bottom line; consistently and intelligently applied security has numerous benefits any intelligent business would want to reap.
SAP is a company that understand the importance of security to its customers. It has introduced a regular monthly cycle of releasing patches, notes and other information about new vulnerabilities that effect their software components. Also, SAP proactively publishes security guidance for SAP software; providing customers with the information they need to ensure they are doing all they can to secure their SAP installations.
And for good reason, I am not sure it is possible to calculate the value of the business processed and enabled by SAP systems every day; but given the range of companies that run SAP I am sure it is a more than respectable percentage of the world’s GDP.
SAP recognizes there are two main threats to their customers SAP systems. The first is from legitimate users, the second from non-legitimate users. The legitimate user threat is the idea that a user with legitimate access to the systems could abuse their privileges – i.e. a user who can record invoices received and also approve payment could create fake invoices; approve them for payment and steal money from the organization. The threat from an illegitimate user is that of a person (inside or outside of the organization) who does not have a legitimate account on the SAP system but breaks into the technical or cyber layer of the system in order to gain control of the underlying system itself and then leverage that control to achieve their goals (theft of intellectual property; theft or pollution of the business data or fraud).
For the legitimate user threat SAP has armed its customers with their GRC platform. With a GRC implementation SAP customers have methods to automatically ensure users don’t have rights that raise the potential for fraud; and those that require those rights can be monitored and audited. However GRC is only able to monitor legitimate users; it is unable to identify or report on the risk to the business due to vulnerabilities or misconfigurations in the base or cyber layer of the technology. As a result SAPinsider has named Onapsis as a Top GRC Partner to watch in 2014. Through the use of Onapsis technology our mutual customers are able to detect and measure these underlying risks; as well as prioritize and communicate the remediation steps to the appropriate teams quickly and easily.
It is exciting have our work acknowledge and highlighted by SAPinsider in this way. It is also satisfying to know that we are providing ways to allow organizations to realize the benefits of security in a more efficient and cost effective way thanks to our hard work.
If you would like to learn more about how Onapsis X1 complements the security benefits of GRC let me know – I’d be happy to show you why we are named as SAPinsider’s top partner.