www.pwc.com
Strategic Tips to Align SAP Solutions for GRC with Your Enterprise Identity and Access Management Solution and Bridge the Gap Between Compliance and Security
Sandeep Poonen, PwC
In this session …
• This session will provide information about integrating and extending the automated provisioning of SAP GRC with other applications in the enterprise landscape
• We will examine:
- Putting SAP GRC in the context of the enterprise IT landscape
- Key functions and capabilities that are available in SAP GRC that assist in integration with IAM solutions
- Ways in which to make your SAP Access Control with IdM integration successful
- Ways to increase the visibility of your GRC program at the enterprise level
What we’ll cover …
Introduction
The business need for integrating SAP Access Control with an enterprise IdM solution
Architectural aspects of integration between SAP GRC and enterprise IdM products
Making an SAP Access Control with IdM integration successful
Wrap-up
Enterprise technology — GRC maturity
(Bar chart, 0% to 100% scale: share of companies using Access Control technology for SoD & SA mgmt., Emergency access, User provisioning, and SAP roles mgmt.)
• 75% of companies use Access Control technology to manage segregation of duties, critical and emergency access only
• 45% have implemented Access Control technology to manage user provisioning
Key terms
• SAP GRC = SAP Governance, Risk, and Compliance
• IdM = Identity Management
- LDAP = Lightweight Directory Access Protocol
• IAM = Identity and Access Management
• Roles
- Single roles
- Composite roles
- Business roles
- Enterprise roles
The business need for integrating SAP Access Control with an enterprise IdM Solution
• SAP Access Control 10.0 overview
• Questions for your SAP Access Control implementation
• Benefits of an Integrated Access Management (IAM) program
• How SAP GRC and IdM complement each other
SAP Access Control 10.0 overview
The SAP GRC Access Control platform comprises:
• Access Risk Analysis (SoD): centralized analysis and mitigation of access risks
• Super User Privilege Management: centralized platform for managing and reviewing emergency access activities
• Business Role Management: centralized management of business roles
• Access Risk Management (Compliant User Provisioning): centralized request and approval process from hire to retire access
• Automated certification of existing access
Questions for your SAP Access Control implementation
• Do you have non-SAP applications and IT systems?
• How do you provision non-SAP systems?
• How do you provision both SAP and non-SAP systems?
• How do you gain an enterprise view of a user’s access?
• How do you enforce control over a user’s enterprise access?
Benefits of an integrated Access management program
• Reduction in audit (internal and external) and compliance costs
• Reduction in ad-hoc requests to IT for information extracts to support compliance requests
• Greater comfort over fraud prevention
• More automation of compliance and control activities
• Improve service levels for access provisioning
• Provide more holistic analysis information for risk violations in access requested
• Proactively prevent the introduction of new risks when provisioning user access
• Allow for more options in building workflows with dynamic and conditional routing and detours
• Continuous audit trail maintained for the entire life cycle of user access
How SAP GRC and IdM complement each other
The SAP GRC strategy and the IdM strategy combine into an integrated IdM/SAP GRC solution, which provides:
• Improved end-user experience
• Support for dynamic secondary approvals
• Better SoD information
• Increased metrics and visibility
• Alignment with both the business and IT strategic directions
• A consistent look and feel: the IdM end-user interface is integrated with the SAP GRC SoD and workflow routing capabilities
• The optimal solution to meet the critical business requirements
Architectural aspects of integration
• Typical provisioning process
• Potential integration scenario
• Key questions to address
Typical provisioning process
• Access request: birthright roles and other org-based roles (based on HR triggers)
• Manager approval: affirms that the request is legitimate
• Role owner analysis: affirms that data access is acceptable
• Risk analysis: analysis and review done to authorization level
• SoD review and remediation: conflicting access either removed or mitigated
• Provisioning: automatically performed
Key questions to address
Question: Initiation Point
Question to ask: What will be the starting point of the user access management request?
Notes:
Companies have chosen to use either IdM or SAP Access Control for supervisors to approve user access management requests.
Factors determining which product is used:
• Breadth of applications being provisioned
• Maturity of the IdM product within the enterprise
• Overall IT landscape
For companies that have a multi-application environment, access management requests should ideally be initiated in IdM. But for smaller companies with a heavily-weighted SAP footprint, SAP Access Control can also be used.
Key questions to address (continued)
Question: Supervisor Approval
Question to ask: Where will a user’s manager approve the request?
Notes:
Companies have chosen to use either IdM or SAP Access Control for supervisors to approve user access management requests.
Factors determining which product is used:
• Application that stores HR organizational reporting relationships
• Level of integration of HR with provisioning products
• Does the company have an enterprise-wide directory (e.g., Active Directory) that also houses the managerial approval relationships synched with HR?
Major IdM solutions and SAP Access Control integrate with Enterprise Directory systems.
Key questions to address (continued)
Question: Role Approval
Question to ask: Where will a role approver approve the request?
Notes:
Companies have chosen to use either IdM or SAP Access Control for supervisors to approve user access management requests, although the majority seem to rely on SAP Access Control.
Factors determining which product is used:
• SAP Access Control 10 or 5.3
- “Harmonization” of the four sub-products of SAP Access Control 10 facilitates integration.
- To implement Access Request Management (ARM) in SAP Access Control 10, basic role information needs to be set up through Business Role Management (BRM)
• Distribution of role approvers throughout the organization
- Using IdM for both supervisor and SAP role approvals provides a consistent user experience
Key questions to address (continued)
Question: Risk Analysis
Question to ask: Where will the risk analysis review and mitigation process occur?
Notes:
SAP Access Control is equipped to seamlessly perform a detailed real-time SoD analysis that goes all the way down to the authorization objects. Implementation questions to be asked:
• Is Risk Analysis required before request submission?
• Who will be the SoD approvers?
• Can a request be approved and closed with unresolved SoDs still present?
• Who provides the mitigating controls?
Deployment options:
• SAP GRC ARM is set up with a risk remediation and mitigation workflow
- SAP GRC provides a final “result” back to IdM
• IdM can retrieve SoD results by polling the risk analysis Web service, and any mitigation process is managed manually
Most companies seem to implement this automation workflow with SAP GRC ARM.
Key questions to address (continued)
Question: Provisioning Roles
Question to ask: Who performs the actions in the back-end SAP systems?
Notes:
Companies have chosen to use either IdM or SAP Access Control for supervisors to perform the “commit” action for user access management requests.
Factors determining which product is used:
• What does it take for the IdM product to have “connectors” to each of the back-end SAP systems where users need access?
• Does the enterprise architecture philosophy prefer a centralized provisioning concept or a more distributed provisioning concept?
Key questions to address (continued)
Question: Role Source
Question to ask: Which system is considered the official source for SAP roles?
Notes:
Both SAP GRC 10 and IdM offer functionality to address this. Options:
• SAP GRC 10
- SAP GRC 10 offers Business Roles functionality, allowing various roles across the different systems connected to SAP GRC to be combined
• IdM
- SAP roles can be associated with “groups” in LDAP
- IAM solutions include Enterprise Role Management capabilities
Key questions to address (continued)
Question: Request Status
Question to ask: Which system contains the latest status of a change request?
Notes:
Implementation questions to be asked:
• Which fields are required to be viewed natively in SAP GRC versus IdM?
• Where will the audit trail for user requests reside (IdM, SAP GRC, or both)?
Potential integration scenarios − Model 1
Workflow key steps/functionalities (matrix columns): Access request; Manager/Owner Approval; Role Owner Approval; Risk Analysis; SOD review and Risk Mitigation; Automated Provisioning; Auditing
Key use cases (matrix rows): Request New SAP Access; Modify Existing SAP Access; De-provision/Revoke Access; Request Fire Fighter ID Access
(Each matrix cell assigns the step for that use case to either GRC or IDM; the cell-by-cell assignment is not recoverable from the extracted text.)
Potential integration scenarios − Model 2
Workflow key steps/functionalities (matrix columns): Access request; Manager/Owner Approval; Role Owner Approval; Risk Analysis; SOD review and Risk Mitigation; Automated Provisioning; Auditing
Key use cases (matrix rows): Request New SAP Access; Modify Existing SAP Access; De-provision/Revoke Access; Request Fire Fighter ID Access
(Each matrix cell assigns the step for that use case to either GRC or IDM; the cell-by-cell assignment is not recoverable from the extracted text.)
Legend: key changes from Model 1
Making an SAP Access Control with IdM integration successful
• Clearly identify the people, process, and technology prerequisites for the implementation
• Have a clear grasp of the GRC Access Control web services
• Manage typical implementation challenges
• Understand that integrating SAP Access Control with IdM is just the beginning
Typical prerequisites for implementation
• A data source is available for user authentication
• A naming convention has been established and deployed to uniquely define SAP user IDs
• Synchronization between the Enterprise Directory user name and the SAP user name
• SAP Access Control (preferably 10.0) is installed and connectors are configured to integrate with the SAP back-end systems
• GRC plug-ins are installed within the in-scope SAP systems for automated provisioning
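The second and third prerequisites (a naming convention that uniquely defines SAP user IDs, and synchronization between the Enterprise Directory user name and the SAP user name) are the kind of thing worth checking with code before an IdM-to-GRC integration goes live. The following is an added example, not code from the PwC deck: it applies an assumed naming convention (directory login upper-cased, non-alphanumerics dropped, capped at 12 characters) to constructed directory accounts, then reconciles the result against a constructed SAP user list. Every function name and the sample data are assumptions. Collisions (two logins that derive the same SAP ID) are excluded from the mapping because an ambiguous ID must never be provisioned to; orphans (SAP users with no directory account) and accounts disabled in the directory but still present in SAP are the findings a reviewer would act on.

```python
"""Reconcile enterprise directory accounts against SAP user IDs under a naming convention.

Added example, not from the PwC deck. The naming convention (directory login
upper-cased, non-alphanumerics dropped, 12 characters max), the sample accounts
and every function name here are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field

# Assumed convention for a valid SAP user ID: 1-12 uppercase letters or digits.
SAP_USER_ID_RE = re.compile(r"^[A-Z0-9]{1,12}$")


@dataclass(frozen=True)
class DirectoryAccount:
    login: str          # enterprise directory login name
    employee_id: str    # HR identifier (HR as the source of record)
    enabled: bool       # False once HR/IdM has disabled the account


@dataclass
class ReconciliationReport:
    mapping: dict = field(default_factory=dict)      # directory login -> SAP user ID
    collisions: dict = field(default_factory=dict)   # SAP user ID -> directory logins that map to it
    orphans: list = field(default_factory=list)      # SAP user IDs with no directory account
    disabled_in_directory: list = field(default_factory=list)  # SAP user exists, directory account disabled
    missing_in_sap: list = field(default_factory=list)         # enabled directory account with no SAP user


def derive_sap_user_id(account: DirectoryAccount) -> str:
    """Apply the assumed naming convention to a directory login."""
    candidate = re.sub(r"[^A-Z0-9]", "", account.login.upper())[:12]
    if not SAP_USER_ID_RE.match(candidate):
        raise ValueError(f"cannot derive an SAP user ID from {account.login!r}")
    return candidate


def reconcile(directory, sap_user_ids) -> ReconciliationReport:
    """Compare directory accounts with the SAP user list and flag every mismatch.

    Collisions (two directory logins that derive the same SAP ID) are reported and
    excluded from the mapping: an ambiguous ID must never be provisioned to.
    """
    report = ReconciliationReport()
    derived = {}
    for account in directory:
        derived.setdefault(derive_sap_user_id(account), []).append(account)

    for sap_id, accounts in derived.items():
        if len(accounts) > 1:
            report.collisions[sap_id] = [a.login for a in accounts]
            continue
        account = accounts[0]
        report.mapping[account.login] = sap_id
        if sap_id not in sap_user_ids:
            if account.enabled:
                report.missing_in_sap.append(sap_id)
        elif not account.enabled:
            report.disabled_in_directory.append(sap_id)

    # SAP users nobody in the directory maps to: typically leavers or technical accounts to review
    report.orphans = sorted(set(sap_user_ids) - set(derived))
    return report


# Constructed sample data (not real accounts).
SAMPLE_DIRECTORY = [
    DirectoryAccount("jdoe", "E1001", True),
    DirectoryAccount("asmith", "E1002", True),
    DirectoryAccount("a.smith", "E1003", True),   # collides with "asmith" under the convention
    DirectoryAccount("mgarcia", "E1004", False),  # disabled in the directory, still present in SAP
    DirectoryAccount("bkhan", "E1005", True),     # enabled, never provisioned to SAP
]
SAMPLE_SAP_USER_IDS = {"JDOE", "ASMITH", "MGARCIA", "ZOLDUSER"}


def run_sample() -> ReconciliationReport:
    return reconcile(SAMPLE_DIRECTORY, SAMPLE_SAP_USER_IDS)


if __name__ == "__main__":
    r = run_sample()
    print("mapping:", r.mapping)
    print("collisions:", r.collisions)
    print("orphans:", r.orphans)
    print("disabled in directory but present in SAP:", r.disabled_in_directory)
    print("enabled but missing in SAP:", r.missing_in_sap)
```

Run it and the sample produces one collision (ASMITH), one orphan (ZOLDUSER), one disabled-but-active user (MGARCIA) and one enabled user with no SAP account (BKHAN); in practice the directory list would come from an LDAP export and the SAP list from the GRC connector.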
Typical prerequisites for implementation (continued)
• The following areas have owners who have been clearly identified:
- Technological ownership of the SAP GRC tool
- Ownership of the SAP business risks
- Ownership of the SAP target system roles
- Ownership of the mitigating controls
• Access Risk Analysis (ARA) is configured to have a functional SAP GRC rule set
• Mitigating controls have been identified for risks and the master data configured in ARA
Typical prerequisites for implementation (continued)
• There should not be any unmitigated SoD in the SAP roles
- All SoD violations at the individual role level have been completely addressed
- Best practice would be to remediate (separate) SoD actions that exist within a single SAP role
• All existing users should be either remediated or mitigated manually in ARA for any known SoD before deployment of the integration
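The Risk Analysis question earlier (SoD analysis down to the authorization level, whether a request may close with unresolved SoDs, who provides mitigating controls) and the prerequisite above (no unmitigated SoD at the role level, with intra-role conflicts remediated rather than mitigated) both come down to the same check. Here it is as an added example, not PwC's or SAP's code: a constructed rule set where each risk names the business functions that conflict and each function is a set of actions (transaction codes used as sample data), a role-level pass that flags conflicts inside a single role, and a user-level pass that simulates the requested roles on top of existing ones and reports which violations still lack a mitigating control. All names and data are assumptions.

```python
"""Segregation-of-duties (SoD) check at role and user level with mitigating controls.

Added example, not PwC's or SAP's code. The rule set, functions, transaction
codes, roles, users and mitigating controls below are constructed sample data
and every function name is an assumption made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: tuple   # business functions that conflict when one subject holds all of them


@dataclass(frozen=True)
class Violation:
    risk_id: str
    subject: str       # role name (role-level) or user ID (user-level)
    level: str         # "role" or "user"
    actions: tuple     # the actions (here: transaction codes) that realise the conflict


# Constructed rule set: each function is a set of actions (the authorization level of the check).
FUNCTION_ACTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02"},
    "PAY_VENDOR": {"F110"},
    "POST_INVOICE": {"FB60"},
}
RULESET = [
    Risk("P001", "Maintain vendor master and pay vendors", ("VENDOR_MAINT", "PAY_VENDOR")),
    Risk("P002", "Maintain vendor master and post invoices", ("VENDOR_MAINT", "POST_INVOICE")),
]
ROLE_ACTIONS = {
    "AP_CLERK": {"FB60"},
    "VENDOR_ADMIN": {"XK01", "XK02"},
    "PAYMENT_RUN": {"F110"},
    "LEGACY_AP_ALL": {"XK01", "F110"},   # conflict inside a single role: remediate, do not mitigate
}
USER_ROLES = {"U1": {"AP_CLERK"}}
MITIGATIONS = {("U1", "P002")}           # (user, risk) pairs covered by a mitigating control


def analyze_actions(subject, level, actions, ruleset=RULESET, function_actions=FUNCTION_ACTIONS):
    """Return one Violation per risk whose conflicting functions are all reachable from `actions`."""
    held = {f for f, acts in function_actions.items() if acts & actions}
    violations = []
    for risk in ruleset:
        if set(risk.functions) <= held:
            evidence = sorted(a for f in risk.functions for a in function_actions[f] & actions)
            violations.append(Violation(risk.risk_id, subject, level, tuple(evidence)))
    return violations


def analyze_role(role, role_actions=ROLE_ACTIONS):
    """Role-level check: a conflict here must be remediated by splitting the role."""
    return analyze_actions(role, "role", role_actions[role])


def analyze_user(user, user_roles, role_actions=ROLE_ACTIONS):
    """User-level check across all of the user's roles."""
    actions = set().union(*(role_actions[r] for r in user_roles.get(user, ())))
    return analyze_actions(user, "user", actions)


def evaluate_request(user, requested_roles, user_roles=USER_ROLES, mitigations=MITIGATIONS):
    """Simulate the request (existing plus requested roles) and split the violations
    into mitigated and unmitigated; only the latter block approval."""
    simulated = dict(user_roles)
    simulated[user] = set(user_roles.get(user, set())) | set(requested_roles)
    violations = analyze_user(user, simulated)
    unmitigated = [v for v in violations if (user, v.risk_id) not in mitigations]
    return violations, unmitigated


def request_decision(user, requested_roles):
    """'APPROVABLE' only when every detected risk has a mitigating control on file."""
    _, unmitigated = evaluate_request(user, requested_roles)
    return "APPROVABLE" if not unmitigated else "BLOCKED: " + ",".join(v.risk_id for v in unmitigated)


if __name__ == "__main__":
    print(analyze_role("LEGACY_AP_ALL"))
    print(request_decision("U1", ["VENDOR_ADMIN"]))
    print(request_decision("U1", ["VENDOR_ADMIN", "PAYMENT_RUN"]))
```

The role-level pass is what the "no unmitigated SoD in the SAP roles" prerequisite demands before integration; the user-level pass is the request-time analysis, and the mitigation set is the master data the slides say must be configured in ARA. Keeping the evidence (which actions realised each function) in the Violation is what lets an SoD approver judge the finding rather than just the risk ID.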
SAP GRC 10 Web services − General
• Lookup (GRAC_LOOKUP_WS): Returns possible values for a particular object (e.g., Request Status); lookup feature
• Select Applications (GRAC_SELECT_APPL_WS): Returns a list of application systems configured within SAP GRC
• Search Roles (GRAC_SEARCH_ROLES_WS): Returns SAP roles before submitting a request to SAP GRC. Additional filtration capabilities are also provided to narrow down the search as a part of this Web service
• Search Role Details (GRAC_ROLE_DETAILS_WS): Returns the detailed role description and other attributes for a particular role
• User Existing Assignments (GRAC_USER_EXISTING_ASSGN_WS): Returns detailed information about the user's existing roles in SAP back-end systems
SAP GRC 10 Web services − Overall request
• User Access Request (GRAC_USER_ACCES_WS): Submits an access request in SAP GRC
• User Access Request Status (GRAC_REQUEST_STATUS_WS): Returns the request information (creation date, priority, current status, list of approvers, etc.) for the selected request
• User Access Request Details (GRAC_REQUEST_DETAILS_WS): Returns the request information (creation date, priority, current status, list of approvers, etc.) for the selected request, along with the risk analysis
• Exit from IdM (GRAC_EXIT_FROM_IDM_WS): Service called by SAP GRC to inform IdM about provisioning results
SAP GRC 10 Web services − Risk analysis and audit
• Risk Analysis with Request Number (GRAC_RISK_ANALYSIS_WITH_NO_WS): Performs Segregation of Duties (SoD) analysis at the user or role level, along with request information
• Risk Analysis without Request Number (GRAC_RISK_ANALYSIS_WOUT_NO_WS): Performs Segregation of Duties (SoD) analysis at the user or role level
• Provision Logs (GRAC_PROV_LOGS_WS): Returns all the provisioning information for a user (user ID changes, role assignment changes, etc.)
• Audit Trails (GRAC_AUDIT_LOGS_WS): Returns workflow (paths, stages, stage approvers, etc.) and provisioning information
SAP GRC 10 Web services − Additional
• Org Assignments (GRAC_ORG_ASSGN_REQUEST_WS): Enables the assignment of roles to HR-OM objects such as Organizational Unit, Job, and Position
• Firefighter (GRAC_FIRE_FIGHTER_WS): Returns the list of Firefighter IDs and the Firefighter Owner details
• EUP Configuration (GRAC_EUP_CONFIG_DATA_WS): Returns End User Personalization configuration details for a user
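The Risk Analysis deployment options earlier describe two ways the result gets back to IdM: GRC pushes a final result (the Exit from IdM service) or IdM polls. The following added example, which is not PwC's or SAP's code, shows the IdM side of that handoff against a constructed in-memory stand-in for GRC. The stub's method names echo the technical names in the tables above only as labels; the real SOAP request and response schemas are not modelled, and the status strings, polling limit and callback shape are assumptions. The points it demonstrates are the ones an integrator has to get right regardless of schema: bounded polling that gives up cleanly instead of provisioning on a guess, an idempotent receiver for the GRC callback (a retried delivery must not change the outcome), and treating GRC as the source of record for both the final status and the provisioning log.

```python
"""IdM-side driver that runs an access request to completion in SAP GRC.

Added example, not PwC's or SAP's code. FakeGrc is a constructed in-memory
stand-in for the GRC web services listed on the slides; its method names echo
the slides' technical names, but the real SOAP request and response schemas
are not modelled. The status strings, the polling limit and the shape of the
exit callback are assumptions.
"""
from collections import deque

TERMINAL_STATUSES = {"APPROVED", "REJECTED"}


class FakeGrc:
    """Constructed stub: a request advances one step along `schedule` per status poll."""

    def __init__(self, schedule):
        self._schedule = list(schedule)
        self._requests = {}          # request number -> statuses still to come
        self._next_number = 1000
        self.provisioning_log = {}   # request number -> log lines
        self.exit_callback = None    # IdM registers its GRAC_EXIT_FROM_IDM_WS handler here

    def GRAC_USER_ACCES_WS(self, user, roles):
        """Submit a request; returns the GRC request number."""
        number = str(self._next_number)
        self._next_number += 1
        self._requests[number] = deque(self._schedule)
        self.provisioning_log[number] = [f"request created for {user}: {','.join(roles)}"]
        return number

    def GRAC_REQUEST_STATUS_WS(self, number):
        """Return the current status; on a terminal status GRC pushes the result to IdM."""
        remaining = self._requests[number]
        status = remaining.popleft() if len(remaining) > 1 else remaining[0]
        if status in TERMINAL_STATUSES and self.exit_callback is not None:
            self.provisioning_log[number].append(f"final status {status}")
            self.exit_callback(number, status)
            self.exit_callback(number, status)   # mimic a retried delivery of the same result
        return status

    def GRAC_PROV_LOGS_WS(self, number):
        return list(self.provisioning_log[number])


class IdmRequestDriver:
    """IdM side: submits, polls within a bound, and accepts GRC's final result exactly once."""

    def __init__(self, grc, max_polls=5):
        self.grc = grc
        self.max_polls = max_polls
        self.final_status = {}      # request number -> status, written once
        self.callback_count = {}
        grc.exit_callback = self.GRAC_EXIT_FROM_IDM_WS

    def GRAC_EXIT_FROM_IDM_WS(self, number, status):
        """Idempotent receiver: a duplicate callback for a request changes nothing."""
        self.callback_count[number] = self.callback_count.get(number, 0) + 1
        self.final_status.setdefault(number, status)

    def submit_and_wait(self, user, roles):
        number = self.grc.GRAC_USER_ACCES_WS(user, roles)
        for _ in range(self.max_polls):
            status = self.grc.GRAC_REQUEST_STATUS_WS(number)
            if status in TERMINAL_STATUSES:
                break
        else:
            return number, "TIMEOUT"   # request stays open in GRC; IdM provisions nothing on its own
        # GRC is the source of record for the outcome: the pushed result wins over the polled one
        return number, self.final_status.get(number, status)

    def audit_trail(self, number):
        """Pull GRC's log so IdM's audit record references, rather than duplicates, the GRC one."""
        return self.grc.GRAC_PROV_LOGS_WS(number)


SAMPLE_SCHEDULE = ["SUBMITTED", "MANAGER_APPROVAL", "ROLE_OWNER_APPROVAL", "APPROVED"]


def run_sample(max_polls=5):
    driver = IdmRequestDriver(FakeGrc(SAMPLE_SCHEDULE), max_polls=max_polls)
    number, status = driver.submit_and_wait("U1", ["AP_CLERK"])
    return number, status, driver.callback_count.get(number, 0), driver.audit_trail(number)


if __name__ == "__main__":
    print(run_sample())
    print(run_sample(max_polls=2))
```

With the default polling limit the sample request reaches APPROVED, the callback arrives twice but is recorded once, and the audit trail is read from GRC; with a limit of two polls the driver returns TIMEOUT and leaves the request open rather than inventing an outcome.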
Managing typical implementation challenges
• Scope
- Which systems will be managed in SAP GRC?
- Are there SAP back-end systems that do not natively integrate with SAP GRC?
- What is the implementation approach to manage cross-system SoD risks?
• Requirements to Reality
- Is the implementation subtly promising more than the technology is capable of delivering?
- Can the enterprise architecture support the proposed design?
Managing typical implementation challenges (continued)
• Integration
- How will data be transferred between SAP GRC and IdM?
- How is data leakage prevented?
- Have you ensured that data elements have a single source of record?
• Security
- Are communications between applications and end users properly secured?
- Are roles clearly defined to protect the integrity of the process?
• Change Management and Training
- Are users up to speed on potential changes in the access management process?
- Has training documentation been updated?
- Has a support team been established to ease the transition?
Integrating GRC Access Control with IdM is just the beginning
• Provisioning
- One provisioning source for all enterprise logical access – Extend to non-SAP applications as well
- One provisioning source for all enterprise physical access – Swipe access cards, badges, etc.
• Roles
- A holistic view of role access – with Enterprise roles
• Controls
- One controls system that manages risk, controls, and compliance for all applications – SAP GRC 10!
Where to find more information
• GRC How-to Guides:
- www.sdn.sap.com/irj/scn/articles-grc-all
• SAP GRC Help
- https://help.sap.com/grc
• SAP Community Network:
- www.sdn.sap.com
◦ Solutions Analytics Governance, Risk and Compliance
• SAP Netweaver IdM documentation
- help.sap.com/content/documentation/netweaver/docu_nw_idm_design.htm#idm72
7 key points to take home
• Your IdM solution and SAP GRC are not in competition
• There are significant advantages to be gained for the business community by integrating SAP GRC with IdM
• Design the overall process to let SAP GRC do what it does best, and let the IdM solutions do what they do best.
• Clearly determine the integration points between SAP GRC and IdM early on, and continuously review them
• Leverage HR data as a source of record for user information
• Avoid duplication of data across IdM and SAP GRC
• Consider other integration options as well
Your turn!
How to contact me: Sandeep Poonen
Please remember to complete your session evaluation
Questions?