Let's Talk Data Security

Future-proof your governance and risk in SAP

Written by Roy Topham | Mar 10, 2023 10:50:01 AM

If you are moving your SAP system to the cloud, managing Access Risk should be top priority, whether you are implementing SAP SuccessFactors, S/4HANA or RISE with SAP®. This blog explores the impact of your future direction on your ability to manage Access Risk.

Are you thinking about what the next technology enhancement is that your organisation needs to stay competitive? At EPI-USE Labs, we work with thousands of clients to support their journey, whether it is migrating their Payroll to SAP SuccessFactors® Employee Central Payroll or finding a data strategy for their non-production system (and many other challenges in between). Today, I’m focusing on the impact of your future direction on your ability to manage Access Risk, whether you are implementing SuccessFactors, S/4HANA or RISE with SAP®.

 

As businesses move to the cloud, the importance of maintaining the integrity, confidentiality and availability of data has become increasingly important to improve agility, reduce costs and achieve better scalability. Governance, risk and compliance (GRC) should also remain a top priority. With functionality moving off premises and maybe out of SAP, it’s essential to ensure that all your systems meet the necessary security and compliance requirements, and that you can detect conflicts in Segregation of Duties (SoD) across them. Implementing effective GRC practices and a robust security strategy are key factors in mitigating the risks (external and internal) associated with operating in the cloud.

 

Protecting your system from internal threats

Although external hackers have become more focused on targeting SAP systems in recent years, by far the greater threat remains from internal actors. According to the last Benchmark Study of Ponemom, insider threats have increased in both frequency and cost over the past two years, now costing an average of US$15.38 million.

 

These threats may be deliberate acts by disgruntled employees, curious individuals testing the limits of their access, or just mistakes made while making powerful transactions. The likelihood of any of these scenarios occurring is much higher now that most of the workforce is working from home, away from the scrutiny of their peers and supervisors.

 

These growing threats – such as increased regulatory scrutiny, complexity of business processes and the importance of reputation management ‒ are some of the multiple reasons why GRC is becoming increasingly important in today’s rapidly-changing business landscape.

 

The implementation of GDPR and other data privacy legislation means that we must also put much more emphasis on the confidentiality of the data in our SAP systems. GDPR’s concept of ‘Privacy by Design’ requires that only people who need access to specific data to do their jobs have access to that data.

 

The new scenario: SAP systems in the cloud

In the case of SAP, the decision to move to the cloud has become even more urgent in recent years, because of multiple drivers including:

  • Cost savings
  • Scalability
  • Improved data security and recovery
  • Agility

In addition, SAP itself is putting pressure on companies to move to the cloud. Standard support for SAP’s on-premise Enterprise Central Component (ECC) is ending in 2027, making the decision even more urgent. SAP’s recommended first choice for this transition is RISE with SAP. Their salespeople are not recommending any on-premises solutions right now.

 

Which path are you choosing?

So, given this general movement to the cloud, let’s examine some of the challenges faced on some of the more popular routes. Choose your option, and learn more about managing the risks in your path to the cloud. 

Access Risks in SAP SuccessFactors

Migrating your SAP HCM system to the cloud is a big step towards modernising your HR processes and becoming more efficient in responding to business needs. By choosing SuccessFactors, you will benefit from many advantages, such as improved data accuracy, faster reporting, and increased collaboration between HR and other departments.

 

That said, we cannot forget that we are dealing with sensitive and personal information (salaries, personal identification data and so on). If this data is hosted in the cloud, where more people might access it with less control, it might be more vulnerable to unauthorised access and cyber-attacks. We will also have to consider SoD conflicts between actions that a user may execute in SuccessFactors, and actions that they might execute in ECP, for example. This adds to the complexity of managing security and access risks in our system, and you will face some extra challenges with SuccessFactors.

 

The authorisation concept has changed from SAP HCM to SuccessFactors, moving from ABAP based, to Permission based, and this concept is still evolving. Consequently, many GRC solutions do not have a mature ruleset for SuccessFactors and are not able to assess risk there properly, or cross-system risk between EC and ECP. We must also be aware that HR data replication between EC and ECP adds additional risk, as data must be protected in both systems.

 

Another challenge in managing access risks in a cloud system, in general, can be the limited visibility of logs. We used to be able to monitor all actions through the SM20 audit log, but this option will no longer be available. This lack of visibility of what is happening in the SuccessFactors’ environment makes it difficult to detect and respond to risks in the system, driving the implementation of costly security monitoring solutions that can detect and respond to security incidents.

 

Interestingly, Soterion offers one of the few GRC tools that has a rule-set for SuccessFactors. Many organisations are trying to develop their own, but the fact that the Permissions’ concept is still evolving means that maintenance is high.

 

As you can see, there are many challenges and peculiarities you may face during your move to SuccessFactors, so you'll be glad to hear that Soterion can help. Soterion can detect potential security threats and unauthorised access to sensitive HR data, giving you more visibility into your system. It can also check SoD risks across EC and ECP. With Soterion, you can be sure of the confidentiality, integrity and availability of your HR data in the cloud-based system and reduce the risk of security breaches and compliance violations.

 

S/4HANA: manage security risks from the start

When it comes to S/4HANA projects, security often receives less attention than other factors such as functionality and user experience, and time constraints can often lead to the classic statement, “We’ll fix security later.” However, since security on S/4HANA is a lot more complicated, this attitude can create huge risks and threats to the system, which are much more difficult to remediate.

 

Not only should we consider security as a key element from the beginning of the migration, but we must also make sure that personal data is protected by design, as required by GDPR's ‘privacy by design’ principle. This means that data protection must be integrated into the design and architecture of the system, rather than being added as an afterthought. This includes carrying out access controls, data encryption, and regular monitoring and auditing of system’s activities.

 

When we talk about S/4HANA, it is imperative to consider the Fiori apps. This new interface, although modernising and improving the user experience, is an added complication for security.

Fiori apps have a different technical architecture to traditional SAP GUI-based transactions, which means that the security mechanisms used to control access to the system must be adapted and updated. In addition, it is designed to be accessed from mobile devices, with additional risks related to device security, such as lost or stolen devices, unsecured wi-fi networks and unencrypted data. Another point to consider is that some transactions are replaced in S/4HANA. The replacement of master data maintenance transactions by the BP transaction requires extra attention.

 

We must also look at the current SoD risks in the existing SAP system, and any mitigating controls that may have been applied to ensure that the same or better controls are in place in the new S/4HANA system. By performing this review, we will be able to ensure that risks that will be carried over are controlled, and identify potential new risks before migration.

 

Having discussed the challenges your company may face when migrating to the cloud with S/4HANA, you may have realised the importance of early detection and management of access risks. However, this may not be particularly easy. Functional teams often don’t have the knowledge or tools to do this by themselves, so the best solution for companies is to rely on a data security partner ‒ like EPI-USE Labs ‒ who can provide guidance and support to functional teams in implementing security controls and best practices.

 

RISE with SAP and GRC?

After a slow start, the take-up of RISE is improving as more information and client experiences become available. If your company has opted for RISE with SAP to migrate your system to the cloud, you will already know that you have access to a range of services and solutions bundled into your contract, either by default or choice. A lot of Basis and administration tasks will be performed by SAP, but it is important to note that roles and security administration will still be the client’s responsibility. In companies where Basis and security expertise are held by the same resources, it may be a challenge to retain them.

 

SAP seems to be bundling SAP GRC licences into RISE agreements by default, but this is not compulsory and it is crucial that you analyse and consider your proposed landscape before deciding what to include in your bundle. Even if you currently use SAP GRC, you need to consider that an expensive upgrade may be needed. Also, bear in mind that GRC has a limited lifetime and will eventually be replaced by IAG. If you will be using cloud solutions, such as SuccessFactors or Ariba, bear in mind that SAP GRC will not connect natively to non-ABAP-based systems and you will need to purchase the IAG bridge. In these cases, in might well be advantageous to opt for a GRC solution like Soterion’s solution, which will be able to extend risk analysis across your wider cloud landscape.

 

As with any migration to S/4HANA, it is crucial to get started as soon as possible on reviewing your current role methodology and design, the alignment of users’ access with their job requirements and the extent to which Fiori will be used.

 

Want to find out more about how essential it is to futureproof your governance and risk in your SAP systems, and how we can help? Watch our webinar or get in touch for a free demo today.