May 25, 2016

5 ways to stop wasting money on segregation of duties

Security is not cheap. It should come as no surprise that access management challenges lead many enterprises to adopt a few processes that may be costing them more money, time, hassles, and delays than necessary.

Here’s a list of five inefficient practices that we have seen after hundreds of interviews, proofs of concept, pilots, and implementations. Stopping these today can save you a lot of money.

We’ll be taking a closer look at each of these suggestions in coming posts, so check back for more great content.

1. Stop assigning mitigations to all conflicts regardless of risk

It takes a lot of effort and money to monitor and review assigned mitigations. The more mitigations assigned, the more time, team, and money it takes to manage them.

You can reduce the long-term effort and cost by properly classifying your conflicts as high, medium, or low risk within your SOD matrix. This allows you to focus your efforts on mitigating conflicts that pose real risk to your enterprise.

2. Stop prioritizing hypothetical SOD conflicts over actual ones

Actual SOD conflicts (conflicts that have been exercised) pose more risk to your enterprise than hypothetical ones do (conflicts that exist but no user has exercised). Risk should drive how you prioritize your remediation and mitigation efforts.

Don’t get me wrong, hypothetical SOD conflicts have their place – like when designing roles. But it’s important to remember where that place is. It’s easy to get bogged down resolving hypothetical conflicts and use up resources (time, attention, and staff) on conflicts that haven’t been exercised and may never be.

3. Stop deploying compromised roles

SOD conflicts built directly into SAP security roles can cause recurring issues that expose your enterprise to unnecessary risk, kill your productivity, and waste your enterprise’s capital. Each time you assign a user a compromised role, you create an issue that you will need to investigate and either remediate or mitigate.

Even when specific users are approved for access to a specific SOD conflict, that conflict should not be contained within a single role. This limits the likelihood that unauthorized users are accidentally given a conflict. It is also important to closely monitor role scope creep so that a clean role doesn’t become a conflicted role over time.
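The checks described in points 1 to 3 can be sketched in a few lines. The following is an added example, not Security Weaver code: it flags roles that contain a conflict on their own, then ranks per-user conflicts so exercised ones come before hypothetical ones and higher risk ratings come first. The SOD matrix, role names, users and usage log are constructed sample data, and treating a conflict as "actual" when the same user has run both transactions is an assumption.

```python
from itertools import combinations

# Constructed sample data: SOD matrix (conflicting transaction pair -> risk),
# role contents, user assignments and a transaction usage log.
SOD_MATRIX = {
    frozenset({"FK01", "F-53"}): "high",     # maintain vendor + post payment
    frozenset({"ME21N", "MIGO"}): "medium",  # create PO + post goods receipt
}
ROLES = {
    "Z_AP_CLERK": {"FK01", "F-53"},  # hypothetical role names
    "Z_BUYER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
}
ASSIGNMENTS = {"alice": ["Z_AP_CLERK"], "bob": ["Z_BUYER", "Z_WAREHOUSE"], "carol": ["Z_BUYER"]}
USAGE_LOG = [("alice", "FK01"), ("alice", "F-53"), ("bob", "ME21N")]
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def conflicts_in(tcodes):
    """Return every SOD_MATRIX pair fully contained in a set of transactions."""
    return [frozenset(p) for p in combinations(sorted(tcodes), 2) if frozenset(p) in SOD_MATRIX]


def compromised_roles():
    """Roles that carry a conflict on their own, before any user assignment."""
    return sorted(name for name, tcodes in ROLES.items() if conflicts_in(tcodes))


def user_conflicts():
    """Per-user conflicts, exercised ones first, then by risk rating."""
    executed = {}
    for user, tcode in USAGE_LOG:
        executed.setdefault(user, set()).add(tcode)
    findings = []
    for user, roles in ASSIGNMENTS.items():
        granted = set().union(*(ROLES[r] for r in roles))
        for pair in conflicts_in(granted):
            # Assumption: "actual" means the user ran both sides of the pair.
            status = "actual" if pair <= executed.get(user, set()) else "hypothetical"
            findings.append((user, tuple(sorted(pair)), SOD_MATRIX[pair], status))
    return sorted(findings, key=lambda f: (f[3] != "actual", RISK_ORDER[f[2]], f[0]))


if __name__ == "__main__":
    print("Compromised roles:", compromised_roles())
    for finding in user_conflicts():
        print(finding)
```

Running the same role check on every role change is one way to catch the scope creep mentioned above before a clean role becomes a conflicted one.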


4. Stop thinking SAP is a poor environment for hosting your controls platform

If your enterprise is one of the many enterprises that runs its controls platform on a Java Stack, Cloud, or even a dedicated ABAP Stack outside of your existing SAP environment, ask yourself why.

By exporting data out of SAP to an external environment, your enterprise is opening itself up to unnecessary risk and is paying more than it needs to. Storage, servers, middleware, operating system licenses, space, power, IT management agents to monitor the performance of the stack, and so forth, all come with a cost that is either directly or indirectly paid by you.

The truth is your enterprise doesn’t need to pay for any more than it already is to run SAP. Your enterprise’s existing SAP environment is a great place to run its controls platform. In fact, it’s the best place to run your controls platform. Why? Because, besides being less costly, it also perfectly matches the SLA requirements of your SAP platform.

That’s why we designed Security Weaver to live inside of SAP. It doesn’t require you to export data. You don’t have to purchase additional hardware, and you don’t have to pay a cloud vendor for storage to hold data you already have stored behind your firewall or for servers you already have in order to run any access risk or process risk analyses you may need.

5. Stop waiting for things to change

Enterprises delay implementing SOD conflict management solutions for various reasons. They’re concerned the implementation may be too heavy, costly, or complicated for their team; they can’t find a platform that has the customizations they want; they think they are saving money using point tools and manual processes instead of an integrated controls platform. The list of invalid reasons goes on.

If you’re delaying moving your enterprise to an automated platform for any reason, then it may be time for you to rethink your situation. By choosing to delay, your enterprise is continuing inefficient manual processes that are putting a dent in your security budget and hurting career development.

SOD solutions like our Separations Enforcer module can easily automate 80 percent of your manual processes right out of the box and can be implemented in only a few weeks. Furthermore, the out-of-the-box controls are built on industry standards, giving you a stable and scalable platform, and the module is architected in such a way that you can build out your own enterprise-specific customizations very efficiently.

Have other suggestions for how to stop wasting money on segregation of duties? Share them in the comments.
