Support  |  1-800-620-4210  |  

Enabling Successful SAP S/4HANA Migrations

SAP S/4HANA is getting a lot of discussion these days. Control is key for a successful S/4HANA migration. There are several ways Security Weaver can help. Below is a simple outline of some areas where Security Weaver can help organizations reduce the risks associated with migrating to SAP S/4HANA and ensure they are always in control and meet compliance requirements before, during, and after migrating to SAP S/4HANA.

Licensing costs: Don’t be surprised by what it will ultimately cost to run SAP S/4HANA. Changes to indirect licensing can be trivial or material. Don’t be surprised by what it will cost you this year, next year, or the year after you move from counting indirect users to counting different document types. In addition to changes for how indirect access is licensed, many companies are also considering moving from activity-based licensing to access based licensing. What will that cost you? Click here to learn more.

User access risks: Whether doing a green field, brown field, or blue field migration, with thousands of new transaction codes and different tables, get the SAP S/4HANA matrix you need to understand your user access risks for your new SAP platform. Security Weaver is continually updating its Segregation of Duties (SoD) ruleset and has one that can help you manage SAP S/4HANA risks. Click here to learn more.

User transaction history and RFC calls: When migrating to SAP S/4HANA, know what to test, who should test particular areas of SAP S/4HANA, and, equally important, know what doesn’t need attention and who shouldn’t be assigned to test something. At Security Weaver, we call this building a Goldilocks test plan – a test plan that does not test too much nor does it test too little. A Goldilocks test plan also ensures the right block of testing is assigned to the right tester. Further, knowing what integrations exist and are active in your current ERP and knowing if your ERP integrations are working as expected after cutting over to S/4HANA is a critical success factor for any migration project. Click here to learn more.

Business and technical role management: With the thousands of new transaction codes in SAP S/4HANA as well as the many table changes, roles will inevitably need to be redesigned. But how can organizations redesign roles efficiently and effectively so that the right access is provided to the right users? Security Weaver offers multiple capabilities to help companies accelerate and control their role design projects. Click here to learn more.

Streamline migration testing: Moving to SAP S/4HANA means new roles and modifying existing roles. Once a new role is created or an existing role is modified, it needs to be tested, but testing takes time and is often not done properly by those assigned to test roles. When roles are not properly tested, they often fail to provide the access required. However, without clear test documentation, it is hard to know where the testing process failed, how to improve it, and who to hold accountable. Security Weaver automates test documentation and even automates some testing activities; consequently, it ensures new roles are properly and efficiently tested. Click here to learn more.

Quickly resolve authorization incidents: With new transaction codes, new tables, new roles, and modified roles, the move to S/4HANA might impact users. Streamline resolving access related incidents by automatically creating help tickets, standardizing data collection, and simplifying research. Click here to learn more.

Eliminate password reset requests: Why have your staff distracted during one of the most important projects they will undertake this year? Moving to SAP S/4HANA requires diligent attention and daily interruptions by users who have forgotten their password hinder this. Instead implement a self-service tool that eliminates password reset requests. Click here to learn more.

There are other areas where Security Weaver can help. If you would like to talk with a Security Weaver consultant on these or other strategies and tactics for ensuring a successful move to S/4HANA, contact us today. Click here to request an advisory session for migrating to S/4HANA.


What is segregation of duties and why is it important?

If you’ve recently implemented an SAP ERP platform, congratulations! It means your company is growing and you now have a fantastic ERP tool at your disposal. Your approach to how you manage access to this platform, however, is vital. It can mean the difference between a secure, well-run organization and an enterprise that suffers fraud and material misstatements of its financials.

Many new SAP ERP administrators start out granting broad access to users in order to ensure the system can be fully utilized. But there is great risk involved in easy, broad access – the risk of fraud, accounting errors, and general mismanagement; all of which can cost millions of dollars. And when auditors come knocking, they want to see a strong balance between access and control. Auditors like to say, “trust is good, but control is cheaper.”

An important control to implement in your SAP environment is segregation of duties (SOD). SOD ensures that key processes are performed by different people to prevent fraud and financial misstatements. For example, if an employee is responsible for both creating and paying vendors, it would be easy to create fake vendors and route the payments to her own bank account. Separating these two tasks and assigning them to different people creates a natural barrier to fraud.

Establishing rules that identify SOD violations can be a complex and time-consuming process but is essential for assessing access risk and properly segregating functions. In SAP ERP environments the SOD ruleset (a.k.a. SOD matrix) must handle authorization objects and not merely look at transaction codes available to a user. Otherwise false positives will occur and make the reporting questionable.

False positives occur when a report shows SOD violations that are not really violations. For example, perhaps a user has access to two or more transaction codes that together would constitute a violation, but because the user only has the authorization objects with field values for display access for those transaction codes, the reported conflict is an error.
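The false positive described above can be shown in a few lines. The following is an added example, not Security Weaver's code or ruleset: it evaluates a vendor-maintenance versus vendor-payment conflict first by transaction codes only and then at the authorization-object level. The object and t-code names (S_TCODE, F_LFA1_APP, F_BKPF_BUK, XK01, F110, activity 03 for display) are standard SAP names; grouping them into these two functions, and the sample users, are assumptions.

```python
# Added example (not Security Weaver code): an SOD check that evaluates SAP
# authorization objects and activity values instead of transaction codes alone,
# so a display-only user is not reported as a conflict.
from dataclasses import dataclass


@dataclass
class Auth:
    obj: str      # authorization object, e.g. S_TCODE or F_LFA1_APP
    fields: dict  # field name -> set of allowed values ("*" means any)


def field_allows(auth, name, value):
    allowed = auth.fields.get(name, set())
    return "*" in allowed or value in allowed


# Ruleset: a function is a set of t-codes plus the object/activity that makes
# the function executable rather than merely viewable. Object and t-code names
# are real SAP names; grouping them into these two functions is an assumption.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"tcodes": {"XK01", "XK02", "FK01"},
                        "obj": "F_LFA1_APP", "actvt": {"01", "02"}},
    "VENDOR_PAYMENT": {"tcodes": {"F110", "F-53"},
                       "obj": "F_BKPF_BUK", "actvt": {"01", "02"}},
}
CONFLICTS = [("VENDOR_MAINTAIN", "VENDOR_PAYMENT")]


def has_tcode(auths, tcode):
    return any(a.obj == "S_TCODE" and field_allows(a, "TCD", tcode) for a in auths)


def can_execute(auths, fname, check_objects):
    f = FUNCTIONS[fname]
    if not any(has_tcode(auths, t) for t in f["tcodes"]):
        return False
    if not check_objects:          # t-code-only evaluation, the source of false positives
        return True
    return any(a.obj == f["obj"] and any(field_allows(a, "ACTVT", v) for v in f["actvt"])
               for a in auths)


def sod_violations(auths, check_objects=True):
    """Conflict pairs the user can actually exercise with the given authorizations."""
    return [(x, y) for x, y in CONFLICTS
            if can_execute(auths, x, check_objects) and can_execute(auths, y, check_objects)]


# Constructed sample users. AUDITOR has both t-codes but only display (ACTVT 03);
# CLERK has create/change activity on both sides.
AUDITOR = [
    Auth("S_TCODE", {"TCD": {"XK01", "F110"}}),
    Auth("F_LFA1_APP", {"APPKZ": {"*"}, "ACTVT": {"03"}}),
    Auth("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"03"}}),
]
CLERK = [
    Auth("S_TCODE", {"TCD": {"XK01", "F110"}}),
    Auth("F_LFA1_APP", {"APPKZ": {"*"}, "ACTVT": {"01", "02", "03"}}),
    Auth("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"01", "02", "03"}}),
]

if __name__ == "__main__":
    print("auditor, t-code only:", sod_violations(AUDITOR, check_objects=False))  # false positive
    print("auditor, object level:", sod_violations(AUDITOR))                      # []
    print("clerk, object level:", sod_violations(CLERK))
```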

Often auditors have unique requirements based on a company’s unique operations, market factors, or regulations, and the ruleset must accommodate these auditor specific requirements. SOD-relevant custom transactions as well as SAP standard transactions must be accounted for by the ruleset. These complexities mean that when done manually, identifying, updating, and enforcing SOD rules can be expensive in both staff time and service fees.

Fortunately, there are tools that can eliminate much of this work. Security Weaver’s Separations Enforcer is particularly effective in helping to manage access risk in SAP. It enables rapid analysis of users across the entire SAP landscape for both SOD conflicts and sensitive access risks, offers a function-based SOD matrix that is easily customizable and can automatically report on SOD-relevant custom transactions even if those transactions are not explicitly included in the ruleset, and provides reports that are fast, readable, comprehensive, and free of false positives.

Security Weaver’s internationally proven and well-documented rules matrix makes it easy for organizations to rapidly implement a complete solution. Rules are easily maintained and updated and can handle complex logic at both the transaction and authorization level, and the solution can manage a wide variety of concurrent rule sets, making it adaptable for any organization structure.

Veteran managers of SAP ERP environments know they need a way to reduce access risks without causing productivity issues. Separations Enforcer is the solution to that challenge. For more information on this and other access management solutions, visit or request a free demo here. Don’t leave the security of your new SAP ERP environment open to unnecessary and unacceptable risk. Put SOD safeguards in place today to keep your data secure, your reporting correct, your assets safe, and your auditors happy.


How to make better management decisions with user data

With the SAPPHIRE NOW and ASUG annual conference underway – and the theme of “Building an Intelligent Enterprise in the Experience Economy” – I have been thinking a lot about the intelligent enterprise.

One thing intelligent enterprises know how to do is make good decisions. But being decisive is not enough –decisions must be right. Going with the gut doesn’t cut it anymore. Good decisions need data. Decisions about what to sell, how to sell it, and how much to sell it for need market data. Decisions about how to make something and what tools to use to make it need operational data. And, decisions about how to manage SAP access, how to design a new role or change an existing role, and whether someone should retain their access, all require data. User activity data is especially useful when making decisions about SAP compliance and security.

User activity data enables businesses to make better decisions, faster, with regard to their SAP applications while simultaneously avoiding:

• unacceptable risk
• higher costs
• confused managers
• angry (and waiting) end users

Unfortunately, even when user activity data is available, it can be challenging to interpret and use effectively. Two management gurus, Megan MacGarvie and Kristina McElheran, in their book HBR Guide to Data Analytics Basics for Managers, explain that where there is an abundance of data but insufficient time or resources for extensive analysis, people rely on simplified procedures to help them make decisions. These shortcuts often lead to poor decisions and systematic mistakes.

It doesn’t have to be this way for SAP user management. Security Weaver’s Transaction Archive offers a solution to the challenges of gathering, analyzing, and archiving user activity data. 

First, it captures detailed user activity transaction histories and then allows managers and auditors to see, over years, detailed records for each user based on the transactions exercised in a given time period. Data can also be presented based on user group membership and other criteria. This provides an unprecedented level of data for detailed forensic reviews, which means better decisions by security and compliance managers.

Second, Transaction Archive uses detailed user activity history to analyze the existing role environment. Transaction Archive determines which users are assigned a given role and what percentage of the role’s transactions have been executed by a single user, a group of users, or the entire user population. Through advanced role analytics, administrators can understand role utilization based on the historical data. Using this data, administrators can confidently redesign or alter roles knowing that SAP end users will not have their work impacted. In other words, with Transaction Archive administrators can make decisions about how to improve security and compliance without users feeling their freedom and productivity are, once again, being sacrificed in the name of security and compliance.

In short, better data = better decisions. And better decisions are at the heart of transforming an average company into an intelligent enterprise. 

For more information on how Transaction Archive can help you make better security decisions for your organization, visit


Prevent $1.77 billion in fraud with automated controls

India’s banking community was rocked last year with the news that Punjab National Bank (PNB), India’s second largest government-owned bank, was defrauded of $1.77 billion over a seven-year period. It is the biggest case of bank fraud in India’s history.

It started when Nirav Modi, an international businessman and high-profile jeweler to the stars, needed loans to purchase overseas diamonds and other precious stones for his business. His company requested LoUs from PNB to secure these low-cost foreign loans to pay suppliers across the globe. The Brady House branch in Mumbai, managed by Deputy Branch Manager Gokulnath Shetty, granted him LoUs with no cash margin (it is usually 100%), no credit limit, and no required 90-day repayment terms. When the loans came due, rather than pay them off, Modi simply requested another LoU from PNB and Shetty would send it, allowing Modi to continue to receive funds to import his goods.

Because Shetty operated directly through the SWIFT system without registering the transactions with PNB’s Core Banking System (CBS), there was no history of any of these transactions. Furthermore, Shetty was responsible for both making and checking entries, a segregation of duties conflict that allowed him to operate undetected. This could have been prevented with a segregation of duties tool such as Security Weaver’s Separations Enforcer.

There were multiple additional violations, including Shetty sharing SWIFT code passwords with other employees to approve transactions while he was on leave, and Shetty’s multiple transfer orders to other branches being ignored or overturned. This went on for seven years, with no repayment of the loans and the overseas banks continuing to accept LoUs on the promise of PNB’s good name.

The internal controls PNB was using to manage its banking processes were inadequate. There was no mechanism in place, for example, to ensure that SWIFT transactions were being recorded in the system, and no way to check that those transactions were matched to the appropriate LoUs. Here are a few more examples of some controls that, had they been implemented and monitored appropriately, would have prevented PNB’s $1.7 billion loss:

1. Flag any LoU issued without collateral
2. Flag any LoU issued with more than a 90-day repayment period
3. Flag frequent release of LoUs to the same beneficiary
4. Flag a high number of LoUs issued to the same beneficiary
5. Flag any SWIFT transactions for LoUs without collateral
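The five flags above, together with the missing SWIFT-to-CBS reconciliation, can be expressed as a small detective control. The following is an added example, not Security Weaver or PNB code, run over constructed LoU and SWIFT records; the thresholds (30-day window, three releases, five LoUs) and the record layout are assumptions.

```python
# Added example (not Security Weaver or PNB code): the five LoU flags plus a
# SWIFT-to-core-banking reconciliation, run over constructed records.
from collections import defaultdict
from datetime import date


def run_lou_controls(lous, swift_msgs, cbs_lou_ids, max_tenor_days=90,
                     freq_window_days=30, freq_threshold=3, count_threshold=5):
    """Return sorted (control, reference) findings. Thresholds are assumptions."""
    findings = set()
    by_id = {lou["id"]: lou for lou in lous}
    issued_by_beneficiary = defaultdict(list)

    for lou in lous:
        if lou["collateral_pct"] <= 0:                                  # control 1
            findings.add(("NO_COLLATERAL", lou["id"]))
        if (lou["maturity"] - lou["issued"]).days > max_tenor_days:     # control 2
            findings.add(("TENOR_OVER_LIMIT", lou["id"]))
        issued_by_beneficiary[lou["beneficiary"]].append(lou["issued"])

    for beneficiary, dates in issued_by_beneficiary.items():
        if len(dates) >= count_threshold:                               # control 4
            findings.add(("HIGH_COUNT", beneficiary))
        dates.sort()
        for i in range(len(dates)):                                     # control 3
            in_window = sum(1 for d in dates[i:] if (d - dates[i]).days <= freq_window_days)
            if in_window >= freq_threshold:
                findings.add(("FREQUENT_RELEASE", beneficiary))
                break

    for msg in swift_msgs:
        lou = by_id.get(msg["lou_id"])
        if msg["lou_id"] not in cbs_lou_ids:          # SWIFT message with no CBS record
            findings.add(("SWIFT_NOT_IN_CBS", msg["ref"]))
        if lou is None or lou["collateral_pct"] <= 0:                   # control 5
            findings.add(("SWIFT_NO_COLLATERAL", msg["ref"]))
    return sorted(findings)


# Constructed sample data: three uncollateralized LoUs to one beneficiary within
# 27 days (one with a 360-day tenor), one clean LoU, and SWIFT messages of which
# only one has a matching core-banking record.
LOUS = [
    {"id": "LOU-1", "beneficiary": "B-JEWEL", "issued": date(2017, 1, 5),
     "maturity": date(2017, 12, 31), "collateral_pct": 0.0},
    {"id": "LOU-2", "beneficiary": "B-JEWEL", "issued": date(2017, 1, 20),
     "maturity": date(2017, 4, 20), "collateral_pct": 0.0},
    {"id": "LOU-3", "beneficiary": "B-JEWEL", "issued": date(2017, 2, 1),
     "maturity": date(2017, 5, 1), "collateral_pct": 0.0},
    {"id": "LOU-4", "beneficiary": "B-STEEL", "issued": date(2017, 3, 1),
     "maturity": date(2017, 5, 30), "collateral_pct": 100.0},
]
SWIFT_MSGS = [
    {"ref": "MT760-1", "lou_id": "LOU-1"},
    {"ref": "MT760-2", "lou_id": "LOU-4"},
    {"ref": "MT760-3", "lou_id": "LOU-9"},   # no LoU of this id exists at all
]
CBS_LOU_IDS = {"LOU-4"}

if __name__ == "__main__":
    for control, ref in run_lou_controls(LOUS, SWIFT_MSGS, CBS_LOU_IDS):
        print(f"{control:20s} {ref}")
```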

How many other banks are sitting on a similar time bomb? Beyond their own losses, how will that affect their supply chain? Remember, PNB’s partners are potentially on the hook for some of those losses. Do you know if the partners you do business with have adequate controls in place? What will it cost you if they don’t? And are your controls sufficient to protect your company from similar cases of fraud or mismanagement?

Security Weaver’s Process Auditor offers an automated, continuous controls platform designed to help organizations visualize and catch risk patterns within their system at the core process level. Process Auditor’s 130 out-of-the-box templates allow companies to streamline the design, development, and documentation required to deploy process controls for Order to Cash, Procure to Pay, Development to Production, Hire to Retire, and Financial Reporting. For example, enterprises can immediately detect and prevent duplicate payments or detect and alert whenever an employee and a supplier have the same bank account.

Click here for more information about how Process Auditor can help you create a secure, continuously monitored controls environment.


How could automated controls save you $122 million? Ask Google.

Through a sophisticated and increasingly common scam called “Business Email Compromise,” Evaldas Rimasauskas, a Lithuanian national, recently tricked Google and Facebook employees into wiring $122 million to fraudulent bank accounts.

First, Rimasauskas registered a company in Lithuania with the same name as Quanta, a computer hardware company out of China that does legitimate business every year with Google and Facebook. Rimasauskas then opened bank accounts associated with his fictional company and sent emails to Google and Facebook employees that appeared to be from employees of Quanta, followed by invoices and wiring instructions to the fake accounts. The emails and invoices sufficiently mimicked previous Quanta invoices – enough to fool the Google and Facebook employees – that they complied with the requests. Once the funds were wired, Rimasauskas quickly siphoned them to various accounts around the world.

How could this happen to two such large and presumably well-run companies? Both Google and Facebook were using manual controls in their ERP system – manual controls that could not prevent major fraud. When Rimasauskas created fake bank accounts for his fake company, he made sure that the account numbers were close enough to actual Quanta account numbers that the differences were difficult to detect without close inspection. He counted on the accounting department using manual controls and being overwhelmed by work.

Had the process involved sufficient controls, the fraud would have been detected immediately and prevented. A great strength of automated controls is that they work well for small companies and can scale to companies as large as Facebook or Google. Not only do automated controls reduce time spent on conducting and supervising financial processes, but they also eliminate human error.

Automated controls have several additional benefits beyond employee time and error prevention. They ensure that processes are better defined, they enable companies to measure important quality metrics for their processes, and they help process owners improve them. They also reduce the time and costs of audits because auditors can test the controls which can materially reduce the substantive testing (sampling) requirements.

Process Auditor from Security Weaver provides an embedded continuous control monitoring platform that supports custom control and risk management requirements. It offers an extensive template library of over 130 controls with a workbench to change existing controls or develop new ones. Process Auditor functions across both complex and heterogeneous environments and allows companies to leverage their existing expertise in ABAP and Java technologies. As it supports environments from SAP R/3 to SAP S/4 HANA, there is no need to buy, deploy, manage, or secure a separate database.

Visit for more information on how Process Auditor can strengthen your controls environment and prevent business losses.

By the way, how much of the $122 million did Facebook and Google recover? Less than $50 million. Bummer. If only there had been $300K in the budget for automated controls a couple of years ago.



Mastering SAP Sydney: Don’t miss out!

Security Weaver is pleased to announce our sponsorship at Mastering SAP this year in Sydney, Australia on March 19th - 20th. Don’t miss out on the exciting line-up of speakers, including two presentations sponsored by Security Weaver:

Tuesday March 19th at 1:05 pm: Jitendra Singh, CIO of JK Cement

Join Jitendra Singh as he shares how his company tackled the issue of internal risk by implementing an effective and user-friendly tool that allowed them to automate risk management tasks - including proper provisioning, eliminating SoD conflicts, capturing and maintaining an audit log, and periodical review of roles and responsibilities of users in the system – resulting in easier and less expensive risk management within the organization.

Tuesday March 19th at 4:00 pm: Kapish Rathi, Senior GRC Implementation Leader at Security Weaver

Kapish Rathi will demonstrate how near real-time detection combined with case management and rich analytics offer unparalleled productivity and a robust audit trail. Kapish has almost a decade of experience with GRC solutions and implementations.


Are manual mitigations killing your ROI around access controls?

Some seasoned access management professionals are starting to wonder if the way they manage segregation of duties (SOD) is hurting their organization’s bottom line. They understand the need for proper SOD management, and they also understand that every organization has a few (hundred? thousand?) SOD conflicts. However, when they sum up all the time spent each month performing manual mitigations to see if anyone exercised one of those conflicts, they feel bad about all the time spent just to discover that no one had exercised a material SOD conflict.

Furthermore, because the individuals required to mitigate conflicts spend so much time each month doing work that results in finding nothing of value, there is often a push by business leaders to have IT own the work. After all, if there are no real business issues arising from these reports, isn’t this work really about managing application risks? Also, since auditors will be going directly to IT to see how well access is being managed, why can’t IT run the reports, catch when the technical permissions they provisioned are abused, and only then alert (or bother) the business users?

Seasoned IT security managers know that SOD risk management needs to be owned by the business, but how can IT encourage the business to be more enthusiastic about managing SOD risks?

On the surface, it is simple: automate the discovery and alerting of material transactions that violate SOD rules and let risk owners prioritize their work.

Implementing such a solution, up until now, has been a challenge – which is why Security Weaver developed its Automated Mitigations solution. This application runs within SAP – it’s written in ABAP and is a simple add-on to R/3, ECC, or S/4. It identifies any suspicious transaction pairs, as defined by your SOD ruleset, and alerts the appropriate risk owners. Since risk owners know their actual financial exposure, they know the risk is material and, since they can easily click into the actual transactions in SAP, they can immediately and efficiently remediate it.

With Automated Mitigations, whenever a material violation is found, a case is automatically created. Because of this, managers and auditors can see every risk that has occurred due to access violations, the exact exposure of the risks, and what was done (or not done) to address the risk.

Because of its strong case management capabilities, auditors have the luxury of knowing every material SOD violation was caught and documented. From there, a simple report can quickly identify any violations not properly addressed. Not only does this reduce audit risk for internal and external auditors, but it also helps risk owners learn and share best practices for mitigating risks so that the risk of fraud is also reduced.

The cost of access controls can be excessive. Sometimes this is due to risk management activities being more theoretical than pragmatic. However, with Automated Mitigations from Security Weaver, risk managers know exactly the risks they are handling, can easily click down to the actual transactions, can avoid the hassle of applying theoretical values to prioritize their risk management activities, and have a single place to document their findings and actions. Auditors know where to look to see how risks are being managed and can prioritize their reviews based on the actual value at risk. And, perhaps most importantly, IT can better engage business users to manage and mitigate the access risks business managers had previously reviewed and had felt were necessary to take.
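The detection logic described above, as an added example that is not Security Weaver's Automated Mitigations code: it scans a transaction history for users who actually executed both sides of a conflict pair within a window, sums the exposure from the paying-side documents, and opens a case only when that exposure is material. The t-codes are standard SAP names; the pairing, the 30-day window, the materiality threshold, the risk-owner mapping and the sample history are assumptions.

```python
# Added example (not Security Weaver's Automated Mitigations code): find users who
# executed both sides of an SOD conflict pair within a window, compute the exposure
# from the paying-side documents, and open a case for material hits only.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Txn:
    user: str
    tcode: str
    when: datetime
    doc: str        # document number created by the transaction
    amount: float   # document value; 0 for master-data transactions


# Conflict pairs from the SOD ruleset as (risk id, creating-side t-codes,
# paying-side t-codes). T-codes are real SAP names; the grouping is an assumption.
CONFLICT_PAIRS = [
    ("VENDOR_MAINTAIN_VS_PAY", {"XK01", "XK02"}, {"F110", "F-53"}),
]
RISK_OWNERS = {"VENDOR_MAINTAIN_VS_PAY": "ap.manager@example.invalid"}  # assumed mapping


def find_material_violations(txns, window_days=30, materiality=10_000.0):
    """One case per (user, risk) where both sides ran within window_days and the
    paying-side amount reaches materiality; non-material pairs are not escalated."""
    by_user = defaultdict(list)
    for t in txns:
        by_user[t.user].append(t)
    cases = []
    for user in sorted(by_user):
        for risk, side_a, side_b in CONFLICT_PAIRS:
            a_side = [t for t in by_user[user] if t.tcode in side_a]
            b_side = [t for t in by_user[user] if t.tcode in side_b]
            pairs = [(a, b) for a in a_side for b in b_side
                     if abs((b.when - a.when).days) <= window_days]
            if not pairs:
                continue
            exposure = sum(b.amount for b in {b for _, b in pairs})  # each payment once
            if exposure < materiality:
                continue
            cases.append({
                "case_id": f"CASE-{len(cases) + 1:04d}",
                "user": user,
                "risk": risk,
                "exposure": exposure,
                "owner": RISK_OWNERS[risk],
                "evidence": sorted({(a.doc, b.doc) for a, b in pairs}),
            })
    return cases


# Constructed transaction history.
HISTORY = [
    Txn("jdoe", "XK01", datetime(2018, 3, 1, 9, 0), "VEND-100", 0.0),
    Txn("jdoe", "F110", datetime(2018, 3, 3, 16, 0), "PAY-500", 25_000.0),
    Txn("asmith", "XK02", datetime(2018, 1, 5, 10, 0), "VEND-200", 0.0),
    Txn("asmith", "F110", datetime(2018, 4, 30, 10, 0), "PAY-600", 50_000.0),  # outside window
    Txn("cara", "XK01", datetime(2018, 3, 10, 9, 0), "VEND-300", 0.0),
    Txn("cara", "F-53", datetime(2018, 3, 11, 9, 0), "PAY-700", 500.0),        # not material
    Txn("bob", "F110", datetime(2018, 3, 12, 9, 0), "PAY-800", 90_000.0),      # one side only
]

if __name__ == "__main__":
    for case in find_material_violations(HISTORY):
        print(case)
```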

To learn more about Automated Mitigations and some exciting announcements about our new Role Guru solution, please visit with our CEO at the upcoming Sapphire event in Orlando, Florida June 5th-7th, 2018. Our CEO, Terry Hirsch, will be announcing a new product that automates designing and building SAP roles. He will also be discussing how to improve the ROI of compliance. Stop by our booth, 889A, to say hello and see firsthand how we can help you use Automated Mitigations to reduce the costs of compliance!

If you have any questions about Security Weaver’s Automated Mitigations product, click here for more information. 


Ask our CEO how SAP License Management makes a difference when migrating to S/4 HANA

Companies have been weighing the costs and benefits of migrating from ECC to S/4 HANA. While S/4 HANA promises many benefits, some companies have concerns about the costs and risks they could incur. The good news is, having a solid license management program in place can reduce the costs and risks of migrating, and make the S/4 HANA platform even more compelling.

Here’s how:

  • First, a strong license management program means you won’t pay more than you need for S/4 HANA licenses.
  • Second, a strong program allows you to predict the financial impact of any changes to your licensing terms once on the new platform.
  • Third, a strong program reduces user access risk.
  • Fourth, a strong program reduces migration project risk.

If you are overpaying for user licenses on your current platform, you will continue to overpay when you move to S/4 HANA. But, if you have optimized your licenses on your current platform, then you will pay for only what you need. Furthermore, as you forecast your S/4 HANA budget requirements, you can confidently predict how many user licenses you will need, what kind of user licenses you will need, and when you will need them.

A weak or manual license management program often results in over-licensing. Compliance reports often inappropriately include expired or locked users, and expensive license types are often assigned to users that would be adequately covered with a less expensive license type. For example, someone may have a Full Professional license assigned to them, but upon closer inspection of their past activities or current authorizations, they may only require a Limited Professional license.

The skills and tools for optimizing user license allocations can be utilized to predict the financial impact when changes happen to the licensing model. So, those with a strong license management program can foresee the cost implications of moving to S/4 HANA. This means budget surprises are avoided. Additionally, customers have the information they need to be powerful negotiators since they understand the full cost of migrating as well as any benefits from new or custom license terms.

When considering the move to S/4 HANA, many companies wonder if they should move from an activity-based licensing model to an authorizations-based model. There are significant benefits in doing so: 1) license costs become more predictable, 2) licensing and access control processes can be efficiently combined, and 3) there is a quantifiable financial benefit for implementing the principle of least privilege across all users. However, such a move could be a costly decision if the change from activity-based licensing is not understood.

A strong license management program automates the discovery and management of indirect SAP users. Thus, a strong program helps architects understand the integration landscape relative to their ERP application. The same discovery capabilities that identify license-relevant integrations can be used to help architects understand which applications and business processes might be impacted by moving to S/4 HANA. Understanding the complex application landscape means migration plans are more informed, expectations are better set, and project risks are lower.

Please visit with our CEO at the upcoming Sapphire event in Orlando, Florida June 5th-7th, 2018. Our CEO, Terry Hirsch, will be announcing a new product that automates designing and building SAP roles at this year’s event, and will also be discussing how to best move to S/4 HANA. Stop by our booth, 889A, to say hello and see firsthand how we can help you use license management to reduce the costs and risks of migrating to S/4 HANA!

To learn more about Security Weaver’s License Management solution, how it automates and optimizes user license allocations, how its simulation capabilities empower companies to predict their future licensing needs along with the value of custom licensing terms, and how its support for indirect users can help architects better plan their migration projects, click here.

Mobilize organization-wide SAP access management improvements | Security Weaver

How EIS successfully mobilized organization-wide SAP access management improvements

Join our webinar on March 28th at 8:00 am (Pacific Time) to learn how Hiba Dagash, Security Analyst at EIS, leveraged the power of data and enhanced reporting tools to set realistic timelines for role re-design projects, build consensus about the work involved, and get business on board with needed changes.

Hiba’s story involves access management issues shared by many Security Analysts and IT Administrators. She needed to create SAP security guidelines and processes, create a shared vision for identifying and addressing Segregation of Duties (SoD) violations across her company’s SAP environment, and help EIS efficiently pass its upcoming SAP license audit.

She attacked these challenges by installing Security Weaver’s software modules: Transaction Archive, Separations Enforcer, Emergency Repair, and License Management. These tools gave her the information she needed to align the company, and the automation she needed to be efficient.

A comprehensive understanding of user activity and access risks provided by these tools enabled Hiba to define the scope and timeframe for a role redesign project to address structural access risks.

Before she started the role redesign project, she knew she wanted a fail-safe that would provide a hassle-free way to keep users happy and the business running smoothly during the project in case any single role was too restrictive. She solved this challenge with Emergency Repair, Security Weaver’s temporary access tool.

With the data she had collected and the roadmap she had designed, Hiba confidently approached stakeholders with her role redesign proposal. She persuaded company stakeholders that change was necessary. She then successfully executed the much-needed role redesign project, increasing role efficiency and decreasing access risks for EIS.

Once she had access risks under control, Hiba deployed License Management to optimize the value of EIS’s SAP user licenses. This module gave her visibility into end user license costs and accounted for different license types. It is the latest example of how Hiba has leveraged understanding user activity patterns into a more efficiently run SAP landscape.

Click here to attend the webinar.

Or, for more information on Transaction Archive, Separations Enforcer, Emergency Repair, License Management, or any of Security Weaver’s other products, visit


Looking to improve role design and risk management in 2018?

Visit the Security Weaver Booth at GRC Vegas!

We are excited to exhibit at this year’s SAPInsider GRC/Financials conference in Las Vegas, Nevada February 12-15. We get enormous satisfaction in helping our current and future customers improve security, increase productivity, and save time and money. This year, we anticipate that people will be very eager to learn how to:

• optimize the value of their SAP and other complex license types
• automatically catch and address suspicious transaction combinations that pose a material threat
• reduce the time and frustration of managing user access risk
• easily create custom process controls that address their organization’s specific access challenges

Security Weaver has long been a leader in access management solutions. Over the years, our products have helped customers achieve control through automation without sacrificing flexibility or security. Our customers love us because our products provide a modular, comprehensive solution that is quick and easy to install and accelerates the value of existing processes.

For example, Multiquip used Emergency Repair to save roughly 60 hours per month in providing temporary access for more than 300 users. And they cut down their audit preparation time by approximately 40%.

After installing Separations Enforcer, JMC Steel identified 20,000 total company-wide SoD conflicts, and quickly reduced them to 100 per system. Within 5 months, 100% of their critical conflicts were removed or mitigated.

In addition to our tried and true products like Emergency Repair and Separations Enforcer, we have some exciting new product developments coming in 2018. These new products will offer leading-edge innovations in role management, role design, role analytics and other role related processes.

What will the new year bring for you and your business? Do you envision the types of changes and improvements that will propel you toward better role design, easier access management, and greater overall productivity?

Make one of your goals this year to attend the Security Weaver booth at GRC Vegas and find out about all the ways we can help you achieve your risk management goals in 2018.
Or, for more information about our products, visit


Security Weaver demonstrates how to achieve mature, cost efficient IT compliance at SAP TechEd 2017

October 11, 2017


Automated Mitigations and License Management increase productivity and reduce compliance concerns

LAS VEGAS, NV – October 11, 2017 - At this year’s SAP TechEd event in Las Vegas, Nevada, Security Weaver demonstrated to attendees how to mature their IT compliance processes in a cost-efficient way. Attendees were especially enthusiastic about Automated Mitigations’ ability to quantify and reduce risks, improve audit documentation, and move beyond primitive segregation of duties management. “Increased complexity requires more reliable and cost-savvy solutions,” says Stephen Dubravac, Executive Vice President of Marketing. “We offer a product suite that enables organizations to quickly adapt to changes in their SAP environment without completely overhauling their systems. Our customers appreciate how quickly and easily our products are up and running and how much time and money they save in the process.” The response to Security Weaver’s products was extremely favorable due to the implications for increased productivity and financial savings.

Security Weaver also provided booth demonstrations of another popular solution, License Management, a role-based module that optimizes the value of SAP licenses. The solution not only improves compliance and reduces the work required to manage SAP licenses, it can also dramatically lower SAP license and support costs. License Management identifies compliance issues, charts consumption trends against the inventory of acquired licenses, automatically allocates the correct license type based on each user’s activities and roles, and allows organizations to more confidently and efficiently prepare for SAP compliance audits.

Click here for a custom demonstration of Automated Mitigations or License management. Or for more information about any of Security Weaver’s products, visit


Security Weaver is a leading provider of governance, risk and compliance management (GRCM) software. Our flagship software suite, Security Weaver, is engineered to give customers a unified view of their enterprise-wide application environment so they can reduce the risk of fraud, accelerate the efficiency of operations, and ease the burden of ongoing compliance requirements.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries.
All other product and service names mentioned are the trademarks of their respective companies.

For more information, press only:
Rebecca Callahan


The 5 most important post-GST tasks for companies running SAP: Part 2


In our last post, we outlined the first three tasks that smart companies tackle after they’ve gone online with GST. The last two tasks are equally important, however, and give companies the tools to face new and existing GST requirements with confidence and security.

Automate emergency access management

Given the scope of GST compliance, changes to IT and business processes are inevitable. Every major IT project leaves management with a better understanding of the business, and the more managers understand the business, the more ideas they will have to improve it, which means change. Furthermore, wherever there is a chain of systems, from your IT environment to an ASP's to a GSP's to GSTN, adjustments to your IT systems will be required, and whenever the government is involved there will be changes. So, with respect to GST, the question is not how to avoid every change; the question is how to be quick, efficient, and risk-free in making any required change.

Smart IT teams already know that even the most knowledgeable people are useless if they lack the authorizations needed to fix a problem or make a requested change to an IT system. Instead of having experts wait around for access, smart IT teams make it possible for IT and business process experts to get the access they need as soon as they need it. The question such teams ask is: How do we make the change process efficient and risk-free, especially since the first thing we did after going live with GST was to pull back exceptional access from the consultants, contractors, and staff whose privileges had been expanded beyond their day-to-day responsibilities?

Speed and security are the core values behind automated emergency access management. It is beyond the scope of this article to get into best practices around emergency access management and the ROI organizations can typically expect, but visit our resource center for various whitepapers and data sheets about emergency access management.

Additionally, to request a demonstration of how easy it is to automate emergency access management, click here.

Conduct an after-action review

Sometimes called a post-mortem, an after-action review is essential for IT to mature and for a business to become more competitive. There will be another major IT project; business and IT can rest assured that major IT projects are recurring events. The question is: Will the organization have matured so that the next major IT project is done even better than the last? The only way to increase the likelihood that an organization can handle hard challenges is to learn from the last one.

There are several methodologies to formally review and learn from major objectives. Each has its advantages and disadvantages. They all share a couple of key requirements: The review should involve all stakeholders, should not be punitive but should focus on areas for improvement, should be immediately after the event, should be oriented on the persistent goals of the organization and aligned with its cultural priorities and values, and should be documented.

If you would like one of our facilitators to help you conduct an after-action review, click here to email us about your interest.


Our two-part series on the 5 most important post-GST tasks has been a short review of five areas every IT and finance team should consider before closing out their GST project. Whether GST registration and compliance was easy or all consuming, if a company was running SAP, there is a good chance access was granted to a wide number of stakeholders. Smart IT and finance teams are now in the process of withdrawing that exceptional access so that risks associated with sensitive access, fraud, and compromised Segregation of Duties are no longer material. They understand that GST did not remove the increasing enforcement of the India Companies Act of 2013 and other legislation that mandates access controls.

Companies know that granting access to new users or expanding access of existing users not only increases access related risks but also may trigger incremental license costs. Those running SAP also know that these licensing costs are not limited to just those with an SAP user ID, but include direct and indirect users.  So before shutting down their GST projects they assess the licensing implications of each integration and of every user. Only then can they be confident they are controlling the costs of their SAP platform under the new GST regime.

In addition to cleaning up access and licensing, smart IT and finance teams are also inventorying their process controls so that their new supply chain processes and tax credit capture strategies are optimized. These companies are looking at both manual and automated controls, but have a bias towards the long-term value of automated controls. Among automated controls they include both the controls inherent in the SAP platform and the add-on automated controls that augment the platform where the company needs them to meet its objectives. These teams see controls not only as a way to ensure consistent operational behavior but also as a way to facilitate knowledge transfer and to identify where positive changes can be made.

Speaking of change, companies realize going live with GST was not the end of change for GST but the beginning. They are now anticipating the inevitable changes coming as bugs are found in the new systems, as management discovers ways to further optimize their business under the new GST regime, and as IT systems come under increasing capacity constraints. These companies want to accelerate one obvious process: emergency access management. This process enables greater speed and security as change requests and troubled processes inevitably come.

Lastly, before closing the books on their GST project, companies are bringing together their people and partners and ensuring that everyone has a chance to both learn from others and to contribute to the learning of others. These post-mortems are happening while the project is still fresh in everyone’s mind. They follow agendas that support the company values. And, they are enabling good organizations to become great, and great organizations to maintain their competitive advantage in the market.

If you would like to know more about how Security Weaver can help your team with GST compliance, SAP License Management, or anything having to do with SAP GRC capabilities, click here.

Post-GST: There's more to do

The 5 most important post-GST tasks for companies running SAP: Part 1

India’s Goods and Services Tax, the most significant tax reform initiative since the nation became independent 70 years ago, was rolled out a month ago on July 1st, 2017. GST has impacted every enterprise IT team in India. It has reprioritized work for IT and business operations and has driven service offerings for accounting firms, system integrators, and supply chain consultants.

To implement GST, organizations have had to analyze and adjust operations based on cash flow implications from GST, re-engineer their supply chain as tax rates have standardized across states, pick the ASP/GSP that would best meet their unique needs, integrate their IT systems via their chosen ASP/GSP (or directly with the G2B portal), normalize invoice, purchasing, and other relevant data for upload into GSTN, and define their reconciliation reports and processes to ensure every tax credit was captured. No small task.

After all the work to go live on GSTN – months of dedicated focus and overtime and countless hours of managing consultants – companies might be tempted to celebrate going live and maybe even take a little break. But can a company who has gone live on GST consider that the end of the project?

Not if it is running SAP.

Why? Because doing so might leave the enterprise open to unnecessary risks and potentially harm the competitive position of the company – especially if it is running a modern ERP platform like SAP.

So instead of patting themselves on the back and risking complacency, smart enterprises quickly turn their focus to five key areas as soon as they go live with GST:

1. Cleaning up access risks to financial systems
2. Reconciling SAP user and indirect license allocations
3. Implementing process controls to ensure that GST compliance requirements are maintained in a cost-effective way
4. Automating emergency access management (EAM) so adjustments can be made quickly
5. Conducting an after-action review to learn from what went well and what could have been done better so that the next major change project will be even more successful

In this installment, we will focus on the first three key areas businesses should tackle post-GST:  cleaning up access risks, reconciling licenses, and implementing process controls. In a subsequent post we will finish with the final two key areas, automating emergency access and conducting an after-action review.


Clean up access

In preparation for the GST roll-out, many IT teams engaged contractors and consultants and gave them broad access to their financial systems to bring IT and accounting systems into compliance with GSTN registration and meet the ongoing requirements of GST. They also expanded the roles of existing IT staff and gave them exceptional privileges within SAP.

At the time, it was necessary to grant exceptional access to get the work done. But what about after the GST project wrapped up? Do those consultants and staff members still need the broad access given to them during the project? Consider the possibility that a disgruntled consultant or contractor decides to perpetrate fraud with that access. With such broad access, will they be able to effectively cover their tracks, or are there controls in place to alert someone to the issue?

And what about sensitive access? Are there people who now have access that gives them insight into the company’s performance and capitalization structure? And do any of those people have contacts within competing companies with whom they could share inside information? If your CEO and CFO knew about this risk, what would their reaction be?

These are all questions that must be answered even beyond GST compliance. When preparing for GST, many companies rightly worried about the sensitive financial data that would be uploaded to an ASP/GSP. These same companies insisted on knowing how the ASP/GSP would protect that data. Now that companies have gone live with the ASP/GSP of their choice, it is important that they ask the same question of themselves: What are they doing internally to protect access to sensitive transactions and data?

Understanding access risks is not the hard part. The hard part is deciding, as an organization, to put resources toward gaining that understanding. Once they understand their risks, organizations can assess whether they now carry more risk than is acceptable. If too much risk exists, they can rationally start to pull back access to their financial systems and IT environments in a way that makes sense and does not impair user productivity.

To learn more about how to understand and manage access cost efficiently click here.

Also, stay tuned for upcoming posts covering topics on how to minimize the costs of access management by using a function based SOD rule matrix, how to efficiently manage custom transactions that are SOD relevant, how to delight auditors and your IT team with efficient “push-button” audits, and how to radically save time and money by automating mitigations and prioritizing access risks based on the actual financial exposure of each risk.

Reconcile license allocations

Granting access to SAP or other financially sensitive applications not only creates risks but also directly drives up costs if the additional access triggers a licensing requirement. If an additional user is added to a company's SAP environment, they will almost certainly consume an additional user license. If that user is an active dialog user with broad access, the incremental license consumed will almost certainly be an expensive one, such as a developer or full professional license type. And any time an existing user is given expanded authorizations and materially increases their interactions with SAP software, it is wise for IT and procurement to understand the licensing implications: they may need to move that user from a limited professional to a full professional license, or change the allocated license type from full professional to developer. License reconciliation is further complicated for SAP environments because the quantity of a given license type usually must be kept within a ratio of the overall population of licenses. If that ratio is violated, additional licenses may need to be purchased even if there are no users to allocate them to.

Few companies considered the licensing implications of opening their SAP environments to consultants and contractors before July 1st. This is no surprise; everyone was focused on meeting the GST go-live date. But now, smart companies are not declaring the GST project over until they have cleaned up access and reconciled user license allocations. They know that if they do not do it now, they may fail their next software license audit and trigger a surprisingly significant budget expense that destroys both their credibility and their investment roadmap.

For companies running SAP, license compliance not only requires them to consider users with a user ID, the license type of each user, and the consumption ratio of different license types, but they must also consider any integrations with non-SAP software that may allow users of the application to change data in SAP indirectly. These indirect users must also be accounted for and properly licensed.  Consequently, smart IT teams are also cataloging every integration rolled out as part of GST and assessing the SAP licensing implications for any users of the integrated application.

To learn more about how to optimize your SAP licenses and reduce the work required to pass your SAP license audits, please read our License Management data sheet by clicking here.

If you would like to see a demo send us an email by clicking here.

Implement process controls

In addition to cleaning up access risks and licensing requirements, it is important to implement a reasonable set of process controls. A reasonable set of process oriented controls is the only way to ensure that compliance with GST requirements is maintained cost effectively, that new processes and supply chain requirements are followed consistently, that consultants and contractors fully transfer their expertise back to the company, that evidence proving compliance is easily and continuously produced so that audits are efficient and comprehensive, and that all tax credits are fully captured.

Smart enterprises understand that the set of controls they need will be a mix of automated and manual controls. Automated controls include those controls SAP offers as part of its platform and add-on controls that augment or extend the SAP environment.

In building a good set of controls, the first step is to identify where things can go wrong and then how to best prevent or quickly catch those deviations. Some examples are:

  • How will your enterprise ensure the proper GSTIN is used so that subsequent tax credits can be automatically matched by the government and ultimately credited back to your enterprise?
  • Where are the different places an error around GSTIN can get into the system and what controls can be applied to each?
  • What controls need to be added to ensure the newly engineered supply chain is functioning as designed?
  • Since small vendors are exempt from having a GST identification number (GSTIN), what controls will ensure that in three months, if they grow and are no longer small enough to qualify for the exception, you get their GSTIN and update transactions before having to forfeit a material amount in taxes?
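As an added illustration of the first two questions above (an example written for this page, not Security Weaver's or SAP's code), the following Python control validates a GSTIN at the points where it enters the system, such as vendor master maintenance or an invoice interface, and reviews vendor records that carry no GSTIN. The layout check and the mod-36 check character follow the published GSTIN scheme; the vendor records, invoice amounts and the review threshold are constructed for the example, and the threshold is not the statutory registration limit.

```python
"""Added example (not Security Weaver's code): an automated input control
for GSTIN values. It checks the published GSTIN layout (2-digit state code,
10-character PAN, entity number, the letter Z, a mod-36 check character)
before a vendor record or invoice line is accepted, and flags vendors with no
GSTIN once their invoiced amount crosses a review threshold. Vendors, invoices
and the threshold below are constructed for illustration."""
import re

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# state code (2 digits), PAN (5 letters, 4 digits, 1 letter),
# entity number (1-9, A-Z), the literal 'Z', check character
GSTIN_RE = re.compile(r"^[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z][1-9A-Z]Z[0-9A-Z]$")

# Assumed review threshold in INR (constructed figure, not the statutory
# registration limit) above which an unregistered vendor must be chased.
UNREGISTERED_REVIEW_THRESHOLD = 1_000_000


def gstin_check_char(first14):
    """Mod-36 check character over the first 14 characters: weights alternate
    1,2,1,2,...; each product is split into quotient and remainder mod 36 and
    both parts are summed (the published GSTIN check-digit scheme)."""
    total = 0
    for i, ch in enumerate(first14):
        product = ALPHABET.index(ch) * (1 if i % 2 == 0 else 2)
        total += product // 36 + product % 36
    return ALPHABET[(36 - total % 36) % 36]


def validate_gstin(gstin):
    """Return (ok, reason): reason is 'ok', 'missing', 'format' or 'checksum'.
    Structural checks run first so a truncated value is reported as a format
    error rather than as a checksum error."""
    if not gstin or not gstin.strip():
        return False, "missing"
    g = gstin.strip().upper()          # tolerate lower case and padding on entry
    if not GSTIN_RE.match(g):
        return False, "format"
    if gstin_check_char(g[:14]) != g[14]:
        return False, "checksum"       # typical single-character typo
    return True, "ok"


def review_vendors(vendors, invoices):
    """vendors: {vendor_id: {"name": str, "gstin": str or None}}
    invoices: [(vendor_id, amount_inr), ...]
    Returns {vendor_id: finding text} for records that need action."""
    spend = {}
    for vid, amount in invoices:
        spend[vid] = spend.get(vid, 0) + amount
    findings = {}
    for vid, v in vendors.items():
        ok, reason = validate_gstin(v["gstin"])
        if ok:
            continue
        if reason == "missing":
            # An unregistered small vendor is allowed; once spend crosses the
            # review threshold the GSTIN must be obtained and postings updated.
            if spend.get(vid, 0) >= UNREGISTERED_REVIEW_THRESHOLD:
                findings[vid] = "no GSTIN on file; spend crossed review threshold, obtain GSTIN"
        else:
            findings[vid] = f"invalid GSTIN ({reason}); block postings until corrected"
    return findings


# Constructed sample vendor master and invoice lines. 27AAPFU0939F1ZV is a
# widely circulated sample GSTIN used here only as a well-formed value.
VENDORS = {
    "V001": {"name": "Registered supplier", "gstin": "27AAPFU0939F1ZV"},
    "V002": {"name": "Typo in GSTIN",       "gstin": "27AAPFU0939F1ZX"},
    "V003": {"name": "Grown small vendor",  "gstin": None},
    "V004": {"name": "Small vendor",        "gstin": None},
    "V005": {"name": "Truncated GSTIN",     "gstin": "27AAPFU0939F1Z"},
}
INVOICES = [("V001", 500_000), ("V002", 120_000), ("V003", 900_000),
            ("V003", 250_000), ("V004", 200_000), ("V005", 50_000)]


def run_review():
    return review_vendors(VENDORS, INVOICES)


if __name__ == "__main__":
    for vid, finding in sorted(run_review().items()):
        print(f"{vid}: {finding}")
```

Plugging `validate_gstin` into the vendor master user exit, the invoice interface and the GSTN upload extract covers the three places a bad GSTIN typically enters; `review_vendors` is the periodic control that catches the vendor who has outgrown the small-vendor exemption.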

Other areas where process controls can help involve identifying revenue leaks in the new supply chain, managing specific dimensions of your ASP's performance, and monitoring credit worthiness and performance of supply chain partners.

Smart enterprises also know that manual controls may be necessary initially, but given the speed of business, they are not a sustainable solution. Only automated controls will provide alerts and remediation quickly enough. Also, manual controls are susceptible to human error and limited human capabilities, so they can never be as consistent, complex, or comprehensive as automated controls. Ultimately, manual controls are neither cost effective, trustworthy, nor something your people want to use. Most talented IT staff know that their career goes nowhere when they must spend time doing things that could have been easily automated.

Once an automated controls platform is implemented, the cost to maintain it is far lower than the cost to maintain a manual control. The incremental cost to implement one more automated control goes down with each new control added to the platform, whereas the cost of each additional manual control goes up, because of the cost to train and manage the person responsible for the control as well as the ongoing cost of paying that person to run it.

If you would like to learn more about how process controls can help you cost effectively maintain GST compliance and optimize the value of your tax credits, we would be happy to share with you some of the best practices in the industry today. Send us an email to request a meeting by clicking here.

Next up: we will detail two more integral post-GST tasks that smart enterprises are implementing. Our next post will discuss the importance of automating emergency access and conducting an after-action review, and how these final tasks will give you the peace of mind to confidently close out your GST project and prepare for the challenges ahead.


Cost effective vs. costly SAP license reconciliation

There’s no way around it – you have to be compliant with your SAP license contracts if you don’t want to face legal and/or financial risks. Unfortunately, for some enterprises that means devoting weeks of staff time (or worse, consultant time) focusing solely on reconciling SAP licenses.

Why? Because preparing for an audit requires several heavy lifts. First, your enterprise must have a thorough understanding of its existing contracts. Second, you need to understand how the licenses in those contracts map to user activities so they can be optimally allocated or assigned to users. Third, you need to understand how each and every user has historically interacted with your SAP environment, either directly by logging in and executing transactions or indirectly through some non-SAP application. And fourth, you must assign the appropriate license type to each user, either directly or based on role assignments.

This is no small task.

Then, once you have done it, you have to prepare so that in 3 to 12 months you can do it all over again.

To stay on top of SAP licensing you need to forecast licensing requirements, adjust license type allocations as user interactions change, account for additional indirect licenses as new integrations are built between your SAP ERP platform and non-SAP applications, and maintain license allocation rules so that they meet all agreed-to specifications and are synchronized to any contract changes.

Staying on top of SAP licensing may include consolidating or updating license contracts (especially if M&A activities have taken place or if any new license types have been defined), tracking package or engine licensing metrics, and, in some situations, documenting all users for any application that has been integrated into your SAP environment along with how each class of users of each non-SAP application interacts indirectly with your SAP environment through the integration.

You will also need planning documents. For example, you will need an IT capacity forecast for the next 6-18 months. Don’t have one? You can create an IT capacity forecast by looking over your company’s business plan and translating it into an IT capacity plan. Another planning document you will need is an IT development and deployment roadmap showing all planned integrations with your SAP environment and any rollouts of your SAP environment to new user groups for the next 6-18 months. This includes internal user groups (like that plant in Latin America), as well as any groups of customers or suppliers who will be interacting with your SAP environment.

Once you have all consumption, planning, and contractual information, you can use it to reconcile past license type allocations with current allocation requirements, understand your current level of compliance, and build a licensing forecast.  You may drive your license management project by asking yourself the following questions:

1. What changes if any are there to our contracts regarding SAP user license types and how will these changes affect allocation algorithms?
2. How many direct SAP users do we have, how has each user’s interaction with SAP changed and how many will be added based on IT and business plans?
3. How many indirect users do we have and through which integration are they accessing SAP, how has each user’s interaction with SAP changed either because the user’s work has changed or the integration has changed, and how many indirect users by application will be added based on IT plans because of new or enhanced integrations and how many will be added as a result of your company achieving its business plans?
4. How will your engine licensing metrics increase or decrease based on the business activity levels that are laid out in the business plan?

You can ask yourself these questions and a few others, but the bulk of your work is going to come down to this: figuring out which user interactions with SAP have changed that dictate a change in license type allocations and whether or not user license type assignments are correct per your contract. Another big issue with SAP license management is going to be around how integrations should have been evaluated based on their licensing impact and not just productivity impact – but we will get to that later. For this post, it’s just about how costly SAP user license management can be and as I said, the rub is going to be figuring out a confident baseline in order to assess compliance and forecast when new licenses will be required.

When you have answered these questions, the next step is to analyze and predict direct user license requirements and define the rules to allocate them.

First, look at each user’s transaction history and remove inactive or duplicate users. Next, define your assignment rule set for allocating license types to users based on what access they currently have. Last, run simulations to figure out if there are enough licenses for your direct users based on the most likely (and most optimistic) business plan. It is better to overestimate than to underestimate when it comes to an SAP audit. But for the sake of your own business costs, ideally you should do neither. Paying for more licenses (or more expensive licenses) than you actually use can be a huge financial hit over time.

After you have analyzed your direct user needs and made predictions, you can move on to indirect users. This is a little more complicated. Start with the same steps you used for direct licenses – look at transaction histories and remove inactive or duplicate users. Then take the rules you created for direct users and figure out how each of the roles for a non-SAP application would match up to an existing SAP license type. Ask yourself the following: If the user were to read or change data in SAP directly instead of through the integrated application, what roles would they need and what license type would that require?

Compare this list with the list of direct users and their roles and their license type. This will give you a good idea of which license type you will need for your indirect users. Just make sure that every user with both an SAP user ID and access to the non-SAP applications has an SAP license type assigned to them that is equal to or greater than what they require based on their access to SAP through the third party applications. And for those with only indirect access, make sure that the SAP license assigned to them accounts for their access through the third-party application.

In addition to user licenses, you need to understand your engine licensing metrics. These metrics are generally different from one product to the next, so you need to do an analysis on each and every one. Compare these metrics with the metrics in your contracts to identify how they are expected to change based on the business and IT capacity plans. Then budget for expected changes.
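The direct and indirect allocation steps above, together with the license-mix ratio clause mentioned earlier, are shown below as an added Python example written for this page; it is not Security Weaver's code and not SAP's licensing rules. The license type names, the transaction-to-license and application-role-to-license rule sets, the contract quantities, the ratio clause and every user are constructed for the example; a real contract defines the real mappings and ratios.

```python
"""Added example (not Security Weaver's code or SAP's licensing rules):
allocate SAP user license types from direct transaction history and from
indirect access through an integrated non-SAP application, then reconcile
the result against a contract inventory and a license-mix ratio clause.
Every user, transaction, role, license name, rule and contract figure below
is constructed for illustration."""
import math
from collections import Counter
from datetime import date, timedelta

# Assumed license types, ordered from least to most expensive.
LICENSE_RANK = ["ESS", "LIMITED_PROFESSIONAL", "PROFESSIONAL", "DEVELOPER"]
DEFAULT_TYPE = "ESS"

# Assumed direct-use rule set: executing this transaction code implies at
# least this license type (the "assignment rule set" from the text).
DIRECT_RULES = {
    "SE38": "DEVELOPER", "SE80": "DEVELOPER",                        # ABAP workbench
    "ME21N": "PROFESSIONAL", "FB01": "PROFESSIONAL",                 # create PO / post document
    "ME23N": "LIMITED_PROFESSIONAL", "FB03": "LIMITED_PROFESSIONAL", # display only
}
# Assumed indirect-use rule set: a role in the integrated application mapped
# to the SAP license the same work would need if done directly in SAP.
INDIRECT_RULES = {
    "procurement-app:buyer": "PROFESSIONAL",
    "procurement-app:viewer": "LIMITED_PROFESSIONAL",
}


def rank(lic):
    return LICENSE_RANK.index(lic)


def highest(types):
    """Most expensive license type in an iterable (DEFAULT_TYPE if empty)."""
    return max(types, key=rank, default=DEFAULT_TYPE)


def allocate(users, indirect_access, today, inactive_days=90):
    """users: {uid: {"tcodes": set of executed transactions, "last_login": date}}
    indirect_access: {uid: [application role, ...]} for people reaching SAP
    through the integration (a uid here may have no SAP user ID at all).
    Returns ({uid: license type}, [inactive uids that get no license])."""
    cutoff = today - timedelta(days=inactive_days)
    allocation, inactive = {}, []
    for uid, u in users.items():
        if u["last_login"] < cutoff and uid not in indirect_access:
            inactive.append(uid)          # lock/remove candidate, consumes nothing
            continue
        direct = highest(DIRECT_RULES[t] for t in u["tcodes"] if t in DIRECT_RULES)
        indirect = highest(INDIRECT_RULES.get(r, DEFAULT_TYPE)
                           for r in indirect_access.get(uid, []))
        # A user with both kinds of access needs a license that covers the
        # greater of the two requirements.
        allocation[uid] = highest([direct, indirect])
    for uid, roles in indirect_access.items():
        if uid not in users:              # indirect-only user, still licensable
            allocation[uid] = highest(INDIRECT_RULES.get(r, DEFAULT_TYPE) for r in roles)
    return allocation, inactive


def reconcile(allocation, contract, max_limited_per_professional):
    """contract: {license type: quantity owned}.
    max_limited_per_professional: assumed ratio clause; 1.0 means the
    limited-professional count may not exceed the professional count.
    Returns {license type: additional licenses to buy}."""
    counts = Counter(allocation.values())
    shortfall = {}
    for lic in LICENSE_RANK:
        over = counts[lic] - contract.get(lic, 0)
        if over > 0:
            shortfall[lic] = over
    # Ratio clause: the professional pool (owned plus those already to be
    # bought) must be large enough for the limited-professional count, even
    # though nobody will be assigned the extra professional licenses.
    prof_pool = contract.get("PROFESSIONAL", 0) + shortfall.get("PROFESSIONAL", 0)
    prof_required = math.ceil(counts["LIMITED_PROFESSIONAL"] / max_limited_per_professional)
    if prof_required > prof_pool:
        shortfall["PROFESSIONAL"] = shortfall.get("PROFESSIONAL", 0) + (prof_required - prof_pool)
    return shortfall


# Constructed sample data.
TODAY = date(2017, 9, 1)
USERS = {
    "alice": {"tcodes": {"SE38", "ME21N"}, "last_login": TODAY - timedelta(days=5)},
    "bob":   {"tcodes": {"ME21N", "FB01"}, "last_login": TODAY - timedelta(days=10)},
    "carol": {"tcodes": {"ME23N"},         "last_login": TODAY - timedelta(days=200)},
    "dave":  {"tcodes": {"FB03"},          "last_login": TODAY - timedelta(days=20)},
    "erin":  {"tcodes": {"FB03"},          "last_login": TODAY - timedelta(days=30)},
    "frank": {"tcodes": set(),             "last_login": TODAY - timedelta(days=1)},
}
INDIRECT = {
    "dave":  ["procurement-app:buyer"],   # has an SAP ID and indirect access
    "grace": ["procurement-app:viewer"],  # indirect only, no SAP user ID
    "heidi": ["procurement-app:viewer"],
}
CONTRACT = {"DEVELOPER": 1, "PROFESSIONAL": 2, "LIMITED_PROFESSIONAL": 2, "ESS": 5}


def run_reconciliation():
    allocation, inactive = allocate(USERS, INDIRECT, TODAY)
    return allocation, inactive, reconcile(allocation, CONTRACT, max_limited_per_professional=1.0)


if __name__ == "__main__":
    allocation, inactive, shortfall = run_reconciliation()
    for uid, lic in sorted(allocation.items()):
        print(f"{uid:6} -> {lic}")
    print("inactive, no license:", inactive)
    print("additional licenses needed:", shortfall)
```

Two points the numbers make: dave's display-only direct history would put him on a limited professional license, but his buyer role in the integrated application pulls him up to professional; and even though only one limited professional license is short on paper, the ratio clause forces a second purchase (a professional license nobody will use), which is exactly the surprise the text warns about.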

If you think this sounds like a lot of tedious, time consuming detective work, you’re right. Reconciliation can be a nightmare, and if you do it using the methods described above, you can plan on spending an enormous amount of time, money, and resources to make sure you pass your audit.

Or, you can utilize License Management, an automated solution that does the work for you – a solution that captures and stores user histories and makes data-driven recommendations on how to reallocate license types to dramatically lower licensing and support costs and still maintain compliance. After all, wouldn’t you rather make your purchasing decisions based on actual usage and expected business growth rather than just taking a shot in the dark?

License Management from Security Weaver provides clear visibility into role-based end user license costs while taking into account different license types, different contract terms, and pertinent cost models.

Click here to request a free demo of License Management, or visit our License Management page for more information.


Why Diageo’s $70 million headache has the SAP community running scared

SAP indirect user licensing has been a hot topic for a while, but with the $70 million Diageo verdict in, the collective blood pressure of the SAP user community has gone up. CEOs and CIOs around the globe are wondering what the Diageo case means for them and are no doubt scouring their SAP contracts to size up their risk. Is their fear warranted? Probably.

Diageo certainly didn’t believe it was at risk when it added third party applications to its system through a product purchased from SAP. According to Diageo’s claims in court, they thought they had licensed software from SAP that gave them permission for users to access their SAP environment through the third party application by way of the licensed gateway.

Ironically, it was actually the gateway software sold to Diageo by SAP that created the financial exposure for Diageo. SAP Process Integration (now part of the Process Orchestration suite) was designed to enable integrations with SAP ECC. Without it, at least in this case, there would have been no indirect users and so no lawsuit. It is a very interesting example of giving someone just enough rope to hang themselves. 

And if it can happen to Diageo, it can certainly happen to others. According to Robin Fry, director at the software licensing firm Cerno, “If a corporate as responsible as Diageo can be hit with a £59m claim, then many corporates and public sector organizations will inevitably be carrying latent liabilities for software license costs.”

At Sapphire Now in Orlando, SAP’s CEO Bill McDermott outlined the company’s new pricing model based on orders and “static read” access. It was intended to calm the anxiety, but after his speech, conference attendees were still worried and a little confused about indirect licensing. And there is some speculation that the new pricing announcement may be designed more to drive migration to SAP S/4HANA than to reduce licensing worries. Furthermore, because his comments only mentioned integrations associated with the order-to-cash and procure-to-pay processes and the narrow case of static reads, it looks like indirect user licensing is here to stay – even for companies who move to SAP S/4HANA.

As businesses integrate third party applications with SAP in order to increase efficiency, better manage human resources, optimize IT processes, ensure adequate security, achieve compliance, and improve customer service, indirect licensing will still be tricky and businesses will still face financial risks. There is just no way around it.

Are more lawsuits on the horizon? Many customers and analysts think so. Win one lawsuit and you tend to become more confident that you can win the next one. No doubt winning the Diageo case will not make SAP less aggressive in going after what it feels is fair compensation for its IP.

So what’s an enterprise to do? Examining contracts and mapping every integration with an ERP platform takes time, is disruptive to staff, and may still not be enough to prevent a lawsuit; even hiring a cadre of expensive lawyers might not help since a precedent has now been set by the Diageo ruling.

But you can’t just sit back and do nothing. Risk Management 101 says that when facing a risk, you should address it by reducing exposure to it, either by transferring the risk or by minimizing the chance of it happening (and the impact or consequences should it happen). You can also reduce the uncertainty of the risk and then accept and continue to manage it, pay to transfer the risk, or exit current operations and remove exposure to the risk. Whatever the decision, it will be based on new, more confident expectations. But to get there, you need to know what the risks are, their potential impact, and where they are coming from. And, ideally, not have to pay a fortune for this understanding.

Fortunately, Security Weaver can help. So instead of spending thousands of man-hours doing license management or hiring expensive attorneys, install our simple ABAP transport that automates reconciliation activities, identifies where indirect license risks might be coming from, and automates continuous optimization and tracking of direct and indirect SAP user licenses.

With Security Weaver, financial risk mitigation around SAP licensing is straightforward and simple. Click here to request a free custom demonstration of License Management or visit our solutions page to find out more.

Security Weaver debuts automated mitigations solution at GRC 2017 in Las Vegas, NV

At this year’s GRC event in Las Vegas, Nevada, Security Weaver debuted Automated Mitigations, the newest module in our first-class line of access management solutions. The company’s Co-founder and Chief Architect, Sumit Sangha, demonstrated Automated Mitigations as part of his presentation titled, “ERP Access Management 2.0 – Simplify SAP access management, focus on what matters, and quantify the value of compliance.”

Attendees were especially enthusiastic about Automated Mitigations’ ability to quantify and reduce risks, improve audit documentation, and move beyond primitive segregation of duties management. Says Sangha, “The response to Automated Mitigations was extremely favorable. People are excited about the way this solution provides auditors and other stakeholders a clear and continuous view of material risks and then shows auditors how those risks were or were not mitigated. The implications for increased productivity and financial savings are enormous, and our audience responded positively to that.”

Security Weaver also provided booth demonstrations of another popular solution, License Management, a role-based module that optimizes the value of SAP licenses. The solution not only improves compliance and reduces the work required to manage SAP licenses, it also can dramatically lower SAP license and support costs. License Management identifies compliance issues, charts consumption trends against the inventory of acquired licenses, automatically allocates the correct license type based on each user’s activities and roles, and allows organizations to more confidently and efficiently prepare for SAP compliance audits. This product has garnered special attention of late in the wake of Diageo’s recent indirect licensing lawsuit that cost them over £54 million in additional licensing and maintenance fees. 

Click here for a custom demonstration of Automated Mitigations or License Management. Or for more information about any of Security Weaver’s products, visit

6 Reasons to care about ERP Access Management 2.0

Our last post discussed the strengths of ERP Access Management 1.0. This first roll-out of access management tools radically improved risk visibility through comprehensive reporting, improved compliance, and prevented a lot of nasty stuff from happening. Now comes the next wave of innovation – ERP Access Management 2.0.

With ERP Access Management 2.0, previously overlooked user activity data is being used to help businesses make better and more timely decisions, provide unprecedented forensic evidence, and take the guesswork out of role design. For example, imagine being alerted to access violations when suspicious transactions cross a materiality threshold so the right people can mitigate risks long before serious damage is done.

Actually, you don’t have to imagine it – you can see it in action through the many innovative tools that are part of ERP Access Management 2.0, like Security Weaver’s new SAP access management module, Automated Mitigations. With the help of tools such as Automated Mitigations and others, ERP Access Management 2.0 is more business oriented and has the following design objectives:

1. Improve collaboration across IT, Audit, and Business users: Ask yourself, what is the root cause behind those frustrating conversations when IT, auditors, and business users try to define SAP access management policies and processes? It stems from lack of a common language to discuss risk.

ERP Access Management 2.0 is all about improving those conversations. It is about providing a unifying concept to align stakeholders so they can find a common understanding of access risks, agree on what efficient user access management looks like, and make proper role design less challenging. In one of our future posts, we’ll talk about how Automated Mitigations eliminates these go-nowhere conversations around access risk management.

2. Drive better decision making: ERP Access Management 2.0 seeks to achieve this design goal by providing better data, exploiting overlooked data, and improving how data is analyzed and visualized. For example, auditors and IT security administrators can review user actions to determine if there is a material risk with a suspicious transaction – not just a theoretical risk that wastes time in research and debate.

Enterprises will use software like Automated Mitigations to eliminate wasting time on inconsequential risks and instead help teams focus on material risks, and they will use tools like Transaction Archive to ensure they have the user data they need to make informed decisions.

3. Reduce administrative work: By using data more effectively and automating administrative workflows based on defined policies, ERP Access Management 2.0 reduces the administrative burdens of IT, auditors, and business users. Furthermore, because ERP Access Management 2.0 adds a process or workflow orientation on top of comprehensive reporting, administrative work once eliminated stays eliminated with each process optimization iteration. We will say more on this in a later post; suffice it to say there are many inconsequential risks and tedious actions required of IT security administrators that can be eliminated in a way that results in more secure and less risky business operations.

4. Enhance auditability: Remember the old joke about Captain Kirk dictating a reminder to have Starfleet develop an automatic date stamp so he doesn’t have to say the stardate every time he makes a log entry? Kirk would love ERP Access Management 2.0! With this new wave of innovation, automated logging is finally getting beyond emergency access management.

For example, it is common practice for mitigations to be assigned to every user, role, or user group that has an SoD conflict. But how do auditors know the risk owner assigned to execute the mitigation actually did their job? If a suspicious transaction was found, how do they know that it was properly addressed? Imagine those happy auditors who can now see all of the suspicious transactions in one place – when each case was opened, who worked on it, what they did, who commented on it, who reviewed the case, and why it was OK to close it. That certainly beats the old way of tracking cases through an email chain – assuming they were tracked at all.

Again, future posts will deal with specifics such as how Security Weaver’s new module, Automated Mitigations, delights auditors by finally giving them the case-based tracking solution for mitigations that they have always dreamed of.

5. Embrace market and organizational change: The pace of change driven by user provisioning, application development, M&A activities, reorganization, and new regulations (and their enforcement) is relentless and accelerating. To embrace change, companies around the globe are using lean IT principles to improve access management, taking a modular and agile approach to building and implementing their compliance roadmap. Moving away from a “big bang” approach and toward an ERP Access Management 2.0 approach has led to significantly faster cycle times.

6. Manage risks as needed: Managing risks through detective controls has many problems but one advantage: users have more freedom to do their job. Managing risks through preventative controls has many strengths but at least one big weakness: it can prevent or delay users from doing their job. ERP Access Management 2.0 is a hybrid model that balances the best of both. It advocates preventative controls that are optimized based on point-in-time snapshots of user access risks, but it also enables detective controls with continuous monitoring so that preventative controls do not have to be overly complex, overly restrictive, or constantly spawn escalated requests for exceptions.

This hybrid approach manages both what might be done today as well as what has been done across time. The result: nothing is missed, nothing is over-complicated, escalations for exceptional approvals are reduced, and alerts are raised immediately whenever material risks are imminent.
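To make the hybrid model of point 6 and the case-based tracking of point 4 concrete, here is a small added example in Python. It is not Security Weaver’s code or a vendor ruleset; the SoD rules, transaction codes, users, log entries and materiality threshold are all constructed for the illustration. The preventative check works from a snapshot of what each user can execute; the detective check works from what users actually executed and raises an alert only when both sides of a conflicting pair were used and the amount is material; each alert opens a case that cannot be closed without a recorded justification.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed SoD ruleset for this example: each rule pairs two functions that
# one person should not perform alone, with the transaction codes on each side.
# Rule names and codes are illustrative, not a vendor ruleset.
SOD_RULES: Dict[str, Tuple[Set[str], Set[str]]] = {
    "create_vendor_and_pay": ({"FK01", "XK01"}, {"F-53", "F110"}),
    "create_po_and_release": ({"ME21N"}, {"ME29N"}),
}

# Preventative input: point-in-time snapshot of the transaction codes each
# user can execute (constructed sample).
ACCESS_SNAPSHOT: Dict[str, Set[str]] = {
    "alice": {"FK01", "F110", "ME21N"},
    "bob": {"ME21N", "ME29N"},
    "carol": {"ME21N"},
}

# Detective input: transactions actually executed as (timestamp, user, tcode,
# amount). Constructed sample, not captured data.
TRANSACTION_LOG: List[Tuple[str, str, str, float]] = [
    ("2017-03-01T09:00", "alice", "FK01", 0.0),
    ("2017-03-01T09:30", "alice", "F110", 250_000.0),
    ("2017-03-02T10:00", "bob", "ME21N", 1_200.0),
    ("2017-03-02T10:05", "bob", "ME29N", 1_200.0),
    ("2017-03-02T11:00", "carol", "ME21N", 90_000.0),
]

# Assumed materiality threshold; in practice agreed between business and audit.
MATERIALITY_THRESHOLD = 50_000.0


def snapshot_conflicts(snapshot=ACCESS_SNAPSHOT):
    """Preventative view: users who hold both sides of a rule, used or not."""
    hits = []
    for user, tcodes in sorted(snapshot.items()):
        for rule, (side_a, side_b) in SOD_RULES.items():
            if tcodes & side_a and tcodes & side_b:
                hits.append((user, rule))
    return hits


def material_alerts(log=TRANSACTION_LOG, threshold=MATERIALITY_THRESHOLD):
    """Detective view: alert only when a user executed both sides of a rule
    and the largest amount involved reaches the materiality threshold."""
    executed: Dict[Tuple[str, str], Dict[str, float]] = {}
    for _ts, user, tcode, amount in log:
        for rule, (side_a, side_b) in SOD_RULES.items():
            side = "a" if tcode in side_a else "b" if tcode in side_b else None
            if side is None:
                continue
            seen = executed.setdefault((user, rule), {})
            seen[side] = max(seen.get(side, 0.0), amount)
    alerts = []
    for (user, rule), seen in executed.items():
        if "a" in seen and "b" in seen and max(seen.values()) >= threshold:
            alerts.append((user, rule, max(seen.values())))
    return alerts


@dataclass
class MitigationCase:
    """One case per material alert, carrying the trail auditors ask for:
    who opened it, who worked it, who reviewed it, and why it was closed."""
    case_id: str
    user: str
    rule: str
    amount: float
    status: str = "open"
    trail: List[Tuple[str, str, str]] = field(default_factory=list)

    def record(self, who: str, action: str, note: str = "") -> None:
        self.trail.append((who, action, note))

    def close(self, reviewer: str, justification: str) -> None:
        # Closing without a stated reason is refused; that is what separates
        # case-based tracking from an e-mail chain.
        if not justification.strip():
            raise ValueError("closing a case requires a justification")
        self.record(reviewer, "closed", justification)
        self.status = "closed"


def open_cases(alerts):
    """Open one tracked case per material alert, numbered in alert order."""
    cases = {}
    for n, (user, rule, amount) in enumerate(alerts, start=1):
        case = MitigationCase(f"CASE-{n:04d}", user, rule, amount)
        case.record("system", "opened", f"material amount {amount:,.2f}")
        cases[case.case_id] = case
    return cases


if __name__ == "__main__":
    print("snapshot conflicts:", snapshot_conflicts())
    alerts = material_alerts()
    print("material alerts:", alerts)
    for case in open_cases(alerts).values():
        case.record("risk_owner", "reviewed", "payment run matched approved invoices")
        case.close("auditor", "supporting documents verified")
        print(case.case_id, case.status, case.trail)
```

With the sample data, the snapshot flags both alice and bob as holding conflicting access, but only alice produces a material alert: bob did execute both sides of his conflict, but for an amount below the threshold, so the detective control files nothing for the risk owner to chase, which is the "inconsequential risk" the text says should stop consuming time.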

Stay tuned for future Security Weaver posts, in which we will drill down and get specific about how the design goals of ERP Access Management 2.0 are being realized both through new tools and through new features in established tools.

To learn more about Automated Mitigations or any of Security Weaver’s other solutions, Click here to request a custom demo.

March SWUG Knowledge Forum: Did you miss it?

We would like to thank all who attended our most recent SWUG Knowledge Forum on March 16, 2017. The forum was titled “ERP Access Management 2.0 – Avoid wasting time on compliance and instead focus on what matters.”

Sumit Sangha, Co-founder and Chief Architect at Security Weaver, spoke about how enterprises are improving collaboration between IT, Audit, and Business, while reducing risks, improving audit documentation, and moving beyond primitive segregation of duties management. He discussed the history of SAP access management and demonstrated how customers are using a new solution, Automated Mitigations, to move beyond access management 1.0.

Mr. Sangha has been using or developing the technology behind effective and efficient internal controls and security policies since 1997. While working with various organizations who struggled with manual controls for business and technical challenges, he recognized an industry-wide need for automation to address internal controls and compliance mandates.

With experience in designing solutions and cutting edge applications for SAP systems throughout his career, he co-founded Security Weaver in 2004. Currently, Mr. Sangha is responsible for the company's portfolio development, strategic vision, and roadmap.

If you missed the forum, but would still like to view it and/or listen, you can find the link here via our SWUG page on LinkedIn.

For more information about Automated Mitigations or any of Security Weaver’s ERP access management solutions, visit