Our last post discussed the strengths of ERP Access Management 1.0. This first roll-out of access management tools radically improved risk visibility through comprehensive reporting, improved compliance, and prevented a lot of nasty stuff from happening. Now comes the next wave of innovation – ERP Access Management 2.0.
With ERP Access Management 2.0, previously overlooked user activity data is being used to help businesses make better and more timely decisions, provide unprecedented forensic evidence, and take the guesswork out of role design. For example, imagine being alerted to access violations when suspicious transactions cross a materiality threshold so the right people can mitigate risks long before serious damage is done.
Actually, you don’t have to imagine it – you can see it in action through the many innovative tools that are part of ERP Access Management 2.0, like Security Weaver’s new SAP access management module, Automated Mitigations. With the help of tools such as Automated Mitigations and others, ERP Access Management 2.0 is more business oriented and has the following design objectives:
1. Improve collaboration across IT, Audit, and Business users: Ask yourself, what is the root cause behind those frustrating conversations when IT, auditors, and business users try to define SAP access management policies and processes? It stems from the lack of a common language to discuss risk.
ERP Access Management 2.0 is all about improving those conversations. It is about providing a unifying concept to align stakeholders so they can find a common understanding of access risks, agree on what efficient user access management looks like, and make proper role design less challenging. In one of our future posts, we’ll talk about how Automated Mitigations eliminates these go-nowhere conversations around access risk management.
2. Drive better decision making: ERP Access Management 2.0 seeks to achieve this design goal by providing better data, exploiting overlooked data, and improving how data is analyzed and visualized. For example, auditors and IT security administrators can review user actions to determine if there is a material risk with a suspicious transaction – not just a theoretical risk that wastes time in research and debate.
Enterprises will use software like Automated Mitigations to stop wasting time on inconsequential risks and instead focus their teams on material risks, and they will use tools like Transaction Archive to ensure they have the user data they need to make informed decisions.
3. Reduce administrative work: By using data more effectively and automating administrative workflows based on defined policies, ERP Access Management 2.0 reduces the administrative burdens of IT, auditors, and business users. Furthermore, because ERP Access Management 2.0 adds a process or workflow orientation on top of comprehensive reporting, administrative work once eliminated stays eliminated with each process optimization iteration. We will say more about this in a later post; suffice it to say there are many inconsequential risks and tedious actions required of IT security administrators that can be eliminated in a way that results in more secure and less risky business operations.
4. Enhance auditability: Remember the old joke about Captain Kirk dictating a reminder to have Starfleet develop an automatic date stamp so he doesn’t have to say the stardate every time he makes a log entry? Kirk would love ERP Access Management 2.0! With this new wave of innovation, automated logging is finally getting beyond emergency access management.
For example, it is common practice for mitigations to be assigned to every user, role, or user group that has an SOD conflict. But how do auditors know the risk owner assigned to execute the mitigation actually did their job? If a suspicious transaction was found, how do they know that it was properly addressed? Imagine those happy auditors who can now see all of the suspicious transactions in one place – when each case was opened, who worked on it, what they did, who commented on it, who reviewed the case, and why it was OK to close it. That certainly beats the old way of tracking cases through an email chain – assuming they were tracked at all.
Again, future posts will deal with specifics such as how Security Weaver’s new module, Automated Mitigations, delights auditors by finally giving them the case-based tracking solution for mitigations that they have always dreamed of.
5. Embrace market and organizational change: The pace of change driven by user provisioning, application development, M&A activities, reorganization, and new regulations (and their enforcement) is relentless and accelerating. To embrace change, companies around the globe are using lean IT principles to improve access management, taking a modular and agile approach to building and implementing their compliance roadmap. Moving away from a “big bang” approach and toward an ERP Access Management 2.0 approach has led to significantly faster cycle times.
6. Manage risks as needed: Managing risks through detective controls has many problems but one advantage: users have more freedom to do their job. Managing risks through preventative controls has many strengths but at least one big weakness: it can prevent or delay users from doing their job. ERP Access Management 2.0 is a hybrid model that balances the best of both. It advocates preventative controls that are optimized based on point-in-time snapshots of user access risks, but it also enables detective controls with continuous monitoring so that preventative controls do not have to be overly complex, overly restrictive, or constantly spawn escalated requests for exceptions.
This hybrid approach manages both what might be done today as well as what has been done across time. The result: nothing is missed, nothing is over-complicated, escalations for exceptional approvals are reduced, and alerts are raised immediately whenever material risks are imminent.
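As an added illustration of this hybrid model (example code written for this post, not Security Weaver’s Automated Mitigations or Transaction Archive), the block below takes a point-in-time snapshot of SOD conflicts from role assignments, then monitors a constructed transaction log and opens a trackable case only when a conflicted user has exercised both sides of a conflict on the same document and the amount crosses a materiality threshold; the closed case carries the history auditors ask for. The SOD rule, activity names, roles, users, threshold, and log entries are all assumptions.

```python
"""Added example (not Security Weaver's code); every value below is constructed."""
from collections import defaultdict

# Policy (constructed): one SOD rule as (side A, side B) plus a materiality threshold.
SOD_RULES = {"VENDOR_PAYMENT": ({"CREATE_VENDOR"}, {"PAY_VENDOR"})}
MATERIALITY = 10_000.00
# Point-in-time snapshot of access (the preventative side).
ROLE_ACTIVITIES = {"AP_CLERK": {"CREATE_VENDOR"}, "AP_PAYER": {"PAY_VENDOR"}}
USER_ROLES = {"alice": {"AP_CLERK"}, "bob": {"AP_CLERK", "AP_PAYER"}, "carol": {"AP_CLERK", "AP_PAYER"}}
# Constructed transaction log (the detective side, monitored continuously):
# (timestamp, user, activity, document, amount)
TRANSACTIONS = [
    ("2024-03-01T09:00", "alice", "CREATE_VENDOR", "V100", 0.0),
    ("2024-03-01T09:10", "bob", "CREATE_VENDOR", "V200", 0.0),
    ("2024-03-01T10:00", "bob", "PAY_VENDOR", "V200", 250.0),  # immaterial
    ("2024-03-02T11:00", "bob", "PAY_VENDOR", "V200", 25_000.0),  # material
    ("2024-03-02T12:00", "carol", "PAY_VENDOR", "V300", 50_000.0),  # one side only
]

def sod_conflicts(user_roles=USER_ROLES, role_activities=ROLE_ACTIVITIES):
    """Snapshot check: users whose combined roles span both sides of a rule."""
    conflicts = {}
    for user, roles in user_roles.items():
        acts = set().union(*(role_activities[r] for r in roles))
        hits = [n for n, (a, b) in SOD_RULES.items() if acts & a and acts & b]
        if hits:
            conflicts[user] = hits
    return conflicts

def material_cases(transactions=TRANSACTIONS, threshold=MATERIALITY):
    """Detective check: open a case only when a conflicted user has exercised
    both sides of a rule on the same document and the amount is material."""
    conflicts = sod_conflicts()
    seen = defaultdict(set)  # (user, document) -> activities already performed
    cases = []
    for ts, user, act, doc, amount in transactions:
        seen[(user, doc)].add(act)
        for rule in conflicts.get(user, []):
            a, b = SOD_RULES[rule]
            both_sides = seen[(user, doc)] & a and seen[(user, doc)] & b
            if both_sides and act in b and amount >= threshold:
                cases.append({"id": f"CASE-{len(cases) + 1:04d}", "user": user,
                              "rule": rule, "document": doc, "amount": amount,
                              "status": "open", "history": [(ts, "system", "opened")]})
    return cases

def close_case(case, reviewer, reason, ts):
    """Append the reviewer's sign-off so auditors can see why the case was closed."""
    case["history"].append((ts, reviewer, "closed: " + reason))
    case["status"] = "closed"
    return case
```

Run as written, the snapshot flags bob and carol as theoretical SOD risks, but only bob’s 25,000 payment against a vendor he created becomes a case; carol’s large payment stays a reportable but non-escalated risk because she never exercised the other side of the conflict.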
Stay tuned for future Security Weaver posts, in which we will drill down and get specific about how the design goals of ERP Access Management 2.0 are being realized both through new tools and through new features in established tools.
To learn more about Automated Mitigations or any of Security Weaver’s other solutions, click here to request a custom demo.