Access Governance to Secure SAP and Other Business Applications  
Jasmine Chennikara-Varghese
August 25, 2021

With sensitive data residing in SAP and other business-critical applications, users with access to these applications pose one of the biggest inherent security risks. As employees, contractors, vendors and customers access business applications to perform their routine and firefighter activities, they could intentionally or accidentally pose a threat to business continuity. In addition, as the organization’s application landscape grows and users cycle through, maintaining compliance and ensuring strict access controls to prevent fraud or data leakage is an ongoing challenge. Effective access governance can minimize risks and even deter users from performing potentially damaging activities. 

Why is Access Governance in SAP and other Business Applications essential? 

The reality is having users with access to critical business systems presents risk. User accounts are vulnerable to compromise and privilege escalation by internal or external attackers. In many organizations, privilege escalation happens under the radar through privilege-creep whereby employees end up with more access than needed as they move through the organization with different job roles and responsibilities. Additionally, there are third-party users such as vendors, customers or consultants who share accounts or require administrator-level rights to perform certain activities on behalf of the organization. Eventually when their employment, contract, or project ends, often the access is not terminated in a timely manner due to lack of an effective offboarding process, making departing insiders and their associated accounts a significant risk. 

How do I ensure access is properly managed across SAP and other Business Applications? 

Securing business applications requires securing user access. It is essential to have continuous and comprehensive understanding of user access and entitlements: 

  • WHO is being given permanent or temporary access into critical business applications. 
  • WHAT business and technical roles have they be given and are the associated entitlements appropriate to complete their job responsibilities. 
  • WHEN is the access they are given excessive or obsolete as job roles and organizational changes occur. 
  • WHERE does broad access or conflicting access have the potential to violate key controls, like Segregation of Duty controls. 
  • HOW are users utilizing these privileges or entitlements in the application. 

Access governance enables businesses to mitigate access risks for applications and secure the sensitive data that resides in them. One of the foundational concepts for effective access governance is the Zero Trust Security model which assumes that untrusted users can exist inside the enterprise landscape as well as outsideits boundaries. Access Governance aims to give users least-privilege access and non-conflicting access to minimize privilege abuse and misuse as well as to mitigate the impact of compromised accounts.  This encompasses policies, procedures, and processes for user provisioning, privileged access management, user access reviews, and access risk analysis which align with security and compliance requirements.   

What product capabilities are required to ensure proper Access Governance? 

Compliant user provisioning manages the granting/removal of access in order to safeguard the application. Access granted entails both coarse-grained authorizations related to functionality access as well as fine-grained authorizations related to data level and field level access. To ensure that new access entitlements do not result in non-compliance, checks for key controls such as Segregation of Duties (SOD) and Critical Access risks should be performed. With privileged users, when elevated access is granted, more oversight is needed. A full audit trail of activities performed by the privileged user is required to identify malicious activities linked to privilege abuse and to proactively remediate risk.  

User access and entitlements should be reviewed periodically to mitigate access risk, secure applications, and avoid non-compliance. User access needs will change over time as they onboard, experience job role or organization changes and offboard. Periodic user access reviews are required to verify that current access is appropriate and to remove obsolete or excessive entitlements.  In addition, review of assigned entitlements should be done to detect and remediate access conflicts for segregation of duties or critical access risk. 

How does Pathlock enable Access Governance across SAP and other business applications? 

Pathlock automates multiple access governance processes and provided insights to enable more intelligent access management. Pathlock aggregates access information from different applications including SAP ECC, Oracle EBS, NetSuite, Salesforce, and SuccessFactors, along with 140+ other business applications. The access data is analyzed and used to provide business-friendly insights into access controls. 

  • Access Certification Campaigns: Pathlock automates user access reviews across SAP and other critical business applications, enabling responsible persons (such as user managers or application owners) to perform scheduled or ad-hoc reviews of the current user access and auto-deprovision inappropriate access.  
  • Segregation of Duties Enforcement: Pathlock enables compliance teams to detect and remediate conflicting SOD and critical access risks for a single application well as cross-applications. 
  • Compliant User Provisioning: Pathlock automates the process for provisioning permanent and temporary access along with access risk simulation and auditable approval workflows.  
  • Emergency Access Management: Pathlock also has the ability to manage privileged accounts and firefighter credentials with audit review of user activity as well as alerting and prevention ofn unexpected and /unauthorized activities.  

Want to learn more?  Request a demo of Pathlock today to explore how you can enable Access Governance across the enterprise!