As a Berkshire Hathaway company, CTB, Inc. is required to audit its JD Edwards World security quarterly to ensure that its 650 users have appropriate access. The company also has annual external audits.
“Preparing for our audits was a nightmare,” says Jennifer Leatherman, Director of Business Systems. She added that it was a moving target because the auditors looked at something different every time. As a result the team was usually reactive, focusing on the findings of the last audit to make sure the same issues didn’t come up again.
The team was always worried about JDE security. They found it difficult to pinpoint the weaknesses and decided to focus on Segregation of Duties (SoD). Leatherman worked with CTB’s accounting group to identify the key SoD rules. They defined a basic set of rules covering Purchase to Pay, Order to Cash and more, knowing they were only covering the basics. However, they lacked an access analysis solution and would only take measures when something showed up in an audit. Reviewing security was very time-consuming for the CTB team because:
These led to further challenges. The controllers didn’t understand JDE security and found it difficult to work with the reports. Finance responsibilities always took precedence, so it usually took about six weeks to complete each quarterly audit. The situation grew even worse when they upgraded from A7.3 to A9.3 and moved towards Role-based security. The transition proved to be very challenging, and it took the CTB team a lot of effort through 2017/18 to get their security into a manageable state. By then, they were on A9.4 and tried reporting with a third-party tool. This made report generation easier, but they still weren’t getting actionable insights.
“We could keep using our own reports and facing the same old problems; we could try and set up our own rules in A9.4, but we still didn’t have a good handle on what needed to be segregated. So we decided on the other option: implement a third-party auditing solution.” – Jennifer Leatherman, Director of Business Systems, CTB
At INFOCUS 2018, Leatherman attended a session about Pathlock’s Access Analysis solution and wanted to explore further.
“It was a real eye-opener for us to realize how many security gaps we were overlooking because we didn’t know about them. Whereas with on-premise solutions we’d have the effort and expense of installing, implementing, and managing the software in-house, Access Analysis doesn’t need any of that, and the monthly subscription is very affordable. It was so easy to install, and after one day’s training, we were off and running. All I have to do is request an audit and get the results within 48 hours.” – Jennifer Leatherman, Director of Business Systems, CTB
Pathlock automates the SoD analysis using a comprehensive set of seeded rules, and the team was surprised to see that it uncovered thousands of issues they could not identify earlier. Some of these occurred because the IT team had access to all areas of the system, but others highlighted areas where non-IT users had potentially risky access combinations. It tested for many things that they hadn’t even considered. For example, why would you allow someone who can adjust inventory to key in cycle counts?
The drill-down capabilities of Access Analysis make it easy for the controllers to see who can access what. They log in to review the results for the users in their own Business Units. If they see that someone has inappropriate access, they just request IT to make the changes.
“It’s very easy to understand what’s causing SoD violations – you just click on the user to find out the specific rule, the applications, and the security settings that are in conflict.” – Jennifer Leatherman, Director of Business Systems, CTB
Pathlock Access Analysis goes a lot further than SoD. It reports on a host of other useful items, such as users with access to Critical Objects that should be restricted, as well as many general security metrics. For example, many users still had Function Key security dating from the A9.3 upgrade: access had been granted so people could do their jobs during the transition, but it was often never revoked afterwards.
Leatherman found that the summarized audit report was also very useful.
“It’s like a scorecard that shows you issues you need to clean up, and it gives you the information that you need to fix them; for example, too many people have *Public access, or these users are not assigned to any groups. And it’s great to be able to demonstrate our progress when the numbers go down in subsequent audits.” – Jennifer Leatherman, Director of Business Systems, CTB
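The rule-based SoD check and per-user drill-down described above (rule, conflicting applications, and the group or user-level setting that grants each one), together with the “users not assigned to any groups” scorecard metric, as an added illustration that is not Pathlock’s code or CTB’s data. All users, groups, program names and rules below are constructed for the example and are not JD Edwards identifiers.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class SodRule:
    rule_id: str
    name: str
    left: str    # first conflicting program
    right: str   # second conflicting program

# Constructed access model (not JDE data): group -> programs, user -> groups,
# user -> direct grants. *PUBLIC applies to every user.
GROUP_ACCESS = {
    "INV_CLERK": {"CYCLE_COUNT", "ITEM_INQUIRY"},
    "INV_SUPER": {"INV_ADJUST", "ITEM_INQUIRY"},
    "AP_CLERK": {"VOUCHER_ENTRY"},
    "IT_ADMIN": {"CYCLE_COUNT", "INV_ADJUST", "VOUCHER_ENTRY", "PAYMENT_RUN"},
    "*PUBLIC": {"ITEM_INQUIRY"},
}
USER_GROUPS = {"jdoe": {"INV_CLERK"}, "asmith": {"INV_CLERK", "INV_SUPER"},
               "bjones": {"AP_CLERK"}, "itops": {"IT_ADMIN"}, "tmp01": set()}
USER_DIRECT = {"bjones": {"PAYMENT_RUN"}}  # user-level grant that bypasses groups
RULES = [
    SodRule("SOD-01", "Adjust inventory vs. key in cycle counts", "INV_ADJUST", "CYCLE_COUNT"),
    SodRule("SOD-02", "Enter vouchers vs. run payments", "VOUCHER_ENTRY", "PAYMENT_RUN"),
]

def effective_access(user):
    """Map each program the user can reach to the sources granting it."""
    sources = defaultdict(set)
    for grp in USER_GROUPS.get(user, set()) | {"*PUBLIC"}:
        for prog in GROUP_ACCESS.get(grp, set()):
            sources[prog].add(grp)
    for prog in USER_DIRECT.get(user, set()):
        sources[prog].add("USER")
    return sources

def sod_violations(user):
    """Drill-down per hit: rule, the two conflicting programs, and who granted each."""
    access = effective_access(user)
    return [{"rule": r.rule_id, "name": r.name,
             r.left: sorted(access[r.left]), r.right: sorted(access[r.right])}
            for r in RULES if r.left in access and r.right in access]

def audit_all():
    """Scorecard input: violations per user, plus users not assigned to any group."""
    report = {u: sod_violations(u) for u in USER_GROUPS}
    no_group = sorted(u for u, g in USER_GROUPS.items() if not g)
    return report, no_group
```

Running `audit_all()` flags `asmith` (two inventory groups that are harmless alone but conflict together), `bjones` (a direct grant combined with a group grant) and the all-access IT account, while `jdoe` and the group-less `tmp01` pass.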