CTB, Inc. Improves Security Audits With Pathlock’s Access Analysis

Overview & Challenge

As a Berkshire Hathaway company, CTB, Inc. is required to audit its JD Edwards World security quarterly to ensure that its 650 users have appropriate access. The company also has annual external audits.

“Preparing for our audits was a nightmare,” says Jennifer Leatherman, Director of Business Systems. He added that was a moving target because their auditors look at something different every time. So they were usually reactive, focusing on the findings of the last audit to make sure the same issues didn’t come up again.

Their team was always worried about the JDE security. They found it difficult to pinpoint the weaknesses and decided to focus on Segregation of Duties. Leatherman worked with CTB’s accounting group to identify the key SoD rules. They defined a basic set of rules covering Purchase to Pay, Order to Cash and more. They knew they were only covering the basics. However, they lacked an access analysis solution and would only take measures when something showed up in an audit. Reviewing security was very time-consuming for the CTB team because:

• While identifying SoD issues and generating reports, they ended up with pages of information that was difficult to interpret.
• Their auditors insisted that they needed to shift the responsibility for reviewing security to their business controllers, rather than the IT team.

These led to further challenges. The controllers didn’t understand JDE security and found it difficult to work with the reports. Finance responsibilities always took precedence, so it usually took about six weeks to complete each quarterly audit. The situation grew even worse when they upgraded from A7.3 to A9.3 and moved towards Role-based security. The transition proved to be very challenging, and it took the CTB team a lot of effort through 2017/18 to get their security into a manageable state. By then, they were on A9.4 and tried reporting with a third-party tool. This made report generation easier, but they still weren’t getting actionable insights.

“We could keep using our own reports and facing the same old problems; we could try and set up our own rules in A9.4, but we still didn’t have a good handle on what needed to be segregated. So we decided on the other option: implement a third-party auditing solution.”

– Jennifer Leatherman, Director of Business Systems, CTB

Solution

At INFOCUS 2018, Leatherman attended a session about Pathlock’s Access Analysis solution and wanted to explore further.

“It was a real eye-opener for us to realize how many security gaps we were overlooking because we didn’t know about them. Whereas with on-premise solutions we’d have the effort and expense of installing, implementing, and managing the software in-house, Access Analysis doesn’t need any of that, and the monthly subscription is very affordable. It was so easy to install, and after one day’s training, we were off and running. All I have to do is request an audit and get the results within 48 hours.”

– Jennifer Leatherman, Director of Business Systems, CTB

Pathlock automates the SoD analysis using a comprehensive set of seeded rules, and the team was surprised to see that it uncovered thousands of issues they could not identify earlier. Some of these occurred because the IT team had access to all areas of the system, but others highlighted areas where non-IT users had potentially risky access combinations. It tested for many things that they hadn’t even considered. For example, why would you allow someone who can adjust inventory to key in cycle counts?

The drill-down capabilities of Access Analysis make it easy for the controllers to see who can access what. They log in to review the results for the users in their own Business Units. If they see that someone has inappropriate access, they just request IT to make the changes.

“It’s very easy to understand what’s causing SoD violations – you just click on the user to find out the specific rule, the applications, and the security settings that are in conflict.”

– Jennifer Leatherman, Director of Business Systems, CTB

Pathlock Access Analysis goes a lot further than SoD. It reports on a host of other useful items, such as users with access to Critical Objects that should be restricted, as well as many general security metrics. For example, a lot of people had Function Key security when they upgraded to A9.3. To overcome difficulties, they gave access to people so they could do their job, but often, they did not revoke it later.

Leatherman found that the summarized audit report was also very useful.

“It’s like a scorecard that shows you issues you need to clean up, and it gives you the information that you need to fix them; for example, too many people have *Public access, or these users are not assigned to any groups. And it’s great to be able to demonstrate our progress when the numbers go down in subsequent audits.”

– Jennifer Leatherman, Director of Business Systems, CTB

Results

• For every quarterly audit, it used to take at least five days to collate all the relevant information and produce the reports to send out to the controllers for review. Now the team just logs in to Access Analysis to request an audit and the results are available within 48 hours.

• The business controllers spend much less time reviewing the reports, so they can turn them around much faster. Previously, the audit cycle could take up to six weeks. During the last audit, they all responded within a week.
• In the first 6 months of using Access Analysis, CTB has reduced the overall number of security issues by 50%.
• With Pathlock, they can analyze SoD much more rigorously and perform a comprehensive security audit across the whole system, enabling them to be proactive, rather than just focusing on the specific areas that had arisen in previous audit findings.
• The team now feels a lot better prepared for their audits and believes that the auditors will be impressed with the progress they’ve made.