The landscape of cyber security has seen a dramatic shift in recent years, with privilege abuse emerging as a central concern. This concern is amplified for SAP Ariba, considering its prominence in managing sensitive financial processes. A staggering 90% of security incidents involve some form of malicious privilege abuse, as reported by IBM Security Services in 2020. This stark reality necessitates heightened vigilance and proactive strategies to mitigate privileged user risks within Ariba. Every Ariba customer must be prepared to demonstrate a comprehensive approach to monitoring, controlling, and mitigating these risks, particularly when facing auditor scrutiny.
Regardless of how risky privileged access is, having an “ALL” access is critical for various reasons. Applications need to be tested, upgraded, patched, customized, and modified. These activities, in many cases, require full access to the application. Unfortunately, SAP Ariba does not grant customers the needed capabilities to monitor and control superusers.
Since most Ariba customers are also SAP customers, the controls, processes, and policies that are targeted toward achieving compliance are housed and enforced using SAP Access Control (SAP AC). SAP Ariba, however, operates outside the purview of SAP AC, giving SAP customers no oversight on privileged Ariba users.
What about transaction logs? Like most cloud applications, SAP Ariba also maintains logs. But to answer questions posed by audit, customers need to go through thousands of rows of log data to find the relevant entries that prove compliance and satisfy audit inquiries. This calls for significant time, involvement, and effort from your internal audit team and application owners.
To sum it up, Ariba’s privileged users are granted unlimited access without any supervision, controls, or monitoring. This is a significant security and audit concern as it creates opportunities for various threats and fraudulent activities within an application that plays a central role in your organization’s procurement.
When access to the rest of your ABAP-based applications is governed by SAP Access Control, cloud solutions like Ariba are left out of the scope of compliance. Connecting SAP AC with cloud applications like Ariba demands considerable technical proficiency. The procedure typically entails the establishment of connectors, the oversight of user mappings, and the configuration of access controls. The other option is to monitor privileged Ariba users manually which isn’t practical.
Pathlock offers a simple yet efficient integration that enables you to provision, control, manage, and monitor Ariba superusers. A detailed log review that is maintained via Pathlock Cloud provides privileged access log reviewers with a single interface to manage all privileged sessions in Ariba and other cloud applications. It also alerts security teams if privileged users perform a policy violation. Additionally, the integration ensures audit readiness (out-of-the-box) with reports that meet internal and external audit requirements.
Along with privileged user management, Pathlock also enables you to extend processes like provisioning, access certifications, separation of duties, and policy enforcement to SAP Ariba, saving your IT administrators, business owners, and audit teams from the time and effort required to make Ariba secure and compliant.
Learn more about extending SAP Access Control to mitigate privileged Ariba user risks and gain consistent compliance across applications. Get in touch with us for a demo.
Related reading: Managing Separation of Duties in Ariba Using SAP Access Control
Share
Managing user identities and access privileges across multi...
As organizations transition to modern, cloud-centric enviro...
When it comes to granting access, following the principle o...
In today's dynamic business environments, maintaining secur...