Webinar Recording

Transforming Governance, Security and Compliance

The number of companies investing in modern “Big Data”-type SAP products and cloud-based SAP deployment models is growing constantly. Having formerly been stored in standalone database silos, SAP information from CRM, ERP etc. for Big Data deployments is now being migrated to a central high-volume and high-performance database. Deploying traditional SAP environments in the cloud and leveraging new cloud-based SAP applications introduce new groups of customers to SAP services and shift the focus of existing SAP users.

Good morning or good afternoon, ladies and gentlemen, welcome to this webinar, Transforming Governance, Security and Compliance: New Strategies for Securing Modern SAP Technology Approaches like HANA. This webinar is supported by Saviynt. The speaker today is me; my name is Matthias, I'm Senior Analyst with KuppingerCole, and I will be presenting the first part of the webinar and doing the moderation. In the second part, Amit, COO of Saviynt, will join us. Before we start, some housekeeping, and of course some general information about KuppingerCole. As an analyst company, KuppingerCole is providing enterprise IT research, advisory services, decision support and networking for IT professionals. We do this through our research services, where we provide several types of documents, including our Leadership Compass documents comparing market segments, Advisory Notes looking at various topics, vendor reports, Executive Views, et cetera. We do this through our advisory services, where we provide advisory to end-user organizations and to vendors.
And we do this through our events like webinars or seminars, and our main event is the EIC, the European Identity and Cloud Conference. This year's EIC has been held just two weeks ago in Munich, and in case you've missed it, I highly recommend checking out our website. Some of the brilliant keynotes are available as online videos, and you should really check them out. Please consider having a look at our website for all our events, our seminars and upcoming webinars. The guidelines for the webinar: you are muted centrally, so you don't have to take care of this. We are recording this webinar, with the recording and the slide deck going online on our website tomorrow. And, important: there will be a Q&A session at the end of the webinar, but you as the participants can enter your questions during the presentations at any time using the questions panel of the GoToWebinar software. Please do so, so that we can really start the Q&A session right away with a good set of your questions.
The agenda for today consists of three parts. The first part will be my introduction as an analyst, an introduction into cloud and big data with SAP: the benefits, the challenges and the security requirements. Then Amit will take over, and he will have a closer look at designing and implementing security solutions for S/4HANA and other critical cloud and enterprise applications, for SAP and beyond. And part three will be, as I already mentioned, the question and answer section, where we will answer your questions later on. So please enter your questions whenever they arise during the webinar.
So that's it for the introduction, and let's start with our first part, which is my part. First, a historical view at traditional enterprise software. You all know that this enterprise software, which is often of high importance to the organization, comprises various components: enterprise resource planning software; the human resources system, which is one of the key management platforms within an enterprise; business intelligence software, which provides additional insight into your business processes; customer relationship management, which is an important part when you are dealing with your end customers, with tickets and with support; supply chain management as a major functionality for your supply chain; and many others. All these types of software were traditionally also delivered by SAP and other vendors, and these were traditionally held on premises. As they were held on premises, cybersecurity for those systems was always defined in analogy to conventional security. So the first assumption was that cybersecurity is possible and that cybersecurity breaches can be prevented as long as you spend enough effort. There was a clearly defined attack surface because everything was on premises, so the SAP subsystems were subject to attacks either by the malicious insider or by external attackers; those were the two main attack surfaces. One important factor was perimeter protection: firewalls and the protection of on-premises IT through network segmentation. And the main idea was to keep the bad guys shut out.
We all know that in the meantime enterprises have changed, and enterprise environments and applications for enterprises have changed in various ways. So today's SAP systems are no longer only on premises. They are distributed platforms, and SAP is running in hybrid environments. And although they're still running on premises, this has changed completely: we are looking at virtualized platforms on premises; we are looking at enterprise applications which are really changing their purpose and their functionality, extending it to areas where they have never been; and we have other people and other users actually accessing the SAP systems on premises. These might be employees, as traditionally, but also partners and even customers and consumers who work with your systems on premises. So there has to be an adequate level of security for that as well. We are looking, of course, at the era of IoT, the Internet of Things, and this moves SAP into environments where they're actually operating at internet scale.
So we are no longer talking about 20,000 or 30,000 users for large deployments, but we're looking at billions of potential devices within such a system. Of course, we are looking at the area of mobile communications, with various types of devices being used by end users and by the users within organizations. So we have different types of devices, ranging from smartphones to tablets, to notebooks and many others, and they actually access your SAP enterprise application, for example with Fiori applications. An important factor is that you no longer know which type of device they are using unless you take further steps, probably with managed devices. So bring your own device is also at your front door, and this needs to be handled adequately. And last but not least, and this is something that we will talk about later, is of course the cloud and all the changing offerings by vendors like SAP when it comes to software as a service, but also as a platform for new types of platform deployment.
If we talk about cloud and we talk about SAP, we know that there is a vast range of solutions available from SAP, and all of this has to be handled adequately when it comes to enterprise security. I will pick out HANA as an important factor within that. So actually HANA is not only a new piece of software, it's actually a new platform paradigm. And it started out only a few years ago; we are talking about 2007 or 2008, when actually a new platform was designed from scratch. It was entitled High-Performance Analytic Appliance, or nicknamed Hasso's New Architecture. But at its core it was an in-memory database which aimed at very high performance, and it was aimed at processing big data, so large amounts of data constantly changing. Today, just a few years later, if we're thinking of the calendar it's eight years or something like that, we have a completely changed environment when we look at SAP environments.
So as of now, HANA is a platform for both transactional and analytical use: real-time business and analytics based on existing information, OLTP and/or business intelligence and analytics. With this platform, apart from many other solutions, today we are able to use HANA enterprise platform managed services. So we are moving our existing platforms, ERP, BI, CRM, into the cloud on top of a HANA Enterprise Cloud service. And HANA Cloud Platform is also provided as a platform as a service to give access to the database, to the in-memory analytics, for designing completely new solutions on top of this new platform. One of the most important recent steps was the publication of the SAP Business Suite for SAP HANA, which is SAP S/4HANA. And this is something that Amit will have a closer look at later on, because this is a real challenge for traditional and for upcoming security scenarios.
If you have a closer look at SAP HANA, the concept is quite twofold. On the one hand, we have the database, the traditional database: when we look at a HANA enterprise, we still can talk SQL to the database, and we have a complete high-performance solution for data processing, but also for application services and data integration services. And, very important, the solution is designed from the ground up to be multi-tenant. So we have a large-scale, high-performance, multi-tenant database system. But HANA, on the other hand, is actually also an application platform. So it is, on the one hand, a built-in application server which can be accessed by HTTP and via the Open Data Protocol, and it allows you to create extended application services as a separate component. This changes the landscape completely: it's no longer only a platform for database processing, but it is also a platform for developing and running applications.
So when we look at example scenarios which are possible with these components, then we have various opportunities to deploy this, and a few of them are described here as example scenarios. One would be the three-tier application, the traditional database role with an application platform on top of that. We could have an additional application on SAP HANA Extended Application Services, as described here, so we really run the application within the cloud platform, which is HANA. So we have an application server in various scenarios, and we have various types of integrated scenarios, for example a reporting deployment based on ERP or BW data, which might then help in providing deeper insight into existing data. And the final solution that I want to show as an example here is the data mart solution, which is the scenario for individually designed analytic reporting, where people can really leverage the power of HANA for their own new business deployments and business processes.
So when we look at that, we see that this is no longer the traditional enterprise application that we were used to from systems like SAP, say, 10 years ago. It is much more an enabler for emerging technologies than it has been before. This means we are looking into the integration of customers and consumers, so new types of users, with everything that comes with it, from social login and social media. We are looking into the area of mobility: we will have, and we do have, mobile applications which interact with HANA systems through open protocols, based on the traditional platforms like iOS, Android or Windows Phone. We have, of course, HANA as an enabler for actual deployment of big data scenarios, and this leads to advanced analytics. And this is really an enabler for new customers also looking into SAP HANA, and thus into SAP for their solutions in general. The cloud and SAP HANA are a platform for actually getting a faster time to market, for achieving faster deployment, design and implementation of solutions than before.
And it might lead, and we can see that in various scenarios already, to the decline of traditional data centers. So I think this move away from traditional technologies over to emerging technologies is also something that needs to be covered by adequate security, and I know that Amit will have a closer look at that. This leads actually to multidimensional changes, to many types of changes, which all contribute to a constantly changing and evolving application environment when we look at SAP environments. If you look at the technological changes, we have seen some of them already by now, and this is very important to understand how applications are deployed as of now and in the future. So we have a shifting focus within an existing user organization. We are always talking about the digital transformation, but actually these tools are the basis for achieving that.
And for shifting the focus when it comes to using the existing platforms and additional platforms amending the functionality. So we have a real shift in the focus for users who have been using SAP probably for 10 or more years, and we have a changing infrastructure landscape. We are moving from traditional on-premises infrastructure to the cloud, to hybrid environments, to IDPs in various scenarios. So it's really changing, and it's getting more hybrid. This reflects directly also changing business processes, with more customer and consumer involvement, with direct channels to your supply chain and to your partners and all the companies that you're working closely together with. On the other hand, this gets more international, and this might lead to changing legal and regulatory requirements: on the one hand within your own country, and we're talking about the changing EU data protection landscape; on the other hand, we have lots of business regulations that need to be adhered to, and this is an important factor for many organizations, and most probably the cloud can actually help in achieving this. And an important factor is that we see new user organizations, who probably never thought of moving to SAP as one of their core platforms, actually looking into using these software solutions, and this will be a new type of enterprise application.
So if you look into cybersecurity for enterprise applications in general, this mainly means achieving security, applying risk management and achieving compliance with the requirements that are raised towards you. On the one hand, we have technology challenges, and these are directly derived from what we've been talking about before. The second is that we have these regulatory requirements in various combinations, and this might add up to a large set of requirements, especially when you are a multinational or global organization providing services based on cloud infrastructures. So we have an additional set of legal requirements, which are actually national or, for example, EU-based, on top of this. Very important: many organizations understand that only fulfilling legal and regulatory requirements is not enough; working through the auditor is mainly boring and tedious. They understand that implementing, defining and actually leveraging corporate policies for achieving their business goals, and for actually maintaining an adequate level of privacy or security, is actually an asset that they should maintain. All this combines into the requirements for cybersecurity for enterprise applications. And of course the last part is the evil internet out there. So if we are actually working within a cloud-based scenario, we are thrown into a rather hostile environment. That means we have to make sure that all these aspects, including an adequate response to the ever-changing threat landscape, are in place.
If you look into enterprise application security, and we looked at that from an SAP environment, we are typically thinking of the traditional aspects that solutions like, for example, GRC Access Control are looking into. So it's access governance; it's all that is connected with roles and with individual entitlements, with recertification, with SoD and a risk-based approach towards critical privileges. But today, in a changing application environment, this is not enough. We need much more. And we are just having a short look at what is also relevant for providing an adequate level of SAP security in this changing cloud environment before I hand over to Amit. So this is my last slide, and I would like then to hand over. But just to have a short introduction of what we might have to look at: there is, of course, the factor of privileged accounts.
So who are the people who actually administer the system from a technological point of view and, from the business point of view, who can add customers and partners, who can create new product families within the system? We have to look at platform security, so everything that goes from the hardware to the operating system and up to the individual deployed solution. We are looking into the system landscape, so the combination of all the SAP systems that together form your SAP system landscape; it's a more infrastructure-oriented, a more holistic approach. We are looking at network security. Of course, we have to make sure that everything that we protect in the traditional environment also needs to be protected in a cloud environment, and this is also true for SAP. Of course, we are looking into very interesting aspects like user activity monitoring: understanding what people do, if they do what we expect them to do, or if we can identify outlier behavior.
And we're looking at code security: understanding what our homemade or acquired code is actually doing, and if it is developed in a secure manner. There are various platforms that we have to look at, including SAP HANA. We have to look at mobile security and all the devices that we're looking into, and we have to look at that also for the new SAP platforms like the mobile platforms. And my last point on that slide, and my final slide, is the integration with enterprise security: understanding that SAP enterprise infrastructures are part of a bigger construct, which is the enterprise application framework, and that we have to look at this framework from a more global point of view by integrating SAP into systems that provide functionality for real-time security, or SIEM, and are all operated, hopefully, within one central SOC. And with this set of open questions, I would like to hand over to Amit. I'm really interested in seeing what his experiences are when it comes to modern SAP security. And first of all, for my last part: please don't forget to add your questions to the questions panel so that we can answer them in the Q&A session. Amit, are you there?
Yes, Matthias, yes, I'm here. Thanks, Matthias, for the great introduction. I think you touched upon the right points here: the S/4HANA introduction within an enterprise is changing the technology landscape, as well as introducing a lot more changes when it comes to security itself. What I wanted to touch upon through my slides is to really talk about what changes from a security standpoint, because we are no longer limited to transaction codes or authorization objects; the security model is different. And more importantly, like you alluded to, because S/4 is hosted on cloud or can be accessed through mobile devices. So obviously, with the changing landscape for SAP, the security model has changed when we look at moving away from transaction codes and authorization objects and moving more toward a privilege design model.
And I will talk about that in detail. However, one thing I wanted to really touch upon was: given that SAP was limited to enterprise boundaries, or the traditional perimeter security, it was probably okay for security to be an afterthought, right? However, in the case of S/4, because your solution could already be on the cloud, or it could be accessed from mobile devices which might not even be your corporate devices, it has to be made clear that security has to be looked at from the ground up. It is no longer an afterthought; you should look at building security into your implementation right from the start. So let's look at what has changed from a security standpoint for S/4 and then look at options for how we secure it. This is a very high-level, simplified architecture of S/4. Obviously we have HANA as the backend system, and like Matthias pointed out, there are two flavors of the HANA implementation itself.
One is the traditional database, where organizations are replacing their Oracle or other database platforms with HANA as a traditional database. And then, more interestingly, you have HANA as an application platform, and that introduces a different set of challenges when it comes to security. All data in HANA is exposed through different types of views, and all three types of views are secured by what HANA calls privileges and a hierarchical HANA role model. If you look at the privileges here, we are depicting at least six types of privileges, but there could be different types; for example, within analytical privileges you have the dynamic and static analytical privileges, you have XML-based privileges, and so on and so forth. So there is a lot of complexity when it comes to HANA's native security model itself. And on top of that, you have got two different implementations, or two different mechanisms, of extracting this data out of HANA.
You have the traditional SAP applications like ECC, HR, SCM, all accessing it through the traditional JDBC/BAPI mode, consuming the data from those different views, and they interpret or leverage privileges in a different way as compared to the new-generation Fiori and S/4 apps that SAP is launching. Those use the views in a completely different way, where the privilege model is much more prevalent. Similarly, because HANA is the next-generation enterprise data warehouse, you will also have, if not now then later down the line, a lot of enterprise applications also accessing the database itself. So given that there are two different types of models of HANA system, like I said, they present different types of security challenges, and I have just noted some of those here. The first one is in terms of: even though I have built my SAP applications on top of HANA and I have deployed them.
If you recall, natively SAP applications use the transaction codes and authorization objects to manage their entire security; you have got your segregation of duties all built around managing these kinds of entitlements. However, with HANA coming in the backend, what we will quickly realize is that although SAP provides a great tool, which is the HANA Live Authorization Assistant, which automatically translates your existing roles or objects into the HANA privileges and provides an out-of-the-box mapping, it runs short when you have custom objects or custom transaction codes defined within your SAP platform. The Authorization Assistant is unable to do that. That means whenever you have custom objects defined in your SAP platform, which is the normal case, you need to be able to map those manually, the transaction codes and authorization objects, to the different privileges. Similarly, when we look at it from the top-down standpoint, you have got Fiori, and Fiori now uses a NetWeaver Gateway architecture, and it supports both coarse-grained and a certain amount of fine-grained authorization as well within the app.
Now all of these also need to be translated to the different types of privileges. So one of the big challenges that we are seeing organizations ask about is: how do I really design an authorization model that can easily scale from the fine-grained traditional model of transaction codes and authorization objects? How do I leverage that, as well as how do I seamlessly extend that authorization model to encompass the coarse-grained authorization models that Fiori and S/4 apps are using, similar to what we call the net rules? There has to be a very simplified mechanism where I can maintain this mapping in one single place. On top of that, what you will see is that there are limitations in the current solution provided in terms of how I really manage my privileged access or emergency access to SAP. And just to extend to the different types of users when it comes to SAP itself: what we have realized is that when we talk about HANA and its two different implementation models, they themselves present two different entitlement or privilege models when it comes to SAP HANA itself.
So on the left-hand side, what you'll see here is: if I am using SAP HANA as a traditional database, then predominantly the users who will access my HANA system would be the technical users who are performing DBA activities, or application accounts who are actually logging on to HANA and consuming their data. The privileges that they will typically use are the system, object, application and package privileges, as they need to maintain the HANA database and as they need to consume data from the HANA database. However, when we extend HANA as an application platform, as you start building your applications and directly interface with the HANA database, you will see that you are quickly extending and getting into the realm of attribute-based access control, or context-based access control, with the introduction of dynamic analytical privileges. And we will look at how we go about securing it, right?
And this is where HANA typically has business users logging on to its repository and directly consuming the data. But in a sense, all types of user access are very critical when it comes to the HANA repository; each has got its own ways in terms of how they address and access the repository itself. So let's now look at how we go about securing the HANA platform itself. What we have done is simplified the whole security management into three capabilities. The first one is to start with providing visibility into the HANA repository itself, to figure out who actually has access to my HANA repository. It might be an existing application implementation, or it might be a new implementation of HANA that you are doing. But the first step is to have complete visibility into the HANA repository in terms of who has access to my different tables, different views within HANA, and, more importantly, what they are doing with the access that has been granted to them.
So that then I can identify where my risks are, who my riskiest users are, and which users have got access to my critical data within the repository. Once we go through the visibility phase, the second phase is around protection. Here we are looking at bringing in all the best practices that you would have implemented as part of your SAP system: things like segregation of duty management, emergency access or firefighter access management, as well as the whole privilege design management. So this is where we bring in all those capabilities from a preventive or proactive security management standpoint. And then, last but not least, is the manage phase, which is: how do I ensure that my system stays current, that it is always kept clean, that I don't have rogue access in my HANA environment, and how do I stay ahead of the security challenges that keep cropping up within my HANA platform?
So with these three topics in mind, let's start with the first one, in terms of how we go about bringing visibility into the HANA platform. For this, what we have seen organizations do is really go back to the roots and build what we call a security warehouse. The intent here is: you have SAP as the core platform, which in and of itself has got a whole set of applications, and you have one repository for SAP. Then, on the other side, you have non-SAP systems, and you used to have different ID stores for those non-SAP systems. I think from a next-generation standpoint it is essential to bring all of these different entitlements and privileges into one single place, so that you can address security in a uniform and cohesive manner across all these different platforms, and create what we call a single pane of glass of users, access and user activity across enterprise as well as cloud applications.
So in this case, what we have enabled organizations to do is not only bring in their SAP access details like the transaction codes, authorization objects and the roles, but, more importantly, also the activity data. Things like the firefighter logs, the SM20 logs, as well as the different configuration parameters, the QDS B, the C PS and the monitorable logs, are what we are bringing into the security warehouse. In addition, we are bringing in the HANA roles and the different types of privileges that you would have already designed using something like HANA Studio. And, more importantly, you are also bringing the Fiori or the Gateway entitlements and roles into the same platform. In the same vein, you would like to maintain a copy of your other SAP or non-SAP cloud and enterprise applications also in the same security warehouse.
So that all the effort that I am putting in to build my roles or to design and enforce my segregation of duty policies is applied more consistently across all these different applications. So the security warehouse is the cornerstone of the overall platform. Once you have built this out, the second thing is to identify where my risks are, where my security gaps are, and for this, what we have seen organizations do is leverage what we call a best-practices security and compliance controls framework, which in essence has got a whole set of controls to identify who the users are who have got privileged access. And not only that, but who has excessive access as compared to their peers, or who are the users who are still active in my SAP or HANA system but have either been terminated in my HR system, or I am not able to even identify who the owner of that particular account is. Right? So how do I start off by cleaning my existing deposit of risk, so that even if I'm deploying HANA as a new platform, introducing it as a new platform in my enterprise, or if HANA is already present, the attempt is to clean it so that you can then enforce the policies in a more effective manner.
So once we have started with the visibility and ensuring that we have a cleaning platform to build upon the security controls, that's when the next step comes in play. So what we have observed is a lot of organizations have spent number of years, building out and really fine tuning their SAP segregation of beauty sets. What it essentially is that they have customized the rule sets to include their custom transactions, sorry, custom authorization objects, and ensure that they have, you know, these are tailored made to their compliance requirements. So one thing that we have looked organizations do is introduce the concept of business functions. So essentially a risk constitutes two or more business functions that should not belong to one single user, or they should not be performed by the user on the same transaction at the same time. And those functions in turn are mapped to the authorization objects and values within SAP.
So how do we extend this? The intent here is how we need to seamlessly extend this to both Hannah and fury applications. And in this case with the abstraction that the business functions provide, we have enabled organizations extend those business functions to include now privileges. These intern could be either your system or analytical privileges. So these could be your basis type users, or could be your business type user privileges that we have included into the same business function. Now, I have got one rule set that can, that is not only addressing SAP security requirements, but also Hannah authorization model as well. And in the same way, we can also automatically derive the privileges or, you know, the risks as it comes to fury applications. What I mean by this is fury applications in the backend, you are using all the old data services, which in turn are calling the, you know, the B the BPI calls and using the traditional authorization objects.
What we have helped organizations do is take a bottom-up approach to look at those authorization objects, see which business functions they map to, correlate that to the Fiori apps or the tiles that Fiori exposes, and then build an all-encompassing rule set that, you know, now is more comprehensive, and you have one rule set for both my SAP systems as well as my HANA and Fiori applications going forward. And all of this is achieved by extending this abstraction of business functions. And the great thing is that these business functions can also be extended to even non-ERP systems or other ERP systems that I might have in my environment, or cloud applications for that matter, and really, you know, simplify the SoD management within an organization. Another important aspect that we have seen organizations really leverage is, you know, the SAP HANA Live authorization assistant. Like I said, it works great when you have out-of-the-box codes and objects, and it provides you the out-of-the-box mapping to the HANA privileges in the back end.
However, the moment you have your sidecar applications, or the moment you have your own Fiori applications and you are adding your custom views on top, so I think, you know, one of the key things that we have enabled organizations to do is to really derive the existing authorization object model that they have defined in SAP and extend that to automatically build the dynamic analytical privileges in the HANA system. And as part of that, we have leveraged what we call context-based or attribute-based access control policies. I have included some examples out here where, you know, what we are essentially saying is: if a user has access to a particular SAP role, or if a user has access to a particular transaction code that has got, you know, VA01, VA02 and VA03 values, then the person needs to have access to a particular view in SAP. And the data that the person can see is automatically derived from the SAP authorization object, which is the BUKRS value in this case.
And then what we have helped organizations do is leverage those BUKRS values, the lookup of those BUKRS values from the system in real time, without really impacting performance. So that is one of the, you know, great challenges that we have overcome in terms of really extending the HANA Live authorization assistant framework, and use that to drive, you know, security management within your custom applications as well. Okay. Now, moving on, you know, one of the other things that has been very extensively looked at by the auditors is firefighter access management for SAP. This is one of the, you know, most frequently audited aspects. They usually ask for a lot of audit reports, evidence that you have the right controls in place. So one of the things that we have observed within the HANA platform itself is that, you know, and this is one of the best practices, is to stay away from using catalog or runtime roles to define the HANA privileges.
And the reason behind that is, if users are, or if my administrators are using catalog roles, building out those catalog roles, and if I then end up deprovisioning that administrator's access, because of this tight linking of the creator of those roles to the user who has created those roles, anytime I drop those users or the creators, it automatically goes and deprovisions all the roles and the authorization model that I would have created in SAP. So a word of caution here is to move away from catalog roles and move to repository roles. And more importantly, also build a framework, or extend your SAP firefighter management or emergency access framework, to also encompass HANA access. Another perspective that we have observed in this space is to move away from leveraging firefighter IDs and rather move towards what we call firefighter roles. And the reason behind this is, when a user requests temporary access to firefighter IDs, all the audit logs that are created are generated with the firefighter ID instead of the end user itself.
That means I now have to correlate between two different platforms: the audit logs coming in from the SAP or the HANA system, which have the firefighter ID doing the activity, and correlate that back to the actual user who requested and who got approved for that firefighter access. So instead of, you know, doing all this correlation, another word of best practice would be to move to firefighter roles, where the user assumes elevated access within the HANA system itself, so that it's much easier for you to correlate and identify any vulnerabilities in my environment. Another great aspect is to really leverage an enterprise-wide role-based access control framework. The reason behind this is that now we are dealing with different depths or different levels of access roles. You have really fine-grained, as well as composite and single roles that you have built out in the system. And then you have the HANA roles, which have privileges underneath them.
And you also have coarse-grained roles that you might be building for your applications. So this really is a great time to look at an enterprise-grade role management engine, where you are able to define those enterprise or functional roles that can seamlessly cover both fine-grained and coarse-grained access across all these different environments in one single place. And the intent here would be that, the moment you have all these roles defined in one single place, you can easily enforce your role governance best practices. So things like: if a role changes, I need to go through appropriate approvals, I need to go through version control, I need to go through appropriate review, ensure that there are no inherent SoD violations in a role as it changes. Now, coming to the last part of the presentation: how do I ensure that I stay clean in my environment?
And in this case, you know, what we are really saying here is to integrate HANA access as well as your Fiori applications access and tightly link that with my HR feed. So what happens when an employee or a person changes jobs, or an employee leaves the organization, I am immediately able to deprovision or revoke their access in time. Similarly, by having constant event-based triggers going against the repository, it is also essential to identify any out-of-band exception access. So if you recall, many of the users in the HANA system would have admin or elevated privileges, and they would have the ability to create new accounts or rogue accounts, right? So it's essential to identify when any of those accesses have been created without undergoing the appropriate approvals, and ensure that we are on top of it and able to maintain a clean environment at any given point in time.
And I think with the changing paradigm of HANA, what we'll also see is that organizations have also started leveraging analytics, or access analytics, in a big way, where, based on machine learning algorithms, you are able to automatically generate recommendations to users in terms of what kind of access they should have. And this is very similar to what Netflix provides you today as part of their user experience. Similarly, one of the techniques that organizations have been leveraging to stay clean in their environment is to really embed policy evaluation as part of their access request process itself. So not only are you looking at, you know, if a new access is granted to a user, whether it be a HANA role or a Fiori role, at any given point in time I'm evaluating the SoD risk that this might create, and also, because of the same analytics engine, you can also identify: does this create an outlier kind of situation in my environment? And more importantly, use that information to drive the behavior of your workflows, wherein you make the workflows more risk-aware.
So if the access that has been requested by the user is low risk, then the access is auto-approved. But if it is introducing a high risk in my environment, like violating SoD rules, then I need to go through additional approvals, go through a mitigating control assignment. So to summarize the presentation, I think because of the fragmented approach that SAP has in terms of introducing SAP cloud applications, introducing SPO applications, where you have point applications now being delivered to organizations, as well as the HANA warehouse that is bringing in aggregation of data, it is very important to consolidate, centralize and aggregate your security controls onto one single platform, create that entitlement or security warehouse, and implement all your best practices when it comes to security management in a cohesive manner across all your SAP applications, as well as extend it seamlessly to non-SAP applications that might be in your enterprise or in your cloud environment. So with that, I wanted to open up the forum for questions. Matthias, have you received any questions through the chat channel?
Yes. Thank you very much, first of all, for your great presentation and for sharing your best practice recommendations. I think this is very important, that people can really take away your recommendations on how to deal with the changing landscape and with the fragmented landscape, as you said. First of all, my reminder: please add some more questions to the questions panel within GoToWebinar, but there are already some questions, and we have only a few more minutes for our Q&A session. So let's just start right away with the questions. First question is: if you compare your solution, or you position your solution within an existing environment, how does your solution work together with or replace SAP HANA Studio, or SAP GRC Access Control, or the SAP authorization assistant? How does this play together, or what is no longer necessary?
Sure. So I think that's a great question. You know, given that organizations have spent a lot of effort in building the security model around the SAP GRC platform, or any other, you know, GRC platform, within the SAP system itself, one of the things that we have taken into consideration is to create a very modular architecture where, you know, you can leverage all the SoD rules, all the access control techniques that you have built onto your SAP platform. And where we come in is to extend that seamlessly to your Fiori, your HANA, as well as the SAP platform itself. And more importantly, also extend it to your non-SAP systems, where now you can have the same job functions or business rules defined for SAP; this can also be used to control your access in Active Directory and those kinds of platforms. Similarly, when it comes to HANA Studio, you know, obviously HANA Studio is not going anywhere. It is used to do a lot of things within the HANA platform. However, what we really see is that it is not the right platform for implementing governance when it comes to security governance for your platform. And that's where we look at augmenting it and potentially replacing some of the security management tasks and doing it through a platform like,
Okay, okay, thank you. Understood. Another question: in a typical S/4HANA solution, there are lots of different applications available, and to make sure, and this is an important factor for many of our customers and the people that we talk to, is to make sure that every user has only access to the right entitlements. But, how, where should you try to, where should organizations try to manage the security for all these applications, across all these S/4 applications?
Sure. So, yeah, again, you know, one of the things that I alluded to in my presentation is that you now need to have a security platform that can easily traverse between fine-grained as well as coarse-grained security authorization models. I think a lot of effort has been put in by organizations within their SAP authorization object model. A lot of customizations have also been developed to suit their business requirements. So I think it is imperative to leverage that as my foundation for security management, and then extend that through discovery, through entitlement mapping, to figure out what are the appropriate privileges that now need to be derived from that SAP authorization object model, or how do those objects or that authorization model now relate to my Fiori applications' access or roles, gateway roles, which are at a different level. So I think having that ability to maintain that mapping and really leverage the authorization object model of SAP and extend that across SAP, you know, and cloud applications, that is going to be key. And that's what we are helping organizations build in that case.
Okay. Okay. Thank you. One final question. One topic which was a real hot topic at the EIC is still managing privileged access and privileged user activities. Is your solution still for monitoring privileged accounts, either technical or on the business level, when it comes to adding a new set of privileged accounts, which is the SAP HANA privileged accounts?
Absolutely. And I think, you know, it is important to understand the scope or the propensity of privileged access in this scenario, right? Because now I already have got SAP cloud applications. That means my data is already being consumed on the cloud. I have got different types of users sitting on HANA. I need to have a mechanism to monitor user activity and, more importantly, privileged activity, and understand if the access that has been provided to them is being used in the appropriate manner, based on whatever business specification was provided at that point in time. And also, you know, bringing additional techniques like user behavior analytics on top of the access or the privileged activity that is happening, to really identify those suspicious activities, understand, you know, long-drawn SoD violations that might be happening within my enterprise, or understand, you know, if anyone is creating rogue accounts with their privileged access without the right approvals and trying to circumvent the SoD rules or business policies in my environment. I think it is important to look at privileged access governance in a realistic way, especially now that my applications are sitting out on the cloud or, you know, I have got a lot of aggregation of my data happening in one single place.
Okay. Thank you. So as we're running out of time, I would like to thank the participants of today's webinar. And of course I would like to thank you, Amit from Sian, for sharing your expertise and experience and your best practices and your thoughts about integrating large-scale hybrid SAP environments. Thank you for that. I think that was really a great look into the real-life aspects of securing essential corporate infrastructure. We are very much looking forward to having you all as participants in one of our next webinars or seminars or events. And that's it for today. I would like to say goodbye. Thanks for being with us for this webinar, and goodbye.
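The presentation above describes one rule set built on business functions that abstract over SAP authorization objects, HANA privileges and Fiori tiles, with SoD risks defined as pairs of conflicting business functions, and a risk-aware request workflow that auto-approves low-risk access and routes SoD-violating access for additional approval. The Python below is an added, self-contained illustration of that design; it is not code from the webinar or from the vendor's product. The transaction codes, HANA privilege names, Fiori tile id, risk ids and user entitlement sets are all constructed sample data.

```python
"""
Constructed example: an SoD rule set expressed over business functions that
abstract platform-specific entitlements (SAP, HANA, Fiori), a violation check
over a user's cross-platform access, and a risk-aware access-request decision.
All identifiers below are sample values made up for this example.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# An entitlement is (platform, identifier). The identifier format is a
# constructed convention: "S_TCODE:VA01" for an SAP authorization value,
# "system:USER ADMIN" for a HANA system privilege, "tile:..." for a Fiori tile.
Entitlement = Tuple[str, str]

# Business functions: the abstraction layer. Each maps to the entitlements that
# grant that function on every platform (constructed mapping).
BUSINESS_FUNCTIONS: Dict[str, FrozenSet[Entitlement]] = {
    "create_sales_order": frozenset({
        ("sap", "S_TCODE:VA01"),
        ("fiori", "tile:SALES_ORDER_CREATE"),   # hypothetical tile id
        ("hana", "analytic:SalesOrderCreate"),  # hypothetical analytic privilege
    }),
    "maintain_customer_master": frozenset({
        ("sap", "S_TCODE:XD02"),
        ("hana", "object:CUSTOMER_MASTER:UPDATE"),
    }),
    "post_customer_payment": frozenset({
        ("sap", "S_TCODE:F-28"),
        ("hana", "analytic:PaymentPosting"),
    }),
    "hana_system_admin": frozenset({
        ("hana", "system:USER ADMIN"),
        ("hana", "system:ROLE ADMIN"),
    }),
}

# SoD risks: two business functions that must not belong to one user.
# Defined once, they apply to SAP, HANA and Fiori access alike.
SOD_RISKS: Dict[str, Tuple[str, str]] = {
    "R001": ("create_sales_order", "maintain_customer_master"),
    "R002": ("maintain_customer_master", "post_customer_payment"),
    "R003": ("hana_system_admin", "post_customer_payment"),
}


def business_functions_for(entitlements: Set[Entitlement]) -> Set[str]:
    """Bottom-up mapping: which business functions do these entitlements grant?
    Holding any one entitlement of a function counts as holding the function."""
    return {bf for bf, ents in BUSINESS_FUNCTIONS.items() if ents & entitlements}


def sod_violations(entitlements: Set[Entitlement]) -> List[str]:
    """Risk ids whose two business functions are both held by this user."""
    held = business_functions_for(entitlements)
    return sorted(rid for rid, (a, b) in SOD_RISKS.items() if a in held and b in held)


def users_with_violations(users: Dict[str, Set[Entitlement]]) -> Dict[str, List[str]]:
    """Clean-up step: scan every user's consolidated access for SoD risks."""
    return {u: v for u, ents in users.items() if (v := sod_violations(ents))}


def evaluate_request(current: Set[Entitlement], requested: Set[Entitlement]) -> Dict:
    """Risk-aware workflow: approve automatically only if the requested
    entitlements introduce no new SoD violation; otherwise route for approval
    and a mitigating control assignment."""
    before = set(sod_violations(current))
    after = set(sod_violations(current | requested))
    new = sorted(after - before)
    if new:
        return {"decision": "route_for_approval", "risk": "high",
                "new_violations": new, "existing_violations": sorted(before)}
    return {"decision": "auto_approve", "risk": "low",
            "new_violations": [], "existing_violations": sorted(before)}


if __name__ == "__main__":
    # Constructed user population: access pulled from SAP, HANA and Fiori.
    sample_users = {
        "alice": {("sap", "S_TCODE:VA01"), ("hana", "object:CUSTOMER_MASTER:UPDATE")},
        "bob": {("fiori", "tile:SALES_ORDER_CREATE")},
        "carol": {("hana", "system:USER ADMIN"), ("sap", "S_TCODE:F-28")},
    }
    print("violations:", users_with_violations(sample_users))
    print("request:", evaluate_request(sample_users["bob"], {("sap", "S_TCODE:XD02")}))
```

Note that alice's R001 conflict is only visible because the SAP transaction and the HANA object privilege resolve to the same pair of business functions; a rule set written against SAP authorization objects alone would not see it.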