The world has been passing through the toughest time in its history. Enterprises worldwide are going through a stage of extreme turbulence and dramatic changes in the aftermath of the COVID-19 pandemic. Employees are being laid off or compelled to shoulder wider responsibilities. Also, the magnitude of the transition is huge. A huge percentage of the workforce is working remotely. These changes must be expressed in the organizations’ ERP framework of access policy management and areas such as SAP access policy management.
The increased provisioning of users puts additional pressure on the SAP policy management and IAM teams, considering the fact that they are already burdened with maintaining remote access to apps for people working from home.
The Three Employee Types
In the user provisioning process, three separate scenarios basically arise when employees are onboarded, when they internally switch positions/departments, and when employees leave the business. Under such circumstances, organizations are vulnerable to an onslaught of cyber threats if provisioning is not done correctly.
Thanks to an extended remote access threat surface, a compromised account can cause serious damage before it is identified. This risk is only multiplied by higher privileges, particularly where duty segregation (SAP SoD) is at play. If additional roles that include new positions have been delegated to an employee, it is likely that potential issues associated with the segregation of duties (SAP SoD) are ignored.
Improving SAP Access Policy Management: Three Ways
With an unprecedented number of cyber-attacks going on during recent times, it seems it is the perfect time for investment in technology to improve data security and provide more granular control of access. Here are three measures for effective SAP policy management:
1. Attribute-Based Access Controls (ABAC)
Companies with identical roles spread through many business units turn to role derivatives in order to ensure that access is properly segmented. While efficient from a control perspective, management of these positions proves burdensome as each branch-off multiplies the number of role derivatives. For your SAP policy management and security squad, this sheer scale can be overwhelming.
Organizations should expand their existing role-based access control (RBAC) model with attribute-based access control (ABAC) to make things simple and lighten the burden on IAM teams. ABAC helps you to easily incorporate fine-grained ‘attributes’ into your decisions on authorization.
The ‘Least Privilege’ principle is a basic tenet of data protection. The aim is to lessen the risk by providing a minimum level of access for users to perform a task at hand. The current RBAC model aims to do so.
Organizations may reduce their accepted risk by applying granular business policies and access controls to improve security at data and transaction levels. Risk-aware controls can be introduced using ABAC to limit what users can access, from where, when, how, and what they can do with the information within your application. ABAC provides an extra level of security by incorporating additional contexts, such as geo-location, time of day and IP address, etc. This ensures users have adequate access and prevents users from getting more than what they really need.
3.User Activity Monitoring
Organizations should always carry out the monitoring of user behavior. Behaviors which need monitoring include:
- Identification, during periodic monitoring and auditing, of sensitive transactions and high-privilege user activity.
- Continuous access control by peer group activities for insight into who altered what in terms of roles and permissions.
- Setting risk-aware alarms, such as network accessing systems, user locations, etc. This streamlines threat detection and alleviates the manual process normally necessary for threat response.
Do not forget to supervise the IT and security departments while you track user behavior. You will do well to assign accountability and openness to staff who respond to requests for access to temporary team members and review access. Keep specific records of whether authorizations have been given or modified. Do it in a way that is easily audited.
Taking advantage of technology and solutions that can reinforce the SAP access policy management of an enterprise can go a long way in securing sensitive data and relieving the stress of IT and security teams. Enterprises should leverage these systems to achieve a better security posture.