As organizations using SAP undertake large digital transformation projects, including the transition to SAP S/4HANA, customers must increasingly move to secure their data in the face of rapidly evolving business processes.
With security incidents, including cyber-attacks and data fraud, on the rise over the past decade, and carrying the potential of significant financial and reputational damage for the companies affected, the need to bolster security is clear.
As audit firms and regulators increasingly focus on SAP-run control environments, imposing strict measures to ensure compliance, it’s more important than ever that customers take steps to secure their SAP environments and adopt the proper Governance, Risk, and Compliance (GRC) measures to safeguard their futures.
Soterion, which specializes in helping organizations become more effective in their access risk management activities with their business-centric GRC solutions, recently published its 2023 Trends Report, titled “A New Era of GRC for SAP Customers.” In the report, which you can read in full here, Soterion shares four pivotal insights and predictions expected to shape the future of GRC for companies running SAP.
1. Shortage of skilled SAP security resources can increase risk exposure.
The anticipated increase in SAP security complexities, coupled with a global skills shortage, may expose organizations to increased risk as they struggle to find adequately skilled SAP security resources, according to Soterion’s report.
The already-demanding nature of managing SAP authorizations has been compounded by significant changes to how security is managed in SAP S/4HANA (Fiori, Catalogs, Spaces, Pages, etc.). This added complexity can result in inferior role designs and role methodologies being implemented, and/or in a recommendation to use standard business roles, which may result in wide and inappropriate access being assigned to SAP users.
The added complexity of managing SAP S/4HANA security means it now takes even longer to upskill an SAP security resource to become proficient. Coupled with this, work-from-home policies mean that many projects are delivered remotely, which can negatively impact the upskilling/learning process.
2. The drive towards standard business processes will cause widening of access.
Amid the push for adoption of standard business processes and pre-defined roles, organizations may be forced to assign multiple standard business roles to users, consequently broadening access and increasing organizational risk.
As SAP emphasizes a fit-to-standard approach for its customers to get the most value out of their investment in SAP technology, organizations with unique business processes and requirements might not be well suited for pre-defined business roles. To prevent potential operational bottlenecks, organizations may allocate users multiple business roles to ensure they have the necessary access to perform all their functions. However, this approach can result in access privileges being wider than necessary, increasing organizational fraud risk.
3. As cloud adoption increases, clarity on ownership and risk exposure becomes blurred.
The increasing adoption of cloud solutions, all with vastly different security concepts, introduces additional security challenges. As access control solutions often lack the capability to perform comprehensive access risk analysis on cloud solutions, it is imperative for security teams to be familiar with security protocols for all solutions integrated with their organizations and to have the resources to manage them effectively.
As SAP incentivizes customers to transition to cloud hosting via RISE with SAP, Soterion also foresees challenges relating to ownership and responsibilities for various activities, from basic system administration to security, between SAP and RISE customers.
4. The rise of the hybrid IAM/GRC model.
As organizations weigh up the benefits of Identity and Access Management (IAM) and Governance, Risk and Compliance (GRC) solutions, more will consider a hybrid model that leverages the strengths of each system.
IAM solutions exist to manage an identity across an IT environment, enabling workflow, provisioning, and user access, but many of them lack the ability to analyze SAP access at a detailed or technical level or to assess the risk impact of assigned roles. With this in mind, organizations may turn to GRC solutions, which are better equipped to show detailed risk information, for the task of defining business roles.
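The mechanism behind points 2 and 4, as an added illustration that is not part of the Soterion report or this article: each standard business role can be free of conflicts on its own, yet the union of several roles assigned to one user can violate a segregation-of-duties (SoD) rule, which is exactly the "risk impact of assigned roles" that a GRC-style access risk analysis reports and a provisioning-only IAM tool does not. The role names, transaction codes and SoD ruleset below are constructed sample data, not SAP-delivered content, and the check is simplified to transaction-code level (real SAP authorization checks operate on authorization objects and field values).

```python
"""Minimal SoD access risk check over combined role assignments.

Added example, not code from the Soterion report or this article.
ROLES and SOD_RULES are constructed sample data chosen to resemble
typical accounts-payable and procure-to-pay functions.
"""

# Constructed sample: each role maps to the transaction codes it grants.
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02", "FB60"},  # maintain vendor master, enter invoices
    "Z_AP_PAYMENTS": {"F110", "F-53"},       # run payment program, post payments
    "Z_PURCHASER": {"ME21N", "ME22N"},       # create / change purchase orders
    "Z_WAREHOUSE": {"MIGO"},                 # post goods receipt
}

# Constructed SoD ruleset: (rule id, description, function A, function B).
# A user holding any code from A together with any code from B is a conflict.
SOD_RULES = [
    ("R01", "Maintain vendor master vs. post payments", {"FK01", "FK02"}, {"F110", "F-53"}),
    ("R02", "Create purchase order vs. goods receipt", {"ME21N", "ME22N"}, {"MIGO"}),
    ("R03", "Enter vendor invoice vs. post payments", {"FB60"}, {"F110", "F-53"}),
]


def effective_access(assigned_roles):
    """Union of all transaction codes granted by the assigned roles."""
    access = set()
    for role in assigned_roles:
        access |= ROLES[role]
    return access


def user_risk(assigned_roles):
    """SoD conflicts created by the combined roles, naming the roles on each side.

    A conflict is reported whenever at least one assigned role grants a code
    from side A and at least one assigned role grants a code from side B;
    the two sides may come from the same role or from different roles.
    """
    report = []
    for rule_id, description, side_a, side_b in SOD_RULES:
        roles_a = [r for r in assigned_roles if ROLES[r] & side_a]
        roles_b = [r for r in assigned_roles if ROLES[r] & side_b]
        if roles_a and roles_b:
            report.append({
                "rule": rule_id,
                "description": description,
                "roles_a": roles_a,
                "roles_b": roles_b,
            })
    return report


def simulate_assignment(current_roles, new_role):
    """Risk impact of one additional role: conflicts that exist only after the change."""
    before = {c["rule"] for c in user_risk(current_roles)}
    after = user_risk(list(current_roles) + [new_role])
    return [c for c in after if c["rule"] not in before]


if __name__ == "__main__":
    # Every sample role is clean on its own ...
    for role in ROLES:
        assert user_risk([role]) == []
    # ... but stacking two "standard" roles on one user introduces conflicts.
    for conflict in user_risk(["Z_AP_CLERK", "Z_AP_PAYMENTS"]):
        print(conflict["rule"], conflict["description"],
              "via", conflict["roles_a"], "+", conflict["roles_b"])
    # Pre-assignment simulation: what would adding Z_WAREHOUSE to a purchaser cause?
    print(simulate_assignment(["Z_PURCHASER"], "Z_WAREHOUSE"))
```

The `simulate_assignment` function is the defender-side check worth wiring into an access request workflow: it evaluates the request against the user's existing roles before provisioning, rather than discovering the conflict in a periodic audit after the wide access has already been granted.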
Soterion’s report reflects the reality that SAP S/4HANA migration is not merely a technology upgrade but also a major shift in operations and control. As such, it’s vital that organizations using SAP keep security at the center of project planning and execution, empowering business users to navigate the future of their SAP environments safely and responsibly.