How to future-proof SAP Access Controls [VIDEO, AUDIO, TRANSCRIPT]
April 6, 2021
In this episode of The Cloud Forecast™ Scott Goolik, our VP of SAP Security and Compliance, and Kevin Dunne, our VP of Sales – ControlPanelGRC, discuss the factors at play when future-proofing your SAP Access Controls. Other Resources, video, audio, and transcript below.
The Cloud Forecast is a Managed Services Podcast from NTT, where we talk about the latest topics in cloud services, application services, consulting, security, and anything else that affects the core technology of your business.
Welcome to the Cloud Forecast, a Managed Services podcast from NTT. Today we’re going to talk about how you can future-proof your SAP access controls. My name is Chris Peralta, I’m the Marketing Production Manager at the Managed Services division of NTT Americas. And I’m very happy to be joined by Scott Goolik, our VP of SAP Security and Compliance, and Kevin Dunne, our VP of Sales, ControlPanelGRC. So let’s get started. I’m going to ask you both this question: what does an organization need to consider to future-proof their investment in an SAP Access Control solution?
Thanks, Chris, I’ll take that one as we start out. We’re hearing a lot about future-proofing in the market today, and we’re hearing that from existing customers and our prospects. So, most of our existing clients are on ECC and they’re going to be migrating to S/4HANA and Fiori; cloud apps are on the horizon. So it’s important for our customers and prospects to invest in a solution that’s available today that solves their existing problems but isn’t an impediment to migrating to that future state. Again, they can’t afford a lengthy and time-consuming upgrade project; they want to make sure that the solution they have today is ready when they’re ready to make that next step.
Obviously when the client is going to start migrating from an ECC environment to S/4, or if they’re doing a Greenfield S/4 deployment today, the challenge here is they’ve already got a big project on their hands. So any time that they’re spending in upgrading or maintaining an access control solution to migrate to that S/4 environment is time that just shouldn’t be spent. So they need to figure out strategies to deploy an access control solution that isn’t going to require any sort of costly upgrade or significant project to get up to that next release.
Great. Thank you both. People spend a lot of time, money, and resources on their solutions, and it is of the utmost importance to make sure that they can last for years into the future. Here’s your next question. As organizations migrate from SAP ECC to S/4HANA, what should they be thinking about?
Well, and as Kevin mentioned, a number of our particular customers are looking at that journey now, where they’ve been on ECC for a number of years and S/4HANA is on the horizon, and frankly it’s getting closer on the horizon. As they move into the S/4HANA environment the security model changes, we’ve got different concerns, databases change. So we’re not just looking at an Oracle database where people never had access; now we’ve got an in-memory, sophisticated HANA database where we might actually have users running queries directly against data in that environment. That changes some of our security concerns.
So, now not only are we concerned about what data people can access within the four walls of SAP, but we also have to be looking at the HANA database and understanding what permissions or system privileges they might have there that would allow them to view sensitive data or make changes to data in that database. The HANA database is one component of that. Another is that with that deployment of S/4 we’re starting to look at Fiori apps. Fiori apps change the entire user experience and obviously this is a different security model.
We’re no longer looking at just the legacy transactions to understand what someone can do in the environment, now we have to look at the service authorizations and understand what OData services they have that will allow them to activate those Fiori tiles to process business-related transactions. What does that mean for access controls? Well, actually that changes everything because now we need to make sure that segregation of duty rules are incorporating both the legacy transactions and any Fiori apps that are either delivered by SAP or custom ones that are deployed specifically by the customer or their implementation partner.
In addition, we’ve got to be concerned about emergency access rights. So as we start looking at an S/4 environment we of course still have the need to elevate access in a firefighter-type scenario inside of the GUI, but we have to be able to do that inside of a Fiori interface, the Fiori user experience, where maybe a user is getting additional capabilities inside of that web browser. And then one more dimension to it: we start having to look at that S/4HANA database. We may have the necessity for someone to elevate rights within the database, but we still have to do the same sort of tracking that we’ve always done with our emergency-type access, where we’re monitoring what they’re doing with the elevated rights and wrapping workflow around that entire session.
Thank you, Scott. Onto the third question, how do we enable an organization to future-proof their investment in an access control solution?
Well, Chris, with the ControlPanelGRC platform what we’ve tried to do is make it so it’s very simple for a customer to deploy our solution inside of ECC and then utilize that same solution in S/4. We’ve essentially written the software to have different on-ramps and off-ramps so that when a customer upgrades they don’t need to upgrade the ControlPanelGRC platform. Instead ControlPanelGRC interprets what version of SAP the customer is running, and then it actually routes the code to appropriate areas based on what they’re using and what they’re leveraging.
So what does that mean? Well, if a customer is running S/4HANA, we already have rules that are checking for the Fiori apps. So, we’re looking for those underlying OData services to understand not just the legacy transactions that customers might be running but also the tiles, the Fiori tiles that they might be using to activate and access business-critical functionality. In addition, the rule sets come with checks for various pieces of sensitive data at the HANA database level.
So again, with users now actually getting into the database, we’re needing to look at system privileges or sensitive pieces of data to make sure that they don’t have too much access there. And it was something we just really didn’t have to consider back in the old days of the Oracle database, where the users weren’t getting into it. In addition, we need this to just be easy for them. We needed it so that when they’re going through the upgrade, as I mentioned earlier, they’ve got a large project in hand there, we need this to be seamless for them. So it’s something that they’re able to do immediately and take advantage of immediately.
Scott, let me ask you this just for clarification. ControlPanelGRC is ready to go for their current environment. It’s also enabled for the future state, so what you’re really saying is there will not be a lengthy reimplementation or upgrade project in order for our customers to take advantage of our solution when they migrate to their new version of SAP. Is that really what you’re saying?
That’s correct. When a customer does migrate to that new version, ControlPanelGRC essentially adapts itself. The same version that they deployed in the ECC environment is applicable in the S/4 environment. In that scenario, we’ve got automated processes that are going to go out there and discover what Fiori apps are being used and compare those to our rule sets, so that any custom Fiori apps can be pulled in automatically and mapped into existing functions where audit or financial data might be modified. So it greatly simplifies that path for upgrading to an S/4 deployment.
Awesome. Thank you for covering that for us, Scott, and thank you, Kevin, for chiming in. Here’s the last question, should organizations consider integration with applications beyond their ERP system?
Well, I think the trend that we’re seeing as our customers and our prospects are expanding their SAP footprint, it is including some of these cloud applications that SAP has acquired over the past few years, Ariba, Concur, SuccessFactors, various platforms, and that data is integrating with the S/4 environment. What’s critical here is that we do have the audit essentially expanding. The four walls of S/4 are no longer where all the data is maintained, we’ve got employees being hired in SuccessFactors, or we’ve got purchase orders being cut inside of Ariba.
These different activities are occurring in different places. So to get a holistic view of segregation of duties all of a sudden that shifts, it shifts our view to what the scope needs to be from an analysis perspective. And it’s a really good question and we’re definitely hearing customers talk about it, and frankly, I think it’s a great topic for the next podcast.
Thank you, Scott. We’ll definitely touch on that in a future podcast. And that brings us to the end of this episode. Thanks again, Scott and Kevin for joining me today. And to our listeners, thank you for tuning into the Cloud Forecast. If you have any questions, feedback, or would like more information, we’re currently using Secure-24 domains, so reach out to us at [email protected] Or give us a call at +1 800-332-0076, and we’d be happy to talk to you. Until next time, thanks for listening.
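The segregation-of-duties point Scott makes in the episode, that a rule which only inspects GUI transaction codes misses a user who reaches the same business function through an OData service behind a Fiori tile or through a direct HANA privilege, is illustrated below with a small SoD checker. This is an added example written for this page; it is not ControlPanelGRC code, not SAP's delivered ruleset, and not from the podcast. The function catalogue, the service names (ZVENDOR_MAINT_SRV, ZPAYMENT_RUN_SRV), the "ACTION:SCHEMA.TABLE" encoding of HANA object privileges, the SAPS4 schema name and the four sample users are all constructed for illustration.

```python
"""Segregation-of-duties check covering GUI transactions, Fiori/OData services
and HANA privileges in one pass.

Added example, not ControlPanelGRC or SAP code. Every function, transaction,
service, privilege and user record below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BusinessFunction:
    """One business activity and every access path that performs it."""
    name: str
    tcodes: frozenset           # S_TCODE values (SAP GUI transactions)
    odata_services: frozenset   # S_SERVICE values behind Fiori tiles
    hana_privileges: frozenset  # HANA object privileges, constructed encoding "ACTION:SCHEMA.TABLE"


# Constructed illustrative catalogue; not a delivered SAP or ControlPanelGRC ruleset.
FUNCTIONS = {
    "MAINTAIN_VENDOR": BusinessFunction(
        "MAINTAIN_VENDOR",
        frozenset({"FK01", "FK02"}),
        frozenset({"ZVENDOR_MAINT_SRV"}),
        frozenset({"UPDATE:SAPS4.LFA1"}),
    ),
    "PAY_VENDOR": BusinessFunction(
        "PAY_VENDOR",
        frozenset({"F110"}),
        frozenset({"ZPAYMENT_RUN_SRV"}),
        frozenset({"UPDATE:SAPS4.REGUH"}),
    ),
}

# Conflicting function pairs: holding both sides is an SoD violation.
SOD_RULES = [("MAINTAIN_VENDOR", "PAY_VENDOR")]

# HANA system privileges treated as critical on their own, regardless of SoD.
CRITICAL_HANA_SYSTEM_PRIVILEGES = {"DATA ADMIN", "USER ADMIN"}


@dataclass
class UserAccess:
    """Effective authorizations of one user, collected across all three layers."""
    user: str
    tcodes: set = field(default_factory=set)
    odata_services: set = field(default_factory=set)
    hana_privileges: set = field(default_factory=set)


def access_paths(access, fn, include_fiori=True, include_hana=True):
    """Return (kind, identifier) pairs through which `access` can perform `fn`.

    The include_* flags model a legacy ruleset that only looks at S_TCODE."""
    paths = [("tcode", t) for t in sorted(access.tcodes & fn.tcodes)]
    if include_fiori:
        paths += [("odata", s) for s in sorted(access.odata_services & fn.odata_services)]
    if include_hana:
        paths += [("hana", p) for p in sorted(access.hana_privileges & fn.hana_privileges)]
    return paths


def sod_violations(access, include_fiori=True, include_hana=True):
    """Evaluate every SoD rule; each violation records how both sides are reachable."""
    violations = []
    for left, right in SOD_RULES:
        left_paths = access_paths(access, FUNCTIONS[left], include_fiori, include_hana)
        right_paths = access_paths(access, FUNCTIONS[right], include_fiori, include_hana)
        if left_paths and right_paths:
            violations.append({"user": access.user, "rule": (left, right),
                               left: left_paths, right: right_paths})
    return violations


def critical_hana_access(access):
    """Critical HANA system privileges held by the user, sorted for stable output."""
    return sorted(access.hana_privileges & CRITICAL_HANA_SYSTEM_PRIVILEGES)


def flagged_users(users, include_fiori=True, include_hana=True):
    """Names of users with at least one SoD violation under the chosen rule scope."""
    return sorted(u.user for u in users if sod_violations(u, include_fiori, include_hana))


# Constructed sample users: alice via GUI only, bob mixes GUI and a Fiori service,
# carol works directly in the HANA database, dave holds one function twice (no conflict).
USERS = [
    UserAccess("alice", tcodes={"FK01", "F110"}),
    UserAccess("bob", tcodes={"FK01"}, odata_services={"ZPAYMENT_RUN_SRV"}),
    UserAccess("carol", hana_privileges={"UPDATE:SAPS4.LFA1", "UPDATE:SAPS4.REGUH", "DATA ADMIN"}),
    UserAccess("dave", tcodes={"FK01"}, odata_services={"ZVENDOR_MAINT_SRV"}),
]

if __name__ == "__main__":
    print("tcode-only ruleset :", flagged_users(USERS, include_fiori=False, include_hana=False))
    print("tcode + OData      :", flagged_users(USERS, include_hana=False))
    print("tcode + OData+HANA :", flagged_users(USERS))
    for u in USERS:
        for v in sod_violations(u):
            print(v)
        if critical_hana_access(u):
            print(u.user, "holds critical HANA privileges:", critical_hana_access(u))
```

Run stand-alone, the three summary lines show the scope effect directly: a transaction-only ruleset flags only alice, adding OData services also catches bob, and adding HANA object privileges also catches carol, who never touches a transaction or a tile. The per-violation records keep the evidence (which tcode, service or privilege opened each side), which is what an auditor asks for, and carol's DATA ADMIN privilege is reported separately as critical access because it is dangerous without any conflicting pair.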