Johan Hermans, CEO
The vulnerabilities in SAP applications are a matter of grave concern for enterprises today, as the proliferation of disruptive technologies—IoT, big data, cloud, and mobile—has substantially broadened the SAP attack surface. “Manual processes, document-centric approaches to Segregation of Duties (SoD), inherited rights, critical security controls, and super-user privileges, are all time-consuming, prone to errors, and often leave the businesses exposed,” says Johan Hermans, CEO of CSI tools. With more than two decades of experience in delivering dynamic analytics solutions focused on Governance, Risk management, and Compliance (GRC) for SAP environments, Herent, Belgium-based CSI tools continues to further its vision of efficaciously securing SAP environments.
According to Hermans, “Organizations need to establish an access control and SoD strategy and processes supported by technology.” He adds, “By automating access controls, organizations take a proactive approach to avoid risks while cutting down the cost and time required to maintain controls, be compliant, and mitigate risks.” CSI tools’ GRC suite makes the security for SAP environments more efficient, effective, and agile. The firm combines its comprehensive GRC suite with a unique four-step approach—analyzing the environment, auditing who has access to critical data, removing access to critical data for unauthorized users to enforce compliance, and facilitating ongoing compliance—to effectively secure SAP environments.
Given the strict enforcement of the European Commission’s General Data Protection Regulation (GDPR) from 2018 onwards, businesses will have to adhere to GDPR to ensure their SAP systems are protecting Personally Identifiable Information (PII). “The focus of CSI tools’ solutions encompasses full support for the entire risk mitigation process in addition to reporting the GDPR risks,” emphasizes Hermans. When auditing on GDPR using CSI Authorization Auditor (CSI AA)—an audit and monitoring application for authorization and role setup in SAP environments—the focus is on the data elements related to personal data. Furthermore, CSI AA facilitates the analysis of other important aspects of SAP application security, such as the profile parameters and system settings, in addition to storing results and audit evidence and defining a full monitoring/audit cycle.
As a result, all the processes, sub-processes, risks, control measures, findings, and controls will be in one central place. The audit on users, roles and profiles using CSI AA gives full insight into all elements that give access to personal data and how they can be removed. To remediate these security risks and prevent unwanted access from users, CSI Role Build & Manage (CSI RBM) offers functionalities such as automatic role building, creating derived roles for non-organizational levels, and reverse engineering.
With predefined checks on access to critical personal data on role level, organizations get insights into undesired authorizations, accumulation of access rights, and cross-system segregation of duties. To keep the SAP system compliant for user-role assignment changes, every change should be approved before the access to the data is granted. For user change requests, CSI Automated Request Engine has the functionality to approve stages and pre-defined checks for scenarios where the newly requested roles for users will lead to unauthorized data access.
With the release of a SaaS version of their GRC suite for SAP environments, CSI tools has begun to fully automate the “Get Compliant” phase for companies. The SaaS version also includes automatic analysis and reporting functionalities to identify gaps and facilitate actions to help businesses get GDPR compliant and S/4HANA ready. “Our aim has always been to keep SAP security simple with a specific focus on core authorizations to regulate user access to enterprise data,” concludes Hermans.