Practical GRC - ADSOTECH Scandinavia

Post on 30-Apr-2020

Practical GRC: Reduce Risks, Enhance Control, Minimize Authorizations

Xpandion, 2018

About Xpandion

• Established in 2007

• Based in Tel Aviv, Israel

• Partners in Europe, USA, Asia Pacific

• Independent software vendor (ISV) with expertise in ERP usage inspection

• Xpandion Software:

– Security

– Authorizations

– GRC

– SLOE

• Answering Needs:

– User Monitoring

– Authorization Management

– Compliance

– Workflow Processes

– SAP licensing

– Reduced Resources

ProfileTailor™ Dynamics

1. Infrastructure

2. Segregation of Duties

3. Control Management

4. Role Management

5. Additional Info

1. Architecture

[Architecture diagram, reconstructed from the slide labels: data sources (ERP etc.) feed a Data Extractor and a Web Collector; collected data travels over MSMQ to the ProfileTailor Service, which keeps its repository on SQL Server and sends notifications through an SMTP mail server; an IIS web server (worker process) hosts the ProfileTailor Dynamics user interface, which the end user reaches via web browser over HTTP.]

The slide labels the browser link as plain HTTP. In a deployment this is the interface to put behind TLS, since it carries authorization data and approval decisions.

ProfileTailor Suite in Details

Supported Platforms

• ProfileTailor Suite is currently able to connect to ERP systems (SAP, Oracle Apps, Priority), Active Directory, Windows file systems, VMS based systems, AS/400 based systems and various proprietary systems

• Connectivity uses built-in out-of-the-box connectors or an open API, assisted by a graphical Interface Builder tool

2. Segregation of Duties

Segregation of Duties

• Tier-1 solution with unique behavior inspection

• Identifies SoD violations by roles and users

• Simulates granting authorizations and recommends the best role to allocate

• Alerts when new violation is created

• Collaboration infrastructure with consultants and auditors

Introduction to SoD operation

SoD Rule: "Create & Approve Purchase Reqs"

Activity Groups: Create purchase reqs / Approve purchase reqs

Activities in Groups: ME51N, ME52N / ME54N

Activity Modes for Auth. Object Level: valid for create & change (but not display)

• SoD Rules

• SoD Reports

• SoD Violations

– Role

– Authorization (Static)

– Actual use (Dynamic)

• Conflict Resolver

Sharing: Correspondence

Well documented correspondence for later review by auditors

Alerts when Violating SoD Rules

Alerts can be received immediately or via scheduled report

Simulation for Granting Authorizations

Options: adding activity to user, role to user, activity to role

Several objects can be analyzed together

Simulation before granting groups from Active Directory

RoleAdvisor™

Choosing the most suitable role to grant in seconds, according to (1) activity (2) company code/plant/purchasing org./etc. (3) number of SoD violations (4) minimum risk

Mitigate Risks: SoD Conflict Resolver™

Quick and easy method to mitigate risks and document compensating controls
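The following Python is an added example, not ProfileTailor's code (none is shown on this page). It models the SoD mechanics this section describes: a rule built from two activity groups with activity modes at the authorization-object level, violation checks by role, by static authorization and by actual use, a grant simulation, and a role-advisor ranking. The rule and its T-codes come from the "Create & Approve Purchase Reqs" slide; the role names, user assignments and usage log are constructed sample data, and the ranking is a simplification of the four RoleAdvisor criteria (it ignores org-level scoping such as company code).

```python
"""Added example: SoD rule evaluation, grant simulation and role ranking.

Illustrative code, not ProfileTailor's own. The rule mirrors the
"Create & Approve Purchase Reqs" slide (ME51N/ME52N vs ME54N, counted in
create/change mode only). Role, user and usage data below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SoDRule:
    name: str
    group_a: frozenset   # activities (T-codes) in the first activity group
    group_b: frozenset   # activities in the conflicting activity group
    modes: frozenset = frozenset({"create", "change"})  # modes that count; display does not


RULE_PR = SoDRule("Create & Approve Purchase Reqs",
                  frozenset({"ME51N", "ME52N"}), frozenset({"ME54N"}))

# Hypothetical roles: role name -> {T-code: activity mode at auth-object level}
ROLES = {
    "Z_PURCHASER":   {"ME51N": "create", "ME52N": "change", "ME53N": "display"},
    "Z_PR_APPROVER": {"ME54N": "change"},
    "Z_PR_VIEWER":   {"ME53N": "display", "ME54N": "display"},
    "Z_BUYER_LITE":  {"ME51N": "create"},
    "Z_PURCH_ALL":   {"ME51N": "create", "ME52N": "change", "ME54N": "change"},
}
# Hypothetical user -> assigned roles
USERS = {
    "alice": {"Z_PURCHASER", "Z_PR_APPROVER"},
    "bob":   {"Z_PURCHASER", "Z_PR_VIEWER"},
    "carol": {"Z_PR_APPROVER"},
}
# Constructed usage log: (user, T-code, mode actually executed)
USAGE = [("alice", "ME51N", "create"), ("alice", "ME54N", "change"),
         ("bob", "ME51N", "create"), ("carol", "ME54N", "change")]


def activities_of(role_names):
    """Merge the activities granted by a set of roles: T-code -> set of modes."""
    acts = {}
    for role in role_names:
        for tcode, mode in ROLES[role].items():
            acts.setdefault(tcode, set()).add(mode)
    return acts


def conflicts(acts, rule):
    """Sorted (group_a, group_b) pairs that are both held in a counted mode."""
    def held(group):
        return {t for t in group if acts.get(t, set()) & rule.modes}
    return sorted((a, b) for a in held(rule.group_a) for b in held(rule.group_b))


def role_violations(rule):
    """Roles that violate the rule on their own (one role grants both sides)."""
    out = {}
    for role in ROLES:
        found = conflicts(activities_of({role}), rule)
        if found:
            out[role] = found
    return out


def static_violations(rule):
    """Users whose combined role assignments violate the rule (authorization-based)."""
    out = {}
    for user, roles in USERS.items():
        found = conflicts(activities_of(roles), rule)
        if found:
            out[user] = found
    return out


def dynamic_violations(rule, usage):
    """Users who actually executed both sides of the rule (usage-based)."""
    used = {}
    for user, tcode, mode in usage:
        used.setdefault(user, {}).setdefault(tcode, set()).add(mode)
    out = {}
    for user, acts in used.items():
        found = conflicts(acts, rule)
        if found:
            out[user] = found
    return out


def simulate_grant(user, role, rule):
    """New conflicts a role grant would introduce for the user (empty = safe to grant)."""
    before = set(conflicts(activities_of(USERS[user]), rule))
    after = set(conflicts(activities_of(USERS[user] | {role}), rule))
    return sorted(after - before)


def role_advisor(user, tcode, rule):
    """Roles granting `tcode` in a counted mode, best first:
    fewest new SoD conflicts, then smallest role (least privilege)."""
    candidates = [r for r in ROLES if ROLES[r].get(tcode) in rule.modes]
    return sorted(candidates,
                  key=lambda r: (len(simulate_grant(user, r, rule)), len(ROLES[r])))


if __name__ == "__main__":
    print("role violations:   ", role_violations(RULE_PR))
    print("static violations: ", static_violations(RULE_PR))
    print("dynamic violations:", dynamic_violations(RULE_PR, USAGE))
    print("grant Z_PURCHASER to carol adds:", simulate_grant("carol", "Z_PURCHASER", RULE_PR))
    print("best role for carol needing ME51N:", role_advisor("carol", "ME51N", RULE_PR))
```

Note what the static and dynamic checks disagree on: alice is flagged on both ME51N and ME52N against ME54N by her authorizations, but only ME51N/ME54N by what she actually ran, while bob is clean because his ME54N access is display-only, which the rule's activity modes exclude. The advisor ranks Z_BUYER_LITE first for carol because it is the only candidate that grants ME51N with a single new conflict rather than two; any grant still conflicts with her approver role, so the request would need a mitigation (compensating control) rather than an approval.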

3. Control Management

• Alerts

• Authorization Review

• Workflows

• Automated Controls

Alerts

Using alerts, it is easy to react immediately

• Event-driven system; all events can be sent as an alert depending on severity

• Alerts can be sent to different people

• Some alerts can require acknowledgement from recipient

Alerts (1)

Alert example: granting sensitive authorizations

Alerts (2)

Alert example: granting authorizations that violate SoD rules

Authorization Review

• Process for reviewing employee authorizations; performed periodically

• Approvals by managers (org. structure) or by data owner (Finance, Logistics, etc.)

• Approving only sensitive or all activities, only certain groups of employees, etc.

• Fully documented for audits

• End-user screen supports multi-language

Authorization Review (2)

Each manager receives an email and reviews only the relevant employees

Authorization Review (3)

Ticket to cancel authorization is automatically forwarded to Helpdesk

Authorization Review (4)

Overview screen displays review progress; ability to send reminders to managers

Authorization Analysis

Who can do what…

High Risk Activities

High Risk Groups (Active Directory)

Unused High Risk Activities in Roles

Workflows

• Cross-platform integrated workflows

• For example:

– Authorization request

– Self service password reset

– Emergency Access (Firefighter)

– Employee life cycle: Hire, position change, terminate

Authorization Request

• Authorization request portal

• From user request to closure of Helpdesk ticket

• Integrated interface to automatically perform change (in SAP, Active Directory)

• Well documented process for auditors

• Elaborate process for preventing bypass

• End-user screen supports multi-language

Authorization Request (2)

User Request:

1. Add activity (+ free search)

2. Add authorization

3. Free request

Authorization Request (3)

Authorization Manager Approval

Authorization Request (4)

Documentation: Complete control over the process

4. Role Management

• Role building

• OrgSet Management

• Emergency Users

• Role Reports

• Role Simulator

• Role Advisor

• Role Splitter

IT/Emergency Access

• Emergency access requested via browser

• Opens a user with time-limited access, or allocates temporary authorizations to an existing user

• Detailed report of user activity is automatically sent to the manager

• Business rules are available (e.g., automatic approval after business hours if the request passes the rule's security tests)

The web-based process enables: unlocking a username, adding extra authorizations to an existing user, and sending a detailed report on the activities performed after the process completes

IT/Emergency Access (2)

Request for IT access (screen is fully customizable)

IT/Emergency Access (3)

Well documented request and activity log

5. Additional Info

• Implementation options

• Authorization concept

• Data Security

• Privacy

Implementation options

Feature               Cloud                      On-premise
SoD Control           Only authorization based   Yes
Usage analysis        No                         Yes
Immediate alerts      No                         Yes
Role management       Without usage insights     Yes
Authorization Review  Yes                        Yes
Emergency Access      Without provisioning       Yes

Authorization concept

• Role based

• Each role has access to a set of menus

• A user may have multiple roles

• Additional limitation by user groups

[Diagram: menus are assigned to roles; roles are assigned to users]

Data Security

• Data repository on corporate SQL server

• Single sign on utilizes Active Directory security

• Access is limited & monitored

• Configuration changes are monitored & audited

Privacy

• No personal HR data is retrieved

• Data on transaction usage and not content

• User data can be segregated

• Imported data fields can be controlled

10 Differences that Make ProfileTailor Better

1. Dynamic SoD

2. Quick implementation; quick time to realize value

3. Conflict Resolver™ to eliminate SoD risks

4. Role Advisor™ to advise best role

5. Cross platform SoD with Active Directory and additional systems

6. Shared folders Access Control monitoring

7. In-depth activity monitoring in each T-Code

8. Role usage and recommendation regarding role changes, Role rebuilding capabilities

9. Power users SAP_ALL replacement – dedicated authorization role based on user monitoring

10. Additional Workflow Processes: Self-service password reset, Employee Lifecycle Management (with AD)


ROI-focused Implementation

• Multi-system authorization request process

• Automated periodical authorization review

• Authorization Insights (analysis of who can do what, who did what)

• Alerts when sensitive authorizations are granted

• Proactive, ongoing protection from SoD violations

• Controlled IT/emergency access to production environment

http://www.xpandion.com

http://www.adsotech.com