Soterion's report on GRC trends - a new GRC era for SAP customers
As companies working with SAP undertake major digital transformation projects, including the move to SAP S/4HANA, customers increasingly need to ensure their data is protected in the face of rapidly evolving business processes.
Security incidents such as cyberattacks and data fraud have increased over the last ten years. The financial and reputational consequences can be considerable for the companies affected. The need to increase security is therefore obvious.
With audit firms and regulators increasingly focusing on SAP control environments and imposing stringent measures to ensure compliance, it is more important than ever that customers take steps to secure their SAP environments and implement appropriate GRC (Governance, Risk and Compliance) measures to safeguard their future.
Soterion specializes in helping companies make their access risk management more effective with its business-oriented GRC solutions. Soterion recently published a report on GRC trends titled "A New Era of GRC for SAP Customers". In this report, which you can read in full here, we outline four key findings and predictions that are likely to shape the future of GRC for companies using SAP.
1. Scarcity of qualified SAP security resources can increase risk exposure.
The expected increase in SAP security complexity combined with the global skills shortage may increase the risk of organizations struggling to find sufficiently skilled SAP security resources.
The already challenging management of SAP authorizations is further complicated by significant changes to security management in SAP S/4HANA (Fiori Catalogs, Spaces, Pages, etc.). This additional complexity may lead to the implementation of inferior role designs and role methodologies and/or the recommendation to use standard business roles. As a result, SAP users may be assigned broad and inappropriate access.
The added complexity of security management in SAP S/4HANA means that it now takes even longer to train a suitably competent SAP security resource. In addition, many projects are being worked on remotely due to home office guidelines. This can have a negative impact on the training/learning process.
2. The pursuit of standardized business processes will lead to an expansion of access.
Amid the push to introduce standard business processes and predefined roles, organizations may be forced to assign multiple default business roles to users. This expands access and increases business risk.
Because SAP takes a fit-to-standard approach to help its customers get the most value from their investment in SAP technology, organizations with unique business processes and requirements may not be well suited to predefined business roles. To avoid potential operational bottlenecks, users are assigned multiple business roles so that they have the necessary access to perform all of their functions. However, this can lead to unnecessarily broad access rights. This increases the risk of fraud within the company.
3. As cloud usage increases, the clarity of ownership and risk exposure blurs.
The increasing use of cloud solutions brings additional security challenges, as all of these solutions have very different security concepts. Access control solutions are often unable to perform a comprehensive access risk analysis for cloud solutions. It is therefore essential that security teams are aware of the security protocols for all the solutions used in their organization and have the resources to manage them effectively.
SAP is offering customers incentives to transition to SAP cloud hosting via RISE. Soterion also sees challenges ahead in terms of ownership and responsibilities for various activities: from basic system administration to security between SAP and RISE customers.
4. The emergence of the hybrid IAM/GRC model.
When weighing up the benefits of Identity and Access Management (IAM) and Governance, Risk and Compliance (GRC) solutions, more and more organizations will consider a hybrid model that leverages the strengths of both systems.
While there are IAM solutions for managing identities in an IT environment that enable workflows, provisioning and user access, many of these solutions are not able to analyze SAP access at a detailed or technical level or assess the risk impact of assigned roles. To define business roles, organizations may therefore be inclined to consider GRC solutions that are better able to display detailed risk information.
Soterion's report highlights the fact that migrating to SAP S/4HANA is not just a technology upgrade, but also a significant shift in processes and control. It is therefore critical that organizations using SAP put security at the heart of project planning and execution so that business users can navigate the future of their SAP environments securely and responsibly.
Download the Soterion trend report here.
An advertorial by: