Solved: SoD problems during S/4 migration
The agricultural company U.S. Sugar cultivates sugar cane, citrus fruits and sweet corn and processes them for well-known American brands. As part of the migration to SAP S/4 Hana, the company was looking for a solution to check segregation of duties conflicts for its approximately 2,500 employees. It chose to work with Pathlock, the global market leader for access governance and application security. A success story.
Companies increasingly rely on a mix of on-premises and cloud applications for their business processes. As networked applications spread, whether in procurement, accounts payable/receivable or customer relationship management, security risks rise with them. This applies in particular to segregation of duties (SoD) conflicts. To counter current and future SoD risks, companies need a cross-application view of their access management, one that covers cloud applications as well as securing and monitoring on-premises applications.
Matthew Miller, Senior Director of IT Business Solutions & Benefits at U.S. Sugar, took the upcoming S/4 Hana migration as an opportunity to introduce measures in good time to prevent the SoD risks that had grown over time and were exacerbated by the hybrid system landscapes. In its search for a way to monitor compliance, resolve SoD conflicts and document controls, the company compared numerous alternative solutions with the result that Pathlock's software suite covered exactly what was required.
One advantage of the Pathlock solution is that it offers predefined, quickly customizable and dynamic SoD rules for almost all leading business applications. U.S. Sugar's goal was to tailor the proven Pathlock rules and implement them together with an effective alerting system: one that enforces user rights, either applies the necessary corrections or provides control mechanisms, and allows an immediate reaction to violations.
Early detection of SoD risks
U.S. Sugar IT first compared its own segregation of duties conflicts from previous years with the risk classifications of Pathlock's predefined rules and regulations. The results were then analyzed for their relevance to the company's accounting and finance departments. As a result, company-specific risk classifications were adjusted, criticalities of authorizations were removed or lowered and others were added or raised.
Finally, all identified conflicts rated as highly critical were reviewed individually, and either compensating controls were set up in the system or the problematic user rights were removed from the roles altogether. With the adapted Pathlock Suite rules and the automation of the processes, the aim was not only to maintain the newly achieved status quo, but also to identify potential SoD risks in future before new authorizations are granted.
Comprehensive security checks
What U.S. Sugar particularly liked about the Pathlock Suite was that the software not only fulfills all operational and legal requirements, but is also extremely user-friendly. Pathlock identifies potential SoD risks when a new access request is made, at the time of granting and also during the review cycles.
As a result, U.S. Sugar is now able to detect SoD violations at an early stage and initiate appropriate control measures in situations where immediate remediation is not possible. In addition, user accounts, permissions and data are linked and analyzed across all business applications, making it easier to manage SoD conflicts. Thanks to cross-application interfaces, CRM applications such as Oracle's PeopleSoft could also be seamlessly integrated into the new compliance process.
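To make concrete what the two preceding sections describe, the tailoring of a predefined ruleset (re-rating, removing and adding rules), the preventive check when an access request is raised, the detective check during a review cycle, and the linking of entitlements across applications, here is a small SoD engine in Python. It is an added example for this article, not Pathlock's code or rule content; the rule IDs, activity names, users, entitlements and the compensating control are all constructed sample data, and the two-activity rule model is a deliberate simplification of what a commercial suite does.

```python
from dataclasses import dataclass
from collections import defaultdict

# Activities carry application-neutral names (e.g. "vendor.maintain"); each user
# entitlement records which application grants the activity, so one rule can be
# evaluated across SAP, PeopleSoft and any other connected system at once.


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    activity_a: str
    activity_b: str
    risk: str         # "HIGH", "MEDIUM" or "LOW"
    description: str


@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    risk: str
    via: tuple        # ((app, activity), (app, activity)) that together violate the rule
    mitigated: bool   # True when a compensating control is registered for user + rule


# Constructed stand-in for a vendor-supplied base ruleset (hypothetical IDs and ratings).
BASE_RULES = [
    SodRule("SOD-001", "vendor.maintain", "payment.release", "HIGH",
            "create a vendor and release payments to it"),
    SodRule("SOD-002", "po.create", "goods_receipt.post", "MEDIUM",
            "order goods and confirm their receipt"),
    SodRule("SOD-003", "journal.post", "journal.approve", "HIGH",
            "post and approve the same journal entry"),
    SodRule("SOD-004", "user.maintain", "role.assign", "LOW",
            "create users and assign them roles"),
]


def customize_rules(base, risk_overrides, removed, added):
    """Company-specific tailoring: re-rate, drop or add rules before they go live."""
    rules = {r.rule_id: r for r in base if r.rule_id not in removed}
    for rule_id, new_risk in risk_overrides.items():
        r = rules[rule_id]
        rules[rule_id] = SodRule(r.rule_id, r.activity_a, r.activity_b, new_risk, r.description)
    for r in added:
        rules[r.rule_id] = r
    return rules


def find_conflicts(user, entitlements, rules, controls):
    """Return every rule the user's combined cross-application entitlements violate."""
    by_activity = defaultdict(set)                     # activity -> {app, ...}
    for app, activity in entitlements:
        by_activity[activity].add(app)
    findings = []
    for rule in rules.values():
        apps_a = by_activity.get(rule.activity_a)
        apps_b = by_activity.get(rule.activity_b)
        if apps_a and apps_b:                          # both halves held, possibly in different apps
            via = ((sorted(apps_a)[0], rule.activity_a), (sorted(apps_b)[0], rule.activity_b))
            findings.append(Finding(user, rule.rule_id, rule.risk, via,
                                    (user, rule.rule_id) in controls))
    return findings


def evaluate_request(user, current, requested, rules, controls):
    """Preventive check at request time: only the conflicts the new entitlement would introduce."""
    before = {f.rule_id for f in find_conflicts(user, current, rules, controls)}
    after = find_conflicts(user, current | {requested}, rules, controls)
    new = [f for f in after if f.rule_id not in before]
    blocked = any(f.risk == "HIGH" and not f.mitigated for f in new)
    return new, blocked


def review_cycle(all_entitlements, rules, controls):
    """Detective check: unmitigated findings per user for the periodic access review."""
    report = {}
    for user, ents in all_entitlements.items():
        open_findings = [f for f in find_conflicts(user, ents, rules, controls) if not f.mitigated]
        if open_findings:
            report[user] = open_findings
    return report


# Constructed sample data: tailored rules, entitlements across two systems, one control.
RULES = customize_rules(
    BASE_RULES,
    risk_overrides={"SOD-002": "HIGH"},                # raised after the company's own review
    removed={"SOD-004"},                               # judged not relevant to finance here
    added=[SodRule("USS-001", "weighbridge.adjust", "cane_payment.release", "HIGH",
                   "adjust delivered cane weight and pay the grower")],
)
ENTITLEMENTS = {
    "alice": {("sap", "vendor.maintain"), ("peoplesoft", "payment.release")},  # cross-app conflict
    "bob":   {("sap", "po.create")},
    "carol": {("sap", "journal.post"), ("sap", "journal.approve")},
}
CONTROLS = {("alice", "SOD-001"): "monthly vendor-master change review by the controller"}

if __name__ == "__main__":
    for user, findings in review_cycle(ENTITLEMENTS, RULES, CONTROLS).items():
        for f in findings:
            print(f"{user}: {f.rule_id} {f.risk} via {f.via}")
    new, blocked = evaluate_request("bob", ENTITLEMENTS["bob"], ("sap", "goods_receipt.post"),
                                    RULES, CONTROLS)
    print("bob request blocked:", blocked, [f.rule_id for f in new])
```

Two design points matter for the review described in the article. `evaluate_request` reports only conflicts that the requested entitlement introduces, so a user who already carries a mitigated conflict is not re-blocked for it; and the review cycle lists only unmitigated findings, because a conflict with a registered compensating control is precisely what the auditors are shown as accepted risk rather than as an open violation.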
No fear of the audit
This not only eliminates the need to work with spreadsheets and test samples, but also the need for external consultants, reducing both risk and effort. In addition, detailed reports ensure that every step is documented, which makes regular audits much easier. Matthew Miller emphasizes how much more relaxed his team now is about the annual audits, knowing that they can present the auditors with system-generated reports and proof of compliance, including a list of all compensating controls, at the touch of a button. Thanks to the high level of automation, the audit as a whole now runs much more smoothly.
Risks during the S/4 migration
Today, Matthew Miller sees the use of the software suite as a decisive factor in the successful transition. The changeover to SAP S/4 Hana was the perfect opportunity to take measures that protect the company even better against risks from critical user authorizations in the future. Even where no segregation of duties conflict is involved, it is crucial for his company to monitor who has access to critical transactions. U.S. Sugar therefore also uses Pathlock's Superuser Management, so that all activities carried out by privileged users are monitored, fully documented and made available for review.
Seamless SoD analyses
The importance of cross-application SoD is currently being demonstrated for U.S. Sugar by the acquisition of a refinery in Savannah that uses PeopleSoft. With the Pathlock Suite, says Matthew Miller, it is now possible to incorporate its security rules into a centralized reporting system. This enables analysis that identifies segregation of duties conflicts across the board, and, where SoD risks cannot be eliminated ad hoc, finds a suitable compensating control.
Pathlock's solutions offer a dashboard-based display of the current risk status, including cross-application SoD analysis. The use of pre-configured and customizable Pathlock rules and regulations eliminates the need for spreadsheets, test samples and external consultants, thus reducing not only risks but also the resources required. The automated SoD and risk analysis as well as the automated reporting for all common business applications enable the legal requirements to be met easily and quickly, whether SAP ERP, S/4, cloud applications or non-SAP IT systems.
In this way, companies can use a central, user-friendly platform to identify, quickly resolve and continuously monitor segregation of duties conflicts across their entire application landscape. Such a strategy stands up to all audits and forms a solid basis for GRC.