With Industry 4.0, safety quickly falls by the wayside
In the case of the plant manufacturer, this combination of authorizations came about as a result of a historically grown authorization concept in which roles were always inherited and enriched with additional transactions.
Unfortunately, this approach is still common practice at many companies today and makes it easy for employees to enrich themselves at the expense of their own company.
Good SAP authorization management counteracts this. It reduces the risk of unauthorized access to critical data in SAP systems.
An up-to-date authorization concept is essential for data protection in companies and organizations. It shows who has access to which data in the company.
A sophisticated authorization concept also takes into account employee substitutions during illness and vacation. It takes into account the transfer of employees to other departments - or their departure. New users are automatically integrated into the authorization concept.
But another development worries me much more. New IT trends such as mobile devices and associated applications are thwarting the issue of security in companies - from the ground up.
Here, I am primarily alluding to direct networking at the device level through IoT and Industry 4.0. You have to imagine that: Suddenly, even devices are given access rights to personal data and process it automatically.
Everyone is talking about Industry 4.0 - and everyone wants to jump on the bandwagon. However, the issue of safety can quickly fall by the wayside.
In IT security, it is also increasingly important to check whether employees are really using their authorizations appropriately and not misusing them.
The German Federal Office for Information Security (BSI) addresses the topic of SAP role and authorization concepts in its IT basic protection catalog, which I can only recommend every IT manager to read.
The need for particularly careful assignment of critical authorizations and regular review of the existing role and authorization concept is explicitly pointed out here.
But how can this be implemented as simply as possible in day-to-day business? And what about critical authorization combinations, i.e. two authorizations that only become critical when assigned together?
The be-all and end-all here is a well thought-out authorization concept. Every CEO should ensure from the outset that no risks arise from the combination of authorizations.
Sensitive authorizations should only be assigned if absolutely necessary. SAP users can use the DSAG audit guide as a guide here. An internal control system (ICS) is also beneficial.
Changes, for example, can be automatically documented in a complete and traceable manner, provided that the SAP authorization system is completed with functions or tools from third-party providers.
Ideally, it should be possible to simulate the effects of assigning new authorizations in advance of going live. Only in this way can typical conflicts be detected and eliminated automatically and in good time.
Furthermore, all roles and authorizations can be checked in this way periodically or on an ad hoc basis without much effort. And one more thing is close to my heart: Your company will additionally benefit if you also re-evaluate the consequences of data outflows when implementing new compliance requirements for your authorization management.
Because these cause ever higher costs, as the 11th current Data Breach Study by Ponemon proves. According to the study, the total cost of data breaches in companies in twelve industrialized countries has risen from $3.8 million to $4 million.
Whether your company's authorization concept can withstand these many threat situations is something you should take a close look at sooner rather than later.