The global and independent platform for the SAP community.

With Industry 4.0, safety quickly falls by the wayside

A few years ago, I checked the authorization concept of a plant manufacturer with several thousand employees - and what did I find? The buyers of one plant could trigger payment runs in the other plants of the company.
Bernd Israel, Sivis
July 13, 2017
It Security
avatar
This text has been automatically translated from German to English.

In the case of the plant manufacturer, this combination of authorizations came about as a result of a historically grown authorization concept in which roles were always inherited and enriched with additional transactions.

Unfortunately, this approach is still common practice at many companies today and makes it easy for employees to enrich themselves at the expense of their own company.

Good SAP authorization management counteracts this. It reduces the risk of unauthorized access to critical data in SAP systems.

An up-to-date authorization concept is essential for data protection in companies and organizations. It shows who has access to which data in the company.

A sophisticated authorization concept also takes into account employee substitutions during illness and vacation. It takes into account the transfer of employees to other departments - or their departure. New users are automatically integrated into the authorization concept.

But another development worries me much more. New IT trends such as mobile devices and associated applications are thwarting the issue of security in companies - from the ground up.

Here, I am primarily alluding to direct networking at the device level through IoT and Industry 4.0. You have to imagine that: Suddenly, even devices are given access rights to personal data and process it automatically.

Everyone is talking about Industry 4.0 - and everyone wants to jump on the bandwagon. However, the issue of safety can quickly fall by the wayside.

In IT security, it is also increasingly important to check whether employees are really using their authorizations appropriately and not misusing them.

The German Federal Office for Information Security (BSI) addresses the topic of SAP role and authorization concepts in its IT basic protection catalog, which I can only recommend every IT manager to read.

The need for particularly careful assignment of critical authorizations and regular review of the existing role and authorization concept is explicitly pointed out here.

But how can this be implemented as simply as possible in day-to-day business? And what about critical authorization combinations, i.e. two authorizations that only become critical when assigned together?

The be-all and end-all here is a well thought-out authorization concept. Every CEO should ensure from the outset that no risks arise from the combination of authorizations.

Sensitive authorizations should only be assigned if absolutely necessary. SAP users can use the DSAG audit guide as a guide here. An internal control system (ICS) is also beneficial.

Changes, for example, can be automatically documented in a complete and traceable manner, provided that the SAP authorization system is completed with functions or tools from third-party providers.

Ideally, it should be possible to simulate the effects of assigning new authorizations in advance of going live. Only in this way can typical conflicts be detected and eliminated automatically and in good time.

Furthermore, all roles and authorizations can be checked in this way periodically or on an ad hoc basis without much effort. And one more thing is close to my heart: Your company will additionally benefit if you also re-evaluate the consequences of data outflows when implementing new compliance requirements for your authorization management.

Because these cause ever higher costs, as the 11th current Data Breach Study by Ponemon proves. According to the study, the total cost of data breaches in companies in twelve industrialized countries has risen from $3.8 million to $4 million.

Whether your company's authorization concept can withstand these many threat situations is something you should take a close look at sooner rather than later.

avatar
Bernd Israel, Sivis

Formerly Head of Point of Business at T-Systems Switzerland, Bernd Israel is now Managing Director of Sivis.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.