Founder & CEO of ERP Maestro. Jody is a trusted advisor and security thought leader who is a CISSP, a CISA, and former director of KPMG. Follow him on Twitter @JodyCPaterson.
How SAP’s Digital Transformation Impacts Access Controls
This article originally appeared on e3zine in July 2019.
With all of the talk about SAP S/4 Hana migrations, one thing often gets lost in the conversation. What happens to access controls in this digital transformation and migration to S/4 Hana?
Unequivocally, SAP has made some big strides in digital transformation with the powerful combination of the new Hana database and its latest iteration of ERP, S/4 Hana. Leveraging big data is a major component of digital transformation, and SAP has hit the mark with faster processing and analysis due to the Hana in-memory database and S/4 digital core. However, with all of the talk about S/4 Hana migration, one thing often gets lost in the conversation. What happens to access controls and GRC in this digital transformation and migration to S/4?
Additional access control migration
For organizations that use SAP’s Access Controls (SAP GRC) and intend to keep using it, an additional migration is required from GRC 10 to GRC 12. With S/4, however, some functionality that used to reside within SAP’s ECC ERP, such as HR and supply chain, now sits outside of the S/4 Hana digital core in the form of cloud apps like SAP SuccessFactors, SAP Concur, SAP Ariba and SAP Fieldglass.
To have access controls and visibility into access risks beyond the digital core and across the cloud application ecosystem, users of GRC 12 will also have to implement SAP’s Identity Access Governance (IAG) solution, which serves as a bridge for the on-premise GRC 12 solution. This bridge enables connection to, and access analysis of, the applications external to the digital core.
What happens after GRC 12?
SAP has said that GRC 12 is not going away. However, another source reports that end of maintenance for GRC 12 will be as soon as December 31, 2024, meaning only a four-year gap between end of life for GRC 10 in December 2020 and end of life for GRC 12.
Access control on parallel path with digital transformation
SAP customers want to take advantage of the existing and growing number of cloud applications within SAP’s ecosystem, as well as those external to it that connect to S/4 Hana, while keeping a cross-application view of access risks across all systems in the enterprise. They need to think about how to do that as simply and cost-effectively as possible.
In a perfect world, there would be a future-proofed solution that could eliminate the upgrade trap so that customers can be assured that wherever SAP takes its ERP in the future, access controls go right along with it without additional migrations and fees. The good news is that in the real world today, such solutions do exist and can be implemented quickly, even in less than 60 minutes.
It’s a common best practice for an organization to deploy a compatible security solution alongside any new system it installs, so that it stays protected before, during and after implementation. Access controls are internal security measures that protect against the increase in fraud and the growing number of internal attacks. Companies considering or in the process of a move to S/4 Hana should be choosing their internal controls solution at the same time.
They need to weigh the options: implement two additional SAP solutions to handle access risk management and accept the ambiguity over what will change in those solutions in the years ahead, or step outside of SAP and select a future-proofed cloud solution that eliminates the continuous upgrade cycle for the long haul.