Application GRC: Why Point Solutions Are Not the Answer
Earlier in my career, I held several positions, inside and outside of the Big 4, where I was relied upon to manage or respond to an organization’s IT audit. It wasn’t too far into my career when I had one of those “a-ha” moments that altered the course of my work in this industry and changed my mindset as to how I would dedicate my efforts moving forward. I noticed that auditors are well trained at finding problems, and in rare cases some of them are even adept at providing solutions. However, I continually observed their inability to see the forest for the trees, which has caused so many companies to fall short of truly tackling the problems at their doorsteps with inspired vision. Too often companies put band-aid solutions on their deficiencies instead of trying to apply a systemic, process-related solution.
It isn’t necessarily the auditor’s fault that a company doesn’t find a way to improve its processes or design controls that will ensure the successful execution of a process’s intended design. For decades, organizations have focused on getting over the low bar the auditor has decreed to be the minimum passing grade. For years, organizations have let their auditors dictate what should be considered important without ever taking the time to define what’s important on their own. You may be reading this thinking that’s not true about your company, but in my experience it probably is: your company is focused more on meeting minimum standards than on developing mature programs that improve the company’s ability to protect against and respond to cybersecurity events, whilst remaining agile enough to adapt to unexpected nuances that could alter its projections or the achievement of its goals.
It often doesn’t take very much to derail the mechanisms put in place to help a company stay on track towards achieving its goals. A smart company has used a risk-based approach to analyze what could go awry for each business activity within the critical processes designed to help the company meet its objectives. A recent study showed that almost 75% of all frauds committed at over $1M had some internal involvement. I would venture to guess that many of the companies subject to this fraud believed their control environments were effective. Yet fraud still happened. Why? Is it about culture? Must we expect that there are always going to be a few bad apples? Were their controls ineffective? Was their approach to security to respond instead of to prevent? Were controls only applied to a subset of the critical applications as point solutions? Were controls only effectively evaluated when auditors came at the end of the year instead of continuously throughout the year? There are probably signs that each of these reasons is partially to blame. What can a company do to avoid these mishaps going forward, by efficient and cost-effective means, when that company doesn’t really know the full extent of its security posture in the first place? How can a company effectively take compliance issues and elevate them to business risks in order to avoid fraud?
Developing mature security programs
There are a lot of different capability maturity models (CMMs) out there that a company can use as a roadmap for improving and maturing its security programs. The key is putting the program in place and having appropriate governance that not only guides these programs but also legitimizes them and provides tone-from-the-top support. For many companies, this starts with understanding their “As-Is” processes across the several information security domains. Before a company can understand where it would like to be tomorrow, it needs to make an exhaustive assessment of where it is today. To get where you want to go, you always need to know your starting point. Sounds simple, but you would be surprised at how few companies have performed exhaustive risk assessments across their enterprise, and more surprised by the number of companies that have performed such assessments and have done little to address their vulnerabilities months after the assessments were performed. An example of a capability maturity model is provided in the figure below.
Mature programs are in a constant state of optimizing their controls to prevent cybersecurity events from happening. Immature programs are most often reacting to findings or events. They respond to audit comments by purchasing point solutions to rectify exceptions on an ad-hoc basis. Rarely do you see these organizations building IT programs with steering committees and built-in governance activities aimed at going beyond minimum standards or passing grades for the various regulatory initiatives.
How Saviynt can help
Solutions such as the one offered by Saviynt can be very effective in accelerating a company’s maturity level for these domains and can drastically improve an organization’s security posture in mere months. The controls bulleted below show the capability of the solution to provide comprehensive coverage for multiple IAM, SoD and regulatory-compliance-specific controls. Most organizations tackling these issues today have required multiple products to assemble a comprehensive solution. Now there are options that provide all of these controls within one product, reducing the administration burden and closing the cross-application gaps that appear when point solutions are used to solve a systemic problem.
Here are some of the key areas where a product such as Saviynt can help improve information security process capability maturity by enhancing the overall security posture, not just meeting the compliance checklist:
SOD AND CRITICAL ACCESS ANALYSIS AND REMEDIATION
- Companies struggle to improve their ability to analyze critical access and segregation of duties (SoD) conflicts for their critical business processes across the entire enterprise. As many business processes are moved to niche applications in the cloud, companies continue to struggle and their access governance controls remain immature. Tools are purchased as point solutions for specific applications, but none of these solutions provide a holistic look at access across applications or across the entire enterprise. Saviynt offers an extensive library of SoD and critical access rule sets across a multitude of applications (e.g. SAP, SAP HANA, Oracle EBS, Oracle ERP Cloud, PeopleSoft, JD Edwards, Microsoft Dynamics GP, Workday, Salesforce, Epic, etc.) and can be customized to govern access for custom applications as well. There is no other product in the marketplace that can singularly address SoD analysis for as many applications or across applications within one product, making Saviynt the most mature solution in this space. Read Gartner’s 2017 Market Guide for SOD Controls Monitoring Tools to see how Gartner recommends Saviynt for organizations looking for a centralized SoD controls monitoring approach with advanced role mining and user provisioning requirements across multiple ERP platforms and complex authorization systems, including SaaS applications (Gartner login required).
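The cross-application point above is easiest to see in code. The following is an added illustration, not Saviynt’s or any vendor’s code: application-specific entitlements are mapped onto business functions, an SoD rule set is expressed as conflicting function pairs, and the same rule set is run once per application (the point-solution view) and once over the identity’s entitlements aggregated across all applications. All application names, entitlement names and accounts are constructed sample data.

```python
from collections import defaultdict

# Constructed mapping: (application, entitlement) -> business function.
# A real program maintains this per connected application.
FUNCTION_MAP = {
    ("erp", "AP_VENDOR_MAINT"): "create_vendor",
    ("erp", "AP_INVOICE_ENTRY"): "enter_invoice",
    ("erp", "AP_PAY_RELEASE"): "approve_payment",
    ("bank_portal", "WIRE_APPROVER"): "approve_payment",
    ("hr_cloud", "EMPLOYEE_MAINT"): "create_employee",
    ("hr_cloud", "PAYROLL_ADMIN"): "change_payroll",
}

# Constructed SoD rule set: pairs of functions one person must not hold together.
SOD_RULES = {
    "SOD-AP-01": ("create_vendor", "approve_payment"),
    "SOD-AP-02": ("enter_invoice", "approve_payment"),
    "SOD-HR-01": ("create_employee", "change_payroll"),
}

# Constructed account extracts from three applications: (identity, app, entitlement).
ACCOUNTS = [
    ("alice", "erp", "AP_VENDOR_MAINT"),
    ("alice", "bank_portal", "WIRE_APPROVER"),
    ("bob", "erp", "AP_INVOICE_ENTRY"),
    ("bob", "hr_cloud", "EMPLOYEE_MAINT"),
    ("carol", "hr_cloud", "EMPLOYEE_MAINT"),
    ("carol", "hr_cloud", "PAYROLL_ADMIN"),
]


def functions_by_identity(accounts, scope=None):
    """Aggregate business functions per identity; scope=app restricts to one application."""
    held = defaultdict(dict)  # identity -> function -> {(app, entitlement), ...}
    for ident, app, ent in accounts:
        if scope and app != scope:
            continue
        fn = FUNCTION_MAP.get((app, ent))
        if fn:
            held[ident].setdefault(fn, set()).add((app, ent))
    return held


def find_conflicts(accounts, scope=None):
    """Return sorted [(identity, rule_id, evidence)] for every violated SoD rule."""
    hits = []
    for ident, fns in functions_by_identity(accounts, scope).items():
        for rule_id, (a, b) in SOD_RULES.items():
            if a in fns and b in fns:
                hits.append((ident, rule_id, sorted(fns[a] | fns[b])))
    return sorted(hits)
```

Run per application (scope="erp" or scope="hr_cloud"), the ERP extract shows no conflict for alice at all; only the enterprise-wide run pairs her vendor-maintenance role in the ERP with her wire-approval role in the bank portal and raises SOD-AP-01.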
PRIVILEGED ACCOUNT AND EMERGENCY ACCESS MANAGEMENT
- Companies are still tackling the challenge of managing privileged access. It has been hard to find a mature solution that fits more than just one or two of the products that exist across their enterprise. Saviynt provides a mature solution to manage emergency, break-glass procedures across multiple applications and provides time-bound, on-demand privileged access without having to add more point solutions to satisfy requirements. Additionally, when privileged access is granted, Saviynt can provide visibility into the activities transacted under it, giving assurance that inappropriate activities were not performed, and can alert control owners in case of failure so that the process is not reactive and evaluated only months later. Emergency procedures can be tied in with change management processes, all within one tool, to help manage this highly sensitive process.
TRANSACTION AND CONFIGURATION MONITORING
- Companies continue to struggle with configuration changes and transaction analytics for processes that may span multiple applications. As with many of the other controls mentioned in this paper, companies continue to rely on point solutions to provide the insight needed to better control highly sensitive transactions and configurations. Tools that offer cross-application analytics require complete data dumps and analysis in another tool, making the process cumbersome and tedious. Saviynt provides a mature solution with several analytics that give insight into multiple applications at a time and can easily be customized to provide preventive transaction monitoring of the kind that is typically available only through detective reports or audit logs. Fraud risk assessment analytics and basic transactional analytics are provided in real time for process owners to assimilate and act on.
- Companies are improving their ability to provision and govern identities with point solutions for the applications that get tested for regulatory initiatives; however, they are still struggling to implement a process and solution that solves this problem systemically, and therefore their processes remain immature. Companies are challenged to implement a solution that can govern identities and access to critical data and processes across the entire enterprise, whether in the cloud or on-premise, for critical applications or for user-intensive applications. Saviynt has enabled several organizations to manage access across scores of applications within their enterprise and to solve maturity challenges across the entire enterprise by making the process repeatable and more consistent.
RISK-BASED ACCESS CERTIFICATION
- Companies continue to struggle with access certifications. Immature processes create hours of intensive overhead to achieve compliance. Companies struggle to create user access lists, identify the appropriate role or process owners, archive email-based approvals, and avoid rubber-stamping across their enterprise. With Saviynt, organizations no longer worry about managing spreadsheets through large email campaigns or about where to find approvals in order to certify access, as it is all performed within Saviynt.
To catapult an organization’s capability maturity across information security domains, organizations are demanding solutions that address several control objectives in a cost- and time-effective manner. Costly point solutions that address only a portion of an organization’s enterprise are quickly fading and paving the way for comprehensive solutions such as the one provided by Saviynt.