Ensuring SOD Compliance in your Hybrid Ecosystem

Your organization is constantly growing and evolving. Whether through mergers and acquisitions or implementation of best-of-breed technologies, organizations of today are required to manage a diverse set of applications – sometimes each with their own unique security model. Having the appropriate tools in place to ensure Segregation of Duties compliance in your hybrid ecosystem helps protect you from compliance violations, fraud or the misappropriation of financial statements while better securing your data. 

Why Organizations Struggle Managing Segregation of Duties in Hybrid Ecosystems

As organizations undertake digital transformation initiatives, they can open themselves up to a variety of new risks. While ERP vendors like SAP and Oracle have developed their own GRC solutions to manage security and compliance risks within their ecosystems, organizations have struggled to extend these risk management capabilities beyond a limited set of core applications. With the current trend of business processes spanning multiple applications, both in the cloud and on premise, auditors are requiring companies to understand and mitigate potential SOD violations they may have across applications. In addition, management is struggling to get a clear view of security risks across the entire enterprise, hindering their capability to make effective investment decisions.    

Heterogeneous IT Architecture

Whether through M&A activity or digital transformation initiatives, IT departments are burdened with managing an ever-expanding heterogeneous IT environment both on premise and in the cloud. This diverse ecosystem of IT applications may have different security models, protocols, integration capabilities or account naming conventions making the job of a Security and Compliance Analyst next to impossible. Trying to manage SOD and sensitive access risk across these different applications can be a daunting task and may even require the help of experts familiar with each individual technology.  It is critical to have the capabilities to take a standardized approach with a tool flexible enough to meet the requirements of a multitude of different technologies. 

Lack of Centralized Identity Governance Capabilities

Identity Governance and Administration (IGA) solutions can provide a centralized view of what a user has access to in applications across the enterprise. In most cases, an organization’s current IGA initiatives lack the proper visibility into the complex security models of applications to effectively manage application security risk. For example, these systems may lack visibility into what Transaction Codes and Authorization Objects make up a role in SAP, or what Security Classes and Security Points are included in Templates in Epic.

Mission Critical Access

In most organizations, there is a tendency to over-provision users with more access than may be required in order to minimize disruptions to the business. They have a job to do at the end of the day. This can happen for a number of reasons, including but not limited to the following:

  • A difficult to understand application security design
  • Overly broad Role-Based Access Control model
  • Rarely used Administrative privileges assigned to a user’s everyday account
  • Lack of controls to remove legacy access upon job changes or an insufficient user access review process

Without the proper tools in place to identify potentially risky access assignments, it can be hard to determine where to start.

The Cloud Accelerated Silos of Data

Some applications provide their own stand-alone governance solutions required for customers to meet compliance requirements. This vendor-specific solution approach has created silos of security and governance-related information that prohibits management from gaining a holistic view of access-related risk across the enterprise. This problem has been exacerbated by the emergence of the Cloud. The number of IT applications has increased dramatically because the Cloud allows business users to easily procure SaaS applications with just a credit card. In addition, as companies migrate workloads to cloud providers like AWS, Azure and GCP, it can be hard for organizations to gain visibility into these environments and manage access control related risks effectively.

Helpful Tips for SOD Compliance in Your Hybrid Ecosystem 

As you face these new identity access challenges in a hybrid environment, consistently managing access control risks across the enterprise is more important than ever. Standardizing your enterprise risk management processes allows you to identify SOD and sensitive access violations within all of your applications and even identify risks in business processes that can span multiple applications. The following are some tips to help manage application security risk in a hybrid environment.

Implement a Modern IGA Platform

Implementing a modern IGA platform is critical in order to efficiently manage application security risks in hybrid IT environments. An Identity Governance and Administration solution enables you to have a single source of truth for what access a user has in applications across the enterprise by correlating accounts in disparate systems that may have different user ID naming conventions to one authorized identity. In order to properly manage SOD risks from an IGA solution, it is critical to ensure that the platform has the capability to consume the full entitlement hierarchy from connected applications and define SOD and Sensitive Access Rulesets that include these fine-grained entitlements (for example, Transaction Codes and Authorization Objects in SAP or Security Classes and Security Points within Epic).
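The correlation and fine-grained evaluation described above can be sketched as follows. This is an added example, not code from Saviynt or any IGA product: the account exports, role names, the "bankportal" application, and the use of a normalized e-mail address as the correlation key are all assumptions made for illustration. Evaluated at role level, none of these accounts shows a conflict; the violations only surface once roles are expanded into their entitlements and joined per identity.

```python
from collections import defaultdict
# Constructed sample data: account exports from two apps with different user ID conventions.
ACCOUNTS = [
    {"app": "sap", "account": "JDOE01", "email": "Jane.Doe@example.com", "roles": ["Z_AP_CLERK"]},
    {"app": "bankportal", "account": "jane.doe", "email": "jane.doe@example.com", "roles": ["PaymentApprover"]},
    {"app": "sap", "account": "RROE02", "email": "rick.roe@example.com", "roles": ["Z_AP_CLERK", "Z_AP_PAY"]},
    {"app": "bankportal", "account": "svc-batch", "email": "", "roles": ["PaymentApprover"]},
]
# Entitlement hierarchy: role -> fine-grained entitlements (SAP transaction codes here).
ROLE_CONTENT = {
    ("sap", "Z_AP_CLERK"): {"FK01", "FK02"},        # create / change vendor
    ("sap", "Z_AP_PAY"): {"F110"},                  # payment run
    ("bankportal", "PaymentApprover"): {"payment.release"},  # hypothetical permission
}
# Ruleset: a risk fires when one identity holds an entitlement from each side.
RULESET = [
    {"risk": "Maintain vendor and release payment", "criticality": "Critical",
     "side_a": {("sap", "FK01"), ("sap", "FK02")},
     "side_b": {("sap", "F110"), ("bankportal", "payment.release")}},
]
ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def correlate(accounts):
    """Join accounts to one identity by normalized e-mail; return (identities, orphans)."""
    identities, orphans = defaultdict(set), []
    for acct in accounts:
        key = acct["email"].strip().lower()
        if not key:
            orphans.append((acct["app"], acct["account"]))  # uncorrelated: needs manual review
            continue
        for role in acct["roles"]:
            for ent in ROLE_CONTENT.get((acct["app"], role), ()):
                identities[key].add((acct["app"], ent))
    return identities, orphans

def find_violations(identities, ruleset):
    """Return violations sorted by criticality, flagging those that span applications."""
    found = []
    for ident, ents in sorted(identities.items()):
        for rule in ruleset:
            a, b = ents & rule["side_a"], ents & rule["side_b"]
            if a and b:
                found.append({"identity": ident, "risk": rule["risk"],
                              "criticality": rule["criticality"],
                              "cross_app": len({app for app, _ in a | b}) > 1,
                              "entitlements": sorted(a | b)})
    return sorted(found, key=lambda v: ORDER[v["criticality"]])

IDENTITIES, ORPHANS = correlate(ACCOUNTS)
VIOLATIONS = find_violations(IDENTITIES, RULESET)
```

The account left in `ORPHANS` matters as much as the violations: access that cannot be tied to an identity is invisible to every rule in the ruleset.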

Regularly Review Business Risks and SOD Rulesets

As new applications are introduced into your environment through digital transformation or M&A activities, do not forget to take the time to evaluate the impact to risks within your business processes. Time and time again I have witnessed organizations fail to allocate sufficient resources to security and controls in new implementations only to have to spend more time and effort to address these concerns at the last minute in a less efficient manner.

Leverage the resources available to you and use out-of-the-box SOD and sensitive access rulesets provided by your vendors, consulting partners or system integrators. However, remember that these rulesets are not one size fits all and must be customized to your specific business processes and incorporate any customizations that you may have in the application. Be sure to hold formal workshops with key business process owners to review high level risk definitions, identify any missing or unique risks and define the criticality of each risk to your specific business. This step is crucial because it allows you to efficiently allocate resources during remediation activities.

Make sure to take a step back and identify any potential SOD risks that may span multiple applications or business processes. It may be beneficial to include risk management professionals or consultants in this ruleset review process because they can bring a wealth of experience and project accelerators to make this exercise more impactful. 

Enable the Business to Take Ownership

At the end of the day, the business is responsible for any potential SOD or sensitive access risks within their business processes. The IT department plays a very important role by providing technology solutions to manage application security risk and helping the business representatives translate risk definitions into technical security permissions within each application. An IGA solution should allow organizations to define application or entitlement owners and easily incorporate them into governance processes.

In order to take full advantage of a governance solution, all entitlements that are assigned to users should have owners defined and those owners should be responsible for maintaining relevant metadata. At a minimum, this entitlement metadata should include a risk criticality and a business-friendly description. A governance solution should allow business owners to easily view who has access to their Information assets and remove unwanted users quickly. In my experience meeting with business process owners, they always desire this capability, but it is up to IT to enable them to take ownership.

Manage and Remediate Access Risk Violations

Managing and remediating SOD violations is an ongoing process and not just a one-time effort. Risk owners should be defined, and processes should be formalized to alert them when new risk violations are identified. 

By customizing the risk criticality to match your organization’s business processes (Critical, High, Medium, Low), you can more efficiently focus resources on remediating the most critical risk violations first. Another very important activity is working with internal audit to document mitigating controls and ensuring that they are uploaded into the Governance platform. SOD and sensitive access violations should be remediated in a systematic fashion and may require different actions depending upon the particular situation. Risk violations can either be remediated by removing unnecessary access assignments, making adjustments to the security design or a combination of these items. All other high-risk items should have an approved mitigating control documented.

Incorporate Identity Risk Analytics into Business Processes

One of my biggest takeaways from Gartner’s latest IGA Magic Quadrant (2019) was that companies who focus on Governance and Identity Analytics to perform cleanup activities first will be more successful and show a better ROI than organizations focused on automating provisioning activities. I could not have agreed more. I have always believed that organizations should focus on removing excessive access assignments and cleaning up your application security design prior to investing money into automating provisioning activities. Without performing these cleanup activities, you will just increase your risk exposure at a much faster pace.

Once all of your data has been aggregated into one platform, risk signatures like SOD violations and Outlier Access can be incorporated into the User Access Review process. A very common issue we hear from customers is that Reviewers experience an overload of information during the Access Review process. I have seen a lot of success in driving better behavior from reviewers during this process (don’t just “select all – approve”) by including risk analytics with business-friendly descriptions and entitlement criticalities.

Why Saviynt? Assured Compliance-as-a-Service for SOD Management

Saviynt’s Governance solution provides a platform for organizations to manage SOD compliance across your hybrid ecosystem. Not only can organizations manage SOD and Sensitive Access risks within their main ERP systems (i.e. SAP or Workday), but they can identify and manage risks that span multiple applications (Cross Application SOD violations).

We provide customers with a single pane of glass to view and manage application security risks across the entire Enterprise. This allows them to move away from siloed Governance platforms that struggle to extend visibility outside their technology stack. Our goal is to provide “Assured Compliance-as-a-Service” from one platform that spans legacy technologies (yes, even mainframes), Cloud applications like Workday or Salesforce, collaboration suites like Office 365 or Box and even public cloud infrastructure providers like AWS, Azure, GCP, Alibaba and IBM. The Saviynt platform is designed to be delivered from the Cloud, thus allowing your organization to forget about managing a large on-premise infrastructure footprint and focus on providing value to the business by executing on your governance and compliance goals.

Fine-Grained Entitlements

Today’s Enterprises require both IGA and GRC (SOD management) capabilities to meet compliance requirements in hybrid environments. There is a clear trend in the Industry where these two markets are converging. I believe that fine-grained SOD Management capabilities will be available in most IGA solutions in the future because they (should) have all of the data. Identity Governance and Administration products are developing tight integrations and go-to-market strategies with GRC vendors when unable to provide fine-grained SOD capabilities. GRC vendors are adding traditional IGA capabilities and leveraging 3rd parties to build integrations to other applications outside of their technology stack. Saviynt has had this vision since the beginning and has purposefully built our platform to be flexible enough to consume multiple complex application security architectures regardless of the technology vendor.

Saviynt’s Control Exchange

Saviynt’s Control Exchange is a library of out-of-the-box SOD rulesets and continuous controls that customers can leverage when deploying our solution. Saviynt provides SOD rulesets for all of the major applications including SAP, Epic, Oracle EBS, Oracle Cloud, Workday, Microsoft Dynamics, PeopleSoft and Infor to name a few (this is not an exhaustive list). You can also easily import any existing SOD rulesets that you may have, customize our out-of-the-box rulesets or create new risks from scratch.

SOD Workbench

Saviynt’s SOD workbench provides a single place to manage risk violations for all applications across the Enterprise. From this workbench users can filter or search for specific SOD violations, apply mitigating controls, view violation details, and remove unwanted entitlements causing the SOD violation. Saviynt also provides dashboards to quickly give a high-level view of the health of your application security risks.

Cross-Application SOD

Because Saviynt integrates with your HR system(s) and correlates all of the accounts a user has in applications across the enterprise, Saviynt provides the capability to identify SOD violations across multiple applications.

Risk-Based Access Request System

Being able to seamlessly include a preventative risk analysis before an end-user even submits an access request is a key feature in any Identity Governance solution. Saviynt provides the capability to identify a number of different risk factors during the access request process including SOD violations, sensitive or privileged access and peer group analytics. The approval workflow can easily be set up to route the request differently based upon the risk posture of the access request.

To summarize, organizations today are saddled with hybrid IT environments and are struggling to manage application security risks across the varying technologies. Saviynt can help provide a platform to standardize your risk management activities by managing SOD violations across the Enterprise regardless of the technology vendor.

For more information about how Saviynt can streamline your SOD compliance, contact us today or request a demo.

Connor Hammersmith

About author

Connor is the Application GRC Lead on Saviynt’s Solutions Engineering team. He specializes in helping customers solve complex Identity, Security, and Governance related problems. In the past, Connor was in professional services advising clients on their IAM and Governance programs while leading teams implementing IGA and GRC technologies, remediating segregation of duty risks, and designing application security in ERP environments. His experience has helped him advise customers on how best to integrate their IGA and GRC programs to design more efficient risk based Governance processes.
