Debunking Access Control Myths

We’ve found access control myths at every organizational level and across hundreds of conversations, pilots, and implementations. When these myths go unchallenged, they wind up costing money and time. These myths are most often believed by companies that do not understand their risk appetite, fail to apply their understanding of acceptable risks to their access management function, or fail to appreciate what their SAP environment already offers. With so many different approaches to risk management, it can be hard to sift out the truth from the hearsay. Here is a list of five myths to avoid that often lead to inefficient compliance practices.

Myth 1: Every Risk Needs to Be Explicitly Mitigated

In an ideal world, every risk would be mitigated, but assigning mitigations means allocating time, personnel, and ultimately funding to manage them. Organizations can avoid overspending on mitigations by first classifying each segregation of duties (SoD) rule based on the risks involved in breaking the rule and then focusing on conflicts involving high-risk rules. A simple conversation between internal audit and business managers using a well-written rule set can help the organization identify which rules can be ignored and which rules (along with the conflicts that are revealed by their application) should not be excused.

Myth 2: All Access Risks Are Equally Likely

Access risks are neither equally severe nor equally likely. An SoD conflict that exists but that has not been exercised does not carry the same risk as a conflict that has been exercised by a user. Evaluate how you determine the likelihood of risk due to SoD conflicts, and before you focus on hypothetical SoD risks (a conflict that has not been exercised), focus first on conflicts that are being exercised.

Myth 3: Compromised Roles Are a Necessary Evil

Allowing SoD conflicts to exist within a single role can cause recurring issues, create unnecessary risk, reduce productivity, and hinder organizational change. Based on business needs, a user may sometimes be approved for an SoD conflict, but that conflict should not be contained within a single role. Consider redesigning role management processes and the role architecture to circumvent conflicts.

Myth 4: You Need a Separate Environment for Controls

An enterprise’s existing SAP environment is the best place to run its controls platform. It’s less costly, since no new hardware needs to be purchased or rented from a cloud vendor. More important, it inherits the service level agreement (SLA) investments made for the SAP ERP platform, so it will perfectly match your SAP systems for availability, performance, security, and disaster recovery. Furthermore, data security and data refresh issues tied to user access reporting are no longer a problem because analysis is done directly against production data. User data is never cached and never exported.

Myth 5: Compliance Requires Significant Resources

Enterprises will sometimes delay improvements to their current access management processes because they think significant improvements will be costly, complicated, or require broad, cross-functional support. However, delaying quick incremental investments protracts inefficient processes, hampers career development, and prolongs audits. In today’s market, many modular access management tools running inside SAP ERP applications can be deployed in a day with out-of-the-box controls built on industry standards, providing immediate support for almost any preexisting process. These solutions are stable, scalable, and usually can be efficiently built out to meet enterprise-specific customizations in less than a week.

To avoid misunderstandings about compliance, enterprises must evaluate their risk appetite and ensure their compliance programs are based on a shared understanding of how to prioritize risk management. Failure to achieve a shared understanding can lead to acting on myths, inevitably resulting in overspending, misuse of resources, and compromised security. While every enterprise differs in their compliance requirements, no program should be undertaken without qualified and competent auditors. To learn more about compliance myths, visit our blog at https://bit.ly/2cRFXV3 or www.securityweaver.com.