Secure SAP Concur with Effective Access Governance


Securing SAP Concur: Protecting Your Expense Data and Bottom Line with Access Governance
Is Your Company's Concur Data a Security Soft Spot?
When you think about your company's identity security posture, where do "expense reports" rank on your list of concerns? It's understandable if they're not top-of-mind, as priorities often focus on protecting customer data or mitigating ransomware attacks.
However, your company's expense management system – specifically, SAP Concur – can represent a significant vulnerability if not properly secured. Concur handles sensitive financial data, employee Personally Identifiable Information, and travel itineraries. This makes it a valuable target for bad actors seeking access to your organization's financial and operational data.
SAP Concur itself incorporates security features. However, simply having access controls is not equivalent to actively governing access. Relying solely on built-in safeguards is often inadequate in today's threat landscape. A proactive and comprehensive access governance solution is critical to ensure that the right individuals have the right access for the right business purposes and only for the duration necessary.
This guide provides an in-depth look at the risks associated with access security in SAP Concur. It offers practical strategies to reduce those risks. We will deconstruct the security model, highlight common vulnerabilities, and demonstrate how to implement strong access governance capabilities to safeguard your company's data and security.
Understanding the Landscape: Concur's Role in Your Security
A. An Overview of SAP Concur's Access Security
SAP Concur provides integrated travel, expense, and invoice management solutions. While SAP Concur offers a range of access security features, using them effectively requires careful configuration and ongoing attention. Key areas include:
Encryption: Concur encrypts data both in transit and at rest. However, the strength of this protection is contingent on proper key management practices and adherence to data security policies. Weak encryption algorithms or poorly managed encryption keys can negate the intended security benefits.
Multi-Factor Authentication (MFA): MFA adds a critical layer of security by requiring users to provide multiple authentication factors (e.g., password and a one-time code from a mobile app). However, consistent enforcement is key.
Single Sign-On (SSO): SSO simplifies the login process by allowing users to access Concur and other applications with a single set of credentials. However, vulnerabilities in the SSO implementation can expose Concur to security risks.
Mobile Security: The Concur mobile app includes security features such as PIN protection and remote wipe capabilities. However, these features are only effective if users keep the app updated, enable PIN protection, and promptly report lost or stolen devices.
Access Lockout: Automatic account lockout after multiple failed login attempts is a basic security measure to prevent brute-force attacks. However, it can also cause frustration for legitimate users who forget their passwords.
The Nitty-Gritty of Access Management in SAP Concur
Effective access management is fundamental to your identity security. SAP Concur's access complexity stems from its user permissions, data protection mechanisms, and resource access controls. A well-defined and consistently enforced access governance strategy is essential to strike a balance between strong data security and seamless user productivity.
A. Roles and Responsibilities
Role Hierarchy
Roles in Concur operate hierarchically. A user assigned to multiple roles inherits the highest permission level associated with those roles. For example, a user with both the "User Admin (Read Only)" role and the "Employee Administrator" role effectively operates with the privileges of the "Employee Administrator" role. This creates the need for careful role design and assignment to avoid unintended privilege accumulation.
Methods of Role Assignment
By User Name: Administrators can assign roles directly to individual users. This method is suitable for managing access for specific individuals with unique requirements.
By Role: Administrators can assign a specific role to multiple users simultaneously. This is efficient for managing access for groups of users with similar responsibilities.
Group-Aware Roles: Some roles are "group-aware," meaning administrators must specify one or more groups when assigning these roles. This allows for control over access within larger organizations, enabling the segmentation of responsibilities based on group membership.
Types of Roles
1. Administrative Roles
Role Administrator: Grants comprehensive access to the User Permissions menu and modules, including Expense, Invoice, and Request. This role possesses extensive privileges and should be tightly controlled.
Permissions Administrator: Manages user permissions but with a more limited scope than the Role Administrator. This role is suitable for delegating permission management responsibilities while maintaining a degree of control.
Password Manager: Enables password updates without granting other administrative privileges. This role provides a secure way to delegate password reset responsibilities without exposing sensitive data.
2. Functional Roles
Roles such as "Travel Policy Administrator," "Billing Administrator," and "Request Configuration Administrator" are tailored to specific operational needs. These roles allow administrators to delegate responsibilities for managing specific aspects of Concur functionality.
3. Approval Workflow Roles
Approvers are assigned based on predefined workflows. These roles determine who reviews and approves expense reports or requests at various stages. Approval workflows must be properly configured, and approvers should have the appropriate authorization levels.
Key Roles to Monitor
Role Administrator: Full access to User Permissions, Expense, Request, and Reporting. Consider this the "keys to the kingdom" role.
Permissions Administrator: Controls access to the User Permissions menu. Crucial for maintaining the principle of least privilege.
Request Configuration Administrator: Manages request features. While seemingly innocuous, this role can significantly impact workflow security.
Password Manager: Resets passwords without full admin rights. Useful but a potential attack vector if compromised.
API Scopes: The Integration Frontier
If you are integrating Concur with other systems (which is common), you will interact with API scopes. These scopes define the level of access granted to external applications. Examples include:
- `identity.user.ids.read`: Allows read-only access to user IDs.
- `identity.user.core.read`: Allows read-only access to core user profile information.
- `identity.user.core.sensitive.read`: Allows read-only access to sensitive user profile information (e.g., Social Security Number). Exercise extreme caution when granting this scope.
- `identity.user.enterprise.read`: Allows read-only access to enterprise-specific user data.
API scopes are only as secure as your API security practices. Implement strong access security mechanisms, regularly audit API access, monitor for suspicious activity, and follow the principle of least privilege when granting API scopes.
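The role hierarchy rule (a user holding several roles operates at the highest level) and the least-privilege guidance for API scopes, as an added example that is not part of the original article: a small review script over constructed role assignments and integration scope grants. The role names and scope strings are the ones the article lists; the numeric privilege ordering, the user names and the integration records are assumptions for illustration.

```python
# Added example, not SAP Concur's own code: a least-privilege review over
# constructed role assignments and integration API scope grants.

# Assumed ordering of the roles named in the article; a user assigned to
# several roles effectively operates at the highest level among them.
ROLE_LEVEL = {
    "User Admin (Read Only)": 1,
    "Password Manager": 2,
    "Request Configuration Administrator": 3,
    "Permissions Administrator": 4,
    "Employee Administrator": 4,
    "Role Administrator": 5,
}
# The "key roles to monitor" from the article.
KEY_ROLES = {"Role Administrator", "Permissions Administrator",
             "Request Configuration Administrator", "Password Manager"}
# Scope the article says to grant with extreme caution.
SENSITIVE_SCOPES = {"identity.user.core.sensitive.read"}


def effective_role(roles):
    """Return the highest-privilege role, i.e. the level the user really has."""
    return max(roles, key=lambda r: ROLE_LEVEL[r])


def review_user(user, roles):
    """Flag shadowed (redundant) lower roles and any monitored key role."""
    findings = []
    top = effective_role(roles)
    shadowed = sorted(r for r in roles if ROLE_LEVEL[r] < ROLE_LEVEL[top])
    if shadowed:
        findings.append(f"{user}: {shadowed} shadowed by '{top}'; prune them")
    for r in sorted(roles & KEY_ROLES):
        findings.append(f"{user}: holds monitored role '{r}'; recertify")
    return findings


def review_integration(name, granted, required):
    """Flag scopes granted beyond the integration's declared need,
    and any sensitive scope regardless of need."""
    findings = []
    excess = sorted(granted - required)
    if excess:
        findings.append(f"{name}: excess scopes {excess}; revoke")
    for s in sorted(granted & SENSITIVE_SCOPES):
        findings.append(f"{name}: sensitive scope '{s}' granted; justify")
    return findings


if __name__ == "__main__":  # constructed sample records
    users = {"alice": {"User Admin (Read Only)", "Employee Administrator"},
             "bob": {"Role Administrator"}}
    for u, roles in users.items():
        print("\n".join(review_user(u, roles)))
    print("\n".join(review_integration(
        "hr-sync", {"identity.user.ids.read", "identity.user.core.sensitive.read"},
        {"identity.user.ids.read"})))
```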
Real Risks: Common Vulnerabilities in SAP Concur
Relying solely on SAP Concur's built-in security measures can create a false sense of security. Recognizing potential weaknesses is crucial for proactively strengthening your defenses and reducing access security risks.
Cloud Complexity: Concur's reliance on AWS introduces inherent complexity. While AWS provides a secure infrastructure foundation, you are responsible for properly configuring and managing security settings within that environment. Misconfigurations in areas such as IAM, network security groups, and storage permissions can create significant vulnerabilities.
Software Vulnerabilities: Past vulnerabilities such as Log4Shell in Log4j serve as a reminder that software vulnerabilities are inevitable. Staying current with patching and updates is an ongoing imperative. Establish a rigorous vulnerability management program that includes regular scanning, patching, and monitoring.
Mobile Device Risks: Lost or stolen mobile devices remain a persistent threat. While remote wipe capabilities exist, their effectiveness depends on the device being online and properly configured.
Human Factor in Access Mismanagement: Access mismanagement, where users have excessive or inappropriate permissions, is a pervasive problem. This often results from outdated roles, inadequate access review processes, or a failure to adhere to the principle of least privilege.
Level Up Your Defense: Why You Need a Proactive Access Governance Solution
To effectively secure SAP Concur, a proactive approach to access governance is essential. This goes beyond basic access management practices. While features like role-based access control, encryption, and multi-factor authentication provide a foundational layer of security, they do not adequately address the dynamic risks inherent in complex environments and modern business operations. You must actively govern access through continuous monitoring, automated remediation, and access policy enforcement.
The Shortcomings of Basic Access Management Tools
Even the best access management tools have limitations. They automate processes and enforce policies, but they require manual oversight, configuration, and adaptation. These tools often lack continuous monitoring, analytics-driven insights, and fine-grained visibility.
Role Creep and Permission Glut: Over time, users accumulate unnecessary permissions. Without a governance solution to monitor, prune, and recertify permissions, your attack surface increases.
Orphaned and Stale Accounts: Accounts belonging to former employees or vendors remain active due to deficient offboarding processes.
Excessive Permissions: The principle of least privilege should be the foundation of your information security program. Continually adjust permissions to ensure they are just enough for users to perform their duties.
Manual Oversight Challenges: Poorly designed workflows or outdated policies can lead to improper provisioning or de-provisioning of access rights. Manual oversight can be error-prone and resource-intensive.
Why Access Governance Matters
Access governance transcends basic access management by introducing proactive measures like continuous monitoring, automated policy enforcement, and streamlined remediation workflows.
Automated Risk Mitigation: Automate the continuous identification of risks such as Segregation of Duties (SoD) violations, excessive permissions, inactive accounts, and unauthorized access attempts.
Comprehensive Visibility: Gain a unified, real-time view of who has access to what across all systems – cloud-based and on-premises.
Streamlined Compliance: Meet regulatory requirements such as SOX, GDPR, PCI DSS, and HIPAA through strict control over user access. Automate certification processes, generate audit-ready reports, and enforce policies consistently.
Dynamic Role Management: Enable agile and dynamic role design. Evolve roles based on actual usage patterns rather than static assumptions.
Seamless Integration: Integrate with your entire IT ecosystem – including legacy systems, cloud applications, and databases – ensuring consistent policies, controls, and visibility across all environments.
Addressing Common Pain Points
Access governance tackles challenges that traditional IAM tools cannot address, such as:
Reducing Noise in Alerts: Intelligently prioritize alerts based on risk levels, user behavior, and contextual factors.
Streamlining Recertification Campaigns: Provide automated, ad-hoc certification campaigns that are quick to launch, easy to manage, and deliver comprehensive audit trails.
Automating and Improving Offboarding Processes: Ensure that access is promptly revoked across all systems and applications.
Proactive Governance: The Key to a Secure SAP Concur Environment
To effectively secure SAP Concur, adopt a proactive approach to access governance that goes beyond basic access management practices. You need to actively govern access through continuous monitoring, automated remediation, and access policy enforcement.
By implementing an advanced access governance solution that enables dynamic role management, seamless integration across systems, and streamlined control efforts, you can effectively protect sensitive expense data, reduce potential threats, and maintain strong security.
Ready to Discuss Elevating Your SAP Concur Security?
Don't leave your organization exposed to unnecessary risk. Contact us to discuss a personalized security assessment and discover how our access governance solutions can help you gain enhanced visibility and granular control, and ensure the long-term security and compliance of your SAP Concur environment.