Why security and controls in ERP implementations

Security and controls ERP implementation
Security and Controls in ERP projects

Why you should review your security and controls before ERP implementation

Cloud transformations are happening at incredible rates. According to Gartner, the shift to the cloud will drive $1.3 trillion in IT spending this year. Organizations are moving to the cloud with the hopes that they will reduce costs, increase agility, and improve profits. However, moving to the cloud presents challenges that must be overcome before the organization can realize the full benefits of cloud transformation, and, more often that not, security and controls are often overlooked.

In part one of our cloud transformation series, we discussed the differences and considerations between on-premise applications and the cloud. In this blog, we will take a deeper dive into managing security and controls risks and solutions that can manage those risks throughout the entire lifecycle of your cloud application.

Why you need access governance for security and controls


Access governance aims to reduce the risks associated with excessive access privileges to company resources. Access governance has become necessary as organizations move to the cloud to comply with regulations and strategically manage risk. The Identity Management Institute explains that access governance is concerned with managing risks and ensuring compliance consistently, efficiently, and effectively.

On-Prem vs. cloud

Setting and upholding access governance is particularly important when moving to the cloud because of the architecture's complexity and the many nuances in how roles interact with each other when combined. For example, the “Finance Manager “ job role may consist of four application roles in Oracle ERP Cloud. When these roles are combined, they have inherent SoD conflicts. These differences between on-premise and cloud make role analysis much more challenging. Identity access governance tools will help you identify potential inherent conflicts or excessive access. In the cloud, it is especially important to understand: 

  • How roles are configured, and
  • What access they grant, especially when combined with other roles

This level of understanding requires a significant effort and investigation into the role, its entitlements, and its privileges. But without a thorough understanding of each role, you could be using a toxic combination of roles with excessive privileges, creating risk.

How identity access governance can help


Effective identity access governance should be one of the enterprises' biggest security concerns when moving to the cloud. Implementing an identity access governance solution in the beginning stages of your move to the cloud can help ensure that your security and controls are embedded into your security model and business processes.

A platform such as SafePaaS can eliminate the challenges described above by allowing the design, creation, and simulation of roles while providing cross-application segregation of duties controls. Once the roles are created, user certification and access recertification are ongoing tasks in the cloud. If you're using ServiceNow or any other provisioning system, one of the challenges is that they're based on catalogs. If you are using a catalog for your on-prem solution, you must create a Cloud ERP catalog as part of your cloud go-live. That catalog is typically at the abstract role level (AP Manager, Systems Administrator, etc.). For example, the Finance Manager may have four different roles in Oracle Cloud ERP: payables, inquiry, AR inquiry, and GL. And then, there are data groups and contextualized access by business units. 

Data access challenges posed by a new security model in the cloud and complex regulations require organizations to manage identity lifecycles and create data groups to limit access to company resources. Access constraints in on-premise applications are now data groups in cloud applications that limit what a user can see. These data constraints construct the context of your data. SafePaaS can orchestrate identities across the enterprise to ensure proper governance in the cloud and use those security models to cross-link them when the user receives an action or violation, whether an SoD or provisioning request. You can see the complete picture in SafePaaS and pull data from its various sources to create a clear vision of your access architecture. With SafePaaS, you will know how access was requested, approved, certified and how it was granted in Cloud ERP. This visibility eliminates one of the significant audit findings for cloud customers: provisioning systems that do not cross-check for SoD conflicts. Identity access governance can help you during your cloud implementation by proactively managing risk and making your entire operation more sustainable. 

If your provisioning system only checks for SoD conflicts in one application or business system, it's not providing the complete picture. To solve that problem, SafePaaS built a platform with eight different integrations. These integrations create a converged IAM solution that takes away years of effort and cost. If you're considering moving to the cloud, this is one component of risk in your project that you can eliminate by adding the automated capabilities of SafePaaS. Or, if you're already live and operating your business on the cloud, you can reduce the risk of audit findings and remediation if you ensure that your provisioning system sends fulfilment requests that are SoD tested across all applications and infrastructure. Cross-checking all end-points for SoD conflicts across the organization provides auditors with the assurances they need, and your enterprise needs to ensure risk is mitigated. Converged Identity access governance solutions should consistently apply access request policies to ensure that the access requested is the access that is provisioned. If access requests are not fulfilled according to policies, it can create gaps and chaos, especially in the cloud, because you have limited ability to query data. 

Access governance and user access are incredibly complex and critical in managing security risks in cloud transformations. However, technology is integral to success and should be correctly leveraged to support an organization’s security objectives and strategy. Effective access governance also requires granting and removing access, detecting suspicious activities, and keeping unauthorized users out of the systems. Flexible technology and automation can help organizations achieve operating efficiency and optimal security.

Case Study

In this case study, our customer is a legacy on-premise user moving to Oracle Cloud ERP. The client has a complex application environment with hundreds of applications and vertical solutions. They currently use Microsoft Azure as their IDM solution and ServiceNow for IT service management.

The customer was struggling with user access certification across the enterprise and used a manual, error-prone process to perform the certification process. The customer wanted a policy-based access control solution that could provide fine-grained visibility and integrate with their current applications, including Microsoft Azure, ServiceNow, and Oracle ERP Cloud.

SafePaaS was able to pull source data from the Cloud, vertical solutions, and applications to extract security model information from a legacy IGA and ServiceNow to achieve consolidated identity orchestration. With a consolidated identity orchestration solution in place, the customer could perform user access certification to validate the access levels of each employee. 

After integrating the customer's cloud, vertical solutions, and applications, user access certification is now performed in SafePaaS by opening a ticket in ServiceNow. Once access is granted, revised, or removed, the ticket is closed in ServiceNow. During the fulfilment cycle, the process owner receives a notification from SafePaaS via another interface providing clear, complete details for the security control. The end-to-end user access certification is entirely automated, providing all the details of which accesses should be removed. You also have details of which tickets were actioned. So, it's a one-stop shop as an audit platform. And that's what the market is demanding. The adoption of the cloud is creating new challenges. Other integrated systems need to be incorporated into key controls. And SafePaaS can work closely with internal audit, compliance, and control teams to perform these integrations.

Recommended Reading 

Converged IAM

Converged IAM - Identity security in the cloud

Today’s digital world revolves around technology, and technology revolves around identity. By 2025, Gartner estimates that 70% of Identity Access Management adoption will be through converged IAM platforms.

SafePaaS Blog Box

PBAC Access Governance

As organizations adopt an increasing number of business applications along with the expansion of data sources and devices, security risks are growing at unprecedented rates. Identity Governance and User Rights Management are more complex and the security design can impede the benefits of a modern digital business platform.

Fine-grained Access Certification

Considerations when selecting ERP Security Solutions

ERP is at the heart of your organization. Given the complexity of ERP, protecting them from both internal and external threats is a challenge without the right solutions, know-how and expertise in place.