Detecting Threats in Oracle ERP Cloud
Organizations are embracing the capabilities of Oracle ERP Cloud at an unprecedented pace. However, many fail to realize the price they will pay for failing to manage the associated security risks.
Cloud introduces new threats that businesses are unaware of, and as a result they are experiencing exploits targeting known vulnerabilities in ERP cloud applications.
Join thought leaders Jeff Hare and Donna Curtis of ERP Risk Advisors and SafePaaS' Adil Khan as they discuss the top 5 threats to Oracle ERP Cloud and how you can address them with risk solutions, security, and controls.
Transcript
Emma: Hello everyone, and welcome to today's session, Detecting Threats in Oracle ERP Cloud. I'm delighted to be joined by veteran industry experts today from ERP Risk Advisors, Jeff Hare and Donna Curtis, along with SafePaaS CEO Adil Khan.
So just a few housekeeping items before we jump into the session. The session will be recorded for on-demand viewing and all attendees are on mute. We'll hopefully leave some time at the end of this session for Q&A. So, feel free to pop those questions into the control panel for our speakers.
This is the agenda we'll be following today. So we'll start off with some very brief introductions for those of you who don't know us, followed by our top five threats and solutions, and please do stick around until the end as we do have a complimentary offering for all attendees today.
So let's dive right in, Jeff.
Jeff: Well, welcome, everybody. My name is Jeff Hare. I am CEO and founder of ERP Risk Advisors. ERP Risk Advisors is a risk content company; we look and feel a lot like a risk advisory firm, but we have some proprietary methodologies around implementing and evaluating.
So securing access controls, we can get into it a little bit later, but rules, roles, reports and learning, lots of learning for companies that are interested in this as well, on the administrative side and the audit side. So, excited for the topic today, and I'll turn it over to Donna to introduce herself.
Donna: I'm sorry, I didn't realize I was introducing myself! I'm Donna Curtis. I've been working with Oracle for about 20 some, I won't date myself, 20 some years, working with cloud for about 7, 8 years now. My area of expertise is Role Design, and controls, and whatever Jeff tells me he needs me to do. So, yeah, that's who I am.
Emma: Thanks for that, Donna.
Adil: Yeah, thank you, Jeff and Donna. I'm Adil Khan, founder and CEO of SafePaaS.
We're really delighted to have a great panel today and all of you attending.
So, yeah, I mean, most of you follow us, so you know who SafePaaS is and my personal experience. I wrote a book called Governance Risk and Compliance Handbook for Oracle Applications many years ago now, almost a decade ago.
And I've been involved with Jeff for many years, and Oracle user groups, and so forth.
Just communicating the importance of internal controls governance.
It's really been since 2002, since Sarbanes-Oxley. My background is in finance and technology, enterprise technology specifically around Oracle. So, yeah, obviously, Oracle Cloud is a really important topic for our customers. SafePaaS provides a platform that helps you govern access across Oracle and all other major parts of your organization and infrastructure: cloud infrastructure, databases, provisioning systems, ITSM systems.
We go across the enterprise, and that's our mission, to help customers govern their enterprise better to reduce risk.
And, most importantly, audit findings, the knowing audit findings that take up a lot of your time. We're recognized by Gartner as one of the most complete platforms.
We work with all the major audit firms that are external auditors that view our results from SafePaaS and rely on those results.
We have over six million users that we monitor on our single platform. I think that makes us the most widely used platform for monitoring access for ERP systems in the market.
Emma: So, let's dive into this session, which is why everybody is here today. So top threat, number one, access risk. Jeff?
Jeff: All right, well, my favorite topic. We've been talking about this topic for a long time, since the beginning of Sarbanes-Oxley. Like Adil said, we've been around for a long time in this space. And the interesting thing about kind of looking at access control risks is the lack of maturity, I think, in some respects. Where the market, where the auditors and the implementers and the SI side sit related to this in terms of maturity, there are a lot of aspects of things that haven't matured as much as we would like to think they should have. I guess we're going on almost 20 years now since the onset of Sarbanes-Oxley.
So we typically see a lot of emphasis on segregation of duties conflicts. And those are what we think, what I traditionally think of as compliance risks. So it's looking at the separation of something like enter POs and goods receipts, or the entry of journals and the approval of journals. And those are all really important things to look at from a compliance perspective.
In modern ERP systems, like Oracle ERP Cloud, what we're seeing is there's a lot more automation of those separations through workflow processes. So if you're coming off, let's say, PeopleSoft, JD Edwards, or E-Business Suite or another kind of legacy on-prem solution, you're finding a lot more automation. And in the cloud, that's a lot of the value companies are getting out of implementing ERP applications into SaaS applications.
So the reality is, a lot of traditional SoD conflicts are remediated or mitigated through the implementation of workflow. Of course, you have to evaluate the design of the workflow processes. You've got to walk through and evaluate the configurations. There are cases where systems can be implemented to allow somebody to enter and approve their own transaction, whether that's a journal entry or a purchase order or an AP invoice. So, that does require a validation of those segregation of duties, those mitigating controls we talked about in your workflow. In many respects, I mean, although you have to really validate those and they are very important from a client's perspective, less of what we do today, compared to what we were doing 10 or 15 years ago, is focusing on segregation of duties.
A lot of what we do is look at sensitive access risks. Having the ability to be able to look at risks across all roles and for all users. So, like, we would look at who has the ability to enter and maintain purchase orders, or the ability to enter and maintain vendor master maintenance. And we're going to do that through a sensitive access risk evaluation. And traditionally, if you're thinking about somebody who has an SoD conflict to enter POs and enter goods receipts, you're ultimately normally going to remediate one side or the other. You're going to either remediate the enter PO side or the enter goods receipt side to be able to relieve the SoD conflicts. So when we take an approach for our clients, we may look at those sensitive access risks independent of, and really prior to, looking at SoD conflicts.
So, for example, if someone has vendor master maintenance that shouldn't, and they have vendor master maintenance that's in AP invoices, or vendor master in POs, if we look at enter vendor master maintenance, we're going to identify that there are people that potentially have unauthorized access to vendor master maintenance.
So, that's how we go about a lot of engagements. We say that we're a sensitive access risk organization first and an SoD conflict organization second. We have to get to SoD for sure, but we're solving most issues, and a lot of times what we identify through sensitive access risks is ineffective role design.
So, we're finding, like in ERP Cloud, there are lots of abilities within seeded roles that provide end users access to do things that they shouldn't, and those can only really be identified through a sensitive access assessment, and a very broad risk library, like our ERP Armor Risk Library for evaluating sensitive access roles.
The one challenge that lots of organizations have is the ongoing patch process, and Oracle continues to add risks and add new functionality into the application.
So, one of the challenges organizations have is just making sure that they consider that in their quarterly patch process. And they have a tool like SafePaaS to be able to evaluate SoD and sensitive access rights. And they can do that proactively during the quarterly patch process, and you really want to stay current with the risks being introduced. We're going to talk about, if we have time at the end of this session, a couple of new risks Oracle introduced in 23A. Donna has done some research on those, and we look for those kinds of new things on an ongoing basis as the patches come out. So we've already looked at 23A and have some comments on that.
So you'll want to make sure that you have not only a tool to evaluate those risks throughout the quarter, but during the quarterly patch process. And the ideal scenario is to get updates. Either do that internally, or you can rely upon a company like ours that does that for a living. And we're constantly looking at scanning for those and getting feedback from our customers on what they're seeing as well. So you can update those rules, and engines.
So if you're already using SafePaaS, that may be an enhancement for you. Or if you haven't, and you're wanting to implement a tool, you can implement the SafePaaS platform and work with us to be able to put a program in place to be able to evaluate on a one-time basis and a program that does it on a proactive basis, as we're going to talk about throughout the rest of this.
Privileged access risk. We kind of combine privileged access risk and sensitive access risk, in many respects, in the same assessment. They are looking at who has privileged access from an audit perspective, thinking more about the context of who has elevated access or administrative access. Certainly, that's the case for non-SaaS applications, where you're looking at who has OS access or database role access.
But there are definitely some privileged access elements within the application tier, and, frankly, it's kind of an art to define that. We probably extend that more broadly than most organizations do, because risk is risk. So, what we're trying to do through the privileged access assessment is make sure we've got a pretty good, comprehensive understanding of who has the ability to override controls and who would be considered administrative access.
So, those abilities are found in a lot of implementation roles, like the Application Implementation Consultant role, HCM implementation roles as well.
Those are definitely things you want to restrict. And, frankly, the challenge that lots of organizations have is the SI doesn't always guide the organizations through a good process of evaluating what those risks are going to be, or how they're going to be managed after go-live. And so, a lot of SIs will come in assuming that they're going to have full access to highly privileged roles like the EIC role, the Application Implementation Consultant role. So management really needs to, as part of the process of designing controls, design and define what they view as privileged access. And then often what we're seeing is a revalidation of users with those privileged access risks as part of the user recertification process on a monthly basis, as opposed to looking at the rest of the user population on a quarterly basis.
So, that's kind of a brief, high-level summary of access control risks. I know that Adil is going to share some information on how SafePaaS can be used to evaluate and mitigate these risks.
Adil: Yeah, thanks, Jeff. That's a great oversight on where to start for your program. And so, once you start with an expert like Jeff is, for many years we've worked together, as I said before, you'll get a list of, basically, key risks. Essentially a risk assessment. So, you'll know in your business by process; Jeff mentioned many of the key processes at the activity level. But if you think about your major, significant processes that support your business, record to report, source to pay, order to cash, et cetera, hire to retire, each of these processes has risks.
And where SafePaaS comes in, working with experts like Jeff, is to basically help you control that risk on a sustainable basis. Whether it's segregation of duties, privileged access, or sensitive access. We have the ability to create rules within the system, so we'll take the content Jeff's talking about that his company provides, and I would strongly recommend looking at that, because you can spend five, many years building some of this content. It's a very detailed process, because you've got to go down to the privilege level, you've got to understand the risk level for your company.
So, you start with that. We have the ability to take the content that Jeff has put together, or if you have content already that you want to start with, those are called access rules.
So we pull in those rules for sensitive access, privileged access and segregation of duties, and basically create a test environment. It will take a snapshot, a picture, essentially, of your current security configurations. We also support many security models. So Cloud is a unique security model with inherited risks as well.
So you have to be really careful that the tools you're using are not ignoring some of those inherited privileges, as that's something our customers have run into with, you know, some of the previous work they've done in this area, and have ended up with findings.
So, you really need to be careful when it comes to Cloud ERP; it's very different than E-Business Suite. Now, we do support E-Business and all the family of Oracle products, so we're not just limited to Cloud ERP, but that's our focus today.
So, that ability you're seeing in the first swim lane on the top box there, Application Security Model, that's what that means. We can take a hierarchical, or linear, or more complex network security model and configure that. It's pre-configured for all the tier one applications, but if you have a home-grown application, we configure that too. We pull in the rules from Jeff, map them into your environment, and then run a snapshot of your current security settings. Basically, that's the starting point of your control environment testing. So that takes, sometimes it's quick, a week, or a bit longer, a couple of weeks, depending on how complex your environment is. Then, we basically run through the SoD analysis, or sensitive access analysis, against whatever policies you have. And it spits out the violations, and then you have analytics capabilities within the platform. Instead of taking it down on very long spreadsheets, which I've seen; when Jeff and I started, it was that way. You know, looking at spreadsheets and going through a million or more lines. Because you have a permutation problem with these complex security models.
So a user may have access to many privileges through many roles. And that creates a number of iterations, which are paths, if you will, through which a user can violate a policy. And that creates some anxiety for folks that are responsible for remediation.
So, we provide the analytics to help quickly, for example, take out the false positives.
Let's say one of your business units is not currently in scope. You could do it as a separate test. I mean, obviously you care about all risks. But not all risk is equal, so you can look at your high-risk items, your mid-range at risk, low risk, and segregate that risk out by violations, right, so you can slice and dice the violation through analysis.
We also provide you the ability to validate that your security configurations are right.
Often I hear from customers, when they first look at results, is that, hey, we don't think we had that problem. Why are these users showing up there? For example, implementation folks: we didn't think they were going to get access to suppliers, but the first time you run it, you see that 100 people from your SI around the globe can have access to your supplier bank account, right. So, those are the kind of surprises that may come up when you first run the analysis. And you can validate that within our platform. We provide you all our security reports. You can see the hierarchies in a more organized way, because we come from that controls and governance perspective. So, we will give you all the level of detail that you sometimes don't get from the ERP system. Specifically, Oracle Cloud has great reporting, but not the reporting from an audit perspective. So, we provide you that audit-level reporting, and then you can apply corrective actions to really the areas where the risk is unacceptable. You cannot tolerate the risk; you may have to accept some risks because you have compensating controls, or you just have business constraints where you are forced to accept the risks and you have a negotiation with your audit.
So, there are a lot of flavors of risk remediation that I won't have time to get into here, but log in and I can talk to you more about it through a demo, or set up a demo for you. But, yeah, so there's global false positives. There are exceptions because of IT controls you may have in place, and there tend to be business constraints. And what's left over is really the corrective actions. The corrective actions also can be overwhelming.
If you try to do it in a spreadsheet, because you're passing around spreadsheets full of errors, and you may take away access from someone that's super productive, and they can't do their job anymore.
So, it needs to be really organized. So, what we have done is build workflows around all that. And we can assign, basically divide and conquer that problem by assigning out the corrective action responsibility to multiple owners of those activities or roles within your organization.
For example, if you're in the payables team, and you're the head of the payables team, a process owner, as we call it, you might get all the payables clerks and the payables supervisors across the globe, if you're a global company, or in your department, for a local company. And then, you'll be able to see, "OK, I want George to be able to pay the invoices, but not to create those invoices or approve them. And I want Mary to do that," so you'll be able to kind of do that in a simple, bite-size effort.
If you're a global company and you're spread out across many business units, you can see that the divide and conquer really works well through workflows. And so it speeds up your process, and you can stay compliant, and you can govern your enterprise better. Then your IT folks that are responsible, or your partners, in many cases managed service providers, are responsible for remediation or changing the roles themselves.
They can also use role tools that we have for simulating the changes, verifying that it is functionally useful, and also protects you against the policy violations, without ever having to touch your ERP system. We're all under extensive STLC controls right now and have been for many years. Especially with cloud, with all the cloning that has to happen every quarter with the patching. So, it's pretty tedious to just throw out a change into a role, straight into prod. But even that STLC cycle, let's say, I've seen an average of about six weeks of delay between when you decide that you want to make a change and when the users are actually using that change to reduce the risk. You have a quarter window to do all that work.
So, you can imagine the pressure our customers face, and by using this, you can really narrow down that six weeks into a few hours. And just, if you extrapolate that, you can calculate the ROI yourself, but it's definitely north of 300% or more. So that's where the value we bring in is, to help you streamline that process by taking the expertise that Jeff has, the technology that you have, and combining them into a process that is more sustainable, which you can monitor, and your control owners can be confident that their financial statements and disclosures, as well as their operations, are working in a manner that can be governed and aligned with your governance policies.
Emma: Top threat number two, insider threats.
Jeff: Yeah, great, great summarization of how technology can be of value to an organization. And I like how you tied in the challenge of the change management process, and as most people would probably come to logical conclusions on, it's always best to do role remediation, the role design, right at the front end. So, just before we move on to this next topic, I just want to make sure that people really understand that's not kind of the typical role for SIs. A lot of SIs, if they're going to do some role customization as part of the project, it's going to be thin, it's going to be light.
It's not going to be fully baked into the project plan, and there may not even be the budget or timeline in the project to have done most of the work that needs to be done.
As Adil pointed out, it's a lot more work to go through the change control process, and it's a lot more cost in the long run.
So just keep that in mind as kind of a, that's what we consider, like, a systemic challenge in the SI industry: they're not always transparent about the breadth of work that needs to be done to do the roles properly prior to going live.
And that kind of leads us to this next topic, which is insider threats. Insider threats are people that have access to something within an organization, ultimately, that they shouldn't have access to. Or it could be that they have authorized access to something, and they still pose a threat. So the way I always think about this, and I'll break this into two buckets, I'll talk about authorized users, then I'll talk about unauthorized users.
But just because you have users that are authorized, and you can verify that the access they have is what's intended, doesn't mean you don't have to have controls around them.
So, the obvious thing that probably most people understand, the context that people like to talk about a lot, is fraud risk and vendor master maintenance. So you could have a vendor master team, for example, that has end user access to be able to maintain vendors in the front end. There are kind of two different flavors of how controls were implemented, based upon either a workflow process or based upon a manual review of the audit logs related to vendor master maintenance, so those are two different types of controls.
In some cases, both a workflow-based process of onboarding suppliers and validating the data, and a manual process, is implemented or allowed within an application. So, it could be that your primary objective is to have suppliers set themselves up or go through, provide initial data for them. And then they're giving you, like, the W9 and bank account information on top of that. And there may be some vendors that need to be set up manually. And so you have a vendor master team that also has the ability to maintain vendors apart from what happens in the workflow. If that's the case, then you really have two different sets of risks, and two different sets of controls that have to be in place. And management may only look at this as one risk, but there are really two different processes that have to be managed separately. One would be validating the workflow design and process and making sure that doesn't change if it's deemed to be effective from a design perspective. And it's also then validating the data entry that is done manually through the applications by the vendor master group.
So, you have some insider threats there. And that's, you know, everybody saw the article this last week that came out from the Justice Department on the fraud committed at Amazon. But it was a fairly complex set of activities; it wasn't like one thing they did to be able to steal from Amazon. That was a significant amount of money. So, ultimately, when you're designing controls around things like vendor master maintenance, preventing fraudulent vendors, or trying to prevent unauthorized access to current vendors or unauthorized changes to current vendors.
That's a series of complex controls that access controls are a part of. It's a very critical part of it, but you have to make sure logging is enabled. You have to make sure logging is never disabled, and then you have to make sure that both workflow processes and the manual updates to those activities are also viewed as a risk and have a separate set of controls.
Now, another topic on vendor master maintenance is all the modern SaaS systems have integration abilities with other applications. So that's the benefit of, like, the modern SaaS platform. And modern systems in general, as they come pre-built to be able to do integrations with other ERP systems, whether it's off-the-shelf systems or custom systems within an organization. So they also come with APIs and web services, and other abilities to do back-end or mass updates to data. And that poses another set of risks altogether.
So, having said that, then our insider threat, we may have a group of users that have authorized access to all these activities. Yet, you still need to manage the risk even within that group. You can't just blatantly accept the risk; that's what Amazon did with their vendor master team. And they ended up getting bitten by that, to the extent of several tens of millions of dollars, I think it was, in that fraud.
Then there is one other scenario I want to present on insider threats before we get to the external threats in the next section. Another activity that gets performed on a regular basis is the mass update of either supplier data, bank account data, suppliers themselves, or maybe invoices. And that's through what we call import processes, or specifically, within ERP Cloud, FBDI import abilities.
Those things are used by the SIs as part of the implementation. So, they're used primarily for conversions. They can also be used to do manual interfaces of data on an ongoing basis, like, maybe, you're bringing on another company. You need to convert another series of suppliers, both the supplier and the supplier bank account, or maybe you don't have an integration set up with a major vendor and they're sending you invoices via spreadsheets that need to be uploaded. Those you have to think about and treat as a separate risk, with controls to be put in place, and that's part of what we do with clients: we help make sure that type of control is put in place as well. So, insider threats, I talked about those who are authorized users; obviously unauthorized users are insider threats too, or anybody else within the organization that has access to be able to do something that they shouldn't. And that's where it's important to have a tool to be able to evaluate that, and good content that knows the risks and can evaluate them.
So, across those categories like FBDI privileges, APIs, web services, end user UI, user interface type privileges, and that's what we do using a product like SafePaaS.
So, it's a great summary slide here. There is a lot of good information on the average cost of insider threats or fraud. And I guess I haven't really talked much about contractors, but you can appreciate the fact that insider threats are also people that have, quote, unquote, access within the organization. That may be contractors or consultants, and that's, I could probably talk about that for another half an hour.
So, I'm going to let Adil talk about how SafePaaS helps address these topics within their platform.
Adil: Thanks, Jeff. So, yeah, I mean, as I mentioned earlier in the introduction, SafePaaS is really an enterprise end-to-end identity lifecycle management solution.
So, we govern insider, external threats and all that, whether they're coming in through a registration process as third-party vendors, or they're your standard employee getting onboarded through an onboarding process, like an ITSM system like ServiceNow, whatever that might be. So, we're going to talk about a couple of controls that we have in SafePaaS that help you mitigate that threat. And it's very timely, because, you know, the Amazon example is very fresh in my mind, but I think we're seeing in general, as companies are concerned about recessions, they're having, especially in the tech industry, layoffs that you've all read about. Those are some of the symptoms or the trends that we have seen for many decades where insider threat just goes up.
So, if you haven't been thinking a lot about it, and you're concerned about it, this would be a good time to talk to Jeff and really dig into this topic on what he can do to help you really prevent, you know, something that is not just the fraud, but also reputational risk and stuff like that that gets out into the public. For example, we did another webinar with higher ed folks. So, for example, Yale University had situation last year around this time, where it was not as complex as the Amazon issue, but it was more about just taking the simple procure to pay cycle and not having any basic controls on who can create purchase orders and approve them and receive merchandise. I think Jeff touched on that briefly. So, you see, like, silly controls, us being controls folks.
It seems to us, like, obviously, some basic controls are missing in some very prestigious places that you will think of as very high reputational organizations. So, what we help you do is a couple of controls, I'll come back to this slide. One of them is to just monitor your activity and get the managers to certify, because as all organizations are becoming post COVID, more agile, more hybrid, we have this digital transformation that's going on in the tech world where everything is going on in the cloud, and today's topic is about Oracle ERP cloud. So many of you, they're using Cloud, does not include all your identities. Your Oracle ERP cloud will have majority of your identities but we also get involved with customers that are running Oracle Cloud infrastructure. They're doing some extensions, they're doing interfaces. So, there are many different ways the data slides into your organization, and that can become a red flag if it's not managed properly through identities.
So, the first swim lane, again, is very similar to the last one that I covered already that we have this technology called DataProbe. It can take the snapshot of your, identity - it can see across your enterprise. If you’re using Azure for authentication, Okta, or whatever you may be using. And then from there, using an ITSM system like ServiceNow, Remedy, to let users come in and request access, and then using Cloud ERP, or Workday, or some other ERP system, to conduct those transactions in CRM, that says Salesforce. So, all these systems, so now you have this, you know, a hybrid environment, and now you want to orchestrate governance across this enterprise.
So, to do that, you really have to take an end to end enterprise-wide approach. You can’t do it in silos, because one silo doesn't track what the next silo is doing. In other words, your Azure doesn't have all the information your Cloud ERP does, but you're using both systems, to rely on it.
So, a couple of problems happen. One of them is that you have that friction in the process itself. A bottleneck in the process so even for your normal course of business you have a friction, and we'll talk about a little later, but most importantly, you have a potential risk of a finding in your audit. Because, well, I've seen many times our customers are reporting that. Well, in Azure this user has these privileges and registration about the role and what they have in ServiceNow is a catalog which is an abstract version of what’s in Cloud, ERP. Cloud, ERP has all these detailed privileges, so how do I certify it? I have 300 different systems.
That's a typical example that we see among our enterprise customers: they have an IDM system, an ITSM system, and an ERP system, and all of these carry pieces of the identity information. So where do you start? So, what we do at SafePaaS is we're able to combine all that into common metadata, if you will, and then assign reviewers and approvers.
They will review that access on a periodic basis; most of our customers do it on a quarterly basis. If there are multiple applications, it becomes even more challenging, because they have to use a lot of manual labor to do all their scoreless reports and other spreadsheets and verify access, and spreadsheets are 90% incorrect, in my experience. And that's what the analysts are saying; I've done research on this. So, they end up pulling their hair out. And it becomes a very costly, error-prone process. So, what SafePaaS does, because it automates the process through DataProbe ETL, it brings in data from across the board; it creates an identity hub in that first swim lane. The second swim lane, it assigns users and approvers who can review that access. So, there is an intelligent assignment.
We have built a lot of AI, and machine learning is coming to the market now. So, we're able to now sense who approved this user access in ITSM, or who is the manager of a person in your IDM system. So, you don't have to do all that manual work anymore. There's technology like SafePaaS now that does that for you. It creates that whole hub, a 360-degree view of your organization's identities across the board. And then it automatically sends out the request to the managers, to their direct staff, to verify that, and then the manager can go in and basically review the access.
Again, if they're more familiar with, let's say, a ServiceNow catalog name, called, let's say, Procurement Manager, which, let's say, translates into 2 or 3 roles in Cloud ERP, they can see the details of what's in Cloud, they can also see right next to it what's in the ServiceNow catalog, and they can do their job more confidently. One of the complaints, a symptom of the problem, is that customers will come to us and say, we just can't get our people to certify the access. And I'm like, well, they're good people, they want to do the right thing, why aren't they doing that? Nine out of ten times, it turns out to be that what we're asking them to certify, they don't understand.
So, by taking this 360 view, we're able to provide them much more enriched data across the enterprise, and then they can easily certify that. Or, for example, change the access, or provide justification for termination of access. So, the remediation effort, then, is also very important. It's one thing for a manager to say that, oh, yeah, this person doesn't need access anymore. But it's another to actually make sure that happens. So, we have the ability to go into your provisioning or de-provisioning systems and log tickets, requests, whatever your API is. We support all the major APIs, on-premise and Cloud infrastructure, and formats like JSON, XML, CSV, and all those. So, we're able to communicate, through messaging, using REST, SOAP and all that, into your target system. So, you can use SafePaaS itself if you have a single business unit, right. Within SafePaaS, you can connect the API directly to Cloud ERP and it will de-provision that role from that user, reassign it or de-provision it, so that you don't have to do any manual work. And that ensures that you are in sync between what's in your provisioning system and what's in your ERP system.
And that's a control that's being tested more often than I've seen in the past few years, especially with folks working in multiple environments and multiple cloud environments and so forth. So that's that last swim lane. It basically provides that ITSM, IDM, IGA, whatever you call your provisioning systems. And then the folks that are right now running around chasing spreadsheets and e-mails can really focus on more strategic insight, looking at dashboards in SafePaaS to see where we are relative to our compliance requirements for the quarter. How is our ERP operating in terms of identities versus our user population requests that are coming in? So yeah, that's basically how we streamline.
Again, from an ROI perspective, it takes out thousands of hours of managers' time. So if you have, no, 10,000 managers, and they're spending four hours a quarter, just add the number, and then add some friction to that number that goes on back and forth between the compliance group and the managers. So, it's a significant saving. And this is bubbling up as the top trend in our solution demand this year.
Emma: Next threat, seeded roles.
Jeff: Yes. All right. Yep, thanks. And we've covered quite a bit of this already in the first couple of topics, but I want to just recap a few other things maybe we haven't talked about yet. The number one reason for audit findings is poorly designed roles stemming from seeded roles. Adil alluded earlier to the aggregation of roles, or the role inheritance component, and the complexity of the roles, and how SafePaaS gives you the visibility to be able to see all the areas within a role that a particular privilege can be derived from. And that's really a significant part of the remediation. And so, the challenge is getting visibility to all the areas where a privilege has to be pulled out of a seeded role, a pretty significant challenge in and of itself. So, I wanted to highlight that part of the technology; that was really critical.
And what we're seeing in the market is a lot of what we call partially customized roles, or what we refer to as hybrid roles, which is a custom role with a lot of seeded components related to it, like seeded duty roles, or maybe even still some job role inheritance from other roles. Versus what we typically do in our engagements, and what we have in our Roles Library that we deploy as ERP Armour roles to accelerate role remediation, we have what we call fully customized roles, which is, every component of that role, even down to the duty roles, is copied over and customized. And the benefit of that is that it inoculates those roles from being updated during the update, even during the patch process, and in the process of doing that customization, obviously, we also pull out the things that should not be in those roles.
So, like, APIs, web services, and FBDI privileges, the ability to import files, and some other things that would not be applicable. Like, we find in end user roles that many roles have the ability to make profile option changes or descriptive flexfield configuration changes. So, there are configuration activities within those roles. So that's where a lot of these audit findings are stemming from. It's not just that end users get access to end user activities that they should have access to, like transactions for certain master data, but they have a lot of configuration ability as well. And what that leads to is the IT auditors asking the question, did they do anything with this activity? So, they really are forcing management to do look-back procedures, which then means you really must have comprehensive monitoring of the activities that should be subject to the change control process. So that's it, enabling and monitoring audit logs, so audit policies.
And there are a lot of great audit policies Oracle has; there are definitely some gaps.
And the abilities that can be solved through the SafePaaS platform. And there are some cases where there are some known bugs related to that. So, seeded roles do cause a lot of issues. It's interesting to me, in the evolution of Sarbanes-Oxley, that we haven't seen more audit findings over the years due to excess access created by either seeded roles or poor role design. But we're certainly starting to see more of that.
These are things, frankly, I expected to see in 2006, 2007. And now, fortunately or unfortunately, they're just now getting more visibility in the audit programs of the external auditors.
Partially, because I would like to say that I've personally trained the PCAOB a few times. And a big part of that training has been trying to give them an understanding of the risks in seeded roles, and how that ties into change management, how to audit the change management process as a whole. So, the last thing here: roles do work for their intended use. And that's the challenge, that SIs say you should just use the seeded roles. And they can get a client through a project using seeded roles because they are provisioned according to what they should do, generally speaking, so they are provisioned for their intended use. But they're massively overprovisioned with sensitive access risks that are not appropriate for end users.
So, I'm going to move on and leave Adil to make some comments on this topic.
Adil: Yeah. So, again, you know, Jeff brings really good points around what you can do to improve your business, and I'm going to talk more from how we can automate and make it more sustainable. So, right on, Jeff, I mean, seeded roles are not to be used. We have been saying that for 20 years. And I think with the cloud, with time-to-market pressures, customers have to get up and running fast, and it's becoming a much bigger problem, both with enterprise customers and even SMEs that are looking to just cut cost with the digital transformation. And so, unfortunately, what they're missing is this ongoing burden of correcting the roles. And it's a lot harder to change the engine when the car is running. So, please get together with Jeff and help your organization get this right. Because it's a much harder problem to solve and much costlier. I've seen as much as thanks and cost to go up when we ask customers to do that after they're live, because now you're going to disrupt the business. There is impact on your supply chain, your customers, or employees. So, it's always better to get it in. But with various pressures, it's not always possible. I understand. We work with, we educate, our SI partners in the communities out there. And there are different levels of skill sets, and so forth.
So that's a key question to ask where SafePaaS can help you, is that part I was talking about, to reduce that timeline of correction. So, let's say you find you have 400 roles, and I'm going to use an example of a customer we were just talking to this week that had 400 roles and they're going to roll out that same business unit. So, they rolled out in one business unit, in a certain market, and now they're moving another business to the cloud. And as they do that, they have obviously a few changes, and they found that the roles that are in one view are not going to work in the other. And that's a common occurrence, even back in the EBS days on premise, that you build with good intentions, even though you've customized roles, they're not working for another business unit, or you've added a different set of modules, and they just don't have the bandwidth or the resources or the budget to get it all done manually. Even though they intend to do what Jeff's talking about, it's not to use the custom roles, but as Jeff said, it's not in the SI budget, a system integrator that's helping you implement the product.
It's not in their budget, it's now on your budget, so you've got to figure out a way to get that done without going to the board or the CFO and getting your head handed to you for messing up the budget. So that's where SafePaaS comes in. So, what we're doing is, we're giving them a 90-day access to try out, which will help them get through it, and then, as a sustainable solution, they'll continue to use it. So, our customers get an evaluation period where they can use these tools, especially for roles redesign, and I think we have some offers at the end of this presentation. So, basically, it helps you simulate that, it generates the role. It can also be configured to actually deploy that role into the ERP system through our DataProbe technology, that green swim lane, the third swim lane, you see here. And as a result, you can catch, what's very hard to do, the inherited risk, because of this inheritance concept in Cloud ERP: you think you're solving a problem in the role, but because it's inheriting something from another role, that can mess you up.
And so that creates a lot of frustration, delays the projects, and it impacts your overall go-live, because if you are being audited by an audit firm, they will stop this from going into production. And your burn rate is going to be simply the impact. I don't want to bring bad news. I want to give you some good news. The good news is that you can go in there and simulate that, and what would take you six weeks to do, you can do in a few hours and get the project off your back. And then, later on, once you're live, up and running, Oracle is going to apply those patches every quarter, and your roles are going to change every quarter. There are new privileges coming in. Even though it's been around since 2015, since we got involved with it, the Oracle Cloud ERP, it still has the bits and pieces that are not strong enough, or there are new features that are coming in. So, all of that stuff is coming every quarter, and we can help you avoid that overhead or cost of ownership by simulating as changes come into a non-prod environment and correcting those issues at the inherent risk level, which is where it all starts. And then move that into assignment of users and roles. So, yeah, it's a great simulation tool. Reach out to us if you want to use it. Jeff can guide you through the process.
Emma: I’ll just mention that we just have 10 minutes left. So, our next top threat is ineffective provisioning.
Jeff: I'll be quick on this one. ERP Cloud does allow for some kind of backdoor ways of provisioning. One is the delegation of roles: if a user has certain roles assigned to them, and they're flagged as delegable, they can allow other people to have access to that role, and that essentially bypasses the workflow approval process, the provisioning process. And then there's impersonation as well, similar to Manage Proxies. Yes, this is something we should be looking out for.
Adil: Yeah, so I'll be brief as well. So, I think I've covered, I mentioned earlier, there were two controls I was going to cover. So, the certification control, I talked quite a bit about this already, but this is that other control, which is the overall lifecycle management aspect of it. So, we were talking a little bit about how customers are using different systems to provision the basic identity into your environment, and then it ultimately flows into your Cloud ERP, which is the topic of the day, through some sort of an ITSM system, IGA system. So, you may be using one of these systems in the first swim lane. We connect with all of them because they all are modern systems that support APIs. So, we have a hub on the SafePaaS side; that hub that we talked about in the previous automation around certification also can be used for lifecycle management. What I mean is, users can, directly or indirectly, through an ITSM system, request access to a role within Cloud ERP, or Salesforce, or Workday, whatever systems you have in the Cloud or on premise. And it will do the analysis on the fly. It will simulate, just like I talked about, the Roles Manager that simulates the role. This will simulate the user request against the combination of roles. So, the first example was, OK, within the role, do I have any conflicts. This would be across the roles; we call these intra-role conflicts. So, let's say you're requesting purchasing and you're requesting payables. And now that gives you a conflict, that you can create suppliers and pay suppliers.
So, this will flag those risks to you. It will also send it to your manager, who's supposed to approve your access, up to five levels. So, you might go to a manager, it may go to a process owner. So, it's a very flexible workflow, and then, once it's approved, let us say you didn't have any risks. You may not want to send it to five levels. You manually get to, manager, manager approves it, it also provisions it. Oracle supports these APIs for partners like us, where we can basically provision that straight into Cloud ERP.
So, even though you may be using a request management system, like ServiceNow, or SailPoint IGA system or something else, it's not necessarily provisioning. There are two gaps. It's not always provisioning into the ERP. So that's still a manual fulfilment process, so we'll automate that. And then, we'll also automate the policy management side of it. So, they're not checking for the policy violations like the SoD policies, sensitive access policies, other policies. So, we'll protect you against those issues, and that's where the treadmill effect comes in. So that becomes part of your managed service. If you're using one of your internal resources, you're going to have people dedicated to the helpdesk eyeballing this, unless you use a tool like this.
You can add up the numbers and cost and the ROI that SafePaaS brings to the table. We have some tools to help you do that. This tool actually generates the highest ROI, from what our customers tell us, even higher than the certification piece, because it eliminates a lot of rework and it also speeds up the time to market. So, you're adding a hundred users to a new business you've just acquired, or whatever it is, or a new module you're deploying. This will streamline all that process. So not only the cost of entry, but also the cost of ownership.
Emma: And our top threat number five: configuration changes.
Jeff: Configuration changes. Yeah, I've mentioned a few of these already. Just the challenge of making sure that, with an introduction of change controls, it does go through change control and it's tracked. And the challenge really is, you've got to make sure audit policies are enabled, and understand how to review the data. We actually have a training class on this topic that Donna has put together and maintains on an ongoing basis.
So, organizations want to have a good overall understanding of how to deploy audit policies and look at the audit logs. And information is available in seeded reports. They could contact us on this topic. Lots of gaps, for sure, but certainly, what's available in Oracle should be deployed.
Emma: Do you want to say anything else Jeff, or are you done?
Jeff: Yep. Go ahead. Sorry.
Adil: Yeah. So, I think audit's a great place to start. The challenge with audit right now is it's scattered. And so, when auditors actually want to use that, they have to go through lots of reports, and then you're going to build custom reports on top of it to consolidate, but, obviously, there is cost to it. So, what we have done is the ability to integrate with Cloud ERP; we pull in all the audit tables, or if, let's say, there are gaps, and it's something really important, like releasing invoice holds or something that I ran into a few months ago for clients, we also have the ability to do continuous snapshotting.
You can set the frequency, and so what we can do is provide the change tracking capability around key changes. So, we'll go through all those objects that Jeff has talked about. We can set them up in SafePaaS, whether it's enabled, or it's a non-auditable item. We can still take frequent snapshots based on, let's say, a time that you decide based on your control frequency. And then, we bring that data in through DataProbe.
Again, our ETL tool that I keep talking about, really useful for customers. So, you bring that data in and then you have what's called MonitorPaaS that basically provides the whole closed-loop workflow. And that's what's missing with audit right now, that our customers are coming to us requiring this kind of monitoring. They want to be able to say, OK, I had an incident and somebody changed the AP terms, you know, what did we do about it? Or what did our payables process owner do about it?
And what are we going to do to prevent it? So those kinds of audit findings are still happening, even with the audit capability, which is great. We didn't have that in the on-premise world, unless we turned on the whole database audit, which nobody did. So yeah, you have some really good capabilities, but to take full advantage of it, again, you know, you want to get away from as much manual work as possible and make it more self-service.
So, what we do is we create an incident log that auditors can come in and review, and they'll see who treated this risk. So, AP terms, who changed it, you know. Who was the requester, who was questioned to change, who approved the change, who then completed that change, or let's say there's a ticketing system, again, ServiceNow is a good example, or Remedy or others.
Or Jira, we use that as well. So, you just say your ticket number; you want to tie that ticket number to that change. So, your auditors can say, OK, yes, I can verify now that what's in my ticketing system for requesting that change matches with the change that was requested. So, you know, it's the level of detail that we won't have time to cover here, but if you want to dig into it, I know we're out of time. That's the kind of stuff we can talk to you about, or how you can really reduce the risks and headaches of managing controls and governing Oracle Cloud ERP better. I'll end with that. Emma, back to you.
Emma: Great. OK, we do have a few slides that we've added at the end, do you want to go over these, Jeff and Donna?
Jeff: Sure. If people don’t mind staying on for a few minutes, we'd love to have Donna do some updates for the attendees related to what we're seeing in 23.
Donna: I'll go quick, hopefully, just five minutes. So, 23A is one of the bigger patches, I think, from what they've updated for the users, as far as I'm concerned. They've added some stuff to the transaction console. So, if you haven't used the transaction console, let us know. We'd be more than happy to show you some of the things that it can do. But they've given you the opportunity to allow your users to have access to see what's happening in workflow, to see what's stuck, what things you can look at. They don't have the ability to stop things or push things through or withdraw or reassign. But they can just view things if they need to, so we have access to some different things that you can do now. You can change, show that you, when the archive is necessary.
You can also resend approval notifications. So if something's been sitting around for a little while, or the notification has been stuck in someone's e-mail, and it's dropped down in the e-mail for a while, you can resend that e-mail notification to get that going. Again, that hasn't been available before, so now it is.
Next one. They've also added some new privileges. These are not part of the readme, so unless you did an analysis of the privileges that came in, you would not see these.
So, some of these that are coming in for the IT Security Manager, two of these that are huge, that we're really excited about, are update password for user account, and lock and unlock user account, the first and the third. Those will give you the ability to have a helpdesk type of custom role, to give someone access to update passwords for users, and lock and unlock users, without having access to provision the user.
Currently, before 23A, you would have to have the ability to edit a user. That would give them access to provision, update usernames, all kinds of edit capability that you don't want someone to have, just to be able to lock, unlock, or change a password.
So now you don't have that. Now you can grant these two privileges to someone, and they can just reset passwords and just unlock users if they get locked out. So that's a great thing to be able to do. They're starting to enable two-factor authentication for users. So, we think it's a future thing that's coming in, because we can't find where this exactly is utilized yet. So, I think they're starting to put things in place for future functionality.
So, this is the helpdesk role that I was kind of telling you about. It just gives you access to lock, unlock, and reset. My little square kind of got out of place there, so it doesn't give them access to everything.
If you open up the next slide, it'll show that you can't edit the role for the user, or you can just reset the password if you actually opened up the role or the user. So, it's kind of nice to be able to do that.
So, go on to the next one, trying to go fast. I apologize if I'm going too fast.
Two new privileges that came out: we've been talking quite a bit about FBDI access when you do imports, being able to import things and pull in. So now they've created in the GL area two different privileges: Journal Entry without the import access for FBDI, and run import journals program without the FBDI access. So, now, we can grant these two privileges to your accountant to be able to do these processes without pulling in access for the FBDI. So, this is huge; we've been waiting for this.
And so, we're really excited that they finally gave us this access. So, these are great. They're not currently in any role. They're just privileges that are out there. You would have to customize and put them in roles. The seeded roles that currently have the other privileges that do allow the import access for ?, you'd have to customize these in place.
OK, and one more that came in that is not in a readme, that we were a little concerned about, backup, just isn't privileged. In the Accounts Payable Supervisor and the Accounts Payable Payment Supervisor, if they allow payments with insufficient funds, this will allow creation of payments when funds are not available. It's already come in in the seeded roles. So, if you're using seeded roles, you have access to this after 23A; your people will be able to create a payment when the funds are not available. So that's kind of worrisome to me. We're probably not going to put this privilege in any of our customers' roles unless somebody really wants it. But it's currently available in these roles.
Emma: Yeah, that was great insight there, Donna. For all our attendees and our registrants today, we are offering, until March 31st, examples of 2 custom roles, along with access to SafePaaS to manage them. So, if anybody is interested in this offer, then please reach out. Either myself or Jeff will be happy to discuss the offer with you in more detail. And Jeff and Donna and I are always available for a one-on-one discussion. So, if anybody needs any further information about what you've heard today, then don't hesitate to reach out.
Thank you.