Streamline User Access Request in Oracle
Listen to Robert Enders as he explains how you can streamline the user access request management process in Oracle Applications and beyond with workflows that automate approvals and safeguard your business against Segregation of Duty violations, data breaches, fraud, and rising cyber security risks.
As security risk grows with the adoption of cloud, hybrid work models, and unprecedented change, businesses are looking to streamline the provisioning process by consistently enforcing access policies, such as segregation of duties, and protecting sensitive business information from potential threats and vulnerabilities.
In this session, you will learn how to automate the entire process, ensuring access governance across the enterprise. Join Bob as he shares techniques to automatically aggregate and correlate identity data, as well as streamline user access certification enterprise-wide.
By regularly validating the appropriateness of user access privileges, your organization can effectively meet audit and compliance requirements and improve its overall risk posture.
Join our VP Solution Specialist
Emma: Good morning, everybody, and welcome to today's session, “How To Streamline Fragmented User Access Across Applications and Beyond with Automated User Provisioning.” I'm Emma, for those of you who don't know me, and welcome to our monthly webinar series. I'm delighted to be joined by Bob today, our VP Solutions Specialist. Before I hand over to Bob, just a few housekeeping items. This session will be recorded. Hopefully, we'll leave time for some Q and A at the end of the session, so feel free to pop any questions in the control panel and we'll get to those at the end of the session. So, Bob, over to you.
Bob: Thanks. Good day, everybody. My name is Bob Enders. I'm the VP Solutions Specialist at SafePaaS. First off, I'd like to thank everybody for taking the time to attend our session today. As Emma mentioned, we're going to cover how to streamline user access across applications with automated user provisioning.
This is the agenda that I've got planned for today's session. Introduction of SafePaaS - that's a little bit about us as a company and our solutions. We're going to look into the challenges with respect to fragmented access, what it means, and some of the impact that has when you have certain configurations across the different applications.
We'll talk about access policy compliance. That's where you identify your rules in your organization. Then we'll give you an example of Oracle user security assignment. So, for those that are familiar with Oracle E-Business Suite, this might look somewhat familiar.
We'll talk about the self-service provisioning process that we provide at SafePaaS with iAccess™. I also want to introduce you to our Converged IAM platform, which user provisioning is a part of. It's something that we've released recently that helps organizations with a single process around access management. Then we'll have a case study that we'll share at the end of today's presentation.
Then a demonstration of SafePaaS, and, as I mentioned, there's time for Q&A at the end of today's session.
SafePaaS is a software company that specializes in application access management and also continuous controls monitoring. We have several solutions that help organizations establish a solid controls framework to run their applications: policy management for segregation of duties, where you can monitor and manage access based on your policies, so organizations can identify individuals that possibly have too much access.
We also have roles management capabilities, too: design and rebuild roles or responsibilities that are SoD compliant before you deploy them within your ERP applications.
What we're talking about today is the self-service, fine-grained user access management request, which we will cover in today's presentation and also in a demonstration.
We have enterprise-wide, granular access certification. Privileged access management is for super users: individuals who have broad access that is a necessity to help organizations manage their ERP applications, but it does create some risk to the organization, and we have a means to address that.
There is also fine-grained identity access and administration, which is designed for the IDM partners that you may be using for provisioning; we provide the ability for them to integrate into SafePaaS to do that fine-grained analysis.
Also, as I mentioned, we do continuous transaction, configuration, and master data monitoring. For transactions: split purchase orders, duplicate invoices, manual journal entries above a certain dollar amount. Configurations such as a three-way match or your payment terms. We can monitor and manage those, and also do master data monitoring, such as vendor bank accounts, which everybody wants to know about when a vendor bank account actually changes.
So once again, we have a complete solution to help organizations with access management and CCM.
Now we'll talk a little bit about some of the challenges that you're faced with in terms of fragmented access. The technology landscape is continuously changing. I started out in the industry as a programmer. Everything was in siloed systems. There was a financial system, there was an HR payroll system, there were manufacturing systems, and they were all separated. As time progressed, we moved into the ERP landscape, where everything is included in one application from major software providers such as Oracle, SAP, or PeopleSoft.
Now, things are changing again with the cloud. The cloud is making it much more cost effective to roll out applications, and that also enables the best-of-breed approach, because there are much easier ways to connect cloud applications.
There are also many individuals involved in the process of reviewing and approving access requests: the requester, the individual requesting the access, the reviewers and approvers, the policy administrators, and the IT administrators who give that person actual access.
As you look at the process, there are hundreds of user adds, edits, changes, and deletes every day, so it's quite a challenge to keep up with those changes. It's an inconsistent, ad hoc, and manual process. It's all platform dependent. As we have different applications, there are different means to provision users, and this is what creates a challenge in order to understand all those and provide all those capabilities.
Disparate provisioning tools and workflows. Once again, it's tied to the different applications. Even though Oracle owns EBS, ERP Cloud, PeopleSoft, JD Edwards, and others, their provisioning solutions are all different across all their applications.
And as I mentioned, there are many human touch points: the Business Manager, the Helpdesk, possibly your IT organization, your Policy Administrator. Once again, these are all individuals that may be involved in the provisioning process. So there are challenges with this approach. There's no consistent policy enforcement, once again, because each application is different. Policies are different, so how do you manage across all of them? There are no common controls or audit trail. So, when an individual is given access, there are no controls around the process. An IT admin or administrator gets an e-mail to add somebody's access and in most cases will allow that. There's no audit trail as to who reviewed and approved this person's access, and it's also very difficult to ensure compliance and assess the risks.
A lot of applications have thousands of forms or functions that they give access to, but, you know, not all of those are reviewed as part of the compliance risk process.
So it's very difficult, given the number of access points that these applications have.
When we look at user provisioning, the most common source of internal abuse is user access, which is a top focus for IT audits.
A Gartner Survey says 44% of the IT audit deficiencies are access related.
Then, per EY, seven of the top 10 control deficiencies relate to user access control.
There are several reasons why you have a lot of unauthorized access. Let's look at this real quickly here. We've got orphan accounts. Orphan accounts are when somebody is employed by the organization, whether it's an employee or a consultant, and then leaves the organization. And if they leave the organization, you have to ensure that they're de-provisioned properly. If not, it creates a risk to the organization, because you can have a username and password shared with other individuals, but they haven't de-provisioned that user correctly.
The other one is rogue accounts; rogue is pure fraud. These are fake accounts that are created on the side, nobody knows about them, and now they have access to the applications without any consequences for anything they may want to do.
Once again, this is designed specifically for any kind of theft, fraud, or abuse of the app.
Entitlement creep is when somebody changes roles in your organization.
They're given new capabilities with new responsibilities and new roles, but they haven't relinquished their former roles or responsibilities, because there's usually a transition period that that person needs to be part of as they move to the new role. And all of a sudden, with all these additional capabilities, they're creating policy violations given the level of access they have. Once again, it's increased potential risk for fraud. Privileged users, you know, these are the super users who have unfettered access into your ERP applications and essentially have the keys to the kingdom. They can almost do anything they want. And it's very, very challenging to monitor and manage these individuals because of that level of access that they have. Also listed here is poor visibility due to shared accounts.
Let's look at access policy compliance. Looking at access policy compliance, you establish roles, and the roles will decide who can do what to what sets of data.
So you look at the different role examples that we provide. We have Procurement Manager, Sales Manager, CFO, Buyer, and HR Specialist; each one of those roles is uniquely defined to give them a certain level of capabilities within the ERP. You look at the privileges that are given to them. If we focus on Procurement Manager, some examples are reassign a purchasing document, manage a procurement agent, manage purchase order changes. So, this is the "what" that individuals who have that role are able to perform. Then, also, data security, as to what sets of data. You can put root logic in there to protect certain data based on the role, based on the individual, but also allow them to perform certain functions that are unique to that particular individual.
Here are the examples there.
You can have a Procurement Manager view all purchase orders, but they can only update items and purchase orders specified in Germany, because it's one of their business units, and also hire buyers for Germany.
So, once again, we start looking at the policy compliance each individual has. Unique roles give them the level of capabilities to process data within their applications.
Some more examples: what types of data you can read, write, or delete.
And once again, it's how the roles are defined and given to a specific individual, and any specific conditions that allow them to perform transactions based on their role in the organization. In the examples given, you have employee salary: I have the ability to view my own salary, but I can't change it. A manager with direct reports has the ability to view those direct reports and update salary information.
Looking at it from a sales standpoint, you've got opportunities. I can update opportunities that are within my territory and only view all the opportunities across the organization. So once again, how the policies are defined or the role is defined will dictate what individuals have access to.
When we start looking at high risk, we do it with segregation of duties analysis.
This particular example is Oracle ERP Cloud. It gives you the navigation structure of the user security model that individuals are allowed, based on the role being provided.
And SafePaaS uniquely provides the analysis at the most granular level within the hierarchy of the role that’s assigned, all the way down to the privilege and permission level. We do that with all of our capabilities for user provisioning, SoD monitoring and management.
Also, look at compliance. Just as we built the roles and established the roles, we need to understand from a management standpoint: is the ERP system protected?
Are there enough controls established and in place to make sure the ERP system won't be affected? Do we conform to the access policies? We can give people access, but are we conforming to those policies? That's where you need to run the analysis on a regular basis to see where you may have individuals that are out of policy. They may have too much access. And thirdly, what do we do when we have a risk incident, and how do we correct that? The risk doesn't go away until we make a change or remediate the access that person had or had used in order to cause the risk incident.
When you start looking at the compliance checklist, it becomes a challenge, basically, an inability to translate the corporate governance into actual IT policy. As I mentioned, segregation of duties is the common control to make sure that individuals won't have too much access to steps in a single process. For example, the ability to create a vendor and enter invoices against vendors. Those would be a toxic combination of capabilities for a user. Also, you want to make sure you maintain the data privacy policies; if I have sensitive access, you want to know which individuals have access to certain pieces of information.
When we look at access controls testing, it's typically e-mails and spreadsheets.
Very manual. When it's manual, human error always comes into play, and it causes issues with the testing effort.
Also, a lot of times data that you need for complete testing is hard to find, or it's missing, and we don't have that information.
Also, there's the challenge of managing the identity through a business lens for the business users to understand. When controls are put in place, more is done at the IT level, but the business doesn't quite fully understand the terminology that's being used and how that's actually being established within the ERP application.
In a lot of cases, the business users don't understand some of the terms being used to deploy these controls within your ERP.
So as you can see, the compliance checklist identifies some of the key things you need to be aware of as you go through and deploy a solution.
So let's do this real quickly. I'll walk you through an Oracle user security assignment. This is an example for Oracle E-Business Suite. It'll help you kind of understand some of the steps that occur from a system administrator standpoint and how they give access.
Here, we have a user. In this case, it's Paul, and the username will be dependent on your organization's protocol for establishing users. The user is tied to an HR person, so you know who's responsible for that access and which individual it actually impacts.
You have to establish your password expiration, number of days… in some cases it may be none. In most cases you need to have some sort of change on a periodic basis.
Also, you can activate or inactivate a user based on dates. So when they are first given access, you may want to give them a start date. And if you want to have it automatically end at a specific date, for example some temporary access, you can put the end date in there also.
For each user, you assign one or more responsibilities. Those responsibilities dictate what the person has access to, because each responsibility has many menus and sub-menus that they navigate to get to the function or form that they want to execute for a specific transaction.
As you can tell, it's a pretty straightforward process. Give a person access, and then monitor that access. The challenge starts when you look under the covers at what that really entails from a security model design standpoint.
Here we've got an example of John Doe, who can navigate all the way through different menus and sub-menus down to the invoice function, the Invoice Batches ability to submit invoices for payment. So let's say we want to remove it, because that's not a function that I want that person to have; it's causing some violations for that particular individual's usage. There are other users that navigate to the same function through different responsibilities, that same sub-menu, and get access to the same invoice function through the main menu AP Invoice Entry, and there may be others for other payables users.
Now, that's where you have a challenge: I'm going to remove that function from John Doe because it's created an access conflict, but it could impact other users within the ERP. So we have to be really conscientious about what changes you make to responsibilities, your menus and sub-menus, so you don't affect other people's access to that same functionality. So once again, as I stated here, a root cause analysis is required for remediation.
It's a challenge to know how to remediate that access.
So let's talk about the self-service user provisioning process. The SafePaaS solution for user provisioning is iAccess™. We use a risk-based approach for user provisioning.
I want to walk you through the steps here to help you understand what actually occurs when you provision access with iAccess. You have your SoD rules. They can be established either individually or from a catalog SafePaaS might provide.
It has some common rules that are important to organizations for managing risk.
Also, you have your active employees that are able to access your ERP. They can come from several sources: they can come from your Oracle HR, and some could come from different IDM solutions, also. The next step in the process, going to the next swim lane, is that you have to register these individuals. Not every employee in your organization is going to have access to your ERP. So, you have to register those users. So, for example, we have 5000 employees; not all 5000 have access to your ERP. So, they go through a registration process so they can request access as needed. The next step is to request the actual roles and responsibilities that they're looking to get access to. Then, from there, you submit it for the approval process, and what occurs at this stage is an SoD analysis: when I make this request, what's the SoD impact when I give this access to this individual? Now, you haven't actually given it to the person requesting this access.
Part of my access process is to identify those potential violations before they're given access.
So, once the workflow approval kicks in, SafePaaS provides up to five levels.
And for the final approval, it'll automatically update your ERP with the user with their new role. That's all done through our DataProbe™ technology and then from there, it's going to monitor and manage that person's access, now that they have access to the ERP. So, once again, it's a straightforward process. These are the steps that occur when you go through that process.
Now, let's look at iAccess™ and deploying an automated solution for user provisioning.
I've moved from a fragmented approach, because of the different ERP applications, to a single solution that centralizes visibility and control over user access. I've automated the identity controls and business processes, so when you provision access using iAccess™ it's gone through the rules analysis to make sure you identify what rules or roles are actually violated, given that access. It compares not only what they requested, but also what they already might have. It's a business-friendly layer. It's a common look and feel for the users that are given the access, and it hides all the underlying technology and technical components from the actual individuals that are doing the provisioning. Once again, it's a common look and feel across EBS, ERP Cloud, JD Edwards, PeopleSoft; they're all the same. It's the same look and feel. And you can also accurately measure and monitor risks associated with the users and the resources as you go into the provisioning process.
Next thing I want to cover is how to achieve a converged IAM platform. This is a new solution that SafePaaS has recently released which includes user provisioning with iAccess™. This kind of lays out the different components of the solution.
When you look at the different processes, this is basically a complete process for user provisioning and user monitoring based on the ERP you're using. If we look at integration number one, the integration comes from the ERP into SafePaaS to do the typical analysis for access certification and segregation of duties.
If I go to integration number two, it goes beyond the ERP, so now we're able to take the user access management to the database, to the service accounts, to other data sources where you have user access. So, now you find individuals that have access to the database, but also have access to ERP applications. That may be something you might want to look into further and possibly avoid. Bullet number three, we have access certification, where the business process owners will get a notification that they need to review individuals' access in these different systems or data sources and make a determination as to whether it should be retained. Then also, you have the capabilities and an observation for your audit team, so they can monitor these changes as they occur.
Then also the integration with a ticketing system. Whether it's ServiceNow or Jira, if you have a ticketing system that you use to track some of your IT requests, you can now automate that into SafePaaS.
So if I go to look at number five, it's the access violation remediation.
Number six, the ticket can go into SafePaaS to initiate a user access request.
And then also, the integration back into the ticketing system when it's been completed.
So, if you make a change within SafePaaS, such as a corrective action, you can create a ticket out of SafePaaS in the ticketing system, and now it can be monitored and managed through the ticketing system.
And then, the final step in the integration for access management is user provisioning. You can integrate through an IGA provider, such as SailPoint, Okta, OneLogin and so forth, and it'll update the ERP with access.
Once again, this is kind of a new capability that is a complete process for access management across all the different applications and data sources.
Let's look at the case study.
It's a global household brand. Everybody will know this company as one of our customers. They operate in over 100 countries. They're using both the ERP Cloud and Oracle E-Business Suite. They have hundreds of other applications that they're managing also, and they use ServiceNow for a ticketing solution, and SailPoint for identity management.
There are some other challenges that they're faced with. They did not have fine-grained SoD capabilities across all their applications. So that was a challenge for them. As we stated in this presentation, with all these applications, there were inconsistent user provisioning policies and processes. So, each one was different, with no common controls or audit trail when they did provision some of the access, which led to some challenges during the audit period, to make sure they've got the proper individuals with the proper access.
Lack of integration in the current security management systems. And then there's always a risk of data theft, fraud, and abuse by service accounts.
The solution they selected was SafePaaS AccessPaaS™ for Policy Monitor, Enterprise Access Certification Monitor, and iAccess™ for user provisioning, then MonitorPaaS™ for monitoring transactions, configurations, and master data within their organization. We're still involved with the client. What we've had success with in deploying SafePaaS solutions: they're better able to monitor and enforce SoD controls and sensitive access, and they've streamlined and reduced the risk remediation time for access controls. They have self-serviced the current user audit process for users and service accounts. They've leveraged some of our capabilities for the converged IAM platform. And also, they have streamlined the access certification. This is one of our current clients that we're still involved with, and some of the success that they've had in this case.
Can SafePaaS be deployed in a core banking environment or a telco environment to monitor core systems other than just ERP?
We can monitor any system, not just ERP systems; we're application agnostic. Based on the controls that you want to deploy, whether it's AccessPaaS™ or MonitorPaaS™, we can deploy those controls, and provisioning, in those environments.
Are you able to build cross-platform SoD rules?
Yes. It's standard functionality within SafePaaS; we do have the ability to set that up based on the different data sources.
Why isn't an identity management system enough to mitigate risk in an ERP system?
In lots of cases the SoD policy analysis is not done at a granular level. That's one of the challenges that we're seeing in some of the IDM solutions that we've worked with.
It's done at a role level. They can define a role. Roles can have the combined access, but it's all dependent on the granular level of access. It depends on how the roles are defined. Then, regardless of what the name of the role is, we look at the actual function, form, privilege, or permission that a person is allowed and given, and we evaluate it that way.
Does SafePaaS monitor across all of the Oracle Cloud platforms, or just Fusion ERP?
The entire Oracle suite: EBS, ERP Cloud, PeopleSoft, JD Edwards, HCM, Hyperion.
Does the Firefighter application log the activities performed by the user?
Yes. You can set that up with Firefighter, because Firefighter has super user access. When they get a Firefighter role, we can track everything that they perform, what they've touched, and any functions that they executed in that Firefighter role.
But also, as part of Firefighter, we generate a certification report that identifies what they had touched while they had the Firefighter capability.
What would be your top tip for selecting an IGA solution?
It's not necessarily what to look for. Always drive towards a proof of concept with the vendor that you're talking to. Because they may say it's something that they perform, but you want to make sure it meets your specific requirements. The proof of concept gives you the opportunity to identify your specific requirements and map the vendor solution against those requirements, and to see how they execute against them with your departments.
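The two mechanics described in the talk, the SoD impact analysis run on a request before access is granted (existing plus requested access, expanded below the role name to the function level) and the root-cause check of which responsibilities share a sub-menu before a function is pulled from it, as an added worked example. This is illustrative code, not SafePaaS or Oracle code; the menu hierarchy, responsibility names and rule catalog are constructed for the example and are not real EBS seeded data.

```python
from collections import defaultdict

# Constructed Oracle-EBS-style hierarchy: menu -> sub-menus and leaf functions.
# Note AP_INVOICE_ENTRY is a sub-menu shared by two responsibilities, which is
# exactly the remediation problem raised in the John Doe example.
MENUS = {
    "AP_SUPER_MENU":    {"menus": ["AP_INVOICE_ENTRY", "AP_SUPPLIER_ENTRY"], "functions": []},
    "AP_INVOICE_ENTRY": {"menus": [], "functions": ["AP_INVOICE_BATCHES", "AP_INVOICE_SUBMIT"]},
    "AP_SUPPLIER_ENTRY": {"menus": [], "functions": ["PO_SUPPLIER_CREATE"]},
    "AP_CLERK_MENU":    {"menus": ["AP_INVOICE_ENTRY"], "functions": ["AP_INVOICE_INQUIRY"]},
    "PO_BUYER_MENU":    {"menus": ["AP_SUPPLIER_ENTRY"], "functions": ["PO_CREATE"]},
}
# Responsibility -> its top-level menu (constructed).
RESPONSIBILITIES = {
    "Payables Manager": "AP_SUPER_MENU",
    "Payables Clerk": "AP_CLERK_MENU",
    "Purchasing Buyer": "PO_BUYER_MENU",
}
# SoD rule catalog: a rule fires when a user reaches a function on BOTH sides.
# The first rule is the "create a vendor and enter invoices" toxic pair from the talk.
SOD_RULES = {
    "Create supplier vs enter invoices": ({"PO_SUPPLIER_CREATE"}, {"AP_INVOICE_BATCHES", "AP_INVOICE_SUBMIT"}),
    "Create PO vs submit invoice": ({"PO_CREATE"}, {"AP_INVOICE_SUBMIT"}),
}


def expand_functions(menu, path=()):
    """Depth-first walk from a menu to its leaf functions.

    Returns {function: menu_path}, where menu_path is the tuple of menus
    traversed to reach the function. Analysis is done at this leaf level, not
    at the role name, which is the fine-grained evaluation the talk describes."""
    here = path + (menu,)
    found = {fn: here for fn in MENUS[menu]["functions"]}
    for sub in MENUS[menu]["menus"]:
        for fn, sub_path in expand_functions(sub, here).items():
            found.setdefault(fn, sub_path)
    return found


def responsibility_functions(resp):
    """All leaf functions a responsibility grants, with the menu path to each."""
    return expand_functions(RESPONSIBILITIES[resp])


def check_request(existing, requested):
    """Pre-approval SoD impact of a request: evaluate every rule against the
    union of what the user already holds and what they are asking for, and flag
    whether each violation is introduced by the request or was already there."""
    existing, requested = set(existing), set(requested)
    granted_by = defaultdict(set)          # function -> responsibilities reaching it
    for resp in existing | requested:
        for fn in responsibility_functions(resp):
            granted_by[fn].add(resp)

    def held_before(funcs):                # reachable through existing access alone?
        return any(granted_by[f] & existing for f in funcs)

    violations = []
    for rule, (side_a, side_b) in SOD_RULES.items():
        hit_a, hit_b = side_a & set(granted_by), side_b & set(granted_by)
        if not (hit_a and hit_b):
            continue
        violations.append({
            "rule": rule,
            "functions": sorted(hit_a | hit_b),
            "via": sorted({r for f in hit_a | hit_b for r in granted_by[f]}),
            "introduced_by_request": not (held_before(hit_a) and held_before(hit_b)),
        })
    return violations


def shared_menu_impact(function):
    """Root-cause view before remediation: every responsibility that reaches the
    function and the menu path it takes, so the function is not removed from a
    shared sub-menu without knowing who else loses it."""
    return {resp: path
            for resp in RESPONSIBILITIES
            for fn, path in responsibility_functions(resp).items() if fn == function}


if __name__ == "__main__":
    # Constructed request: Paul already holds Payables Clerk and asks for Purchasing Buyer.
    for v in check_request({"Payables Clerk"}, {"Purchasing Buyer"}):
        print(v)
    print(shared_menu_impact("AP_INVOICE_SUBMIT"))
```

Both flagged violations are attributed to the request, so an approver sees the conflict before the role is written to the ERP; the impact map shows the invoice submit function is reached by two responsibilities through the same sub-menu.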
VP Solution Specialist, SafePaaS
Robert Enders is an accomplished business systems professional who has spent over 30 years in the software industry helping public and private sector organizations improve business operations and controls through technology solutions. He has over eight years of experience designing and deploying GRC related controls for over 30 companies to support their audit, controls framework and application security requirements. Bob has led the development and delivery of business systems that have provided significant operational efficiencies which have transformed and impacted the effectiveness of numerous organizations.