Implementing Process Controls and Risk Management with Novell® Compliance Management Platform extension for SAP Environments

Mark Worwetz, Senior Engineering Manager, Novell Inc.
Volker Scheuber, Consulting Engineer, Novell Inc.


DESCRIPTION

Managing processes, automatically testing controls within processes, and proactively managing risk through key performance/risk indicators are significant challenges to establishing GRC/IT-GRC practices and an effective compliance framework. This session will focus on the current and future capabilities of Novell Compliance Management Platform that can assist organizations with implementing process controls and risk management throughout the enterprise. We will provide specific examples with SAP GRC Access Control, Process Control and Risk Management.


Novell® Compliance Management Platform

• Integrated Identity and Security Management Platform
  – Software Components
    > Identity Vault
    > Novell® Identity Manager with Roles Based Provisioning Module (RBPM)
    > Novell® Sentinel™
    > Novell® Access Manager™
  – Tools
    > Designer for Novell Identity Manager
    > Analyzer for Novell Identity Manager
  – Solution Content
    > Integrated Provisioning and Access Control Policies and Workflows
    > Identity Tracking
    > Identity and Security Monitoring and Reporting


Extension for SAP Environments

• Role Mapping Administrator
  – Tool for mapping SAP-specific authorizations to RBPM Business Roles
• SAP Drivers – New or Enhanced
  – SAP User Management Fanout Driver
  – SAP Business Logic Driver
  – SAP Portal (UME) Driver
  – SAP BusinessObjects Access Control Driver
• SAP Solution Pack
  – SAP-specific Sentinel Content
• SAP-specific Identity Manager Content
  – Driver Configurations, Policies, Workflows


Technical Integration Goals

• Develop SAP-Oriented Solution Synergies
  – Allow Identity Manager customers to utilize the advanced Segregation of Duties and Risk Analysis/Remediation capabilities of SAP BusinessObjects Access Control
  – Extend the reach of SAP BusinessObjects Access Control to other Enterprise Systems via Identity Manager
  – Integrate Sentinel™ with the SAP Computing Center Management System (CCMS)
  – Provide an SAP Solution Pack for Sentinel
• Extend Existing Integrations with SAP Products
  – SAP ERP Human Capital Management (HCM)
  – SAP User Management
  – SAP User Management Engine (UME)
• Provide a Roles-based Entitlement Content Framework


Scenario 1: SAP User Provisioning


IDM Provisioning of SAP Users (diagram, built up over three slides)

Diagram elements: Monitoring and Reporting; SAP HCM (ABAP, later shown as Self-Service); SAP CRM (ABAP); SAP Portal; the user Abby Spencer, Sales Rep. The build assigns Abby the "Mtn Region Sales Rep" role, after which the SAP Portal and SAP CRM boxes show a Sales Rep account for her.


Role to Authorization Mapping

Role “IT Specialist”
• SAP System N4S (CRM) Client 100
  – Single Role: SAP_ALM_ADMINISTRATOR
  – Single Role: SAP_BC_BASIS_ADMIN
  – Single Role: SAP_BC_DB_ADMIN
  – Composite Role: SAP_BC_MID_ALE_ADMIN
• SAP System S7H (HR - SAP ABAP) Client 300
  – Profile: SAP_ALL
• SAP Portal (CRM Portal)
  – Group: /VIRSA/VFAT_ADMINISTRATOR
  – Role: Administrator


Role Mapping Administrator


Scenario 2: SAP User Provisioning using SAP BusinessObjects Access Control


IDM Provisioning to Access Control (diagram; includes Monitoring and Reporting)


Additional Security Benefits

• Roles for all SAP systems are aggregated in Access Control
• Risk Analysis can be run for all SAP role assignment requests
• Risk Mitigation can be performed prior to approval of role assignments
• IDM exposes the results of SAP Risk Analysis in Provisioning Workflow
  – Provides critical risk information to Role Approver
  – Provides information to guide tuning of Enterprise Role Model and Process Controls
• Leaves the ultimate decision on SAP Provisioning Security in the domain of the SAP System and Business Owners


SAP Risk Analysis Results


IDM Provisioning Request Results


Scenario 3: IDM User Provisioning using SAP BusinessObjects Access Control


Access Control Provisioning to IDM (diagram; includes Monitoring and Reporting)


Scenario Characteristics

• Roles for non-SAP systems are imported to Access Control
• Risk Analysis Rules can be implemented for non-SAP systems
• Risk Mitigation can be performed prior to requesting provisioning of role assignments to non-SAP systems
• IDM can act as a Provisioning Agent to non-SAP systems


Where Are We Going From Here?


Value Proposition

Provide the Platform for a Comprehensive IT Compliance LifeCycle!


IT Compliance Lifecycle (cycle diagram)

• Define business objectives, policies and Key Performance Indicators (KPIs) to help meet objectives
• Evaluate processes and business objectives to identify and qualify risks
• Monitor and detect risk
• Analyze risk versus thresholds
• Real time risk response
• Allow business to determine best long-term response


Typical IT Concerns Never Stop

for(;;) {
    Are the Business Service Level Agreements being met?
    Are my Employees as Productive as Possible?
    Is My Infrastructure Compliant?
    Are my IT System and Application Administrators following established processes?
    Are my Controls Adequate and Efficient?
    Are my Control Policies Protected?
    Can I Verify all of this?
}


Data Gathering... Plus Risk Management...

• Novell® Compliance Management Platform's ability to deliver a great deal of data related to IT Systems, Users, Provisioning, Access, etc.
• SAP BusinessObjects Risk Management's ability to Identify and Calculate Risk based on data from Key Risk Indicator (KRI) data providers

SAP BusinessObjects Risk Management Integration: Enterprise IT Risk Management Solutions!


Novell® IT Key Risk Indicators (KRI)

• Gather Information about Risky Behaviors
  – Bad Login Attempts
  – Password Changes
  – Authorization Changes
• Gather IT Performance Values
  – Metrics for System Availability
  – Workflow Run-Times
  – Provisioning / Deprovisioning Statistics
• Monitor the Need for, and Effectiveness of, Controls
  – Identify Out-of-Policy Administration Activity
  – Verification of Performance of Control Tasks


Risk Management Integration

• Development of Key Risk Indicator Components
  – CMP KRI Gateway Driver
  – IT-related KRIs
  – KRI Dashboards
  – KRI Reports
• Integration with SAP BusinessObjects Risk Management
  – Implementation of Event-Based KRI Interfaces
  – Scenario Development and Documentation


IT Risk Management Integration


IT Risk Management Integration (cont.)


Process Control Integration

• Integration with SAP BusinessObjects Process Control
  – Development of Process Control Alert Adapters
    > Occurrence of High-Risk Activities
    > Occurrence of Process Violations
    > Occurrence of Critical System Outages
  – Development of Automated Mitigation Controls
    > Restart Identity Services
    > Roll-back of Improper Data Changes
    > Account Locking
  – Scenario Development and Documentation


Use Case Scenarios


Scenario 1: Workflow Efficiency

• Process Policies:
  – All Access Approvals are granted via IDM Workflows
  – All Access Workflows must be completed within 24 hours
• Business Problems:
  – How Long do Workflows really take to complete?
  – Are there any Bottlenecks in Approval Chains?
  – What is the current state of my Workflows?
  – Are my current Policies optimal for the Business?
  – Are my current Policies meeting my Security Needs?


Scenario 1: Current View (diagram)

Diagram elements: Role Provisioning; System Assets, Accounts, and Authorizations; requests split into 80%, 15% and 5% shares (the value beside each share is a figure graphic); Average Time = 36 Hours.


Scenario 1: Workflow Efficiency

• Process Policies:
  – All Access Approvals are Processed via IDM Workflows
  – All Access Workflows must be completed within 24 hours
  – All Low Threat Access will have Automated Approval
  – All Medium Threat Access must have 1 Approval
  – All High Threat Access must have 2 Approvals


Scenario 1: Revised Policies (diagram)

Diagram elements: Multiple Approvals based on Role Level; System Asset Values and Authorization Threats Valued by Asset Owner; Automated Approvals based on Role Level. Share of requests and completion time per tier: 80% (12 mins), 15% (8 hours), 5% (24 hours); Average Time = 2.56 Hours.


Scenario 1: Workflow Efficiency

• Process Policies:
  – All Access Approvals are Processed via IDM Workflows
  – All Access Workflows must be completed within 24 hours
  – All Low Threat Access will have Automated Approval
  – All Medium Threat Access must have 1 Approval
  – All High Threat Access must have 2 Approvals
• Process Improvements:
  – All Access Approvals are completed faster!
  – Security Posture Improved!
  – Bottlenecks Removed!


Scenario 2: Rogue Administration

• Process Policies:
  – All Access Approvals are granted via IDM Workflows
  – All Access Rights changes are performed via IDM Drivers after approval
• Business Problems:
  – Can I detect if these policies are violated?
  – Can I remediate violations at an IT level?
  – Can Process Owners receive notification of violations?


Scenario 2: Process Control (sequence diagram)

• Jim requests IT to temporarily give him access rights to perform a task.
• Violating policy, Natasha grants Jim SAP_ALL rights in the SAP CRM system.
• Novell® CMP receives the event and begins IT and Process remediation.
• The “Rogue Administration” workflow is started to remediate IT security.
• Jim's access is reset in the SAP CRM system.
• A notification is sent to Process administrators to remediate the controls violation.
• GRC Process Control forwards the item to Glen to review the effect on SAP applications.
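An added example, not code from the Novell deck or from either product, that ties the Role to Authorization Mapping slide to this rogue-administration scenario: it reconciles the entitlements a user actually holds in SAP against what approved IDM role assignments should have produced, so a hand-granted SAP_ALL on CRM surfaces while the same profile on the HR system, reached through the IT Specialist role, does not. The "Sales Rep" mapping, the Z_CRM_SALES_REP role name, the user names and the entitlement snapshots are constructed for the example.

```python
from collections import namedtuple

# Business role -> {(SAP system, client): entitlements}. "IT Specialist" follows the
# Role to Authorization Mapping slide; "Sales Rep" is a constructed mapping for this example.
ROLE_MAP = {
    "IT Specialist": {
        ("N4S", "100"): {"ROLE:SAP_ALM_ADMINISTRATOR", "ROLE:SAP_BC_BASIS_ADMIN",
                         "ROLE:SAP_BC_DB_ADMIN", "ROLE:SAP_BC_MID_ALE_ADMIN"},
        ("S7H", "300"): {"PROFILE:SAP_ALL"},
        ("PORTAL", "CRM"): {"GROUP:/VIRSA/VFAT_ADMINISTRATOR", "ROLE:Administrator"},
    },
    "Sales Rep": {("N4S", "100"): {"ROLE:Z_CRM_SALES_REP"},   # hypothetical SAP role name
                  ("PORTAL", "CRM"): {"ROLE:Sales Rep"}},
}

Finding = namedtuple("Finding", "user system client entitlement reason")

def expected_entitlements(approved_roles):
    """Union of entitlements the IDM drivers should have provisioned for the approved roles."""
    expected = {}
    for role in approved_roles:
        for target, ents in ROLE_MAP.get(role, {}).items():
            expected.setdefault(target, set()).update(ents)
    return expected

def reconcile(approvals, actual):
    """approvals: {user: [business roles granted through an approved IDM workflow]}
    actual: {user: {(system, client): entitlements currently held in SAP}}
    Returns a Finding for every held entitlement no approved role explains, i.e. a change
    made outside the approve-then-provision-via-IDM-driver path the process policy requires.
    Missing entitlements are not flagged: that is a provisioning gap, not rogue administration."""
    findings = []
    for user, targets in actual.items():
        expected = expected_entitlements(approvals.get(user, []))
        for (system, client), ents in targets.items():
            for ent in sorted(ents - expected.get((system, client), set())):
                reason = ("critical profile granted outside IDM" if ent == "PROFILE:SAP_ALL"
                          else "entitlement not covered by an approved role")
                findings.append(Finding(user, system, client, ent, reason))
    return findings

# Constructed sample: Abby and Jim were approved for "Sales Rep"; ops1 legitimately holds
# SAP_ALL on the HR system via "IT Specialist"; Jim was hand-granted SAP_ALL on CRM (N4S).
SAMPLE_APPROVALS = {"abby": ["Sales Rep"], "jim": ["Sales Rep"], "ops1": ["IT Specialist"]}
SAMPLE_ACTUAL = {
    "abby": {("N4S", "100"): {"ROLE:Z_CRM_SALES_REP"}, ("PORTAL", "CRM"): {"ROLE:Sales Rep"}},
    "jim": {("N4S", "100"): {"ROLE:Z_CRM_SALES_REP", "PROFILE:SAP_ALL"}},
    "ops1": {("S7H", "300"): {"PROFILE:SAP_ALL"}},
}

def sample_findings():
    """Run the reconciliation over the constructed snapshot; only Jim's SAP_ALL should surface."""
    return reconcile(SAMPLE_APPROVALS, SAMPLE_ACTUAL)
```

Each returned Finding is a candidate input for the Process Control alert adapter and the automated mitigation controls (access reset, notification) the deck lists; in a deployment the two inputs would come from the RBPM approval history and a driver's read of the SAP user master.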


Questions and Answers


Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.