SAP Dynamic Authorization Management by NextLabs
2015
Agenda
- The SAP GRC Portfolio of Solutions
- Customer Challenges with Information Risk Management
- Introducing SAP Dynamic Authorization Management by NextLabs
- Customer Value
SAP Solutions for Governance, Risk and Compliance: simplify, gain insight, strengthen
- SAP Risk Management application: preserve and grow value
- SAP Process Control application: ensure effective controls and ongoing compliance
- SAP Access Control application: manage access risk and prevent fraud
- SAP Identity Analytics analytic application: gain insights into user roles and optimize decision making
- SAP Fraud Management analytic application: better detect and prevent fraud
- SAP Audit Management application: transform audit, move beyond assurance
- SAP Global Trade Services application: optimize global trade and screen restricted parties
- SAP Electronic Invoicing for Brazil application: meet electronic invoicing requirements for Brazil
- SAP Access Violation Management application by Greenlight: identify and quantify the impact of actual access risk violations
- SAP Regulation Management application by Greenlight: manage regulatory requirements and align with internal control activities
- SAP Dynamic Authorization Management application by NextLabs: turn business policy into automated information controls for data access, use and sharing
- SAP Technical Data Export Compliance application by NextLabs: automate trade compliance for digital goods and technical data
2015 SAP SE or an SAP affiliate company. All rights reserved.
Customer Challenges with Information Risk Management
How to effectively secure data and applications
The need to share competes with the need to protect:
- Secure sensitive data
- Defend against cyber attacks
- Make better and faster decisions
- Global business model
- External partners
- Distributed supply chain
- Collaboration
- Competitiveness
- Accelerate time to market
- Streamline business processes
- Leverage cloud and mobility
- Prevent violations
- Financial management
- Health and privacy
- Agility and efficiency
- Governance and compliance
“How do I protect sensitive information and still share with my extended enterprise?”
Customer challenges
- Enhancing security of SAP applications
- Protecting sensitive data throughout the enterprise
- Preventing policy violations, including fraud, compliance and security violations
- Increasing data security without increasing the number of roles to an unmanageable level
- Eliminating manual tasks to automate processes and facilitate business goals
The expanding approach to access control
- Systemic (access determined by software): Groups + ACLs, RBAC (Role-based Access Control), ABAC (Attribute-based Access Control)
- Procedural (access determined by people)
- Administration: permission granted prior to the access attempt
- Runtime: permission granted at the time of the access attempt
Source: TSCP; Scott Fitch, Lockheed Martin
Attribute-based access control enhances the scalability of roles
Attributes are now “how we role”
Prediction: By 2020, 70% of all businesses will use Attribute-based Access Control (ABAC) as the dominant mechanism to protect critical assets, up from less than 5% today.
Access Governance components:
- Dynamic Authorization Management: supporting static and dynamic access enforcement
- Provisioning integration: supporting more options for deeper connection to target systems
- Privileged Access/User Management: supporting all types of users
Analyst and standards positions:
- Gartner predicts that the attribute will be the new role [1]
- KuppingerCole recommends Dynamic Authorization [2]
- NIST recommends ABAC [3]
References:
1. Gartner Predicts 2014: Identity and Access Management
2. KuppingerCole Leadership Compass for Access Governance
3. The status and expected evolution of Access Governance
Introducing SAP Dynamic Authorization Management by NextLabs
SAP Dynamic Authorization Management by NextLabs: enhancing security for data and business applications
- Automate Controls: single policy platform to centralize and automate data and application security
- Secure Access: consistent and on-the-fly access enforcement with dynamic authorization
- Gain Insight: monitor data and application activity and streamline business processes
- Prevent Violations: minimize fraud, compliance and security violations
SAP Dynamic Authorization Management: automated enforcement of data and application security controls (Automate Controls)
- Incorporates an attribute-based access control model with fine-grained contextual information
- Automates data classification and segregation
- Ability to control access at the transaction or field level
ABAC enhances traditional access control
- Fine-grained authorization: access controls at transaction level, view level and field level
- Automated data classification: ensures sensitive data is categorized properly and enables accurate policy enforcement
- Policy management: business-level policy authoring tool, SAP GRC integration, central management
Example policy message shown to the user: ACCESS DENIED: Only members of Project Y can access project data
Automates data classification
Features:
- Classifies structured and unstructured data in SAP
- Allows user-driven classification of data
- Classification based on content and/or association
- Automatic policy-based classification
- Classification can be triggered at run time or through batch processes
SAP Dynamic Authorization Management: enforce policy decisions consistently and on-the-fly (Secure Access)
- Real-time policy messages with explanation and corrective workflow
- Integration with existing identity management, HR and directory systems
- Centralized policy management ensures consistent application across geographies and divisions
Control center – policy engine
- Integrates with identity and attribute sources
- Designs, deploys and evaluates policies
- Centrally manages policies
- Drag & drop authoring
- Business-friendly nomenclature
- Reusable policy components
Incorporates attribute-based access control
- Fine-grained access control that takes contextual factors into account
- Attributes are categorized into Subject, Environment and Resource attributes
- Attributes can be changed easily and applied dynamically
Integrating identity, content and context attributes
- Identity: User, Recipient, Internal and External
- Context: Computer, Network, Location, Channel/Application, Connection, Time
- Content: Data Type, Metadata, Custom Tags, Data Content
Who is using or sharing what data, how, why and with whom
Business-level policies: who can access what, when and where
Example policy: Allow U.S. citizens only TO view and edit Secret & Top Secret documents IF the user’s security clearance is higher than or equal to the sensitivity classification of the document AND the authentication scheme is multifactor.
The same policy as assembled in the authoring tool:
- Allow Users TO View, Edit ‘Secret’, ‘Top Secret’ Documents
- IF User Clearance (User / Subject Attribute) is greater than or equal to Document Sensitivity (Resource Attribute)
- AND User Citizenship (User / Subject Attribute) is equal to ‘U.S.’
- AND AuthN Type (Environment Attribute) is equal to ‘MultiFactor’
Policies use attributes during the transaction for real-time authorization
- Policies are evaluated dynamically during the access request
- Policies use detailed attributes to determine more accurately what content may be accessed – what, why, when and where
- Changes in attributes and policies are seamless to the end user
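The following is an added illustration, not code from the product or the deck, of how the business-level policy on the previous slides is evaluated at request time from Subject, Resource and Environment attributes. The clearance ordering, the attribute key names and the deny-by-default combining rule are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed ordering of clearance / sensitivity levels (assumption: the slide
# only names 'Secret' and 'Top Secret'; lower levels are added for the comparison).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Request:
    """One access attempt: subject, resource and environment attributes plus the action."""
    subject: dict       # User / Subject attributes, e.g. clearance, citizenship
    resource: dict      # Resource attributes, e.g. document sensitivity
    environment: dict   # Environment attributes, e.g. authentication type
    action: str


def secret_documents_policy(req: Request):
    """The slide's policy: Allow users TO View/Edit 'Secret'/'Top Secret' documents
    IF clearance >= sensitivity AND citizenship == 'U.S.' AND AuthN type == 'MultiFactor'.
    Returns None when the policy does not apply, else ('Allow'|'Deny', explanation)."""
    sensitivity = req.resource.get("sensitivity")
    if req.action not in ("View", "Edit") or sensitivity not in ("Secret", "Top Secret"):
        return None
    clearance = LEVELS.get(req.subject.get("clearance"), -1)   # unknown clearance ranks lowest
    if clearance < LEVELS[sensitivity]:
        return "Deny", "user clearance is below the document sensitivity"
    if req.subject.get("citizenship") != "U.S.":
        return "Deny", "only U.S. citizens may access this document"
    if req.environment.get("authn_type") != "MultiFactor":
        return "Deny", "multifactor authentication is required"
    return "Allow", "clearance, citizenship and authentication conditions satisfied"


def decide(req: Request, policies=(secret_documents_policy,)):
    """Evaluate every applicable policy at request time; deny by default (assumption)
    and return the explanation that a real-time policy message would carry."""
    explanations = []
    for policy in policies:
        outcome = policy(req)
        if outcome is None:
            continue                      # policy target does not match this request
        decision, why = outcome
        if decision == "Deny":
            return "Deny", why            # any applicable deny wins
        explanations.append(why)
    if explanations:
        return "Allow", "; ".join(explanations)
    return "Deny", "no policy permits this request"
```

Because the attributes are read at request time, changing a user's clearance or citizenship in the attribute source changes the outcome without any role change, which is the point the slide makes.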
SAP Dynamic Authorization Management: prevent fraud, compliance and security violations (Prevent Violations)
- Automatically incorporates business rules and policies and applies them from a central system
- Real-time contextual information prevents users from accessing unauthorized information
- Integrates with the SAP Access Control SoD rule set to prevent violations
Automatically incorporates business rules and policies for continuous governance
- Rules and policies are applied at the time of update, so the latest information is taken into account before access is allowed
- Central repository for authoring and applying business rules and policies ensures changes are up to date and consistent, minimizing manual intervention
Applies authorization policies from a central system
- Organizations can update and enforce corporate policies across the extended enterprise
- Easier to implement and maintain
Components shown in the architecture diagram:
- Control Center: Policy Studio, Policy Server, Reporter, Administrator
- Policy Controller
- Attribute sources: SAP CUA/LDAP/AD/HRMS
- SAP applications: SAP ECC, SAP PLM, SAP DMS, SAP SCM
- Clients: Web GUI, Mobile, SAP GUI
- Switch
Prevents role explosion
Role hierarchy shown: Employee → North America Employee (US Employee, CA Employee) and EU Employee (UK Employee, DE Employee, NL Employee, SE Employee, SF Employee, SE Employee)
- Functional roles cover broad static functions
- Derived roles enable the next level of organizational detail for transactions
- A new role must be created for every new transaction capability
- Resulting in an exponential increase of derived roles
Integrates with SAP Access Control
- Combines SAP roles and access control information with attributes for dynamic authorization decisions incorporating location, HR information, computer, organization, time, etc.
- Attributes can now be pulled automatically using the attribute adapter provided as part of SAP Access Control 10.1
Components shown in the integration diagram:
- SAP Entitlement Manager: Data Classification, Data Segregation, Access Control, Audit
- SAP Access Control: source of attributes
- Control Center: User Attributes, Information Control Policies
- Attribute sources feeding user attributes: SAP ECC, AD/LDAP, CUA, HR
Enhances SAP Access Control by preventing SoD violations
Stops Segregation of Duties violations before they occur by:
- Activating SoD checks through configuration
- Integrating with the GRC AC SoD rule set
- Stopping or warning the user during the transaction
Resulting in:
- Reduction in Segregation of Duties violations
- Reduction in effort and resources to mitigate SoD violations and enforce compliance
You ran the reports and have 2,345,678 violations. Now what?
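An added example, not the product's or SAP's code, of the preventive check the slide describes: the SoD rule set is consulted when a transaction is started, and the attempt is stopped or merely warned about depending on a configuration switch. The rule set, the transaction pairings and the switch name are constructed for illustration; they are not SAP Access Control's shipped rules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SoDRule:
    rule_id: str
    description: str
    function_a: frozenset   # transaction codes that make up the first business function
    function_b: frozenset   # transaction codes of the conflicting second function


# Constructed rule set for illustration; it is not the rule set shipped with SAP Access Control.
RULE_SET = (
    SoDRule("SOD-01", "maintain vendor master vs. run vendor payments",
            frozenset({"XK01", "XK02"}), frozenset({"F110"})),
    SoDRule("SOD-02", "create purchase order vs. release purchase order",
            frozenset({"ME21N"}), frozenset({"ME29N"})),
)


def sod_check(held_tcodes, requested_tcode, rule_set=RULE_SET, on_violation="stop"):
    """Evaluate a transaction start against the SoD rule set before it executes.

    held_tcodes: transactions the user already holds or has executed (e.g. taken from
    SAP Access Control user attributes); requested_tcode: the transaction being started.
    on_violation: 'stop' blocks the transaction, 'warn' lets it run but reports the hit
    (assumed name for the slide's configurable stop-or-warn behaviour).
    Returns (decision, [rule ids hit], user-facing message)."""
    held = frozenset(held_tcodes)
    hits = []
    for rule in rule_set:
        completes_conflict = (
            (requested_tcode in rule.function_a and held & rule.function_b)
            or (requested_tcode in rule.function_b and held & rule.function_a)
        )
        if completes_conflict:
            hits.append(rule.rule_id)
    if not hits:
        return "allow", [], "no SoD conflict"
    detail = ", ".join(f"{r.rule_id} ({r.description})" for r in rule_set if r.rule_id in hits)
    if on_violation == "stop":
        return "deny", hits, f"blocked: starting {requested_tcode} would violate {detail}"
    return "warn", hits, f"warning: {requested_tcode} conflicts with held access, {detail}"
```

The difference from the after-the-fact report on the slide is that the conflict is caught at the moment the second half of the pair is attempted, so the violation count never grows.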
SAP Dynamic Authorization Management: monitor data / application activity and streamline business processes (Gain Insight)
- Removes barriers to improve efficiency
- Centralized reporting and audit to detect patterns and anomalies
- Dashboards, trend analysis and incident investigation for preventive action
Centralized reporting on information usage and compliance
- All activity is logged and reported across multiple applications
- Tracks access across SAP applications
- Centralized activity journal with customizable reporting and compliance dashboards
- Alert system tracks abnormal activity and signals when it reaches a threshold limit
Customer Value
Customer value: make sure the right people get the right data when they need it
- Enables automatic enforcement of business rules and policies
- Centralizes enforcement and streamlines the authorization process and changes
- Provides real-time monitoring for insight into data access and helps prevent fraud
- Strengthens security for sensitive information to enable safe collaboration and regulatory compliance
- Simplifies access administration by greatly reducing the number of roles under management
- Helps prevent Segregation of Duties violations
Thank you