This year has seen many organizations face challenges brought on by the economic climate. Some have reduced staff, while others are putting projects on hold to reduce the need for capital expenditure. This is particularly true in the cybersecurity space, as seen in our May 2023 report Cybersecurity Threats to SAP Systems. More than half of the survey respondents looked to reduce costs, put projects on hold, scale back planned investments, or even reduce staff in security teams. Combined with this need to manage costs and limit unnecessary expenditure is a requirement to simplify how applications, processes, and data are protected. This is even more important for organizations focusing on transformation and moving workloads to the cloud. A significant number of organizations today achieve these goals using a combination of manual processes and multiple tools. Not only is this inefficient, but vulnerabilities can also be overlooked by overworked or inexperienced staff.
Automating Application Governance and Controls Testing
Pathlock, previously known as Greenlight Technologies, recognized the challenges around protecting business applications and the data stored in them. They also understood that they did not have all the answers to those challenges on their own if they were going to deliver a platform to address them. To achieve their vision, they brought together technology and capabilities from two other major players in the governance, risk, and compliance (GRC) and security spaces: Appsian and Security Weaver. A year on from the merger, and following the additional acquisitions of SAST and CSI Tools, Pathlock now positions itself as a way for organizations to fully automate their application governance and controls testing programs with a comprehensive suite of tools. These cover application access governance, continuous controls testing, and cybersecurity application controls. SAPinsider sat down with Pathlock CMO Mike Puterbaugh to get a better understanding of what Pathlock is trying to achieve and how that will benefit SAPinsiders. According to Puterbaugh, the primary goal was to focus on the core business applications. “We wanted to deliver a 360-degree approach to access governance,” said Puterbaugh. “Controls testing and automation of controls testing is very important to a deep constituency of our customers. This includes segregation of duties (SoD), provisioning, and role-related projects both in SAP and elsewhere.” Pathlock is not only looking to provide these capabilities for both cloud and on-premise environments; they also want to ensure that organizations can automate these tasks. “We want to reduce risk and costs around controls and compliance automation,” stated Puterbaugh. “We provide customers with rules-based assignments, which cuts down on downtime and improves user experience. Automation is key, and it is vital to us that all three products we offer have these capabilities.”
Audit Needs and Strategies
According to Puterbaugh, auditing needs have changed significantly over the last decade. “Ten years ago, auditing was all about ERP. The processes were there and the money was there. But in the last few years there has been greater interest in the applications connected to those ERP systems and the audit space has started to grow. We believe that in another three to five years the scope for audit will include purpose-built applications like SAP Ariba and SAP SuccessFactors in their own right, outside of the ERP context.” This increase in audit need has also pushed audit capabilities beyond IT teams. In the past, IT teams were typically the buyers for audit applications because they were the ones responsible for auditing the data. While IT is typically still the driver for audit capabilities, finance and business teams are more frequently providing budget for audit purchases because these teams benefit from audit capabilities as much as IT does. One thing Pathlock recommends is a step-by-step approach: get one thing right, then repeat that process. For example, start with the ERP system. Once that audit has been completed, audit teams will understand how to reduce the time an audit takes and will have more bandwidth, since they now have an approach they have already carried out once. Repeating that same process on other systems can help standardize audits and ensure that the audit side gains further efficiencies. Pathlock aims to ensure that it isn’t necessary to educate teams on different audit capabilities for different solutions. Their solutions also allow organizations to choose where they want to start, depending on where they are in the process.
Pathlock also offers significantly greater depth in connectors to solutions like SAP Access Control and SAP Process Control, integrations with infrastructure applications like Microsoft Entra (which includes Azure AD, now Microsoft Entra ID), Okta, and ServiceNow, as well as capabilities such as reporting, usage monitoring, compliant provisioning, certifications, license management, risk quantification, transport control, and threat detection.
What Does This Mean for SAPinsiders?
Organizations today want to implement application GRC and cybersecurity controls that provide consistent protection across both cloud and on-premise environments. They are also concerned about ensuring compliance and automating audit capabilities. What should organizations do to address these needs and ensure they are ready for future audit and compliance needs?
- Evaluate solutions that provide comprehensive functionality across platforms. A significant challenge for overstretched security and IT teams is having to use different products to get the same capabilities in different environments. For example, some organizations use different cybersecurity tools for cloud and on-premise solutions, or different GRC tools for SAP and non-SAP products. A single set of tools with consistent capabilities across platforms and products can be a huge advantage, making it easier to understand the information that is presented and to act on flagged activity.
- Prepare for audit requirements related to systems connected to ERP instances. According to SAPinsider research, only one in five organizations already have audit automation tools deployed, with another 35% in the process of deploying tools that will help automate audit requirements. But 45% say that any forensic audit will require significant manual effort. Given that audit requirements have started to expand beyond ERP systems to the solutions they are integrated with, audit needs are likely to become more complex and extensive in the future. This makes it critical for organizations to start preparing today for those requirements if they are to avoid expensive and time-consuming audit procedures.
- Look for opportunities to integrate access governance, monitoring, and cybersecurity capabilities. For SAP systems, access governance has historically focused on tools like SAP Access Control and SAP Process Control, while cybersecurity capabilities were primarily available from third-party vendors. While SAP has developed several innovative security capabilities like SAP Enterprise Threat Detection and SAP Code Vulnerability Analyzer, these are still separate solutions that can require significant administrative effort to fully utilize alongside SAP GRC. Bringing these capabilities together can benefit organizations that have limited security and IT resources. Look for vendors that can consolidate these capabilities into offerings that make it easier to achieve both application GRC and cybersecurity goals without acquiring multiple tools.