Cooper Standard Accelerates Cross-Platform Access Management
Global Manufacturer of Automotive and Industrial Products Uses Security Weaver Solutions to Drive Down Risk While Boosting Efficiency
As a global provider of systems and components for automotive and industrial markets, Novi, Mich.-based Cooper Standard has a lot of moving parts. Not only does the company operate in over 100 locations in more than 20 countries — with 74 of its sites running on either SAP ERP or SAP Business Warehouse — it is in the midst of consolidating ERP environments and transitioning to SAP S/4HANA. The sprawling nature of Cooper Standard’s business and the heterogeneous application landscape it maintains mean complex challenges for its Lead Systems Administrator Jessica Goldsmith, who manages global SAP user access and security for several other non-SAP applications.
When Cooper Standard saw the need to automate access management — Goldsmith found herself at the center of a major project. The project would affect over 11,000 desktop users who speak more than 18 languages. It would require her to define common processes that met the company’s current compliance requirements, improved control over the heterogenous application landscape that involved SAP and other vendor applications, and more importantly, her improvements needed to anticipate how the application landscape would evolve over time. After a rigorous evaluation period, Cooper Standard selected and implemented a suite of access management applications by Security Weaver designed to tackle these and other critical and complex challenges.
Now, when a request finishes and reaches approval, the system goes out and auto-creates the user and adds the access or removes the access – all automatically. And I, as an administrator, no longer have to manually manage it which is a really big deal.
– Jessica Goldsmith, Lead Systems Administrator, Cooper Standard
One of the most obvious challenges that required immediate improvement had to do with the user access request and approval process. Previously, administrators and managers were manually routing their approvals, which often created delays on the back end, according to Goldsmith. “Systems administrators would first have to review all the access requests that came in before sending them on for approval.,” she says. “Then, after each request was returned to us approved, we had to manually provision the access in the SAP system.”
A big opportunity for improvement was in performing periodic access reviews. Cooper Standard had been using Microsoft SharePoint as a platform, and users were manually running and uploading reports and using email to perform approvals and reviews. “We wanted to simplify this process for users and make it easier to track,” Goldsmith says. It was a manual process with many issues, and given Cooper Standard’s commitment to quality in all aspects of its business and its cultural mandate to delight customers, it needed to change.
Benefiting Business Users, Not Just Administrators
When Cooper Standard began investigating access management solutions, it wanted to maximize its return on investment. It did so, driven by a clear objective articulated by IT leadership. “When going through any evaluation process it’s important not just to focus on how to solve the problems for systems administrators, but rather to also make it easier for the users themselves,” says Bob Cross, Director of Information Technology at Cooper Standard. “Otherwise there’s not much value in it.”
Sue Kampe, Senior VP and Chief Information and Procurement Officer at Cooper Standard, summed up another objective: “In IT, we do a thousand things at once, but they are all to enable the business. Every decision we make is designed to ensure Cooper Standard is more competitive in the market and more supportive of its employees and customers, while providing the highest levels of security on behalf of all stakeholders.”
With this business orientation in mind, Cooper Standard sought a user-friendly and flexible access management solution that would benefit the business — not just IT administrators, while at the same time, ensure the highest standards of fiduciary control and compliance. One reason that objective led to Security Weaver was due to its ability to integrate with SAP software, according to Goldsmith, who has been at Cooper Standard for 17 years, and in IT for nine of them. “Another big thing was the flexibility of the automation the new solution provides,” she says. “Now, when a request finishes and reaches approval, the system goes out and auto-creates the user and adds the access or removes the access — all automatically. And I, as an administrator, no longer have to manually manage it, and that is a really big deal.”
Indeed, there is a business benefit to this automation, according to Satnam Hundgenn, Director of Global IT Audit at Cooper Standard. “Though our previous system had workflow, it lacked auto-provisioning capabilities,” he says. “Users can be assured now that, as soon as their requests are approved, they will have access. Otherwise, there could be a lot of waiting time, depending on the admin queues.” Consequently, with IT staff being able to do more at scale and, at the same time, make more productive SAP users, a compelling business case to move forward with Security Weaver was finalized.
In addition to IT staff benefits and SAP business user productivity, Nate Miller, Senior Manager of Global Cyber Security, IT Compliance, and Network at Cooper Standard, sums up the business case by saying, “At Cooper Standard, we understand the value of effective and efficient controls, so when we looked for a solution to give us the control and automation we needed, while improving the processes across various applications, Security Weaver was the right answer.”
A Partnership-Oriented Attitude
Security Weaver’s team, meanwhile, collaborated closely with Cooper Standard’s development team. “We had a great working relationship,” Goldsmith says. “We actually had a Security Weaver professional sit in our office for several months and he was basically my coworker for that time during the implementation.”
Through tight collaboration, key capabilities necessary for Cooper Standard’s unique requirements were raised by Goldsmith and her team. This resulted in additional training on the solution, and in some cases, changes to Security Weaver’s product roadmap. A few times, Cooper Standard was able to get new features delivered almost immediately and well before an official product release. Security Weaver also invited Miller, Cooper Standard’s Senior Manager of Global Cyber Security, IT Compliance, and Network, to participate in its annual solution portfolio roadmap review to ensure the company’s needs were represented.
Beyond product features, strong consulting services, and close executive collaboration, Security Weaver also provided, and continues to provide, ad hoc advise from domain experts and product managers and exceptional support. This level of partnership from a solutions provider is appreciated by Cooper Standard and Goldsmith.
Ultimately, Cooper Standard deployed several Security Weaver solutions, including Separations Enforcer, Secure Provisioning, Role Recertification, Risk Visualizer, Emergency Repair, and Transaction Archive. The business implemented these solutions at the same time, with all going live in Q1 2017.
The Whole Is Greater than the Sum of Its Parts
Cooper Standard recognizes measurable benefits as a result of its migration to the new Security Weaver solutions. As Goldsmith emphasizes, the auto-create feature is paying significant dividends. She estimates that her access management group is running 700 SAP requests through a system per month and is no longer requiring an administrator to touch all those requests, which is “a really big win on our part.”
The improved efficiency has enabled administrators such as Goldsmith to focus on other tasks. “Instead of spending all my time manually administering access, I can perform more value-added activities, like use Security Weaver Transaction Archive to help me to run a role management project and remove all unused roles,” she says. “I have more free time to perform those sorts of tasks that administrators rarely have time for. For example, we couldn’t do it before because we were too busy.”
Consider that, as a result of the more efficient process, Goldsmith, in her “free time,” was able to remove 80% of the assigned roles from existing users. This meant more than 61,000 roles were eliminated because they weren’t being used. This streamlined the process for users when looking for the access they needed and allowed them to spend less time maintaining and recertifying roles by IT and managers. “That level of reduction is just unbelievable and has compounding benefits,” she says. “For example, by doing that, I was able to remove 40% of conflicts across the board just by removing unused access.”
By cleaning up those conflicts quickly and efficiently, Cooper Standard managed to reduce risk and boost productivity. Soma Venkat, Vice President of Information Technology at Cooper Standard says, “For every conflict we remove, we eliminate a risk control that had to be performed. This means we save hundreds of hours because our global controllers and management team now avoid performing many mitigations and sign offs. It helps remove even more manual work as we move toward digitization.”
Following the initial cleanup of unused roles, Cooper Standard has been able to use Security Weaver and its improved processes to maintain a leaner operation. Goldsmith says that it’s more of a maintenance phase at this point. “We’re still implementing SAP software into new locations, but now we’ve built the unused role removal as part of the go-live,” she says. “After an SAP rollout in a location, for example, we now have a standard to remove roles that haven’t been used after 45 days. If they haven’t used it in the first 45 days, they probably aren’t going to use it.” In the rare situation where a user requires a removed role after all, it is a two-minute exercise, and no one is inconvenienced by the request.
The process is working. Goldsmith says she evaluated the current state of unused roles and found it is almost exactly where it was immediately after the initial cleanup. It sits within 2% of that early benchmark so, according to Goldsmith, the new processes are keeping the system lean.
Great Parts, Used Well, Make for a Superb Drive
The Security Weaver go-live is continuing to pay dividends. Goldsmith is focused on implementing monthly mitigation reminders built into Security Weaver Separations Enforcer. This application allows Cooper Standard to generate emails out of the system that sets actions into motion, such as:
Lets users know they have a control they need to perform
Creates a review
Requires a sign off
Allows the upload of an attachment
Having these actions trafficked within the system “gives audit a better opportunity to make sure to enforce that these controls are actually being done,” Goldsmith says. “Doing this manually, it was hard to ensure that users were doing what they were supposed to be doing. Not only was it difficult for audit; it was difficult for the business.”
Despite all the quantifiable benefits, perhaps the biggest benefit of Cooper Standard’s transition to Security Weaver access management solutions is that it has allowed the organization to better focus on further improvements. Its transition to SAP S/4HANA, which is targeted to be complete in the first quarter of 2020, is a great example.
Meanwhile, Cooper Standard is evaluating two additional Security Weaver modules — Automation Mitigation and Process Auditor. Clearly, the automotive and materials science company that has a lot of parts moving in every direction isn’t afraid of tackling new processes — if the result is a smoother-running operation. These solutions and related professional services will streamline processes, ensure the right risks are being addressed efficiently and at the right time, and will inevitably lead to even more business benefits for the IT staff, auditors, and most importantly, business users.
Headquarters: Novi, Michigan
Industry: Automotive industry systems and components
Revenue: $3.6B (2018)
Over 50 years of history
(NYSE: CPS) www.cooperstandard.com
Core product lines include sealing systems, fuel and break delivery systems, and fluid transfer systems
SAP solutions: SAP ERP, SAP Business Warehouse, and in the process of migrating to SAP S/4HANA
Third-party solutions: Security Weaver Separations Enforcer, Security Weaver Secure Provisioning, Security Weaver Role Recertification, Security Weaver Risk Visualizer, Security Weaver Emergency Repair, and Security Weaver Transaction Archive