We know that employees who store and deal with business data operate the SAP ERP and all underlying systems that deliver information (Financial, HR processes etc.). It is this exact data that forms an essential part of an enterprise’s value and thus is considered to be an asset. Employees who use the information within their business processes can read, modify and print data on a daily basis, and systems are set up to support this, which is normal. But the new angle to take into consideration is what happens when an unauthorized person gains access to sensitive data? What is the impact of critical financial, IP related information if or when it leaks out?

SAP now provides a product in the Identity Management (SAP IdM) area that allows for active management of all users and authorizations within an SAP run enterprise, ensuring complete data & access governance. Prior to the introduction of SAP IdM, SAP users managed their ABAP and JAVA systems using CUA – Central User Administration. The new product – SAP IdM , allows for the management of user data, user accounts and authorizations of systems not only on the SAP Platform but also on the entire heterogeneous landscape.

The reasons for implementing SAP IdM are very compelling:

1. To comply with laws and external audits
2. To reduce security risks
3. To reduce costs through automation and process optimization
4. To manage the lifecycle of an identity in the enterprise

We will discuss the detailed functionality and features of the SAP IdM solution in my next blog. Meanwhile. I will leave you with a high level architecture of the SAP IdM as food for thought.

Author

Dr. Jagan Nathan Vaman PhD CGEIT CISA
Chief Consulting Officer
Aujas Risk Management Services

But there are some serious concerns around the usage of open source in commercial environments. It is imperative to keep in mind the following possibilities if you are considering going the open source way.

Intellectual Property (IP) Infringement:The licensing aspect of open source code poses some unique challenges. Some of the licenses are permissive, while the others are restrictive. If you are unaware of this, you face the possibility of being subject to a “breach of agreement” on one hand or being subjected to claims of copyright infringement on the other hand. In fact, there have been several instances where organizations were asked to stop the commercial distribution of product shipments and product recalls. Recently Oracle sued Google (GOOG), alleging patent and copyright infringement of Java-related intellectual property in the development of Android mobile operating system software.

In some cases, organizations have been asked to make the source code available, leading to potential loss of Intellectual Property, loss of competitive advantage and/or possible financial obligations because they were using code from the most viral OSS licenses.

Open Source Software can be susceptible to security vulnerabilities: At the end of the day, open source software is nothing but source code and like any other source code, it is susceptible to security vulnerabilities. If the source code is not tested rigorously before moving it to production, it leaves the door open for an adversary to compromise the application running in production. For example, recently, there was a major vulnerability discovered in Apache Tomcat which could lead to denial of service if not patched appropriately

Unknown Source: Open source components can be made up of other open source components or derived from other open source components. So, whose code is it anyway? The original code might have been issued under special GPL license or commercial license forcing the organization to indirectly oblige to licensing terms specified by the original author of the code.

They are everywhere, yet hidden: Let us assume that the organization has a specific policy crafted for open source usage but is unable to document all the open source and/or third party components that are being used within the organization. During one of the audit engagements, we observed that the organization had visibility of only 40% of total open source components in use. So the issue is “the organization uses open source software, but it doesn’t know where they are”. Obviously this can lead to security or legal issues.

The risk of open source usage does not lie in the usage of open source itself, but on how the open source code is being managed in the organizational environment. If the organization does not keep track of the open source code it has adopted, then it is very difficult and expensive to deal with obligations and vulnerabilities that are associated with it. So, there is a definite need to create an open source compliance management program (including an assessment checklist, training programs and software tools to monitor open source software usage) which can establish a framework for due diligence to ensure both the security and legal status of resulting application or product.

Author

Jaykishan Nirmal
Practice Lead, Aujas Networks

Introduction

In the last article in the “IAM: Before and After series” we looked at how organizations can drastically reduce user access calls to the helpdesk by implementing an IAM solution. In the scenario , the client was able to reduce the call volumes by more than 95%.

In the second article of this series, we look at IAM from a security and risk management view – specifically from the Access Governance and Recertification Process in the organization.

Why is Access Governance Important?

Access risk is defined as, “risks related to unauthorized or inappropriate access”. As per Forrester, access governance includes three key components,

1. Access recertification
2. Role management and
3. Access request management

Access governance has become a critical component in the information risk management domain. It lowers access risk and improves security because it provides a better understanding of who has access to what and why; thus, fewer people accumulate privileges during their tenure in an organization.

Client Background

Let’s take the same client we discussed in the earlier article. The client is a country arm of a global Fortune 500 financial services company with a large user base of over 12,000 which is still seeing active growth. The user base includes internal users, external users and
contractors. Additionally, the organization works with more than 50,000 agents. The business operations are supported by over 30 business critical applications that are built on diverse and heterogeneous technology platforms, and managed by different business teams.

Before IAM

As part of their compliance policy, the client needed to recertify access to all their users and applications on a regular basis. But the process was manual and used to take 2 to 3 months. As it was labor intensive and time consuming, it could not be scheduled more than once a year.

Manual deletion of accounts and recertification took significant effort and so, by default, the tendency was to grant all access unless explicitly denied. Exposure to access risk started increasing year on year, since unwanted access was not being identified and de-provisioned in an assured manner.

The Solution

Aujas successfully implemented a comprehensive IAM solution to address client requirements. The solution included:

• User Provisioning System: This component provided centralized control and 360° automation of business processes involved in user access management. As a result processes for requesting, validating, approving and provisioning access became more efficient and manual errors were eliminated.
• Access Governance Workflows: This component helped by automating and streamlining the periodic review of access entitlements. Additionally, the solution leveraged role information built into the system. As a result, the system proactively prevented violation of separation of duties paradigm while granting access.
• Access Management System: A comprehensive access management system comprising web access management and enterprise Single Sign-on (SSO). This solution component helped in enforcing role based access controls. Access Reporting Dashboards: This component allowed business and IT teams to easily track the status of the recertification process. The system the organization to quickly identify specific areas that created a bottleneck in the processes and to provide remediation in a focused manner.

After IAM

The table below lists some of the significant client benefits after implementing the IAM solution.

Automating the access governance and recertification process simplified the jobs of the security and risk management team and they were able to ensure a much more focused and tighter life-cycle process to manage access risk.

The biggest benefit for the client was moving from a reactive audit approach to a more proactive role management to manage access risk problem.

Conclusion

One of the key security concerns in any large organization is access risk. Governing access and conducting recertification manually is a tedious process, and most organizations shy away from a comprehensive and frequent review, which leads to access risks. Automating the entire process brings significant efficiency related benefits to the organization and more importantly peace of mind due to reduced risk!

Last month, I met some major telecom companies and during these meetings, the business and security leaders discussed the challenges they face in their B2C mobility initiative. The concerns were around launching mobile applications for various mobile operating systems and platforms, deciding the right communication channels and of course security.

B2C mobile apps architecture involves mobile client apps, middleware applications and external integration services which make it complex. This is true for any company wanting to provide a mobile application to their consumers and not just telecom companies.

Key Security Risks

A B2C mobile apps has four major risk categories – mobile client app risk, middleware application risk, mobile applications interfaces risks and device lost / stolen case risks. Below are some major security risks for mobile applications:

• Mobile Client App Security Risks

1. A malicious user can perform reverse engineering attacks to get sensitive information on improper signed application.
2. Weak cryptographic implementation for critical data storage on device’s local data storage can lead to fraudulent transactions.

• Middleware Application Security risks

1. In middleware applications where web services – HTTP, SOAP, REST – are used, an adversary may attempt to intercept request/response messages
2. Insecure network communications channels may lead to tampering of middleware/interfaces parameters and/or database compromises.

• Mobile Application Interfaces risks

1. Mobile applications connect to the backend and database servers through various interfaces. Insecure interfaces may lead to data tampering, Denial of Services and message reply attacks.
2. Improper data validations may lead to SQL injections, Cross site scripting attacks.

• Device lost/stolen case risks

1. In case of device lost/stolen, un-authorized user may misuse data on device

Securing the B2C Mobile Application

To secure your mobility initiative organizations should focus on security of the entire eco-system including:

• Mobile client and server applications,
• Middleware applications, its interfaces, web services,
• Communication channels and
• Local device data storage.

Securing only one or two components will not help secure the entire chain, since the chain is only as strong as your weakest link.

Top 10 suggestions to secure your B2C mobile application would be:

1. Validate all trusted (local data storage or server data storage) and not trusted (invalid user inputs e.g., special characters) inputs in the mobile client application
2. Encrypt request and response messages
3. Use secure web services
4. Use appropriate security controls for firmware and middleware applications
5. Encrypt data storage on local handheld devices
6. Employ a strong authentication mechanism
7. Release proper signed mobile apps
8. Remote data wipe configurations to prevent unauthorized access
9. Session management
10. Restricting access to the integration services and its configurations

Happy mobilizing!

Author

Mr. Suhas Desai,
Sr. Consultant – Mobile Security Practice
Aujas Risk Management Services

Introduction:

While Identity and Access management (IAM) projects can solve multiple problems, they can also become complex and time consuming. Most organizations struggle with the question, “To deploy or not to deploy”. Is there an ROI? Are there real benefits at the end of the tunnel? These are typical questions most CIOs ask.

Aujas has implemented large IAM projects for clients across industry verticals. In a series of articles, we plan to discuss what benefits a client can expect realistically. We will provide the “Before and After” view by discussing scenarios prior to IAM implementation and scenarios post implementation.

In this first article of the series, we are going to cover the aspect of Helpdesk calls related to access management.

Client Background:

The client is a country arm of a global financial services company with a large user base of over 10,000 and growing. The user base includes internal users, external users and contractors. Additionally, the organization works with more than 50,000 agents. The business operations are supported by over 30 business critical applications that are built on diverse and heterogeneous technology platforms, and managed by different business teams.

Before IAM:

One key problem the client had was of managing user identities across enterprise applications. While there were support teams for each of the application, there were no universal and common procedure followed for user requests to avail application access.

With this approach, although the process for requesting access was defined, the implementation lacked user ID standardization, strong password policies, escalation matrix, audit and compliance reports to name a few.

Users had to remember multiple sets of user IDs and passwords to login to applications. Because of this, there was a huge backlog in helpdesk calls for password reset, unlocking accounts and other such requests.

The Solution:

Aujas successfully implemented a leading IAM suite to address the client requirements. The solution included:

• User Provisioning System: To streamline the business processes by defining a centralized control to manage identity records. The processes to provision access to business applications were refined to leverage the automated system. Access provisioning was aligned with roles and a self-service interface was setup to allow users to request application access and their approvers to grant or reject the request.

• Access Management System: A comprehensive access management system comprising web access management and enterprise Single Sign-on (SSO) was setup. The access management system provided a unified and dynamic portal for users to see and access their currently approved applications. This system allowed users to access the web easily, thick client and terminal based applications in a safe manner without the hassle of remembering different passwords and policies, thereby drastically enhancing user experience. 

After IAM:

Even though the client saw many positive improvements, the biggest benefits were seen in the following two categories:

• Productivity Increase: The key factor in productivity increase stemmed from the reduction in turn-around time for Access Provisioning. The turn-around time reduced from an average of 4 days to less than 15 minutes – a 99% decline.

  This led to an enormous productivity improvement for the client. With an average growth of user base at 30% (3000 employees), the 4 days saved per employee in access provisioning led to tremendous increase in productivity as the client saved over 12,000 man-days of effort annually.

• Cost savings: Reduction in user account management related helpdesk calls from 5500 per month to 500 per month (90% reduction). On an average, a helpdesk call costs $10. Hence, the solution provided savings of $50,000 per month ($600,000 per annum).

  Additionally, the solution provided savings in lost productivity. Earlier the helpdesk received 100 account lockout tickets per day with an average turnaround time of 4 hours. The new solution allowed the client to eliminate almost all account lockout situations (90% reduction). Totally, around 13,000 man-days were saved which would have been wasted otherwise.

Conclusion:

There are definite benefits in terms of automating your access provisioning system. The primary benefits are around productivity increase and cost savings and these are only a few of them. We will cover other benefits like security, risk management and other productivity improvements as we go along in this series.

Author(s):

Mohit Vaish
Practice Head – IAM
Aujas Risk Management Services

Ms. Amitha Raju
Consultant – IAM Practice

Here is what Rumelt says, “Back in the 1930s, the Graf Zeppelin and the Hindenburg were the largest aircraft that had ever flown. The Hindenburg was as big as the Titanic. Together these vehicles had made 620-odd successful flights when one evening the Hindenburg suddenly burst into flames and fell to the ground in New Jersey. That was May 1937.”

Years ago, I had a chance to chat with a guy who had actually flown over Europe in the Hindenburg. He had this wistful memory of it being a wonderful ride. He said, “It seemed so safe. It was smooth, not like the bumpy rides you get in airplanes today.” Well, the ride in the Hindenburg was smooth, until it exploded.

The risk that passengers took wasn’t related to the bumps in the ride or to its smoothness. If you had a modern econometrician on board, no matter how hard he studied those bumps and wiggles in the ride, he wouldn’t have been able to predict the disaster. The fallacy is the idea that you can predict disaster by looking at the bumps and wiggles in current results.”

To see the disaster coming, you had to have looked beyond the data about flight bumpiness—beyond the professionalism of the staff—and really think, “Does it make any sense to have people riding in a gondola, strapped to a giant sack of flammable hydrogen gas?” There’s just not a data series that lets you think about that.  The history of bumps and wiggles—and of GDP and prices—didn’t predict economic disaster. That is the fallacy most people fall into when they talk about security, Tail risk or Black Swan events.

If we apply this logic to any ERP – I find many ERP customers suffer from the smooth sailing fallacy.

• “Well – we implemented SAP 10 years back, IBM is managing the support and we have no problems!”
• “Our security incidents are insignificant.”
• “Oh we have installed SAP GRC solutions but no one uses them! And so we are secure!”

This smooth-sailing fallacy in security arises when we mistake a measure for reality. Mature managers always look deeper than the numbers, deeper than the current measures. Others just focus on the metrics that are based on past reality. That’s how we get into trouble.

This lesson is fundamental: you cannot manage by just looking at the results.  You have to have a big picture view of security by applying constant changes in security issues, technology, protocols and metrics. That means your security policy which may be 3 years old is useless and you have no security in place. CEOs and CFOs will use the smooth sailing argument – Hey! We never had a security issue in the past 2 years? So why worry now?

You have to show them what Rumelt said about Hindenburg! A small design flaw can blow them out of business since the ERP system is the business backbone in many companies.

So it is important to focus on three things:

1. Critically question your IT systems & the Security design – are they relevant? Are they bullet proof & future proof? Is there a hidden flaw?
2. Hope is not a strategy! So create a Security Team to redesign the IT Security Framework based on a thorough and annual Risk Assessment (mere adherence to ISO 27001 or ITIL will not do!). Use professional help if needed.
3. Execute your plans in a phased manner – first time right. Do not try to boil the ocean. Keep this as a continuous improvement process.

Author:
Dr. Jagan Nathan Vaman PhD CGEIT CISA
Chief Consulting Officer
Aujas Risk Management Services

Maintaining awareness of potential security incidents all the time, every day, is difficult, and knowing how to react to incidents is more difficult still. Your company needs to be ‘right’ all the time, but intruders only need to be ‘right’ once. Imagine an IP, Design, Customer Data, Financial data theft from your SAP system! It can lead to both a reputation loss and a loss of business.

Companies that run SAP ERP & their security teams should understand how vulnerable your SAP system is! Here are some facts that might shake you:

1. In a typical SAP environment, data transferred between a client and the server is unencrypted. E.g. Any communication with the SAP server using a Desktop or mobile device or client app or portal transmits unencrypted data! It is a high risk area, “client to server un-encrypted communication”, and makes your entire SAP system highly vulnerable.
2. To fix this gap, SAP has recently introduced “SNC Encryption module” in
   October 2011 and is a free release for the SAP clients. Through this
   small upgrade you can quickly fix one of the most vulnerable areas of
   your SAP system.  Point to note here is that this un-encrypted
   communication vulnerability existed for a long time in your SAP system
   and even now you are vulnerable without this fix.
   

SAP did two acquisitions to provide a Secure SAP system and these are recent events.

1. SAP acquired MaxWare Identity Management solution in 2006. This is incorporated as SAP Netweaver Identity Management solution & sold with a licensing model.
2. SAP acquired SECUDE (a Swiss SAP Information security company) software assets in March 2011. With this acquisition came Single Sign-On (Secure Log-In), ESSO – Enterprise SSO and SNC Encryption.

There is a lot to catch up and be compliant with these security solutions – to ensure a secure SAP environment. To bring you up-to-date on the SAP security and improve your SAP Security posture – you need a roadmap. 

The road map broadly should focus on a combination of business focus, scenario analysis and SAP security tools. The combined knowledge of your security experts and a purpose driven SAP security assessments, provide you with a world-class SAP security service at a low cost.

High Performance SAP Security road-map is developed with a three phased approach:

1. Assessment – This phase is designed to understand the ‘as-is’ risk profile of your organization, and how it fits with the business requirements of your enterprise. Based on this assessment you should tailor SAP Security design and controls to monitor and protect key business assets as well as the enabling IT of your enterprise.

2. Implementation – Deployment of controls processes and tools to put the right monitoring capability in place, and building of the right rule-sets to prioritize and escalate events in line with business priorities.

3. Ongoing Management –SAP Security process that works on intelligent escalation as required and continuous improvement of your risk management and security posture with a managed SAP Security service. A Security Management Portal should be built so that your company can drill down into the status of threats and remediation actions underway.

The benefits of a high performance SAP Security includes:

• Business-focused security delivery model: guard your business, not just your SAP ERP
• Improved security efficiency as a result of wider SAP Security situational awareness and Business asset aligned prioritization
• SAP Security and compliance tools, dashboards that provide you with a view of your security posture and results of security improvement programs
• Improved manageability and reduction in security operating costs
• Reduced security ‘distraction factor’ so that you can focus on your core business objectives.

Author:
Dr. Jagan Nathan Vaman PhD CGEIT CISA
Chief Consulting Officer
Aujas Risk Management Services

The Problem

The Risk
Usually, these IDs, especially the ones that are in-built, are shared among the groups of administrators. This method of sharing highly powerful access can cause accountability concerns and non compliance with regulatory requirement, thereby significantly increasing the access risk.

Data can be stolen undetected or IT systems can be sabotaged by misusing the privileged access, since these IDs have access to systems from the backend and can bypass the control deployed for business users.

The rapidly emerging trends of cloud computing, consolidation of data centers, virtualization and hosted application services providers imply growing numbers of IT systems and privileged IDs. Any organization using significant number of IT systems like servers, network devices, desktops, or applications faces the requirement of managing privileged IDs.

Regulatory and government requirements for telecom, banking and IT verticals create an even greater need to address this requirement. Recent prominent and high profile security breaches in these verticals across the globe highlight the degree of access risk caused by inadequate privileged ID management.

What Not to Do
Limiting the privileges granted to these IDs will not mitigate the risk as it will render the useless IDs to perform its functions. Alternatively, some organizations aim to bring in accountability by assigning individual IDs to their administrators in order to eliminate sharing. This approach is helpful only for managing a small number of administrators managing few systems.

In-built IDs will still need to be shared even if administrators use their own individual IDs. To add to the complexity, some IT systems enforce a limit on the number of individual accounts that can be created to manage them. Moreover, the number of individual IDs grows multiplicatively with the increase in both the number of administrators and managed systems.

For example, an admin team of twenty managing a thousand systems can easily be dealing with more than 20,000 IDs. The cost and complexity of managing the lifecycle, enforcing password policies and access controls on so many individual IDs makes this approach suboptimal.

Mitigating the Risk
What is needed is a comprehensive and modular approach to privileged access and activity management. Privileged access and activity management is an identity management domain comprising of the same traditional building blocks of User Provisioning, Single Sign-on and Access Management, Role Management, Password Vault and SIEM tied together with robust solution design based on well thought of policies and procedures.

A good solution approach uses an iterative model to focus on each of these areas and improve them incrementally by understanding how it integrated with other building blocks. This approach allows for a modular solution which not only can solve immediate problems with least disruption and change to the existing practices, but also scale to meet the evolved requirements as the business and expectations grow.