Governance, risk, and compliance (GRC) initiatives are taking root in many businesses that have to deal with numerous compliance rules and regulations. With integrated GRC solutions in place, companies have found a way to streamline processes and workflows without an overwhelming amount of software, hardware, and independent solutions that would create confusion and increase costs.
SAP’s GRC solution provides security measures for controlling access to business transactions, business-critical data, and other sensitive information that should be protected at all times. When a user must access an area outside their normal job function, to which they do not usually have authorized access, SAP GRC offers an Emergency Access Management (EAM) component, also known as Firefighter. It grants a user temporary system access to solve a problem, finish a task, or take over responsibilities for a short period of time.
Risks Associated with SAP Firefighter
Although this is a valid solution for situations that cannot be foreseen, there is risk in giving a user such open access to sensitive information without any control parameters, as they can accidentally or maliciously engage in potentially unsafe behavior. As part of the auditing layer, the burden of reviewing the activities performed by a Firefighter lies with the Firefighter (EAM) Controller. This review is designed to provide an additional layer of control over the use of a privileged account and to make the Firefighter aware that his or her activities will be reviewed. The Controller is notified about each Firefighter session and can review most actions that were taken during it. One aspect that is not part of the Firefighter auditing framework is activity related to the download or extraction of data from SAP.
A classic Firefighter use case is the extraction of certain tables, containing potentially sensitive information, from SAP for the purpose of data cleansing before re-importing the data back into SAP. This data can contain social security and credit card numbers, employee private data, trade secrets, financial data, and other types of sensitive information, the exposure of which can have damaging consequences for the enterprise if leaked maliciously or unintentionally. Any data downloaded or extracted from SAP during such a Firefighter session would not be recorded and hence would not be visible as part of the Controller review process. That could lead to potentially sensitive data leaking from SAP as part of Firefighter activity, without any record or notice.
Mitigate the Risk: SAP Emergency Access Management Best Practices
There are ways to reduce potential data loss from a Firefighter session. One best practice is to set up alert monitoring that is triggered when a Firefighter session is initiated. Alerts can also be raised in risk areas such as mitigation monitoring, for example when a regular control action is not executed at its specified frequency, or when a user performs multiple actions that conflict with one another. Additionally, the Controller should receive full and timely disclosure of all download activity occurring during Emergency Access Management sessions, so that those records become part of the Emergency Access Management review framework. As a result, all download and data extraction activity occurring during an Emergency Access Management session can be logged and made available to the Controller for review. Controllers should be made aware of planned data extraction activity as well as of unplanned or suspicious data extraction activity that should later be investigated. With more information on Emergency Access Management activity, Controllers can ensure compliance and mitigate potentially risky behavior.
Benefits of logging data extraction activity during Firefighter/EAM sessions in SAP:
- Gives the Controller a holistic view of Emergency Access Management sessions
- Reduces the risk of potentially risky Emergency Access Management behavior
- Prevents intentional and unintentional data loss
- Enables compliance with data protection laws
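The correlation described above, as an added illustration of how download records can be tied back to Firefighter sessions for the Controller's review (example code, not SAP's own EAM implementation; the two log formats, the Firefighter IDs, user names and object names are all constructed):

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed Firefighter session log (hypothetical format): FFID, real user, start, end
SESSION_LOG = """\
FF_HR01,jdoe,2024-03-04T09:00:00,2024-03-04T10:30:00
FF_FI02,asmith,2024-03-04T14:00:00,2024-03-04T15:00:00"""

# Constructed download/extraction log (hypothetical format): user, timestamp, action, object, rows
DOWNLOAD_LOG = """\
FF_HR01,2024-03-04T09:15:00,EXPORT,PAYROLL_TABLE,1200
jdoe,2024-03-04T11:00:00,EXPORT,VENDOR_LIST,30
FF_FI02,2024-03-04T14:20:00,DOWNLOAD,CREDIT_CARDS,500
FF_FI02,2024-03-04T16:10:00,EXPORT,COST_CENTERS,10"""

# Extractions the Controller approved in advance, as (FFID, object) pairs
PLANNED = {("FF_HR01", "PAYROLL_TABLE")}

@dataclass
class Session:
    ffid: str
    user: str
    start: datetime
    end: datetime

def parse_sessions(text):
    sessions = []
    for line in text.splitlines():
        ffid, user, start, end = line.split(",")
        sessions.append(Session(ffid, user, datetime.fromisoformat(start), datetime.fromisoformat(end)))
    return sessions

def review_downloads(session_text, download_text, planned):
    """Attach every download made under a Firefighter ID to its session and classify it."""
    sessions = parse_sessions(session_text)
    ffids = {s.ffid for s in sessions}
    findings = []
    for line in download_text.splitlines():
        user, ts, action, obj, rows = line.split(",")
        if user not in ffids:
            continue  # regular user activity, not part of an EAM session
        when = datetime.fromisoformat(ts)
        match = next((s for s in sessions if s.ffid == user and s.start <= when <= s.end), None)
        if match is None:
            status = "OUTSIDE_SESSION"  # FFID used with no logged session: investigate
        elif (user, obj) in planned:
            status = "PLANNED"  # pre-approved extraction, shown to the Controller for completeness
        else:
            status = "UNPLANNED"  # unannounced extraction during a session: Controller must review
        findings.append({"ffid": user, "user": match.user if match else None, "when": ts,
                         "action": action, "object": obj, "rows": int(rows), "status": status})
    return findings
```

Feeding the resulting findings into the Controller's session review gives the reviewer the extraction records that the standard Firefighter log omits, with unplanned and out-of-session downloads already marked for follow-up.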
Are you an SAP user who wants to learn more about security gaps in SAP GRC and how to protect against them? Download a complimentary copy of our guide “GRC Guide for SAP – 3 SAP GRC Gaps No One Talks About.”