Balancing Future Opportunities With Future Risks In SAP

S/4 Hana, cloud and new security controls come with increased opportunities for SAP customers, yet there are new risks, too. How do you balance them?

This will be a year of change and digital transformation for many SAP customers. More companies are expected to migrate to Hana and S/4, some businesses will move to an SAP cloud environment for the first time, and others will take greater advantage of the SAP cloud application ecosystem. And at the end of the year, support for SAP GRC 10 ends, so the year ahead will also mean an upgrade or change of access controls for those on that version.

All of the above come with increased opportunities for SAP customers, yet there are new risks, too. How do you balance them and make the right choices for your company? Since a great many SAP users will also be in the midst of evaluating or building a business case on how to proceed on their digital transformation initiatives, they’ll most certainly be weighing advantages and vulnerabilities. The following are a few.

Migration to S/4 Hana

SAP enterprise resource planning (ERP) customers have known for some time that to remain on a supported version of SAP will require a migration to S/4 Hana before the end of 2027. Leaders and early adopters realize the value in making the change – sooner rather than later. According to an August 2019 SAPinsider report, Benchmarking the Business Case for SAP S/4 Hana, survey respondents classified as “leaders” were driven to migrate for the digital transformation and optimization of business processes more than the fear of the eventual end of support for ECC. This factor overrode concerns of disrupting operations or the soft and hard costs of implementation.

Forward-thinking, progressive companies see the advantages of faster processing and reporting, improved ability to measure business performance through digital intelligence, and overall increased efficiencies as core reasons to take the migration leap. For this cohort, the pros outweigh the cons.

However, there are downsides or risks to keep in mind and prepare for. Migration is complex, it can be costly and there are many ancillary requirements to make the move to a new SAP environment that functions differently than what customers are accustomed to.

Beyond potentially long, complicated and expensive implementations, which grow even more so without solid transition plans and project management, data migration and conversion are a considerable risk depending on how they are approached. One hazard is migrating dirty data, outmoded customizations or inefficient processes and workflows along with everything else. A thorough cleanup and an intensive review of existing data and processes beforehand are a must. That is one reason many customers designated as “leaders” are choosing greenfield implementations to modernize processes and reduce inefficiencies, according to one survey of SAP users.

Starting with a clean environment is a must, as well, for access risks in your SAP system. Don’t take them with you when you make the move to S/4 Hana, especially if you are choosing a brownfield implementation. Understand your Segregation of Duties (SoD) and access violations by user, role and business process and remediate them before, during and after migration. SAP is confusing and convoluted enough; access controls don’t need to be. Researching options and selecting quickly implemented, easy-to-use, end-to-end GRC tools should be a priority on your migration project plan.

Climbing into the cloud

A large number of SAP users will experience cloud-based ERP for the first time in the coming months. An April 2019 study showed that 60 percent of survey respondents are choosing a cloud deployment, using private, public or hybrid models. Companies most interested in digital transformation, agility, faster deployment time and cost savings will select cloud.

The upside of leveraging the cloud far outweighs any negatives. Depending on the cloud model selected, upgrade and maintenance inconveniences and costs can be eliminated. Customers can scale up or down easily to suit their needs, gain flexibility in where they work from, reduce data storage costs, get more data storage options, improve business continuity and data backups, benefit from encryption of their data, improve collaboration and reduce dedicated support staff.

As far as drawbacks to be aware of with SAP cloud, some integration and middleware solutions currently in use also may need to be upgraded. They may not support integration to the cloud, making it necessary to explore other solutions. Therefore, make sure you understand the interdependencies of all components and if they will work together.

Where data is stored, and the regulations governing where it may be stored, may also be an issue. GDPR and EU data residency requirements are two instances of data localization to consider; note that GDPR applies based on whose personal data you process, not only on where your company is located.

Data breaches, especially internal breaches, may not be any more likely with a cloud solution than an on-premises system. Taking proper security precautions is paramount for any software – run in the cloud or in-house. Automated access controls are the best line of defense for internal threats in both cases.

Leveraging SAP’s application ecosystem

S/4 Hana brings other changes that may seem counterintuitive. The ERP serves as the digital core while functions once included within the ERP are now cloud applications residing outside the core. Human resources, for example, once part of the ERP, is now delivered as SAP SuccessFactors. Like the ERP, that application runs on Hana, as do other SAP applications that integrate with the digital core, but each is a separate system connected to the core through integration rather than a module inside it.

One benefit of the expanding cloud applications is that customers have more choice in what to add to the digital core. They can even elect not to use an SAP solution, such as SuccessFactors, Ariba, Concur, Hybris, etc., and choose a cloud solution outside of SAP. Within the SAP portfolio they also get a common Hana data platform across the applications they do choose.

Negatives to contemplate include module pricing and integration costs: the more disparate moving parts, the more complex the connections between them. Another consideration is that the cloud applications create a need for multi-application access controls that provide visibility into risks across the ERP and the cloud applications connected to it. A conflict split between two systems, such as maintaining vendors in one application and running payments in another, is invisible to a tool that analyzes each system alone, which may cause you to rethink how you monitor SoD and access threats so that you get an enterprise-wide view without a patchwork of disparate tools.
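The SoD analysis that the migration section and the paragraph above both call for (violations by user, role and business process before and after the move, and a single view across the ERP and the cloud applications wired to it) reduces to a rule-based check over who holds which conflicting business functions. The following Python is an added example written for this article; it is not ERP Maestro's product, SAP's GRC rule set or any SAP API. The systems, roles, business functions, users, rules and the mitigating control are all constructed for illustration; in a real landscape the role-to-function mapping would be derived from each system's authorization data rather than typed in. It also shows what an analysis restricted to the ERP alone would miss.

```python
"""SoD risk analysis across an ERP and the cloud applications connected to it.
Added example for this article, not SAP's GRC rule set or any vendor's product:
roles, functions, users, systems, rules and the mitigating control are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:                   # two business functions one person must not hold together
    risk_id: str
    process: str              # business process the conflict belongs to
    func_a: str
    func_b: str

@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    process: str
    via_a: Tuple[str, str]    # (system, role) granting func_a
    via_b: Tuple[str, str]    # (system, role) granting func_b
    cross_system: bool        # the two functions come from different applications
    mitigation: Optional[str] # assigned mitigating control, if any

# Constructed: the business function(s) each role grants, per system. In a real
# landscape this is derived from each system's authorization data (transaction
# codes and authorization objects in the ERP, permission roles in the cloud apps).
ROLE_FUNCTIONS = {
    ("ERP", "Z_AP_CLERK"): {"AP_INVOICE_POST"},
    ("ERP", "Z_PAYMENT_RUN"): {"PAYMENT_RUN"},
    ("ERP", "Z_VENDOR_MAINT"): {"VENDOR_MASTER_MAINTAIN"},
    ("ERP", "Z_BANK_MAINT"): {"BANK_MASTER_MAINTAIN"},
    ("ERP", "Z_FI_SUPER"): {"VENDOR_MASTER_MAINTAIN", "PAYMENT_RUN"},  # conflict inside one role
    ("ARIBA", "SupplierManager"): {"VENDOR_MASTER_MAINTAIN"},
    ("SFSF", "Payroll_Admin"): {"PAYROLL_CHANGE"},
}
# Constructed user-to-role assignments as (user, system, role).
USER_ROLES = [
    ("alice", "ERP", "Z_AP_CLERK"), ("alice", "ERP", "Z_PAYMENT_RUN"),
    ("bob", "ARIBA", "SupplierManager"), ("bob", "ERP", "Z_PAYMENT_RUN"),
    ("carol", "ERP", "Z_VENDOR_MAINT"),
    ("dave", "SFSF", "Payroll_Admin"), ("dave", "ERP", "Z_BANK_MAINT"),
    ("erin", "ERP", "Z_FI_SUPER"),
]
# Constructed rule set: classic procure-to-pay and hire-to-retire conflicts.
RULES = [
    Rule("P2P-01", "Procure-to-Pay", "VENDOR_MASTER_MAINTAIN", "PAYMENT_RUN"),
    Rule("P2P-02", "Procure-to-Pay", "AP_INVOICE_POST", "PAYMENT_RUN"),
    Rule("H2R-01", "Hire-to-Retire", "PAYROLL_CHANGE", "BANK_MASTER_MAINTAIN"),
]
# Constructed mitigating-control assignments keyed by (user, risk_id).
MITIGATIONS = {("alice", "P2P-02"): "MC-007 monthly payment-run review by the controller"}

def user_functions(user_roles, role_functions):
    """Map each user to the functions held and the (system, role) granting each."""
    held = defaultdict(lambda: defaultdict(set))
    for user, system, role in user_roles:
        for func in role_functions.get((system, role), ()):
            held[user][func].add((system, role))
    return held

def analyze(user_roles, role_functions, rules, mitigations=None, systems=None):
    """SoD violations by user. `systems` limits the input to those applications,
    which is all a single-system tool sees; None analyzes the whole landscape."""
    mitigations = mitigations or {}
    if systems is not None:
        user_roles = [ur for ur in user_roles if ur[1] in systems]
    held = user_functions(user_roles, role_functions)
    found = []
    for user, funcs in sorted(held.items()):
        for rule in rules:
            if rule.func_a not in funcs or rule.func_b not in funcs:
                continue
            for via_a in sorted(funcs[rule.func_a]):       # every granting path, so
                for via_b in sorted(funcs[rule.func_b]):   # remediation can target roles
                    found.append(Violation(user, rule.risk_id, rule.process, via_a, via_b,
                                           via_a[0] != via_b[0],
                                           mitigations.get((user, rule.risk_id))))
    return found

def conflicting_roles(role_functions, rules):
    """Role-level view: roles that contain a conflict by themselves."""
    return sorted((system, role, rule.risk_id) for (system, role), funcs in role_functions.items()
                  for rule in rules if rule.func_a in funcs and rule.func_b in funcs)

def by_process(violations):
    """Violation counts per business process."""
    return dict(Counter(v.process for v in violations))

if __name__ == "__main__":
    all_v = analyze(USER_ROLES, ROLE_FUNCTIONS, RULES, MITIGATIONS)
    for v in all_v:
        print(v.user, v.risk_id, "cross-system" if v.cross_system else "single-system",
              v.via_a, v.via_b, "mitigated" if v.mitigation else "OPEN")
    print("roles conflicting on their own:", conflicting_roles(ROLE_FUNCTIONS, RULES))
    print("by process:", by_process(all_v))
    erp_only = analyze(USER_ROLES, ROLE_FUNCTIONS, RULES, MITIGATIONS, systems={"ERP"})
    print("seen by an ERP-only analysis:", len(erp_only), "of", len(all_v))
```

Run as-is, the landscape-wide analysis reports four violations; restricting the same data to the ERP finds only two, because bob's vendor-maintenance access lives in Ariba and dave's payroll access in SuccessFactors. The role-level view flags Z_FI_SUPER, which conflicts on its own and should be split rather than assigned, and the mitigation field marks alice's conflict as accepted under a compensating control, which is a different outcome from removing it: a mitigated violation still needs the control to actually run.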

Next steps for GRC 10 users

An important date to keep in mind when thinking about changes is December 31, 2020, when support for SAP’s GRC 10.1 ceases. Customers who use SAP’s access control solution will need to migrate to GRC 12 or another solution, and that move is a prerequisite if you are upgrading to S/4 Hana. New customers will also need to look closely at what access control solution to implement for the most cost-effective and efficient approach.

As it stands now, however, there is a shortcoming. GRC 12 on its own can’t handle the complexity of S/4 Hana and the applications connected to it without the use of a bridge to perform risk analysis across all systems. SAP reports that you can opt to use SAP’s Cloud Identity Access Governance (IAG) solution, which can integrate with GRC 12 to conduct “access analysis and to connect to cloud applications from on-premise SAP Access Control to bring those cloud applications under the access governance umbrella.”

Users of access control on premises create access requests through GRC 12, and the risk analyses and mitigation control assignments are handled by the cloud access analysis service through IAG. In essence, this amounts to using two disparate systems to manage access risks. Additionally, you will have the migration to GRC 12 itself, and transitions to new versions of SAP’s access controls historically have not been particularly easy, quick or economical.

There are alternatives that offer better opportunities for digital transformation in internal controls, too, without the convolutions, multipart tools, long implementations, higher cost and uncertainty about the future of GRC 12. Customers face some ambiguity about what happens after version 12 and about whether, and when, IAG will be able to handle the analysis of multiple applications on its own.

As you move into 2020, take into account all of the benefits and risks in the transformations ahead and include all in your analysis and business case for change. Most importantly, move ahead safely, securely and as cost-effectively as possible.


About the author

Jody Paterson, ERP Maestro

Jody is a trusted advisor and cybersecurity thought leader who is a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA), former director at KPMG, and founder of ERP Maestro.
