Business White Paper: Identity and Security

Achieving Continuous Compliance with Novell and SAP

www.novell.com

Table of Contents

Facing the Rising Risks and Costs of Compliance

Finding Answers with Novell and SAP

Using the Novell Compliance Management Platform Extension for SAP Environments to Achieve Compliance

Technical Benefits

Moving Toward Continuous Compliance and Beyond

Why Novell?

Facing the Rising Risks and Costs of Compliance

There are many memorable examples of what can happen when corporate policies are breached. But perhaps one of the most dramatic took place on a cold, otherwise forgettable winter’s day when Société Générale, the second-largest bank in France, announced it had become the victim of a US$7 billion crime.

In an announcement that made headlines around the world, bank officials revealed that, over the course of several years, a rogue trader had executed fraudulent transactions that had cost the bank billions of dollars. According to company executives, it was the trader’s knowledge of internal policies and controls that allowed him to hide the fraud for so long. Though Société Générale reacted quickly to the discovery, dismissing related personnel and addressing recovery plans with investors and the media, the staggering losses significantly diminished the company’s profits, shook customer and investor confidence and left the bank in the unenviable position of being the victim of the single largest act of fraud by an individual in the history of the securities industry.

So what happened? How did one person manage to perpetrate such monumental fraud for so long? And what can other organizations learn from this example? In very simple terms, the thief found a way to gain access to systems that allowed him to both make trades and approve them. This constituted a clear and obvious separation-of-duties (SoD) violation, but Société Générale lacked the ability to check access rights against specific policies, identify SoD violations quickly, and then automatically deny access. This disconnect between established corporate policies and the ability to enforce them across the whole enterprise turned out to be an incredibly costly and damaging shortcoming.

The Société Générale example is impressive in scale, but it is certainly not unique. Today, companies around the world struggle to create an effective enterprise-wide framework for compliance. They often expend enormous resources on compliance, only to end up with a piecemeal solution that may get them through this year’s audit but still leaves them unprepared to deal with tomorrow’s threats. Even as compliance spending continues to increase dramatically year after year, analyst firms like IDC report that “inadequately addressed compliance regulations will result in increased violations and subsequent legal and public relations problems for corporations over the next several years.”[1]

To make matters even more complicated, business executives must now take personal responsibility for compliance issues. An organization’s failure to comply with established policies—whether internal or regulatory—could be damaging not just to the company’s brand and image, but also to the personal credibility of the management team.

Amid such a challenging business climate, executives are left to ponder several pressing questions:

Do our IT policies and infrastructure support our business goals and compliance requirements?

What’s the fastest, most efficient way to create an enterprise-wide compliance framework that connects business processes, IT controls, and applications?

How can I offset the escalating costs required to achieve compliance?

Can we confidently confirm our compliance status at any given moment?

“Integration of identity and access management (IAM) and security information and event management (SIEM) technologies can improve IAM user and role management capabilities, enable SIEM exception monitoring, and provide audit capabilities that are much broader than what IAM alone can deliver.”

Gartner, Inc., SIEM and IAM Technology, Mark Nicolett, Earl Perkins, September 1, 2009

__________

1 IDC, “Identity and Security Management and Strong Information Technology Governance: Novell’s Solution Suite Automates the Approach to the Perfect Union,” Sally Hudson, February 2008

Finding Answers with Novell and SAP

Fortunately, Novell and SAP are working together to provide new answers to these challenging questions. This starts with the Novell® Compliance Management Platform—a solution that integrates identity and access information with security information and event management technology to give you a real-time, enterprise-wide view of important network events. By creating a bridge between identity management (which defines who should have access to specific resources) and security event monitoring (which tracks who is actually accessing those resources), the Novell Compliance Management Platform provides important integrated governance and risk management tools that deliver new levels of visibility and control. This bridge between identity and security is what makes Novell uniquely qualified to deliver this type of solution. In fact, Novell is recognized as a leader in Gartner’s Magic Quadrants for User Provisioning[2], Web Access Management[3] and Security Information and Event Management (SIEM)[4].†

Next, the Novell Compliance Management Platform extension for SAP environments forms crucial connections between these integrated identity management and SIEM capabilities and the risk analysis features in SAP* GRC solutions. The Novell Compliance Management Platform extension for SAP environments is the first major solution that is certified for SAP BusinessObjects GRC Access Control. With this certified integration, you can map what is occurring in the enterprise to your business objectives. This creates a proactive infrastructure that allows you to stay more secure by monitoring processes to assess risks, setting up controls to contain those risks and taking actions to remediate risks in real time before they negatively impact your business. It also helps you break down the kinds of infrastructure silos that make insider security breaches like the one at Société Générale possible.

Business Benefits

As the ultimate governance solution, the Novell Compliance Management Platform—and its extension for SAP environments—offers many compelling business benefits:

1. The Platform extension minimizes the anomalies, uncertainties and violations that can ruin a company’s reputation. Its real-time capabilities provide the information you need to instantly remediate any divergence from business policy both inside and outside SAP solutions, assuring that little or no damage can occur.

2. Rather than requiring administrators to separately manage point solutions, the Platform extension provides one central point for managing the entire identity, access and security management infrastructure. This significantly reduces costs and ensures consistency and reliability enterprise wide.

3. The Platform extension provides improved security to SAP customers by automating enterprise provisioning activities while at the same time validating users’ access to all company systems. By combining these two critical components of compliance management, your organization can address critical issues such as SoD policies, while simultaneously ensuring compliance to internal policies and external regulations.

4. The Platform extension allows you to rapidly react to changing business conditions in a secure and agile way. Whether it’s bringing on new partners or absorbing new employees from an acquisition, the systems remain secure while your business process needs are met. The reduction in time to integrate these changes can have a huge impact on your bottom line.

5. User interactions with the Platform extension will promote trust. Rather than requiring a call to the helpdesk for password support, the platform’s self-service password maintenance lets the users manage their passwords for all corporate resources via a user-friendly graphical interface that will visually indicate which systems were affected by the change. In addition, users can initiate a self-service request to be provisioned access to a key SAP or non-SAP application. That request can then be automatically approved if the user’s identity and role match the corporate policy for application access.

Three Industry Leaders. One Solution.

Novell and SAP are working together to create a new kind of continuous compliance foundation. A new partnership with Greenlight is making that foundation even more capable. Here’s what each company brings to the table:

Novell. Provides integrated identity and access, as well as security, event management and monitoring

SAP. Embeds risk analysis and compliance into the provisioning process

Greenlight. Adds a deeper level of risk analysis and compliance to specific applications

__________

2 Gartner, Inc., Magic Quadrant for User Provisioning, Perry Carpenter, Earl Perkins, September 30, 2009

3 Gartner, Inc., Magic Quadrant for Web Access Management, Ray Wagner, Earl Perkins, Gregg Kreizman, November 12, 2009

4 Gartner, Inc., Magic Quadrant for Security Information and Event Management, Mark Nicolett, Kelly M. Kavanagh, May 13, 2010

5 IDC, “Identity and Security Management and Strong Information Technology Governance: Novell’s Solution Suite Automates the Approach to the Perfect Union,” Sally Hudson, February 2008

Figure 1. Integrating the Novell Compliance Management Platform with SAP Access Controls. The Novell Compliance Management Platform extension for SAP environments works closely with SAP Access Control. In particular, the Platform extension acts as the provisioning front end and fulfillment engine, while SAP BusinessObjects Access Control conducts risk analyses to ensure compliance with company policies and regulatory requirements.

Using the Novell Compliance Management Platform Extension for SAP Environments to Achieve Compliance

To deliver these important business benefits, the Novell Compliance Management Platform extension for SAP environments leverages and integrates identity and access management and SIEM technology in important new ways, so your IT organization can automate and enforce policies originally developed on paper. Here are some of the ways the solution can help you adopt a more streamlined, automated and holistic approach that leverages your existing investments and makes forward-looking compliance a reality for your enterprise.

Streamline Communication between Compliance and Security Systems

According to IDC[5], the identity and access management market alone will exceed US$4 billion by 2011. Why? Because compliance and corporate governance initiatives will continue to drive the need for these capabilities.


Modern identity and access management products are extremely adept at validating identity, provisioning resources and enforcing access roles. Likewise, SIEM solutions do an excellent job of aggregating security data from across the enterprise. However, in most cases, these two technologies are not very good at working with each other. In many organizations, there are two silos of information: one that holds identity and access management policies and another that contains security data. As in the case of Société Générale, it is this “gap” between what should be happening and what is happening that provides an opening for criminal activity.

Consider this illustration to understand why the integration of identity and security management is so vital to achieve compliance: A financial process within an organization involves transactions within both SAP ERP and an in-house transactional database application. To prevent fraud, the company has created a SoD rule to prevent employees from executing certain transactions in both the SAP ERP system and the in-house application. Enforcing this SoD rule requires monitoring user activity not only at the application level, but also at the underlying database level. An employee who inadvertently or maliciously acquires administrative access to the in-house application database could conceivably commit fraud by diverting funds. The company can only prevent this fraud by integrating their identity management system with a SIEM system. This integration would allow them to correlate user activity across the SAP and in-house applications, and catch the inappropriate access before it becomes a problem. If the identity management and SIEM systems are not integrated, the SIEM system simply shows that the employee is accessing the in-house application, without making the connection that the same employee also has access to the financial system and is therefore in violation of the SoD rule.

Ensuring that employees cannot circumvent the established process and initiate an unauthorized transaction is critical to avoiding criminally fraudulent activities within the organization. With no common framework to tie together enterprise application security with the identity and security infrastructure, a perpetrator could commit a crime by taking advantage of his or her access to privileges or knowledge of internal processes.

Gain a Real-time, Holistic View of Your Compliance Status

By bridging the gap between identity and security, the Novell Compliance Management Platform extension for SAP environments also provides a real-time, holistic view of the enterprise and its compliance status. The Platform extension cross-validates identity, access and security information in real time, so the business always knows who is accessing what, when they are doing it and if they are authorized. In turn, if situations arise that are out of the norm, the Platform takes appropriate action in real time that can range from simple notifications to the initiation of full remediation (e.g., revoking user access). The actual “remedy” for the violation is determined by the organization.

By extending user provisioning, access control and security monitoring, the Novell Compliance Management Platform extension for SAP environments delivers business process automation that gives users the appropriate resources, validated in real time, to ensure compliance with company policies—eliminating the gaps that have left so many companies at risk. Instead of complex (and expensive) product silos, the Novell Compliance Management Platform extension for SAP environments delivers to SAP customers an enterprise-wide view and enforcement of policy, as defined by corporate governance.

At the heart of the Novell solution is its ability to operate in real time. No other identity, access or security management provider delivers a comprehensive solution that addresses both identity and access management and SIEM in real time. While most identity management products take a periodic assessment of policy changes—creating a lag time between administrator actions (like revoking a disgruntled employee’s access to a financial database) and policy enforcement—the Novell solution implements policy changes as they occur.

The Novell Compliance Management Platform extension for SAP environments enables company executives to be confident in their compliance posture.

Building on a Record of Success

The Novell Compliance Management Platform extension for SAP environments is the latest collaboration between Novell and SAP. Other partnership highlights include:

10+ years of partnership

2,500+ joint customers

A preferred Linux* platform for SAP solutions, with 75 percent market share

Seamless enterprise-class Linux support

Appliance solutions for large / mid-size customers

Certified integration with SAP BusinessObjects GRC solutions

Technology co-innovation leadership

Next, as policy and security data are gathered in real time, the Novell Compliance Management Platform extension for SAP environments correlates the information to identify legitimate threats. For instance, a user who legitimately logs in to SAP ERP using a valid username and password may simply be doing business as usual. However, if that user’s role within the company does not warrant access to the application, that login could present a serious threat. The Novell Compliance Management Platform extension for SAP environments can correlate the application log data with provisioning policies to catch this kind of security risk, which could easily go undetected by a piecemeal compliance solution. Until, that is, the auditors decide to take a closer look.
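The two correlation scenarios described above, the SoD rule that spans SAP ERP and an in-house application and the valid login by a user whose role does not warrant access, as an added illustration in Python that is not Novell’s or SAP’s code. All identities, roles, account names, the SoD rule and the log lines are constructed; the account-to-identity mapping stands in for what the identity management system would supply to the SIEM.

```python
from collections import defaultdict

# Constructed identity store (stands in for the identity management system):
# enterprise identity -> business role and the account it owns on each system.
IDENTITIES = {
    "jdoe":   {"role": "trader",    "accounts": {"sap_erp": "JDOE",   "inhouse_db": "doe_j"}},
    "bwong":  {"role": "finance",   "accounts": {"sap_erp": "BWONG",  "inhouse_db": "wong_b"}},
    "asmith": {"role": "marketing", "accounts": {"sap_erp": "ASMITH", "inhouse_db": "smith_a"}},
}

# Constructed provisioning policy: the systems each role is entitled to use.
ROLE_ENTITLEMENTS = {
    "trader":    {"sap_erp", "inhouse_db"},
    "finance":   {"sap_erp", "inhouse_db"},
    "marketing": {"sap_erp"},
}

# Constructed SoD rule: the same person may not both execute a trade in
# SAP ERP and approve its settlement in the in-house application.
SOD_RULES = [
    (("sap_erp", "execute_trade"), ("inhouse_db", "approve_settlement")),
]

# Constructed SIEM feed, one event per line: "<timestamp> <system> <action> account=<name>"
RAW_EVENTS = """\
2010-07-01T09:12:03 sap_erp login account=JDOE
2010-07-01T09:15:40 sap_erp execute_trade account=JDOE
2010-07-01T09:20:11 inhouse_db login account=doe_j
2010-07-01T09:21:02 inhouse_db approve_settlement account=doe_j
2010-07-01T10:02:55 sap_erp login account=BWONG
2010-07-01T10:30:17 inhouse_db login account=svc_report
2010-07-01T11:05:09 inhouse_db login account=smith_a
"""

def load_events(raw):
    """Parse the feed into dicts with ts, system, action and account fields."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            ts, system, action, acct = line.split()
            events.append({"ts": ts, "system": system, "action": action,
                           "account": acct.split("=", 1)[1]})
    return events

def account_index():
    """Reverse index (system, account) -> enterprise identity."""
    return {(system, acct): ident
            for ident, rec in IDENTITIES.items()
            for system, acct in rec["accounts"].items()}

def uncorrelated_view(events):
    """What a stand-alone SIEM sees: activity keyed by raw account, one per system.
    JDOE and doe_j are unrelated strings here, so the cross-system pairing is invisible."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["system"], ev["account"])].add(ev["action"])
    return dict(seen)

def correlate(events):
    """Attach the enterprise identity to each event and group actions by person.
    Accounts with no owner in the identity store are returned separately as orphans."""
    idx = account_index()
    by_identity, orphans = defaultdict(set), []
    for ev in events:
        ident = idx.get((ev["system"], ev["account"]))
        if ident is None:
            orphans.append((ev["system"], ev["account"]))
        else:
            by_identity[ident].add((ev["system"], ev["action"]))
    return dict(by_identity), orphans

def sod_violations(by_identity):
    """Identities whose combined activity across systems hits a conflicting pair."""
    return [(ident, a, b) for ident, acts in by_identity.items()
            for a, b in SOD_RULES if a in acts and b in acts]

def unwarranted_logins(events):
    """Successful logins by a person whose role does not entitle them to that system."""
    idx = account_index()
    hits = []
    for ev in events:
        ident = idx.get((ev["system"], ev["account"]))
        if ev["action"] == "login" and ident is not None:
            if ev["system"] not in ROLE_ENTITLEMENTS[IDENTITIES[ident]["role"]]:
                hits.append((ident, ev["system"], ev["account"]))
    return hits

def analyze(raw=RAW_EVENTS):
    """Run both checks over the feed and list orphan accounts for follow-up."""
    events = load_events(raw)
    by_identity, orphans = correlate(events)
    return {"sod": sod_violations(by_identity),
            "unwarranted": unwarranted_logins(events),
            "orphans": orphans}
```

Running `analyze()` flags jdoe for the cross-system SoD conflict and asmith for a valid login to a system the marketing role is not entitled to, while `uncorrelated_view` shows that neither finding is visible when events are grouped only by raw account name.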

Automate Compliance Processes

In addition to correlating identity and security, automation is also a key factor in the Novell solution’s ability to ensure continuous compliance. Organizations are placing themselves at risk when they depend on manual processes to prove compliance. Any manual process introduces the possibility of human error, not to mention the possibility of willful misconduct and increased expense.

The Novell Compliance Management Platform extension for SAP environments can help pinpoint areas of concern and notify the appropriate individuals about those concerns, taking the guesswork out of evaluating compliance. The Platform extension can even automate the process of provisioning access to corporate applications, based on a user’s self-service request, if the request is in line with the company’s policies and SAP access controls. Again, the need for manual intervention, with all of its associated risks, is eliminated.

Take Advantage of Tighter Integration

Finally, the Novell Compliance Management Platform extension for SAP environments is a completely integrated solution, built on industry-leading identity, access and SIEM technologies that work seamlessly together. Other compliance-related offerings claim to be comprehensive solutions with strong returns on investment, but in reality they are little more than a set of poorly integrated products that create additional silos in the organization.

Deploying these piecemeal “solutions” requires substantial effort to assemble, correlate, and integrate policies from different sources. In contrast, the Novell Compliance Management Platform extension for SAP environments ships out-of-the-box with integrated software as well as preconfigured identity and security policies and innovative best practices documentation. This gives companies a significant head start on developing compliance solutions that fit their unique business needs. Better still, the Novell Compliance Management Platform extension for SAP environments allows companies to begin realizing a higher return on their SAP investments.


Technical Benefits

Together, these comprehensive, integrated and automated compliance capabilities translate into concrete technical benefits for your IT organization:

Mitigate Business Risks by Addressing Potential Threats as They Occur

The Novell Compliance Management Platform extension for SAP environments includes certified connectivity to the SAP Computer Center Management System (CCMS), allowing your organization to easily incorporate SAP security events with other network and application security events across the enterprise. This provides the validation you need to ensure that established governance policies are being followed and that users have the right level of access to the right resources. Any anomalous activities, such as abnormal user access requests, are identified in real time. The solution then responds to the threat immediately. It can issue alerts to administrators, block user accounts or even shut down affected systems.

Provide Identity-enriched Continuous Controls Monitoring

By mapping security information to identity profiles, the Novell Compliance Management Platform extension for SAP environments makes it possible to be much more effective at identifying and investigating security breaches. Without this correlation, if someone attempted to access a sensitive customer database in the SAP Business Suite by overriding security protocols, database administrators would only know that someone tried to break in using some username. By correlating this activity to an actual identity, the Novell solution allows those same administrators to determine who attempted the security breach, what else he or she had been doing recently and what other accounts that user has access to across the enterprise. The Novell solution’s easy-to-read, real-time dashboard provides a clear, graphical overview of identity and security concerns throughout the organization. This enables you to make sense of mountains of security data, identify legitimate threats quickly and eliminate false positives.

Deliver Role-based Access to Resources Enterprise Wide

Enterprise Role Management provides a tremendous opportunity to automate user provisioning and simplify the management of complex security models. Unfortunately, integrating the complex array of SAP roles, composite roles, profiles, portal groups and entitlements and other enterprise application security into a single cohesive model has historically been difficult to configure and even more difficult to maintain.

The Novell solution solves this problem with the Role Mapping Administrator component of the Novell Compliance Management Platform extension for SAP environments. This unique, business-level interface makes it easy for IT security staff, provisioning system administrators and SAP business owners to work together to create enterprise provisioning roles with the appropriate entitlements in SAP. With an interface that displays information in terminology familiar to each user, the Role Mapping Administrator allows you to automate the provisioning of enterprise entitlements from a single intuitive interface.

If your company is in a high-security industry, such as health care or financial services, you can ensure that access rights for role memberships are managed properly so you will always be in compliance with internal and external regulatory standards. Because access to resources is based on roles and policies that are consistently enforced, role-based provisioning from Novell increases the security of your valuable IT resources while making it easier to prove compliance with government and industry standards.


The Novell Compliance Management Platform extension for SAP environments extends the same processes to SAP systems and other applications across the organization, thus reducing the complexity and cost of identity management and security.

Streamline Access Requests without Increasing Risk

The Novell Compliance Management Platform extension for SAP environments maximizes user efficiency because it automates the process of requesting application access without increasing risk. Because the Platform extension delivers certified integration with SAP GRC Access Control, risk analysis is built directly into the access-request process. For example, a salesperson attempts to log in to a new lead management system, but is denied because access has not yet been provisioned. The Novell solution automatically creates a workflow request, which is then sent to SAP’s Access Control where risk analysis is conducted. If the salesperson has already been granted rights to the SAP Account Management system, for example, the same set of rights can be automatically extended to the lead management system. When the workflow request is approved, the user is provisioned to the application and notified by the Novell Compliance Management Platform. This self-service model not only improves the experience and the productivity of users, but it also serves as an additional layer of automation to ensure that policy compliance is maintained at a consistent level across all systems, while reducing the associated costs.

Provide Continuous, Enterprise-wide Compliance

The Novell Compliance Management Platform extension for SAP environments guards against changes made by administrators that overtly or accidentally violate policy. For instance, a new accounting employee is assigned to work with the marketing department and is granted appropriate access to SAP ERP Financials. Then a system administrator—either intentionally or inadvertently—grants the new accountant additional access inside the financial application, giving him visibility into the finances of not just the marketing department, but the entire organization. With the Novell Compliance Management Platform extension for SAP environments in place, the inappropriate access is not only immediately revoked, but the action is also correlated with relevant security data. This helps determine who it was that granted the additional access, so the appropriate security personnel can be alerted. Certainly, given the employee’s job function, it is quite possible that the provisioning error was simply a mistake—but the Novell Compliance Management Platform extension for SAP environments gives companies the insight they need to make that determination for themselves before a more serious security breach can occur.

While these illustrations are in no way a comprehensive list of the capabilities of the Novell Compliance Management Platform extension for SAP environments, they do serve to demonstrate the scope of the Novell solution. Only by addressing such a broad range of challenges can the Platform extension actually ensure enterprise-wide compliance.

Moving Toward Continuous Compliance and Beyond

It’s easy to talk about the business and technical benefits of a complete enterprise compliance framework. Getting there is more complicated. The good news is that most organizations already have at least some of the necessary pieces in place. For example, some enterprises have already integrated their identity management systems and access control tools to create a more automated compliance framework. Others have added automated, real-time security capabilities to their identity infrastructures, allowing them to automatically test the controls that protect the organization. And most businesses already have some kind of solution in place to manage and enforce business policies. Although every organization is at a different point along this path to GRC maturity, most are in a position to leverage their existing investments as they move toward a framework that connects compliance efforts to business results. It’s simply a matter of extending those investments, adding additional pieces and then enabling all the components to interact and work together in new ways.

This white paper has focused primarily on how Novell and SAP are combining identity management, security information and event management, and access controls to achieve continuous compliance. Future efforts will focus on how similar integration with SAP’s process management and risk management solutions will make it possible to move beyond continuous compliance toward full business risk visibility.

Novell expertise in compliance-related solutions is second to none. The company is not only an established leader in identity and security management, but is also a solution provider to thousands of organizations around the globe. That deployment experience allows Novell to go beyond just installing a patchwork of products. The Novell Compliance Management Platform extension for SAP environments combines powerful technology with preconfigured policies and documented best practices to provide a comprehensive approach to policy compliance—plus the most impressive return on investment available anywhere.

Figure 2. Staying Ahead of the Compliance Maturity Curve. Novell and SAP are ready to help you move toward continuous compliance and beyond.

Why Novell?

By blending its award-winning identity, access and security technology from the Novell Compliance Management Platform with SAP access controls, Novell has delivered the ultimate governance solution.

This solution provides a real-time, holistic view of the enterprise, leverages your existing SAP GRC investments, mitigates the risks posed by internal and external threats, and ultimately ensures that your organization’s image, brand and reputation are safe.

www.novell.com

Contact your local Novell Solutions Provider, or call Novell at:

1 800 714 3400 U.S./Canada

1 801 861 1349 Worldwide

1 801 861 8473 Facsimile

Novell, Inc., 404 Wyman Street, Waltham, MA 02451 USA

462-002124-004 | 07/10 | © 2010 Novell, Inc. All rights reserved. Novell, the Novell logo and the N logo are registered trademarks of Novell, Inc. in the United States and other countries.

*All third-party trademarks are the property of their respective owners.

† The Magic Quadrant is copyrighted 2010 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the “Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


To learn more about the Novell Compliance Management Platform extension for SAP environments and how it can help organizations bolster security, boost performance and lower operating costs, go to: www.novell.com/cmpsap