SAP GRC cyber resilience

How to Protect Access Control, Risk Management, and Process Control

What does it mean for your SAP governance, risk, and compliance (SAP GRC) system to be truly cyber-resilient?

GRC is closely linked with SAP cybersecurity and manages security objects in the connected SAP systems. This makes it an ideal target for hackers. Compounding matters, SAP GRC is both a product and a brand of products. As a single product, SAP GRC 12 is implemented on a single SAP system, performing as a management system for the GRC of other SAP systems. However, SAP is evolving GRC to include new applications and is merging into the SAP cybersecurity market. For this article, we will focus on SAP GRC 12.

SAP GRC 12

There are several “modules” that comprise the SAP GRC 12 suite of capabilities:

1. Access Control manages and monitors user access to sensitive data and systems. It helps organizations ensure employees have the correct level of access based on their roles, minimizing the risk of fraud, errors, and regulatory non-compliance. The module automates the management of user permissions and access rights within SAP systems, helping organizations adhere to data protection laws, internal security policies, and audit requirements.

  • Access risk analysis (ARA) is the core feature that identifies potential risks in user permissions by evaluating whether employees have access to incompatible transactions or conflicting permissions which could lead to fraud or data breaches. The ARA tool allows continuous risk analysis to prevent or remediate potential access issues.
  • Emergency access management (EAM), or “firefighter” access, allows authorized users to temporarily gain elevated permissions to resolve critical system issues. The feature includes audit trails and logs to monitor activities performed under this special access, ensuring accountability and compliance.
  • Business role management (BRM) centralizes the design, testing, and maintenance of user roles, simplifying the assignment of access rights according to job functions. It helps standardize role assignments across the organization and reduces the administrative burden associated with manual role provisioning.
  • Access request management (ARM) streamlines the process of requesting and approving access changes. It automates workflows for creating, modifying, or deleting user access, ensuring access requests go through appropriate approval channels. This module includes self-service capabilities, allowing users to request access directly, which is then routed for automated or manager approvals.
  • User access review (UAR) facilitates periodic reviews of user access rights to ensure compliance with internal controls and regulatory requirements. By conducting regular access reviews, organizations can validate users have the correct access based on their current roles and responsibilities, maintaining a secure access environment.

2. SAP Process Control is designed to help organizations manage and automate internal controls, risk assessments, and compliance processes. Its core functionality ensures business operations align with regulatory and organizational standards, making it easier to detect, correct, and prevent process control deficiencies across complex business environments.

3. SAP Risk Management helps businesses identify, assess, and mitigate various operational, financial, and compliance risks. It provides real-time risk monitoring, analysis, and reporting tools across various business units. It supports a unified view of risk management alongside GRC modules, including process control, access control, and audit management. This integration allows businesses to align risk mitigation strategies with broader compliance and business objectives.

Firefighter Access

The S/4HANA system and GRC interact so one system trusts the other to “come to its rescue” by dispatching a firefighter or multiple firefighters. These individuals are given temporary access to perform a specific emergency function or business process. They perform these functions while granted “elevated permissions” via specially designated “firefighter” user IDs.

Companies, however, can become complacent and begin to run “normal” business processes through a firefighter arrangement because they have not taken the time to properly configure the role/authorization/user architecture that should be in place to support those processes.

An adequately designed EAM/firefighter process is critical to enabling proper governance and implementing and enforcing guardrails around the need for elevated access. A well-governed process for elevated access includes a presumption of limited use. Elevated access should only be granted under specific criteria and in limited circumstances. The elevated access roles/IDs should be designed with least privilege access in mind and purpose-built for the intended use.

Beware of assigning roles with widespread access to a firefighter ID. This adds risk: users may gain access to extremely powerful transactions, or to functions they do not understand, and may execute more transactions than intended. That produces much larger logs and more work for the reviewers who monitor activity during a firefighter session. In other words, a support user for a procurement process should not need access to maintain security roles.
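The governance points above (purpose-built scope, limited use, and logs that reviewers can actually act on) can be turned into a review script. The following is an added example, not SAP code or anything from the article: it assumes a constructed per-ID scope table and constructed session log entries, and uses the real SAP transaction codes PFCG, SU01, ME21N, ME23N and ME29N purely as illustrative values.

```python
# Review of emergency-access (firefighter) session logs: flags out-of-scope
# transactions, sessions longer than approved, and routine (daily) use of a
# firefighter ID, which suggests normal business is being run through EAM.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed scope per firefighter ID (constructed for this example). The ID is
# purpose-built for procurement support, so role maintenance is out of scope.
FF_SCOPE = {
    "FF_PROC_01": {"purpose": "procurement support",
                   "allowed": {"ME21N", "ME23N", "ME29N"},
                   "max_minutes": 120},
}

# Constructed session log: (firefighter_id, user, start, end, reason, tcodes)
SESSION_LOG = [
    ("FF_PROC_01", "jdoe", "2024-05-06 09:02", "2024-05-06 09:40",
     "stuck PO approval", ["ME29N", "ME23N"]),
    ("FF_PROC_01", "jdoe", "2024-05-07 09:05", "2024-05-07 12:30",
     "PO cleanup", ["ME21N", "PFCG", "SU01"]),
    ("FF_PROC_01", "jdoe", "2024-05-08 09:01", "2024-05-08 09:30",
     "PO cleanup", ["ME21N"]),
    ("FF_PROC_01", "jdoe", "2024-05-09 09:00", "2024-05-09 09:25",
     "PO cleanup", ["ME21N"]),
]

def review_sessions(log, scope, routine_days=3):
    """Return a list of (firefighter_id, user, finding) tuples for reviewers."""
    findings = []
    days_used = defaultdict(set)
    for ff_id, user, start, end, reason, tcodes in log:
        cfg = scope[ff_id]
        t0 = datetime.strptime(start, "%Y-%m-%d %H:%M")
        t1 = datetime.strptime(end, "%Y-%m-%d %H:%M")
        # 1. Least privilege: transactions outside the ID's intended purpose
        out = sorted(set(tcodes) - cfg["allowed"])
        if out:
            findings.append((ff_id, user, f"out-of-scope tcodes {out}"))
        # 2. Limited use: session ran longer than the approved window
        if t1 - t0 > timedelta(minutes=cfg["max_minutes"]):
            findings.append((ff_id, user, "session exceeds max duration"))
        days_used[(ff_id, user)].add(t0.date())
    # 3. Routine use: same user on several distinct days is not an emergency
    for (ff_id, user), days in days_used.items():
        if len(days) >= routine_days:
            findings.append((ff_id, user, f"used on {len(days)} days: routine use"))
    return findings
```

Feeding the real EAM session log export into `review_sessions` in place of the constructed list gives reviewers a short list of exceptions instead of the full transaction trail.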

Why Protect Your GRC?

Even though GRC is a tool to help keep your SAP systems safe, it also runs on its own SAP system. GRC’s vulnerability exposure comes simply from running on an SAP NetWeaver server. So, just like any other NetWeaver system, it has vulnerabilities to address, configurations to check, and SAP security notes to apply. Failure to address these standard system-hardening tasks will leave the SAP GRC server vulnerable.

If the GRC server can be compromised, the following are in jeopardy:

  1. The SAP systems connected to the GRC system by interfaces.
  2. The SAP security technical objects (users and roles) managed and administered by GRC.
  3. The key governance processes that internal controls rely upon to satisfy audit requirements.

What are the Top Cyber Risks for GRC?

The top risk is lateral movement into other systems via interfaces. GRC contains an “inventory” of SAP roles and profiles, which makes it desirable to hackers. You can protect GRC by checking the core: SAP NetWeaver AS ABAP. Use an SAP security solution to scan and monitor split-stack environments, perform security and compliance checks, and monitor for exploit activity on the SAP NetWeaver AS ABAP system. Also, attend routinely to patch management so the system stays up to date on SAP security notes.

Concluding Thoughts

Organizations need to remember that SAP GRC is a privileged control point, embedded deep in the SAP landscape to interface with role management, which makes it a high-value target for any hacker. SAP GRC must be treated as an enterprise security system in the same manner as other core infrastructure components. Security teams need to harden the SAP NetWeaver AS ABAP stack through continuous patching and ensure firefighter IDs are granular, purpose-built, and monitored with full audit traceability. In addition, cybersecurity teams need to incorporate GRC into the enterprise SIEM and threat management frameworks, correlating access events with security incidents across the entire SAP ecosystem.

By following these procedures when embedding SAP GRC into the SAP security architecture, organizations can better protect governance controls while reinforcing broader security postures to insulate this vital business system from bad actors.

ABOUT THE AUTHOR

Barry Snow

Barry Snow is the technical account manager at SecurityBridge, where he leverages over a decade of experience in SAP cybersecurity and technical account management. Before joining SecurityBridge, Snow served as a technical account manager at Onapsis, providing strategic guidance and customer advocacy in SAP cybersecurity, including managing customer renewals, expansions, and license oversight. He has a rich background in implementing and optimizing cybersecurity solutions, having worked as a professional services implementation engineer, where he advised on threat remediation, incident monitoring, and SIEM integration. Snow also consulted for IBM and RHEA Group, overseeing rollout of the Onapsis platform. His expertise spans SAP vulnerability management, patch management, and cybersecurity best practices, making him a trusted advisor for organizations looking to enhance their SAP security posture.

Jonathon Pasquale of Snowflake also contributed to this article.
