Building a GRC System for SAP
Alexey Yudin
The Head of DBs and Business Applications Security Department
Positive Technologies
PHDays III
Plan
― Another three-letter acronym: GRC
― GRC market
― Access Control
― Fraud Management
― SAP authorization concept
― How to build access control mechanism in SAP
― How to build SOD check mechanism in SAP
― Fraud schemes in SAP MM
― Conclusions: to buy, to build or …?
GRC intro
GRC
Governance: top management sets the company's goals and wants to control them.
Risk Management: the company identifies risks to the business and wants to avoid them.
Compliance: internal and external controls, regulations and laws that the company must obey.
An integrated approach used by corporations to act in accordance with the guidelines set for each category. Governance, risk management and compliance (GRC) is not a single activity, but rather a firm-wide approach to achieving high standards in all three overlapping categories.
What does business really want?
Governance: to make money
Risk management: to save money
Compliance: to save money
Russian companies are interested in
― Detecting unauthorized access to critical business actions
― Detecting segregation of duties violations
― Detecting fraudulent actions
― IdM integration and automated access control
GRC market leaders
― ERP vendors solutions
• SAP
• Oracle
― GRC vendors solutions
• EMC-RSA
• Protivity
• MetricStream
• SAS
• Software AG
• …..
SAP GRC components
― Risk Management
― Access Control (the most demanded part of SAP GRC)
― Process Control
― Fraud Management
Possible approaches
1. Deploying one of the existing solutions (SAP GRC for SAP ERP)
• High price
• Long implementation time
• High IT operations cost
• Too complicated
• Needs much customization
2. Building your own solution
• Needs development from scratch
GRC implementation process
― Analyze critical business processes
― Assess business actions
― Develop SoD matrix with possible violations
― Create and redesign roles (remove unnecessary roles)
― Map business actions to roles
― Check current usage of roles
― Find users with SoD violations
― Minimize number of SoD violations
― Control role modifications
― Develop and automate user access process
SAP terminology
― An SAP transaction is the execution of a program. The normal way of executing ABAP code in the SAP system is by entering a transaction code (for instance, PA30 is the transaction code for "Maintain HR Master Data").
― Authorization objects are composed of a group of fields that are combined with AND: a check succeeds only if the value of every field is permitted. For example, authorization object S_TCODE has one field, TCD (transaction code).
― An authorization is an instance of an authorization object, that is, a combination of permissible values for each authorization field of the object. For example, authorization S_TCODE: TCD=SE16.
Business Processes in SAP
[Diagram: a business process consists of business actions; each business action (Business Action 1, Business Action 2) is enabled by an authorization (Authorization 1, Authorization 2).]
SOD in SAP
[Diagram: Business Action 1 and Business Action 2 are each enabled by their own authorizations (Authorization 1 to Authorization 4); a user who holds the authorizations for both actions has a SOD conflict.]
Where to find a SoD matrix
― ISACA - Security, Audit and Control Features SAP ERP, 3rd Edition
― Australian National Audit Office - SAP ECC 6.0 Security and Control
― http://scn.sap.com
― Google :)
SAP MM (Materials Management)
― purchasing,
― goods receiving,
― material storage,
― consumption-based planning,
― inventory.
Procurement cycle overview
Purchasing activities
Critical actions in purchasing
― MM01 – Create Material
― MK01 – Create Vendor
― ME01 – Maintain Source List
― MD11 – Create Planned Order
― ME51N – Create Purchase Requisition
― ME41 – Create RFQ
― ME21N – Create PO
― MIRO – Enter Invoice
How to build a control mechanism
Module | Action                | Transaction | Role 1 / Profile 1 / User 1 | Role N / Profile N / User 1
MM     | Create Purchase Order | ME21, ME21N | Z_Role_1                    | Z_Role_N
― Create an Excel (XL) table with critical actions
― Run the check on a regular basis
• Report RSUSR070
• Transaction SUIM
― Compare results in Excel
XL example
SOD in purchasing
Create a SOD matrix based on particular business processes
                             | Purchasing Document Creator | Purchasing Document Approver
Purchasing Document Creator  |                             | X
Purchasing Document Approver | X                           |
How to build a SOD check mechanism
― Create an Excel table based on the SOD matrix
SOD Name                                            | Action 1              | Transaction (Action 1)        | Action 2                    | Transaction (Action 2) | Role/Profile/User
CREATE PURCHASE ORDER & CREATE VENDOR MASTER RECORD | Create Purchase Order | ME21, ME21N, ME25, ME27, ME31 | Create Vendor Master Record | FK01, MK01, XK01       |
How to build a SOD check mechanism
― Run the roles check on a regular basis
• Report RSUSR070
• Transaction SUIM
― Compare results in Excel
How to build a SOD check mechanism
― Run the users check on a regular basis (a user's combined roles can violate SoD even when each single role is clean)
• Report RSUSR002
• Transaction SUIM
― Compare results in Excel
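The three slides above (the S_TCODE authorization model, the critical-action table checked with RSUSR070/SUIM, and the SoD table checked at role level with RSUSR070 and at user level with RSUSR002) describe a comparison that the talk does in Excel. The script below is an added example, not code from the talk or from Positive Technologies, that performs the same comparison on exported data. It assumes the exports were flattened to role -> list of (object, field, value) and user -> list of roles, that only S_TCODE/TCD is evaluated, and that field values follow SAP's conventions of a trailing '*' wildcard and a 'FROM-TO' range; the roles, users and the second SoD pair are hypothetical. A literal search for "ME21N" misses a role that carries TCD=ME*, which is why the check expands values rather than comparing strings. S_TCODE is only the start authorization; a complete check also evaluates the transaction's own authorization objects (the defaults maintained in SU24).

```python
"""Added example, not from the talk: critical-action and SoD checks over
user/role/authorization data of the kind SUIM, RSUSR070 (roles) and
RSUSR002 (users) return, replacing the "compare results in Excel" step.

Assumptions (mine, not the slides'): exports were flattened to
role -> [(object, field, value)] and user -> [roles]; only S_TCODE/TCD is
evaluated; values use SAP's trailing-'*' wildcard and 'FROM-TO' ranges.
"""


def value_matches(auth_value: str, tcode: str) -> bool:
    """Simplified SAP authorization field semantics: '*' matches anything,
    a trailing '*' is a prefix wildcard, 'A-B' is an inclusive range,
    anything else is an exact match. (Assumption: hyphens never occur in
    transaction codes, so '-' always denotes a range.)"""
    if auth_value == "*":
        return True
    if auth_value.endswith("*"):
        return tcode.startswith(auth_value[:-1])
    if "-" in auth_value:
        low, high = auth_value.split("-", 1)
        return low <= tcode <= high
    return auth_value == tcode


def role_grants(role_auths, tcode):
    """True if any S_TCODE authorization in the role covers the transaction."""
    return any(obj == "S_TCODE" and field == "TCD" and value_matches(val, tcode)
               for obj, field, val in role_auths)


def role_actions(role_auths, actions):
    """Business actions a role enables: an action counts as granted when any
    one of its transactions is startable."""
    return {name for name, tcodes in actions.items()
            if any(role_grants(role_auths, t) for t in tcodes)}


def user_actions(user, users, roles, actions):
    """Union of the actions of every role assigned to the user."""
    granted = set()
    for role in users[user]:
        granted |= role_actions(roles[role], actions)
    return granted


def critical_action_report(users, roles, actions, critical):
    """Who can perform each critical action (the 'control mechanism' table)."""
    return {a: sorted(u for u in users if a in user_actions(u, users, roles, actions))
            for a in critical}


def role_sod_violations(roles, actions, sod_matrix):
    """SoD conflicts contained in a single role (what the RSUSR070 check finds)."""
    return [(r, name) for r, auths in roles.items()
            for name, (a1, a2) in sod_matrix.items()
            if {a1, a2} <= role_actions(auths, actions)]


def user_sod_violations(users, roles, actions, sod_matrix):
    """SoD conflicts arising from the combination of a user's roles (what the
    RSUSR002 check finds). Clean roles can still combine into a violation."""
    return [(u, name) for u in users
            for name, (a1, a2) in sod_matrix.items()
            if {a1, a2} <= user_actions(u, users, roles, actions)]


# --- constructed sample data (hypothetical roles and users) -----------------
ACTIONS = {  # business action -> transactions that realise it (from the slides)
    "CREATE_PO": ["ME21", "ME21N", "ME25", "ME27", "ME31"],
    "CREATE_VENDOR": ["FK01", "MK01", "XK01"],
    "ENTER_INVOICE": ["MIRO"],
}
SOD_MATRIX = {  # first pair is from the slides, second is my addition
    "CREATE PURCHASE ORDER & CREATE VENDOR MASTER RECORD": ("CREATE_PO", "CREATE_VENDOR"),
    "CREATE PURCHASE ORDER & ENTER INVOICE": ("CREATE_PO", "ENTER_INVOICE"),
}
ROLES = {
    "Z_MM_BUYER": [("S_TCODE", "TCD", "ME21N"), ("S_TCODE", "TCD", "ME51N")],
    "Z_MM_VENDOR": [("S_TCODE", "TCD", "XK01")],
    "Z_MM_ALL": [("S_TCODE", "TCD", "ME*")],  # wildcard: a literal search for ME21N misses it
    "Z_FI_AP": [("S_TCODE", "TCD", "MIRO")],
}
USERS = {
    "BUYER1": ["Z_MM_BUYER"],
    "VENDOR1": ["Z_MM_VENDOR"],
    "SUPER1": ["Z_MM_ALL", "Z_MM_VENDOR"],
    "BUYER2": ["Z_MM_BUYER", "Z_FI_AP"],
}

if __name__ == "__main__":
    print(critical_action_report(USERS, ROLES, ACTIONS, ["CREATE_PO"]))
    print("role-level:", role_sod_violations(ROLES, ACTIONS, SOD_MATRIX))
    print("user-level:", user_sod_violations(USERS, ROLES, ACTIONS, SOD_MATRIX))
```

On the sample data no single role violates the matrix, yet two users do: SUPER1 through the ME* wildcard plus XK01, and BUYER2 through two individually harmless roles. That is the reason the slides run both a roles check and a users check.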
Max Patrol
Now
― Helps to analyze roles and authorization profiles
― Monitors users with critical administrative privileges
― Regular control of roles assigned to users
― Regular control of role modifications (creation, update and removal)
Max Patrol
Near future
― Define customer-specific business actions
― Map roles to business actions
― Automatically find roles that match business action rules
― Automated detection and control of users and roles that violate the SoD matrix
― Check usage of roles and transactions
MaxPatrol – Role Control
MaxPatrol – Authorization profile control
MaxPatrol – Control of administrative privileges
Fraudulent activity in purchasing
― Purchasing without purchase requisition
― Abuse of one-time vendor accounts
How to build a fraud check mechanism
― Build a possible fraud scheme
― Divide the scheme into separate actions
― Describe each action in SAP terms (transactions, authorizations)
― Go to the logs and get all users who performed the actions
― Analyze the users who performed a sequence of actions that fits the fraud scheme
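The five steps above as code, added here as an example and not taken from the talk. It assumes the log is a flat export of transaction starts (timestamp, user, transaction code), such as the Security Audit Log (SM20) can provide; the log lines are constructed, and the scheme itself ("fictitious vendor": one user creates a vendor master record, orders from it and enters the invoice) is an illustration built from the transactions in the slides' SoD table, not a scheme the slides name.

```python
"""Added example, not from the talk: the slide's fraud-check method
(build a scheme, split it into actions, map actions to SAP terms, pull the
users who performed them from logs, look for the sequence) as code.

Assumptions (mine): the log is a flat export of transaction starts
(time, user, transaction code), e.g. from the Security Audit Log (SM20);
the scheme below ("fictitious vendor": one user creates a vendor, orders
from it and enters the invoice) is illustrative, not from the slides.
"""
from datetime import datetime, timedelta

# Constructed sample log, not real SAP data.
LOG = """\
2013-05-20T09:01:00 BUYER1 ME51N
2013-05-20T09:15:00 BUYER1 ME21N
2013-05-21T10:00:00 SUPER1 XK01
2013-05-21T10:20:00 SUPER1 ME21N
2013-05-22T08:05:00 SUPER1 MIRO
2013-05-22T11:00:00 AP1 MIRO
2013-05-23T12:00:00 BUYER2 ME21N
2013-05-23T12:30:00 BUYER2 XK01
2013-05-23T13:00:00 BUYER2 MIRO
"""

# Fraud scheme as an ordered list of steps; each step names the transactions
# that realise it (transaction lists from the slides' SoD table plus MIRO).
FRAUD_SCHEME = [
    ("create vendor master record", {"FK01", "MK01", "XK01"}),
    ("create purchase order", {"ME21", "ME21N", "ME25", "ME27", "ME31"}),
    ("enter invoice", {"MIRO"}),
]


def parse_log(text):
    """Parse 'timestamp user tcode' lines into (datetime, user, tcode), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, tcode = line.split()
        events.append((datetime.fromisoformat(ts), user, tcode))
    return sorted(events)


def match_scheme(events, scheme, window):
    """Find the scheme's steps, in order, within `window` of the first step,
    in one user's chronologically sorted events. Returns the matched
    (timestamp, tcode) pairs, or None. Order matters: doing the same three
    things in another order is an SoD exposure, not an execution of this scheme."""
    for start, (ts0, _, tc0) in enumerate(events):
        if tc0 not in scheme[0][1]:
            continue
        matched, step = [(ts0, tc0)], 1
        for ts, _, tc in events[start + 1:]:
            if ts - ts0 > window:
                break
            if tc in scheme[step][1]:
                matched.append((ts, tc))
                step += 1
                if step == len(scheme):
                    return matched
    return None


def find_suspects(log_text, scheme, window=timedelta(days=7)):
    """Users whose own actions form the scheme: user -> matched events."""
    by_user = {}
    for event in parse_log(log_text):
        by_user.setdefault(event[1], []).append(event)
    suspects = {}
    for user, events in by_user.items():
        matched = match_scheme(events, scheme, window)
        if matched:
            suspects[user] = matched
    return suspects


if __name__ == "__main__":
    for user, steps in find_suspects(LOG, FRAUD_SCHEME).items():
        print(user, [(ts.isoformat(), tc) for ts, tc in steps])
```

In the sample, BUYER2 ran all three transactions but not in the scheme's order (the vendor was created after the order), so the fraud check does not report BUYER2 even though an access check would flag that user for holding both sides of the SoD pair; SUPER1 is reported because the sequence was executed within the window.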
One-time vendor (OTV) payments
― SAP provides one-time vendor functionality to reduce
administration over the vendor master file by paying
infrequent vendors through a one-time vendor account.
― The use of the one-time vendor function overcomes typical
vendor master file authorization and review controls and
may be used to process unauthorized payments.
How to control OTV payments?
― Periodically review one-time vendor payments.
• The vendor line item report RFKEPL00, transaction code S_ALR_87012103, is the best report to view one-time vendor payments.
• Payments can also be viewed through the Purchasing Overview by Vendor report.
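"Periodically review one-time vendor payments" becomes repeatable if the line items are exported and run through fixed checks. The script below is an added example, not from the talk: it assumes the vendor line items were exported from RFKEPL00 / S_ALR_87012103 and reduced to the fields shown, that payee name and bank details come from the document itself (a one-time account stores them per document rather than in the vendor master, which is what lets it bypass master-data controls), and that the thresholds are illustrative. The sample items are constructed. Payees are keyed on the bank account, not the name, because the name is free text on every one-time document while the bank account is where the money goes.

```python
"""Added example, not from the talk: turning "periodically review one-time
vendor payments" into repeatable checks on the vendor line items that
RFKEPL00 / S_ALR_87012103 lists.

Assumptions (mine): items were exported and reduced to the fields below;
payee name and bank details come from the document (one-time accounts carry
them per document, not in the vendor master); thresholds are illustrative.
"""
from collections import defaultdict

# Constructed sample line items on one-time vendor accounts, not real data:
# (document, posting date, OTV account, payee name, payee bank account, amount, posted by)
OTV_ITEMS = [
    ("5100000011", "2013-04-02", "OTV01", "ACME CLEANING",     "DE11-1111",  480.00, "AP1"),
    ("5100000012", "2013-04-09", "OTV01", "ACME CLEANING",     "DE11-1111",  480.00, "AP1"),
    ("5100000013", "2013-04-16", "OTV01", "Acme Cleaning Ltd", "DE11-1111",  480.00, "AP1"),
    ("5100000014", "2013-04-20", "OTV01", "J. SMITH",          "DE22-2222", 9500.00, "SUPER1"),
    ("5100000015", "2013-04-21", "OTV01", "JOHN SMITH",        "DE22-2222", 9500.00, "SUPER1"),
    ("5100000016", "2013-04-25", "OTV01", "CITY CATERING",     "DE33-3333",  120.00, "AP1"),
]


def normalise_bank(account):
    """Key payees by bank account, not by name: names are free text on a
    one-time document, the bank account is where the money goes."""
    return account.replace("-", "").replace(" ", "").upper()


def review_otv_payments(items, min_count=3, amount_threshold=5000.0):
    """Flag bank accounts that look like regular vendors hiding behind a
    one-time account (repeated payments), that received large sums, or
    whose payee name varies between documents. Returns a list of findings
    sorted by bank account."""
    by_bank = defaultdict(list)
    for item in items:
        by_bank[normalise_bank(item[4])].append(item)
    findings = []
    for bank, its in sorted(by_bank.items()):
        names = sorted({it[3].upper() for it in its})
        total = sum(it[5] for it in its)
        reasons = []
        if len(its) >= min_count:
            reasons.append(f"{len(its)} one-time payments to the same bank account")
        if total >= amount_threshold:
            reasons.append(f"total {total:.2f} exceeds {amount_threshold:.2f}")
        if len(names) > 1:
            reasons.append("payee name varies: " + "; ".join(names))
        if reasons:
            findings.append({
                "bank_account": bank,
                "documents": [it[0] for it in its],
                "posted_by": sorted({it[6] for it in its}),
                "total": round(total, 2),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_otv_payments(OTV_ITEMS):
        print(f["bank_account"], f["total"], f["posted_by"], f["reasons"])
```

A payee that recurs on a one-time account should be a regular vendor with a reviewed master record; the "posted by" column links each finding back to the user checks on the earlier slides.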
Best Practices
― Focus on prevention
― Automate as many controls as possible
― Automate the flow of manual controls
― Identify business actions that produce risks when executed
by one person
― Perform risk analysis before committing and approving
changes to access controls
― SoD risk identification and remediation should be
performed automatically across multiple ERP environments
and instances
― Automate user provisioning and changes
― Control real transaction and role usage
Conclusions
― GRC is an information security trend
― The most demanded GRC-features:
• Critical actions control
• SOD violation control
• Fraud control
― It’s possible to build a GRC system that satisfies top
management without large-scale deployments.
Thank you for your attention!
Q&A

More Related Content

Similar to Alexey Yudin

SAP SRM Interview questions
SAP SRM Interview questionsSAP SRM Interview questions
SAP SRM Interview questionsIT LearnMore
 
Oracle eBS Overview.pptx
Oracle eBS Overview.pptxOracle eBS Overview.pptx
Oracle eBS Overview.pptxssuser9dce1e1
 
Compliance Automation with Microsoft Technology
Compliance Automation with Microsoft Technology Compliance Automation with Microsoft Technology
Compliance Automation with Microsoft Technology SoHo Dragon
 
Rex Introduction - Accounting was never so EASY.
Rex Introduction - Accounting was never so EASY.Rex Introduction - Accounting was never so EASY.
Rex Introduction - Accounting was never so EASY.Rex-Solutions
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC FrameworkHarish Sharma
 
eDelta Trading Platform Marketing-2015
eDelta Trading Platform Marketing-2015eDelta Trading Platform Marketing-2015
eDelta Trading Platform Marketing-2015Frank Castelluccio
 
Overview of Dynaflow Solution
Overview of Dynaflow Solution Overview of Dynaflow Solution
Overview of Dynaflow Solution bpmgeek09
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionERPScan
 
SAP ERP - OVERVIEW - NEWYORKSYS ONLINE TRAINING
SAP ERP - OVERVIEW -  NEWYORKSYS ONLINE TRAININGSAP ERP - OVERVIEW -  NEWYORKSYS ONLINE TRAINING
SAP ERP - OVERVIEW - NEWYORKSYS ONLINE TRAININGNEWYORKSYS-IT SOLUTIONS
 
Sap demo with focus on FICO
Sap demo with focus on FICOSap demo with focus on FICO
Sap demo with focus on FICORitesh Solanki
 
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...akquinet enterprise solutions GmbH
 
PPG Industries Simplifies with DRM
PPG Industries Simplifies with DRMPPG Industries Simplifies with DRM
PPG Industries Simplifies with DRMAlithya
 
CITY MART MANAGEMENT SYSTEM
CITY MART MANAGEMENT SYSTEMCITY MART MANAGEMENT SYSTEM
CITY MART MANAGEMENT SYSTEMsana rana
 

Similar to Alexey Yudin (20)

I tlecture2
I tlecture2I tlecture2
I tlecture2
 
SAP SRM Interview questions
SAP SRM Interview questionsSAP SRM Interview questions
SAP SRM Interview questions
 
Dora ppt1
Dora ppt1Dora ppt1
Dora ppt1
 
Oracle eBS Overview.pptx
Oracle eBS Overview.pptxOracle eBS Overview.pptx
Oracle eBS Overview.pptx
 
Compliance Automation with Microsoft Technology
Compliance Automation with Microsoft Technology Compliance Automation with Microsoft Technology
Compliance Automation with Microsoft Technology
 
Rex Introduction - Accounting was never so EASY.
Rex Introduction - Accounting was never so EASY.Rex Introduction - Accounting was never so EASY.
Rex Introduction - Accounting was never so EASY.
 
SAP Security & GRC Framework
SAP Security & GRC FrameworkSAP Security & GRC Framework
SAP Security & GRC Framework
 
eDelta Trading Platform Marketing-2015
eDelta Trading Platform Marketing-2015eDelta Trading Platform Marketing-2015
eDelta Trading Platform Marketing-2015
 
Overview of Dynaflow Solution
Overview of Dynaflow Solution Overview of Dynaflow Solution
Overview of Dynaflow Solution
 
Government and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP SystemsGovernment and SOX Compliance for ERP Systems
Government and SOX Compliance for ERP Systems
 
Just in Time (JiT) Business Rules Mining
Just in Time (JiT) Business Rules MiningJust in Time (JiT) Business Rules Mining
Just in Time (JiT) Business Rules Mining
 
If I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second editionIf I want a perfect cyberweapon, I'll target ERP - second edition
If I want a perfect cyberweapon, I'll target ERP - second edition
 
dheeraj
dheerajdheeraj
dheeraj
 
Auxis Webinar: Diving into RPA
Auxis Webinar: Diving into RPAAuxis Webinar: Diving into RPA
Auxis Webinar: Diving into RPA
 
SAP ERP - OVERVIEW - NEWYORKSYS ONLINE TRAINING
SAP ERP - OVERVIEW -  NEWYORKSYS ONLINE TRAININGSAP ERP - OVERVIEW -  NEWYORKSYS ONLINE TRAINING
SAP ERP - OVERVIEW - NEWYORKSYS ONLINE TRAINING
 
RPA in Finance v2
RPA in Finance v2RPA in Finance v2
RPA in Finance v2
 
Sap demo with focus on FICO
Sap demo with focus on FICOSap demo with focus on FICO
Sap demo with focus on FICO
 
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
SAP Authoziations: RENK AG tests out SAST's new self-adjusting SAP roles. [We...
 
PPG Industries Simplifies with DRM
PPG Industries Simplifies with DRMPPG Industries Simplifies with DRM
PPG Industries Simplifies with DRM
 
CITY MART MANAGEMENT SYSTEM
CITY MART MANAGEMENT SYSTEMCITY MART MANAGEMENT SYSTEM
CITY MART MANAGEMENT SYSTEM
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Recently uploaded (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Alexey Yudin

  • 1. Building a GRC System for SAP Alexey Yudin The Head of DBs and Business Applications Security Department Positive Technologies PHDays III
  • 2. Plan ― Another three-letter acronym: GRC ― GRC market ― Access Control ― Fraud Management ― SAP authorization concept ― How to build access control mechanism in SAP ― How to build SOD check mechanism in SAP ― Fraud schemes in SAP MM ― Conclusions: to buy, to build or …?
  • 4. GRC Governance Top management sets the company’s goals and wants to control them Risk Management A company identifies risks for business and wants to avoid them Compliance Inner and outer controls, regulations, laws, that a company must obey An integrated approach used by corporations to act in accordance with the guidelines set for each category. Governance, risk management and compliance (GRC) is not a single activity, but rather a firm-wide approach to achieving high standards in all three overlapping categories.
  • 5. What does business really want? Governance To make money Risk management To save money Compliance To save money
  • 6. ― Detecting an unauthorized access to critical business actions ― Detecting segregation of duties violations ― Detecting fraudulent actions ― IdM integration and automated access control Russian companies are interested in
  • 8. GRC market leaders ― ERP vendors solutions • SAP • Oracle ― GRC vendors solutions • EMC-RSA • Protivity • MetricStream • SAS • Software AG • …..
  • 9. SAP GRC components Risk Management Access Control Process Control FraudManagementThe most demanded part of SAP GRC Access Control
  • 10. Possible approaches 1. Deployment one of the existing solutions (SAP GRC for SAP ERP) • High price • Long term implementation • High IT operations cost • Too complicated • Need much customization 2. Building own solution • Need development from scratch
  • 11. GRC implementation process ― Analyze critical business process ― Assess business actions ― Develop SoD matrix with possible violations ― Create and redesign roles (remove unnecessary roles) ― Map business actions to roles ― Check current usage of roles ― Find users with SoD violations ― Minimize number of SoD violations ― Control role modifications ― Develop and automate user access process
• 12. SAP terminology
  ― SAP Transaction is the execution of a program. The normal way of executing ABAP code in the SAP system is by entering a transaction code (for instance, PA30 is the transaction code for "Maintain HR Master Data").
  ― Authorization objects are composed of groups of fields that are combined with a logical AND. These fields' values are used in the authorization check. For example, authorization object S_TCODE has one field, TCD (transaction code).
  ― Authorization is an instance of an authorization object, that is, a combination of permissible values in each authorization field of an authorization object. For example, authorization S_TCODE: TCD=SE16.
• 13. Business Processes in SAP (diagram): a Business Process is broken down into Business Action 1 and Business Action 2, and each business action is backed by authorizations (Authorization 1, Authorization 2).
• 14. SOD in SAP (diagram): Business Action 1 and Business Action 2 are each backed by their own authorizations (Authorization 1 to Authorization 4); the conflict between the two business actions is the SOD.
• 15. Where to find SoD matrix
  ― ISACA - Security, Audit and Control Features SAP ERP, 3rd Edition
  ― Australian National Office - SAP ECC 6.0 Security and Control
  ― http://scn.sap.com
  ― Google :)
• 16. SAP MM
  ― purchasing,
  ― goods receiving,
  ― material storage,
  ― consumption-based planning,
  ― inventory.
• 19. Critical actions in purchasing
  ― MM01 – Create Material
  ― MK01 – Create Vendor
  ― ME01 – Maintain Source List
  ― MD11 – Create Planned Order
  ― ME51N – Create Purchase Requisition
  ― ME41 – Create RFQ
  ― ME21N – Create PO
  ― MIRO – Enter Invoice
• 20. How to build a control mechanism
  Module   Action                  Transaction    Role 1/Profile 1/User 1   Role N/Profile N/User 1
  MM       Create Purchase Order   ME21, ME21N    Z_Role_1                  Z_Role_N
  ― Create an XL table with critical actions
  ― Run the check on a regular basis
    • Report RSUSR070
    • Transaction SUIM
  ― Compare results in XL
• 22. SOD in purchasing
  Create an SOD matrix based on particular business processes:
                                 Purchasing Document Creator   Purchasing Document Approver
  Purchasing Document Creator                                  X
  Purchasing Document Approver   X
• 23. How to build a SOD check mechanism
  ― Create an XL table based on the SOD matrix:
  SOD Name                                            Action 1                Transaction (Action 1)         Action 2                      Transaction (Action 2)   Role/Profile/User
  CREATE PURCHASE ORDER & CREATE VENDOR MASTER RECORD  Create Purchase Order   ME21, ME21N, ME25, ME27, ME31  Create Vendor Master Record   FK01, MK01, XK01
• 24. How to build a SOD check mechanism
  ― Run the roles check on a regular basis
    • Report RSUSR070
    • Transaction SUIM
  ― Compare results in XL
• 25. How to build a SOD check mechanism
  ― Run the users check on a regular basis
    • Report RSUSR002
    • Transaction SUIM
  ― Compare results in XL
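The critical-action check of slide 20 and the SOD check of slides 23 to 25, carried out over an exported user/transaction list instead of an XL comparison, as an added example in Python (not code from the talk or from MaxPatrol). The CSV layout and the sample rows are assumptions; the action-to-transaction mapping is the one from the SOD table above.

```python
"""Offline check of SAP authorizations against a critical-action list and an
SoD matrix (slides 20 and 23-25). Added example, not code from the talk: it
assumes a CSV export of user -> transaction code pairs, e.g. built from report
RSUSR002 / transaction SUIM; column layout is assumed, rows are constructed."""
import csv
import io
from collections import defaultdict

# Business actions mapped to transaction codes, taken from the SoD table.
ACTIONS = {
    "Create Purchase Order": {"ME21", "ME21N", "ME25", "ME27", "ME31"},
    "Create Vendor Master Record": {"FK01", "MK01", "XK01"},
}
# SoD matrix: pairs of business actions one person must not hold together.
SOD_MATRIX = [("Create Purchase Order", "Create Vendor Master Record")]
# Critical transactions (slide 19) that the regular check should report.
CRITICAL_TCODES = {"MM01", "MK01", "ME21N", "MIRO"}
# Constructed sample export: one line per (user, transaction code).
SAMPLE_EXPORT = """user,tcode
JSMITH,ME21N
JSMITH,MK01
ADOE,ME21N
ADOE,SE16
BLEE,XK01
"""

def load_user_tcodes(text):
    """Parse the export into {user: set of transaction codes}."""
    users = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        users[row["user"].strip()].add(row["tcode"].strip().upper())
    return dict(users)

def actions_of(tcodes):
    """Business actions that a set of transaction codes grants."""
    return {name for name, codes in ACTIONS.items() if tcodes & codes}

def find_sod_violations(users):
    """{user: [(action1, action2), ...]} for users holding both sides of a pair."""
    violations = {}
    for user, tcodes in users.items():
        held = actions_of(tcodes)
        hits = [p for p in SOD_MATRIX if p[0] in held and p[1] in held]
        if hits:
            violations[user] = hits
    return violations

def find_critical_access(users, critical=CRITICAL_TCODES):
    """{user: sorted critical transaction codes the user can execute}."""
    return {u: sorted(t & critical) for u, t in users.items() if t & critical}
```

The same functions work on a role-level export (role instead of user in the first column), which is the slide-24 roles check.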
• 26. MaxPatrol: now
  ― Helps to analyze roles and authorization profiles
  ― Monitors users with critical administrative privileges
  ― Regular control of roles assigned to users
  ― Regular control of role modifications (creating, updating and removing roles)
• 27. MaxPatrol: near future
  ― Create customer-defined business actions
  ― Map roles to business actions
  ― Automatically find matches between roles and business action rules
  ― Automation in creating and controlling users and roles that violate the SoD matrix
  ― Check usage of roles and transactions
  • 29. MaxPatrol – Authorization profile control
• 31. Fraudulent activity in purchasing
  ― Purchasing without purchase requisition
  ― Abuse of one-time vendor accounts
• 32. How to build a fraud check mechanism
  ― Build a possible fraud scheme
  ― Divide the scheme into separate actions
  ― Describe each action in SAP terms
  ― Go to the logs and get all users who performed the actions
  ― Analyze the users whose performed sequence of actions fits the fraud scheme
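The five steps above carried out over a transaction log, as an added example in Python (not code from the talk). The log format (timestamp;user;tcode) and the log rows are assumptions; the scheme is a constructed illustration built from the critical purchasing transactions listed on slide 19.

```python
"""Fraud-scheme check over a transaction log, following the five steps on
slide 32. Added example, not code from the talk: the log format
(timestamp;user;tcode) is assumed and the rows are constructed."""
from datetime import datetime

# Steps 1-3: a possible scheme split into actions and described in SAP terms
# (transaction codes from slide 19). Constructed illustration: one person
# creates a vendor, raises a purchase order and enters the invoice.
VENDOR_PO_INVOICE = [{"MK01", "XK01", "FK01"}, {"ME21N", "ME21"}, {"MIRO"}]

# Constructed log lines; a real source would be the system's audit log.
SAMPLE_LOG = """2013-05-20 09:12:00;JSMITH;MK01
2013-05-20 09:40:00;ADOE;ME21N
2013-05-21 10:05:00;JSMITH;ME21N
2013-05-22 16:30:00;JSMITH;MIRO
2013-05-22 17:00:00;ADOE;MIRO
2013-05-23 08:00:00;ADOE;MK01
"""

def parse_log(text):
    """Step 4: group log entries per user as [(timestamp, tcode)] in time order."""
    per_user = {}
    for line in text.strip().splitlines():
        ts, user, tcode = line.split(";")
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_user.setdefault(user, []).append((stamp, tcode))
    for entries in per_user.values():
        entries.sort()
    return per_user

def matches_scheme(entries, scheme):
    """Step 5: True when the user's actions contain the scheme's steps in order."""
    step = 0
    for _, tcode in entries:
        if step < len(scheme) and tcode in scheme[step]:
            step += 1
    return step == len(scheme)

def users_matching(log_text, scheme):
    """Users whose performed sequence of actions fits the fraud scheme."""
    per_user = parse_log(log_text)
    return sorted(u for u, e in per_user.items() if matches_scheme(e, scheme))
```

ADOE executes all three transactions but creates the vendor last, so the ordered match rejects that user; only the in-order sequence is reported for review.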
• 33. One-time vendor (OTV) payments
  ― SAP provides one-time vendor functionality to reduce administration over the vendor master file by paying infrequent vendors through a one-time vendor account.
  ― The use of the one-time vendor function overcomes typical vendor master file authorization and review controls and may be used to process unauthorized payments.
• 34. How to control OTV payments?
  ― Periodically review one-time vendor payments.
    • The vendor line item report RFKEPL00, transaction code S_ALR_87012103, is the best report to view one-time vendor payments.
    • Payments can also be viewed through the Purchasing Overview by Vendor report.
• 35. Best Practices
  ― Focus on prevention
  ― Automate as many controls as possible
  ― Automate the flow of manual controls
  ― Identify business actions that produce risks when executed by one person
  ― Perform risk analysis before committing and approving changes to access controls
  ― SoD risk identification and remediation should be performed automatically across multiple ERP environments and instances
  ― Automate user provisioning and changes
  ― Control real transaction and role usage
• 36. Conclusions
  ― GRC is an information security trend
  ― The most demanded GRC features:
    • Critical actions control
    • SOD violation control
    • Fraud control
  ― It's possible to build a GRC system that satisfies top management without large-scale deployments.
  • 37. Thank you for your attention! Q&A