SAP and Novell Collaborate on Comprehensive, Integrated Governance, Risk, and Compliance Solutions
Dec 30, 2015
Challenges Surround the Enterprise
Cost, Competition, Compliance, Complexity
• Determining “Who has access to what?”
• Lowering IT Management Costs
• Eliminating Security Vulnerabilities
• Addressing Compliance Demands
• Integrating Disparate Systems
• Reducing Duplicated Processes
• Enabling a Mobile Workforce
• Gaining Insight Into Risk
• Addressing Risk Management Requirements
What’s Required to Be Effective in Compliance?
• Executive Management: Policies and Executive Directives
• Business Processes (Finance, Manufacturing, Logistics, etc.): Controls in financial and business process applications
• Application Access and IT Controls Management: IT Security, Application Management, Change Management, Identity Management
• IT Services: SIEM/Identity Mgmt/Roles Mgmt/Access Mgmt
SAP and Novell: Uniquely Covers the Entire Stack of GRC from Application to IT Controls
• Policies and Executive Directives: Covered through a variety of mechanisms including SAP
• Business Process Controls: Covered by SAP GRC
• Application Access and IT Controls Management: Covered by Novell Compliance Management Platform
Problem: The CIO Cannot Provide Business-Relevant Risk Data to the CFO
Toni (CIO)
The enterprise is set up with distributed security domains.
Issue: Volumes of disparate data make it hard to assess the risk to the enterprise.
Convert Raw Data into Information that Provides Full Visibility by monitoring all events in the enterprise, injecting identity into access events and correlating those to defined business processes and KRIs.
Integrating Security and Access
Bill (Accounting Manager)
The security officer noticed some change in department jobs and wanted to review the activities of John and Bill.
Problem: The CIO Wastes Resources on Duplicate Efforts
Toni (CIO)
Diagram labels: PCI, SOX, Privacy, …, Information Security, 3rd Party, HIPAA; Line of Business and Corporate IT; Functional Leads, Compliance Managers, Legal, Audit, Information Security, Service/Arch Leads, Compliance Managers.
Enterprise groups demand the same data from IT in separate requests.
Issue: Duplication of efforts consumes IT resources and creates inconsistencies for the business.
Eliminate Duplication of Controls by mapping controls to defined objectives and processes as well as mapping the process to business owners.
Problem: The CIO Cannot Sustain Compliance Demands
Toni (CIO)
Diagram labels: App Owner; Auditor; Site 1: Mainframe, Exchange Server; Site 2: PeopleSoft HR DB, Exchange Server; Site 3: SOAP, Exchange Server; Site n…: Java App, Exchange Server; each site with its own User Entitlements & Security Controls, Processes, Roles, Users and Audit.
The enterprise is structured with siloed security domains.
Issue: The sheer volume of disparate processes makes it costly to provide compliance-related data.
Contain Compliance Costs through a Sustainable Infrastructure by automating and enforcing common controls while providing transparency to business processes across the enterprise.
Diagram labels: App Owner; Auditor; Exchange Server, Mainframe, SOAP, PeopleSoft HR DB and Java App sharing one set of Processes, Users, Roles, Audit, and User Entitlements and Security Controls.
Building the Crucial Bridge Between Strategic Applications
Diagram: Strategic Business Applications (SAP BusinessObjects, SAP ERP, SAP NetWeaver; HCM, FIN, OPS; Process Control, Risk Management, Access Control) bridged by the Novell Compliance Management Platform extension for SAP environments to IT Systems, IT Infrastructure and IT Processes.
Novell CMP Logical Architecture
The following Novell solutions have been integrated to form CMP:
• Sentinel: user activity monitoring and compliance reporting
• Identity Manager: user lifecycle management and account provisioning
• Access Governance: user access certification and role management
• Access Manager: single sign-on for web applications and VPN
• Identity Vault: identity and credential repository
Solution boundary diagram (component labels in page order): Identity Vault; Novell Access Manager: Policy Engine, Reverse Proxy, Authentication, Authorization, Auditing, Role & Policy Controls; Log Archive; Novell Sentinel: Management Console, Event Collectors, Correlation Engine, Event Correlation, Incident Management, Compliance Reporting; Novell Access Governance: Administration; Novell Identity Manager: Web UI, Workflow, Provisioning, Provisioning Engine, Drivers, Policy Controls, Workflow Processing, Reporting, Role Management.
Looking Forward
• 2007: SAP and Novell deepen a long-standing partnership with a focus on Linux
• 2009: CMP becomes the first solution certified with Access Control
• 2010: Integration with Process Control, Risk Management
Security Focus Areas in 2009
Protecting data assets
• Regulatory and contractual obligations
• Reducing risk of data breach
Streamlining security and compliance
• Addressing fragmented, one-off approaches to compliance with GLBA, SOX, HIPAA, EU Data Protection Directive, PCI DSS and enterprise policies
• Risk-rationalized approach to controls and testing, automate manual processes
Securing a changing IT infrastructure
• Protect the full range of enterprise IT assets
• Support mobility, virtualization, cloud computing and other disruptive changes
Enterprise Risk Management
• Managing IT risks within a more comprehensive enterprise framework
• IT security and controls as a business enabler
Enterprise Risk Management, Access Risks and Controls
Compliance Program Management / Risk Management
Enterprise Risk Management Program: GLBA, SOX, HIPAA, PCI, SAS 70, Enterprise Policies, Privacy
Enterprise Risk-Control Framework (controls paired with the risks they address):
• Control: Access is controlled in a manner consistent with business and security requirements. Risk: Access to resources occurs without proper business authorization.
• Control: Systems for managing passwords are interactive and ensure quality passwords. Risk: Unauthorized access is gained via weak or improperly protected passwords.
• Control: All users are assigned a unique ID for their personal use only, substantiated by Authentication & Reporting. Risk: Unauthorized users are able to gain access to systems by claiming to be an authorized user.
• Control: The allocation and use of privileges is restricted and controlled through a formal authorization process. Risk: Users gain access to information that is beyond their appropriate level of privilege.
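The visibility slide earlier in the deck describes monitoring all events, injecting identity into access events and correlating them to business processes and KRIs, and the risk-control framework above names the risks of access beyond a user's privilege level and of access by accounts that belong to no authorized user. The following is an added Python example, not Novell or SAP code, that shows the mechanics of that correlation on constructed data: an identity-vault extract, a role-to-entitlement map and a resource-to-process map are used to enrich pipe-delimited access events, and findings are counted per business process as a KRI. Every field name, account, resource and role here is an assumption made for the example.

```python
"""Identity-enriched access-event correlation (added example, not Novell/SAP code).

All data below is constructed for illustration; field layout, account names,
resource names and role names are assumptions, not any product's schema.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed identity-vault extract: (system, account) -> person and roles.
IDENTITY_VAULT = {
    ("PeopleSoftHR", "jdoe"): {"person": "John Doe", "roles": {"HR_Analyst"}},
    ("SAP_ERP", "JDOE"): {"person": "John Doe", "roles": {"HR_Analyst"}},
    ("SAP_ERP", "BSMITH"): {"person": "Bill Smith", "roles": {"Accounting_Manager"}},
}

# Constructed role entitlements (what each role is authorized to touch).
ROLE_ENTITLEMENTS = {
    "HR_Analyst": {"HR:EmployeeRecords"},
    "Accounting_Manager": {"FIN:GeneralLedger", "FIN:AP_Invoices"},
}

# Constructed mapping from protected resource to the business process it serves.
PROCESS_OF_RESOURCE = {
    "HR:EmployeeRecords": "Human Capital Management",
    "FIN:GeneralLedger": "Financial Close",
    "FIN:AP_Invoices": "Procure-to-Pay",
}

# Constructed raw access events as a collector might deliver them:
# timestamp|system|account|resource|action|outcome
RAW_EVENTS = """\
2015-12-30T08:01:12Z|SAP_ERP|BSMITH|FIN:GeneralLedger|READ|ALLOW
2015-12-30T08:03:40Z|SAP_ERP|JDOE|FIN:GeneralLedger|WRITE|ALLOW
2015-12-30T08:05:02Z|PeopleSoftHR|jdoe|HR:EmployeeRecords|READ|ALLOW
2015-12-30T08:07:55Z|SAP_ERP|GHOST|FIN:AP_Invoices|READ|ALLOW
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    system: str
    account: str
    resource: str
    action: str
    outcome: str


def parse_events(text):
    """Parse pipe-delimited lines into AccessEvent records; reject malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(parts)}")
        events.append(AccessEvent(*parts))
    return events


def enrich(event):
    """Inject identity into one event and classify it against role entitlements.

    Findings: 'orphan_account' when the account resolves to no person in the
    vault, 'beyond_privilege' when no role of the person entitles the resource,
    otherwise None (access consistent with authorized privilege).
    """
    ident = IDENTITY_VAULT.get((event.system, event.account))
    roles = ident["roles"] if ident else set()
    entitled = any(event.resource in ROLE_ENTITLEMENTS.get(r, set()) for r in roles)
    if ident is None:
        finding = "orphan_account"
    elif not entitled:
        finding = "beyond_privilege"
    else:
        finding = None
    return {
        "event": event,
        "person": ident["person"] if ident else None,
        "roles": roles,
        "process": PROCESS_OF_RESOURCE.get(event.resource, "Unmapped"),
        "finding": finding,
    }


def correlate(text):
    """Enrich every event and aggregate findings per (business process, finding) as a KRI."""
    enriched = [enrich(e) for e in parse_events(text)]
    kri = Counter()
    for rec in enriched:
        if rec["finding"]:
            kri[(rec["process"], rec["finding"])] += 1
    return enriched, kri


if __name__ == "__main__":
    records, kri = correlate(RAW_EVENTS)
    for rec in records:
        ev = rec["event"]
        print(f"{ev.ts} {ev.system}/{ev.account} -> {rec['person']} "
              f"{ev.resource} [{rec['process']}] finding={rec['finding']}")
    for (process, finding), count in sorted(kri.items()):
        print(f"KRI {process}: {finding} = {count}")
```

The point of the enrichment step is that a raw event says only which account touched which resource; it is the join against the identity repository and the role model that turns it into a statement about a person and a privilege, and the join against the process map that lets the count be reported as a business-relevant indicator rather than a per-system log total.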
Integrated Novell CMP – SAP Solution: Conceptual View
Diagram: SAP ERP, SAP NetWeaver and the SAP GRC Suite alongside Novell CMP, layered over Enterprise Applications, LoB Applications, IT Applications, IT Systems, IT Infrastructure and IT Processes.
1. Leverage SAP roles in user management and compliance reporting processes across the non-SAP environment
2. Report business-relevant security events to SAP GRC Suite components, extending their breadth of coverage and business value
Integrated Novell-SAP Solution in Deloitte SNet Lab
An enterprise solution for managing user access risk and compliance across SAP and broader IT landscapes.
Diagram labels (in page order): Provisioning; Enterprise Applications & Systems; Business Users; Access Management; AGS Users; Sentinel Users; Authoritative Sources (BU 1 HR, BU 2 HR, Data Feeds); CMP System Boundary; Administration; Provisioning Engine; Identity Vault; Compliance; Requestors (Employees, Contractors, Business Partners, Customers); IT Infrastructure; SIEM; Access Governance; Access Manager; SecureLogin; Log Manager; Sentinel; Compliance Certification Manager; Roles Lifecycle Manager; Privileged User Management; Audit; People Mgr.; App. Owner; Legal; IT Security; IT Operations; Authentication; Authorization; Monitoring; Reporting; Alerting; Collection; Role Management; Access Certification; User Lifecycle Administration; Manage User Accounts; IT Systems; IT Applications; SAP NetWeaver; SAP ERP; SAP Business User; GRC Access Control; CUA; NW Portal; OPS, FIN, HR; Help Desk, Config. Mgt.; SSO; Win2K8, AD, DB, UNIX; UME; GRC Process Control; GRC Risk Management; IT Foundation; integration points numbered 1–4.
Novell CMP Component Functionality and Controls Provided
Functionality:
• Access Governance Suite: Certifying User Access; Managing Roles
• Sentinel: Security Event Monitoring & Logging; Compliance Reporting
• Access Manager: Managing User Access; AuthN & AuthZ; Audit; Single Sign-On
• Identity Manager: Managing Accounts; Assigning Roles; Managing Passwords
Controls Provided:
• Management reviews user access rights at regular intervals using a formal process
• Access to information resources is controlled in a manner consistent with business and security requirements
• All users are assigned a unique ID for their personal use only, substantiated via appropriate authentication techniques
• Formal procedures to control allocation of access rights to information systems
• Interactive password reset
Contact Information
• Jay Roxe ([email protected])
• Rick Wagner ([email protected])
• Ranga Bodla ([email protected])
• Eli Fisk ([email protected])