SAP and Novell Collaborate on Comprehensive, Integrated Governance, Risk, and Compliance Solutions

Dec 30, 2015

Transcript
Page 1: SAP and Novell Collaborate on Comprehensive, Integrated Governance, Risk, and Compliance Solutions

Page 2:

Agenda

• Addressing today’s GRC challenges

• Demo

• Real-World Insights

Page 3:

Challenges Surround the Enterprise

Cost, Competition, Compliance, Complexity

• Determining “Who has access to what?”

• Lowering IT Management Costs

• Eliminating Security Vulnerabilities

• Addressing Compliance Demands

• Integrating Disparate Systems

• Reducing Duplicated Processes

• Enabling a Mobile Workforce

• Gaining Insight Into Risk

• Addressing Risk Management Requirements

Page 4:

What’s Required to Be Effective in Compliance?

Policies, and Executive Directives

Business Processes: Controls in financial and business process applications

Application Access and IT Controls Management: IT Security, Application Management, Change Management, Identity Management

IT Services: SIEM/Identity Mgmt/Roles Mgmt/Access Mgmt

Executive Management

Business Processes: Finance, Manufacturing, Logistics, Etc…

Page 5:

SAP and Novell: Uniquely Covers the Entire Stack of GRC from Application to IT Controls

Policies, and Executive Directives: Covered through a variety of mechanisms including SAP

Business Process Controls: Covered by SAP GRC

Application Access and IT Controls Management: Covered by Novell Compliance Management Platform

IT Services: SIEM/Identity Mgmt/Roles Mgmt/Access Mgmt

Executive Management

Business Processes: Finance, Manufacturing, Logistics, Etc…

Page 6:

Content, Policy and Events Unify Disparate Systems

Consulting Partners

Page 7:

Problem: The CIO Cannot Provide Business-Relevant Risk Data to the CFO

Toni, CIO

The enterprise is set up with distributed security domains

Issue: Volumes of disparate data make it hard to assess the risk to the enterprise

Page 8:

Convert Raw Data into Information that Provides Full Visibility by

Monitoring all events in the enterprise, injecting identity into access events and correlating those to defined business processes and KRIs

Page 9:

Integrating Security and Access

Bill, Accounting Manager

The security officer noticed some change in department jobs and wanted to review the activities of John and Bill

Page 10:

Problem: The CIO Wastes Resources on Duplicate Efforts

Toni

CIO

PCI SOX Privacy … Information Security 3rd Party HIPAA

Line of Business Corporate IT

Functional Leads

Compliance Managers Legal Audit

Information Security

Service/ Arch Leads

Compliance Managers

Enterprise groups demand the same data from IT in separate requests

Issue: Duplication of efforts consumes IT resources and creates inconsistencies for the business

Page 11:

Eliminate Duplication of Controls by

Mapping controls to defined objectives and processes as well as mapping the process to business owners

Page 12:

Problem: The CIO Cannot Sustain Compliance Demands

Toni, CIO

Diagram labels: App Owner; User Entitlements & Security Controls (Processes, Roles, Users, Audit); Mainframe; PeopleSoft HR DB; SOAP; Java App; Exchange Server; Site 1, Site 2, Site 3, Site n…; Auditor

The enterprise is structured with siloed security domains

Issue: The sheer volume of disparate processes makes it costly to provide compliance-related data

Page 13:

Contain Compliance Costs through a Sustainable Infrastructure

Automating and enforcing common controls while providing transparency to business processes across the enterprise

Diagram labels: User Entitlements and Security Controls (Processes, Users, Roles, Audit); App Owner; Exchange Server; Mainframe; SOAP; PeopleSoft HR DB; Java App; Auditor

Page 14:

Building the Crucial Bridge Between Strategic Applications

Strategic Business Applications

IT Systems

IT Infrastructure

IT Processes

Novell Compliance Management Platform extension for SAP environments

SAP BusinessObjects

SAP ERP

SAP NetWeaver

HCM, FIN, OPS

Process Control

Risk Management

Access Control

Page 15:

Novell CMP Logical Architecture

The following Novell solutions have been integrated to form CMP:

• Sentinel: user activity monitoring and compliance reporting

• Identity Manager: user lifecycle management and account provisioning

• Access Governance: user access certification and role management

• Access Manager: single sign-on for web applications and VPN

• Identity Vault: identity and credential repository

Diagram labels: Solution Boundary; Identity Vault; Novell Access Manager; Policy Engine; Reverse Proxy; Authentication; Authorization; Auditing; Role & Policy Controls; Log Archive; Novell Sentinel; Management Console; Event Collectors; Correlation Engine; Event Correlation; Incident Management; Compliance Reporting; Novell Access Governance; Administration; Novell Identity Manager; Web UI; Workflow; Provisioning; Provisioning Engine; Drivers; Policy Controls; Workflow Processing; Reporting; Role Management

Page 16:

Looking Forward

2007: SAP and Novell deepen a long-standing partnership with a focus on Linux

2009: CMP becomes the first solution certified with Access Control

2010: Integration with Process Control, Risk Management

Page 17:

DEMO

Page 18:

Real-World Insights

Page 19:

Security Focus Areas in 2009

Protecting data assets

• Regulatory and contractual obligations

• Reducing risk of data breach

Streamlining security and compliance

• Addressing fragmented, one-off approaches to compliance with GLBA, SOX, HIPAA, EU Data Protection Directive, PCI DSS and enterprise policies

• Risk-rationalized approach to controls and testing, automate manual processes

Securing a changing IT infrastructure

• Protect the full range of enterprise IT assets

• Support mobility, virtualization, cloud computing and other disruptive changes

Enterprise Risk Management

• Managing IT risks within a more comprehensive enterprise framework

• IT security and controls as a business enabler

Page 20:

Enterprise Risk Management, Access Risks and Controls

Enterprise Risk Management Program

Compliance Program Management

Risk Management

GLBA, SOX, HIPAA, PCI, SAS 70, Enterprise Policies, Privacy

Enterprise Risk-Control Framework -

Risk: Access to resources occurs without proper business authorization

Control: Access is controlled in a manner consistent with business and security requirements.

Risk: Unauthorized access is gained via weak or improperly protected passwords

Control: Systems for managing passwords are interactive and ensure quality passwords.

Risk: Unauthorized users are able to gain access to systems by claiming to be an authorized user

Control: All users are assigned a unique ID for their personal use only, substantiated by Authentication & Reporting

Risk: Users gain access to information that is beyond their appropriate level of privilege

Control: The allocation and use of privileges is restricted and controlled through a formal authorization process

Page 21:

Integrated Novell CMP – SAP Solution: Conceptual View

Diagram labels: SAP ERP; SAP NetWeaver; SAP GRC Suite; Novell CMP; Enterprise Applications; LoB Applications; IT Applications; IT Systems; IT Infrastructure; IT Processes

1. Leverage SAP roles in user management and compliance reporting processes across the non-SAP environment

2. Report business-relevant security events to SAP GRC Suite components, extending their breadth of coverage and business value

Page 22:

Integrated Novell-SAP Solution in Deloitte SNet Lab

An enterprise solution for managing user access risk and compliance across SAP and broader IT landscapes

Diagram labels: CMP System Boundary; Provisioning; Provisioning Engine; Administration; Identity Vault; Access Management; Access Governance; Access Manager; SecureLogin; SIEM; Log Manager; Sentinel; Compliance Certification Manager; Roles Lifecycle Manager; Privileged User Management; Authentication; Authorization; Audit; Monitoring; Reporting; Alerting; Collection; Role Management; Access Certification; User Lifecycle Administration; Manage User Accounts; Compliance; Authoritative Sources; BU 1 HR; BU 2 HR; Data Feeds; Business Users; AGS Users; Sentinel Users; Requestors; Employees; Contractors; Business Partners; Customers; People Mgr.; App. Owner; Legal; IT Security; IT Operations; Enterprise Applications & Systems; IT Infrastructure; IT Systems; IT Applications; IT Foundation; SAP NetWeaver; SAP ERP; SAP Business User; GRC Access Control; GRC Process Control; GRC Risk Management; CUA; NW Portal; UME; OPS, FIN, HR; Help Desk; Config. Mgt.; SSO; Email; Win2K8; AD DB; UNIX

Page 23:

Novell CMP Component Functionality and Controls Provided

Functionality

Access Governance Suite

• Certifying User Access

• Managing Roles

Sentinel

• Security Event Monitoring & Logging

• Compliance Reporting

Access Manager

• Managing User Access

• AuthN & AuthZ

• Audit

• Single Sign-On

Identity Manager

• Managing Accounts

• Assigning Roles

• Managing Passwords

Controls Provided

• Management reviews user access rights at regular intervals using a formal process

• Access to information resources is controlled in a manner consistent with business and security requirements.

• All users are assigned a unique ID for their personal use only, substantiated via appropriate authentication techniques

• Formal procedures to control allocation of access rights to information systems

• Interactive password reset

Page 24:

Questions?

© SAP 2008 / Page 25 Geoffrey Coulehan, SAP Market Development

Page 25:

Contact Information

• Jay Roxe

• Rick Wagner

• Ranga Bodla

• Eli Fisk