SAP and Novell Collaborate on Comprehensive, Integrated Governance, Risk, and Compliance Solutions
Session Description
Title: Ensuring Security and Compliance Across the Enterprise (takes place on Wednesday, Oct. 14th at 3:15pm)
Abstract: Learn how SAP BusinessObjects GRC and Novell are building bridges between SAP, the IT infrastructure and other strategic applications to streamline security and regulatory compliance efforts, reduce redundancies and improve the return on investment of systems in the enterprise. This session will provide detailed examples of how SAP and Novell have partnered to provide solutions and best practices around provisioning, compliance assurance, and identity and access management. The Novell Compliance Management Platform extension for SAP environments is the industry's first solution certified with SAP GRC Access Control. You will gain insights from key partners and customers on how to integrate your IT GRC infrastructure. You will also hear from SAP BusinessObjects GRC and Novell executives about the current and future technology roadmap that enables a clear and agile enterprise.
Agenda
• Addressing today’s GRC challenges
• Demo
• Real-World Insights
Challenges Surround the Enterprise
(diagram: the enterprise surrounded by Cost, Competition, Compliance and Complexity)
• Determining “Who has access to what?”
• Lowering IT management costs
• Eliminating security vulnerabilities
• Addressing compliance demands
• Integrating disparate systems
• Reducing duplicated processes
• Enabling a mobile workforce
• Gaining insight into risk
• Addressing risk management requirements
What’s Required to Be Effective in Compliance?
• Policies and Executive Directives (Executive Management)
• Business Processes: controls in financial and business process applications (Finance, Manufacturing, Logistics, etc.)
• Application Access and IT Controls Management: IT Security, Application Management, Change Management, Identity Management
• IT Services: SIEM / Identity Mgmt / Roles Mgmt / Access Mgmt
SAP and Novell: Uniquely Covers the Entire Stack of GRC from Application to IT Controls
• Policies and Executive Directives: covered through a variety of mechanisms including SAP
• Business Process Controls: covered by SAP GRC
• Application Access and IT Controls Management: covered by Novell Compliance Management Platform
Content, Policy and Events Unify Disparate Systems
Consulting Partners
Problem: The CIO Cannot Provide Business-Relevant Risk Data to the CFO
(persona: Toni, CIO)
The enterprise is set up with distributed security domains.
Issue: Volumes of disparate data make it hard to assess the risk to the enterprise.
Convert Raw Data into Information that Provides Full Visibility by monitoring all events in the enterprise, injecting identity into access events and correlating those to defined business processes and KRIs.
Integrating Security and Access
(persona: Bill, Accounting Manager)
The security officer noticed some change in department jobs and wanted to review the activities of John and Bill.
Problem: The CIO Wastes Resources on Duplicate Efforts
(persona: Toni, CIO)
Compliance drivers: PCI, SOX, Privacy, Information Security, 3rd Party, HIPAA, …
Stakeholders: Line of Business (Functional Leads, Compliance Managers); Corporate IT (Legal, Audit, Information Security, Service/Architecture Leads, Compliance Managers)
Enterprise groups demand the same data from IT in separate requests.
Issue: Duplication of effort consumes IT resources and creates inconsistencies for the business.
Eliminate Duplication of Controls by mapping controls to defined objectives and processes, as well as mapping the process to business owners.
Problem: The CIO Cannot Sustain Compliance Demands
(persona: Toni, CIO; diagram: an auditor and one app owner per site, where each site (Mainframe, Exchange Server, SOAP, PeopleSoft HR DB, Java App, Site 1 … Site n) keeps its own Processes, Roles, Users, Audit and User Entitlements & Security Controls)
The enterprise is structured with siloed security domains.
Issue: The sheer volume of disparate processes makes it costly to provide compliance-related data.
Contain Compliance Costs through a Sustainable Infrastructure by automating and enforcing common controls while providing transparency to business processes across the enterprise.
(diagram: one shared set of Processes, Users, Roles, Audit and User Entitlements and Security Controls serving the app owners of Exchange Server, Mainframe, SOAP, PeopleSoft HR DB and Java App, with the auditor)
Building the Crucial Bridge Between Strategic Applications
(diagram: Strategic Business Applications (SAP BusinessObjects: Process Control, Risk Management, Access Control; SAP ERP: HCM, FIN, OPS; SAP NetWeaver) bridged by the Novell Compliance Management Platform extension for SAP environments to IT Systems, IT Infrastructure and IT Processes)
Novell CMP Logical Architecture
The following Novell solutions have been integrated to form CMP:
• Sentinel: user activity monitoring and compliance reporting
• Identity Manager: user lifecycle management and account provisioning
• Access Governance: user access certification and role management
• Access Manager: single sign-on for web applications and VPN
• Identity Vault: identity and credential repository
(diagram, within the solution boundary: Identity Vault; Novell Access Manager: Policy Engine, Reverse Proxy, Authentication, Authorization, Auditing, Role & Policy Controls; Log Archive; Novell Sentinel: Management Console, Event Collectors, Correlation Engine, Event Correlation, Incident Management, Compliance Reporting; Novell Access Governance: Administration; Novell Identity Manager: Web UI, Workflow, Provisioning, Provisioning Engine, Drivers, Policy Controls, Workflow Processing, Reporting, Role Management)
Looking Forward
• 2007: SAP and Novell deepen a long-standing partnership with a focus on Linux
• 2009: CMP becomes the first solution certified with Access Control
• 2010: Integration with Process Control, Risk Management
DEMO
Real-World Insights
Security Focus Areas in 2009
Protecting data assets
• Regulatory and contractual obligations
• Reducing risk of data breach
Streamlining security and compliance
• Addressing fragmented, one-off approaches to compliance with GLBA, SOX, HIPAA, EU Data Protection Directive, PCI DSS and enterprise policies
• Risk-rationalized approach to controls and testing; automate manual processes
Securing a changing IT infrastructure
• Protect the full range of enterprise IT assets
• Support mobility, virtualization, cloud computing and other disruptive changes
Enterprise Risk Management
• Managing IT risks within a more comprehensive enterprise framework
• IT security and controls as a business enabler
Enterprise Risk Management, Access Risks and Controls
Enterprise Risk Management Program: Compliance Program Management, Risk Management
Enterprise Risk-Control Framework (drivers: GLBA, SOX, HIPAA, PCI, SAS 70, Enterprise Policies, Privacy)
Risks and Controls:
• Risk: Access to resources occurs without proper business authorization. Control: Access is controlled in a manner consistent with business and security requirements.
• Risk: Unauthorized access is gained via weak or improperly protected passwords. Control: Systems for managing passwords are interactive and ensure quality passwords.
• Risk: Unauthorized users are able to gain access to systems by claiming to be an authorized user. Control: All users are assigned a unique ID for their personal use only, substantiated by authentication and reporting.
• Risk: Users gain access to information that is beyond their appropriate level of privilege. Control: The allocation and use of privileges is restricted and controlled through a formal authorization process.
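The "inject identity into access events and correlate them to business processes and KRIs" approach from the risk-data slide, and the business-authorization and unique-ID controls in the risk/control list above, as an added Python example (not Novell or SAP code): the identity vault, the role entitlement matrix and the raw access events are constructed sample data, and every account, role, system and process name is hypothetical.

```python
"""Identity-enriched access-event correlation (added example, constructed data).

Raw access events from a collector carry only an account name. The script
injects identity attributes from a (constructed) identity vault, maps each
event to the business process it touches, and raises a finding for two of the
risks in the slide's risk/control list: access without business authorization
and activity from an account that is not tied to one unique person.
"""
from collections import Counter

# Constructed identity vault: account -> identity attributes (hypothetical).
IDENTITY_VAULT = {
    "jsmith": {"name": "John Smith", "department": "Accounting", "roles": {"AP_CLERK"}},
    "bjones": {"name": "Bill Jones", "department": "Accounting", "roles": {"ACCOUNTING_MANAGER"}},
    "tlee": {"name": "Toni Lee", "department": "IT", "roles": {"IT_ADMIN"}},
}

# Constructed entitlement matrix: role -> set of (system, action) it authorizes.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {("SAP_ERP", "create_vendor_invoice")},
    "ACCOUNTING_MANAGER": {("SAP_ERP", "approve_payment"), ("SAP_ERP", "create_vendor_invoice")},
    "IT_ADMIN": {("AD", "reset_password"), ("UNIX", "sudo")},
}

# Constructed mapping from (system, action) to the business process / KRI it belongs to.
BUSINESS_PROCESS = {
    ("SAP_ERP", "create_vendor_invoice"): "Procure-to-Pay",
    ("SAP_ERP", "approve_payment"): "Procure-to-Pay",
    ("SAP_ERP", "change_vendor_bank"): "Procure-to-Pay",
    ("AD", "reset_password"): "Identity Lifecycle",
    ("UNIX", "sudo"): "Infrastructure Operations",
}

# Constructed raw events as a SIEM collector might deliver them: account only,
# no person, department or business context.
RAW_EVENTS = [
    {"ts": "2009-10-14T09:01:00", "system": "SAP_ERP", "account": "jsmith", "action": "create_vendor_invoice"},
    {"ts": "2009-10-14T09:05:00", "system": "SAP_ERP", "account": "jsmith", "action": "approve_payment"},
    {"ts": "2009-10-14T09:07:00", "system": "SAP_ERP", "account": "bjones", "action": "approve_payment"},
    {"ts": "2009-10-14T09:10:00", "system": "UNIX", "account": "root", "action": "sudo"},
    {"ts": "2009-10-14T09:12:00", "system": "AD", "account": "tlee", "action": "reset_password"},
]


def enrich(event):
    """Inject identity and business-process context into one raw event."""
    identity = IDENTITY_VAULT.get(event["account"])
    key = (event["system"], event["action"])
    enriched = dict(event)
    enriched["person"] = identity["name"] if identity else None
    enriched["department"] = identity["department"] if identity else None
    enriched["roles"] = set(identity["roles"]) if identity else set()
    enriched["process"] = BUSINESS_PROCESS.get(key, "Unmapped")
    return enriched


def authorized(enriched):
    """True when at least one of the person's roles grants this (system, action)."""
    key = (enriched["system"], enriched["action"])
    return any(key in ROLE_ENTITLEMENTS.get(role, set()) for role in enriched["roles"])


def correlate(events):
    """Return one finding per event that violates a control, in event order."""
    findings = []
    for raw in events:
        ev = enrich(raw)
        if ev["person"] is None:
            # Shared or unmapped account: no unique personal ID behind the activity.
            findings.append({**ev, "risk": "non-unique or unknown account"})
        elif not authorized(ev):
            findings.append({**ev, "risk": "access without business authorization"})
    return findings


def kri_summary(findings):
    """Findings per business process, the shape a KRI dashboard consumes."""
    return Counter(f["process"] for f in findings)


if __name__ == "__main__":
    found = correlate(RAW_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['system']}/{f['action']} account={f['account']} "
              f"person={f['person']} process={f['process']}: {f['risk']}")
    print(dict(kri_summary(found)))
```

With the constructed data the run produces two findings: the AP clerk's payment approval (a role that does not carry that entitlement, so the Procure-to-Pay KRI is incremented) and the sudo from a root account that no person in the vault owns. The same enrich-then-compare step is what lets a raw log line be answered in business terms ("who has access to what, and should they?") rather than as an account name.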
Integrated Novell CMP – SAP Solution: Conceptual View
(diagram: SAP ERP, SAP NetWeaver and the SAP GRC Suite on one side; Novell CMP spanning Enterprise Applications, LoB Applications, IT Applications, IT Systems, IT Infrastructure and IT Processes on the other)
1. Leverage SAP roles in user management and compliance reporting processes across the non-SAP environment
2. Report business-relevant security events to SAP GRC Suite components, extending their breadth of coverage and business value
Integrated Novell-SAP Solution in Deloitte SNet Lab
An enterprise solution for managing user access risk and compliance across SAP and broader IT landscapes
(diagram, CMP system boundary: authoritative sources (BU 1 HR, BU 2 HR) feed the Identity Vault; Provisioning (Administration, Provisioning Engine) and Compliance (Access Governance: Compliance Certification Manager, Roles Lifecycle Manager; Privileged User Management) serve requestors (employees, contractors, business partners, customers) and AGS users (people managers, app owners, legal, IT security, audit, IT operations); Access Management (Access Manager, SecureLogin) gives business users authentication, authorization and audit; SIEM (Log Manager, Sentinel) gives Sentinel users collection, monitoring, reporting and alerting; functions: role management, access certification, user lifecycle administration, manage user accounts; managed IT infrastructure and systems: Win2K8, AD, DB, UNIX, Help Desk, Config. Mgt., SSO; managed IT applications: SAP NetWeaver (NW Portal, UME, CUA), SAP ERP (OPS, FIN, HR), GRC Access Control, GRC Process Control, GRC Risk Management, for the SAP business user; IT Foundation)
Novell CMP Component Functionality and Controls Provided
Functionality:
Access Governance Suite
• Certifying User Access
• Managing Roles
Sentinel
• Security Event Monitoring & Logging
• Compliance Reporting
Access Manager
• Managing User Access
• AuthN & AuthZ
• Audit
• Single Sign-On
Identity Manager
• Managing Accounts
• Assigning Roles
• Managing Passwords
Controls Provided:
• Management reviews user access rights at regular intervals using a formal process
• Access to information resources is controlled in a manner consistent with business and security requirements
• All users are assigned a unique ID for their personal use only, substantiated via appropriate authentication techniques
• Formal procedures to control allocation of access rights to information systems
• Interactive password reset
Questions?
© SAP 2008, Geoffrey Coulehan, SAP Market Development
Contact Information
• Jay Roxe ([email protected])
• Rick Wagner ([email protected])
• Ranga Bodla ([email protected])
• Eli Fisk ([email protected])