Securing Accenture through SAP GRC and SAP IDM
Accenture operates user security in the new with process-focused, cloud-delivered services.
The backbone of Accenture’s business is a core set of global applications, including a single global instance of SAP® S/4HANA®. These applications require a robust, role-based security model and operations processes that protect the confidentiality, integrity and availability of Accenture’s systems and data as well as reduce the impact of an external security breach.
Given this environment, Accenture faces the ongoing need to deliver a comprehensive user security solution that is compliant with controls and operates at increasing scale, agility and efficiency across multiple business units, business processes and applications while creating a single source of truth.
Accenture has delivered stable, compliant security operations while keeping pace with the growth and change demanded by a global services company. These operations have been accomplished using three different identity platforms each paired with various versions of SAP Governance, Risk and Compliance (GRC).
Four key factors have contributed to the solution’s long-running success:
Govern with process-centered, cross-organizational perspective and analytics
Strong security role governance, led by Accenture’s Business Integration Security service line, is delivered by cross-functional collaboration between the internal IT organization and business function leadership.
Business Integration Security is responsible for governance, compliance and role provisioning for Accenture’s core global business applications. Working seamlessly across the SAP IDM, SAP GRC, and other IT areas, the team manages consistent but flexible access models designed to fit the needs of each internal business function, including Finance, Human Resources, Business Reporting, Forecasting and Sales. This overall approach allows Accenture to run global applications with the right balance of business function flexibility and control to protect the principle of least privilege.
Governance and operations decisions made by the Business Integration Security team are driven by data analytics, used to help ensure user access impacts are minimized as a result of system upgrades and to optimize user profiles and license usage, resulting in significant service efficiencies and cost savings. Further, Business Integration Security and internal IT collaborate with various assurance teams such as Internal Controls, Internal Audit, external audit and Accenture’s Information Security organization to confirm Accenture is compliant with areas such as Sarbanes-Oxley, ISO27001, data privacy and Accenture’s corporate insider trading policies.
Integrate GRC capabilities
GRC tools are crucial for consistent and repeatable control of complex application environments. Accenture moved from a manual solution to partial SAP GRC integration and then to a full integration of SAP GRC 10.1 with the business reporting module, segregation of duties (SoD) simulation capability, and real-time SoD check for temporary role requests.
With the release of SAP GRC 10.1, the Business Integration Security team expanded its monitoring capability, which it did with the deployment of two modules, SAP Access Risk Analysis and SAP Emergency Access Management. These modules enable the team to anticipate and control potential SoDs and monitor use of production support IDs with elevated privileges needed for rapid support of production issues and software releases.
The maturing of SAP IDM for requests and provisioning enabled the Business Integration Security team to integrate with the GRC system and deliver online scan results embedded in the approver workflow. This solution enables simulation results to be presented to the business approver at the time they are reviewing single-privilege requests, which has limited the number of requests with SoDs being approved.
Automate role authorization
A comprehensive security model was needed to protect Accenture’s global applications, including the global SAP system against fraud or material misstatement of financials as well for the protection of data privacy (including EU General Data Protection Regulation [GDPR] compliance). The solution was to use organizational and geography-specific authorizations based on the data context selected by the user to limit access to only the data they need to transact or view data. By governing from a single source of authorization truth using SAP IDM, Accenture grants access consistently across its Finance, HR, Business Reporting, Forecasting and Sales systems.
Accenture is using the SAP IDM application as the engine for Accenture’s IDM solution. On top of the SAP IDM platform, Accenture’s internal IT organization built a custom .NET user interface to enhance and simplify the user experience. The improved visibility of SAP IDM allowed the teams to clean up and recalculate user data and locate security master data issues previously unseen in the legacy system. The resulting business benefit was accurate reconciliation between the IDM data and the target SAP systems.
This solution is used to provision access to more than 20 global applications, including custom applications and third-party, cloud-based systems. The IDM solution automates more than 99 percent of the SAP-related privileges in a standard month and more than 94 percent of entitlements across all applications in scope.
Host in the public cloud
The Accenture business and IT security teams provide more than 230 security services to its internal customers, including the SAP system, custom and third-party applications and cloud-based solutions such as Salesforce. The architecture, now in the public cloud, has demonstrated clear benefits in scalability, agility and performance. The combination of the cloud performance and an IDM upgrade to 8.0 has improved front-end UI response times by over 90 percent. The migration to the cloud was accomplished in stages, over several weekends, seamlessly coordinated by Accenture’s own cloud transition teams.
Additionally, master data, request history and user profile information are captured in the cloud and available to the Business Integration Security team to use for controls or initiative assistance. Dashboards, status and control reports are compiled and shared using Microsoft Teams and PowerBI. This flexible and collaborative approach allows costs to be low and enables the teams to support five times the number of applications and a greater user request volume compared to more than a decade ago.
Governing with a process-centered, cross-organizational perspective and analytics
Integrating GRC capabilities
Automating role authorization using centralized SAP Identity Management (IDM)
Hosting in the public cloud
Accenture today operates with a global security solution that is compliant with controls, yet delivers business solutions with increasing compliance, agility and efficiency via one single source of truth. Accenture has transparency in its internal business application environment that is well beyond what is expected for an environment as complex as Accenture’s. Audit questions can be addressed better, faster and more cost-effectively than in prior years. Rather than audit teams finding issues, Accenture’s security teams now prevent issues or proactively identify and resolve them.
From a business perspective, while audit findings were low previously, the implementation and integration of the solution with SAP GRC 10.1 has driven them lower with earlier visibility. The percentage of SoDs per user has since been reduced by nearly 98 percent compared to the pre-SAP GRC days. Fewer than five in 10,000 users are permitted to retain long-term, locally mitigated SoDs in Accenture’s finance and HR systems.
SAP IDM integrated with a custom SAP Solution Manager report allows the OSE Security team to reduce unused authorized business roles and profiles, resulting in a 50 percent reduction in the number of active users. Additionally, a long-standing issue with complex users having more privileges approved than what SAP S/4HANA permits was corrected by performing a detailed analysis of the role and design data.
The solution is agile enough to keep pace with the changes in the business, while at the same time managing the workflow of more than 100,000 entitlements per month. It is also efficient. Provisioning, now highly automated, has been reduced from one to two days following approval down to just a few minutes on average. The cloud architecture has improved response time of the UI by over 90 percent. Accenture is gaining in scalability and agility to operate and support its internal customers in an incremental way every year.
Accenture’s security solution has been built in such a way that Accenture’s internal IT organization can accept SAP software changes as it releases new functionality and upgrade the solution without service interruptions. The current capability enables Accenture to deliver security at the speed of business change and at the same time consider new areas of analytics and mobility for its security solution.
Accenture treats SAP GRC and SAP IDM as assets, and continually looks to the power that these tools can bring to better comply, be agile and be efficient. Implementing SAP GRC and SAP IDM has served to further enhance the value of SAP software at Accenture, and will continue to improve operations, support digitization and deliver business value.
The solution is agile enough to keep pace with the changes in the business, while at the same time managing the workflow of more than 100,000 entitlements per month.