The Art of War on Enterprise Access Risks

The SailPoint Blog

If Sun Tzu were writing The Art of War today, he would unequivocally add a few chapters and tactics to address electronic warfare that extends beyond the battlefield. When penning his treatise on war approximately 2,400 years ago, Tzu wasn’t envisioning modern organizations around the world having to arm themselves to defend against cyber threats of every type—including attacks from outside hackers and even from within at the hands of their employees.

According to the Ponemon Institute’s 2020 Cost of Insider Threats report, the frequency of fraud has increased by 75% since 2016. A major cause: a lack of risk visibility and control for ERP systems, such as SAP, that often support a company’s most critical business processes and house sensitive data. The complexity of ERP security structures makes it extremely difficult to ensure the data can only be accessed by people with the appropriate job responsibilities. This becomes nearly impossible when organizations try to control access manually. With data siloed across multiple ERPs and applications and a lack of automation, companies face a futile war to protect the organization and address audit requirements.

Tzu may not have had the foresight to include technological warfare in his ancient collection of military advice, but SailPoint has stepped in to continue the saga with the introduction of SailPoint Access Risk Management. As part of the SailPoint Identity Security platform, SailPoint Access Risk Management enables you to gain a wide breadth of visibility and control of access across your organization and gives you the granular depth needed to mitigate risk stemming from today’s complex ERP systems. Together with this centralized platform, many of Tzu’s maneuvers are still applicable to defeat access risks.

  • Attack by Strategy

Any well-planned defense is backed by strategy, and a solid stratagem starts with understanding the scope of the problem to determine solution tactics. Most businesses can’t see their separation of duties (SoD) threats across their digital properties; holistic visibility is vital. Modern army night vision goggles enable soldiers to see and catch enemies lurking even in the dark of night. That’s advanced foresight—and a way to head off disaster before it hits. How does this relate to what we are doing at SailPoint with Access Risk Management?

Think of our AI-enhanced identity security as a first line of defense. It protects the perimeter and allows entrance only to the right users with verified access as an added safeguard. But we also secure the interior. For that, we need more granular vision and control to determine who has access, who should have access, and exactly what they are doing with it—in real time. We believe a smart security strategy will include both identity safeguards and granular utilization visibility to see threats before they become full-blown attacks, and to begin executing the second phase of the strategy—remediation.

Deep, granular risk analysis

  • Execute a Variation of Tactics

Failure to cover all the bases can open any organization to risk. An all-inclusive arsenal should include automated and continuous analysis of risks with built-in remediation advice, plus the ability to conduct periodic access reviews and generate audit-ready reports without any IT intervention.

There is another significant weapon, though, that can head risks off at the pass: predictive risk analysis. It’s an advantage to see risks already in a system; it’s even better if you can see them before they enter. Pre-provisioning risk simulation does just that. When provisioning a new user or granting elevated or emergency access, Access Risk Management analyzes potential risks before permitting access. It’s the extra guard at the gate.

  • Unify Your Troops and Elevate Intelligence

You know the risks, how bad they are and how to potentially stop them before they start, but it doesn’t work to protect only one section of the combat zone. You need to easily traverse the entire ERP and application landscape with a united front. That involves taking a unified approach with the same level of security and with a solution that can serve as a command center to centralize all risk data.

Disparate solutions cause fragmented knowledge for compliance, IT and security teams. They eat up time and money, but more importantly, they don’t enable rapid and broad risk visibility across the enterprise. Tzu knew the value of surveillance and military intelligence. Precise and accurate access risk insight that is easily generated, comprehensive and intuitive is what companies need to win the war on risk.

Continuing with your legacy ERP governance approach is not a winning strategy. Companies need to go wide and go deep for complete protection. SailPoint brings all of the benefits of holistic identity security across SAP, SAP cloud applications and more – and it’s delivered from the cloud. Check out the SailPoint difference and the future of access and identity security for not only SAP but also other ERP, HCM and CRM platforms to come.