The integrated SAP and Novell functions enable a more holistic approach to GRC, extending to more of the IT infrastructure. The announcement extends a partnership between the companies that was announced last March, according to Marge Breya, executive vice president and general manager with SAP Business Objects, during a press conference here.
"We're extending that [partnership] now to go across the entire portfolio of GRC with monitoring and the compliance management platform from Novell to make sure that we have end-to-end solutions so that customers can reduce any vulnerabilities in their access and process environment as well as their risk management environment," Breya said.
The joint offering, available now, addresses some major challenges with GRC automation today, said Narina Sippy, senior vice president and general manager, GRC Solutions, SAP AG. Many organizations have ended up with multiple GRC silos, she said, focusing on certain regulations, applications or business units. The result is no clear view of risk across an entire operation. Worse, many GRC activities to date tend to focus on reporting after the fact, Sippy said.
"In this day and age, reporting after the fact is very dangerous," Sippy said. "You want to know when something might be happening and have the ability to prevent that from happening."
SAP's GRC functions can already manage GRC-related processes across SAP and non-SAP applications, but Novell now brings a new level of integrated system monitoring to the equation with event monitoring and identity management, said Jay Roxe, director, ISM Solution and Product Marketing with Novell Inc. Novell's event management functionality can now monitor the network for events deemed to be potential threats and pass back alerts to the SAP GRC interface. Its identity management also works across an IT infrastructure and is integrated with SAP GRC.
"We can take roles and identities from SAP and map those onto roles and identities on other systems, which enables us to have a holistic view of that user's identity as they exist in different places," Roxe said.
This can be extremely important for combating risky practices such as users accumulating permissions as they change roles in an organization, Roxe said. Users who change roles may be granted new permissions for systems while their old permissions are never de-authorized. This can put companies at high risk of internal fraud if, say, a user is able to both open purchase orders and approve them.
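The review described above can be sketched as follows. This is an added example, not SAP or Novell code: it merges per-system accounts into one identity, then flags permissions left over from an earlier role and create/approve conflicts. Every system name, account, permission string, role and control ID in it is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (system, local account) -> enterprise identity.
IDENTITY_MAP = {
    ("sap_erp", "JDOE"): "jane.doe",
    ("procure_web", "jdoe01"): "jane.doe",
    ("sap_erp", "RLEE"): "raj.lee",
    ("sap_erp", "SKIM"): "sam.kim",
}
# Constructed entitlements: (system, account, permission, role that granted it).
ENTITLEMENTS = [
    ("sap_erp", "JDOE", "po.create", "buyer"),
    ("procure_web", "jdoe01", "po.approve", "purchasing_manager"),
    ("sap_erp", "RLEE", "po.create", "site_lead"),
    ("sap_erp", "RLEE", "po.approve", "site_lead"),
    ("sap_erp", "SKIM", "po.create", "buyer"),
    ("legacy_fin", "tmp_ops", "po.approve", "contractor"),
]
CURRENT_ROLE = {"jane.doe": "purchasing_manager", "raj.lee": "site_lead",
                "sam.kim": "buyer"}
# Permission pairs one person should not hold together.
SOD_RULES = [("po.create", "po.approve")]
# Documented mitigating controls, keyed by identity and conflicting pair.
MITIGATIONS = {("raj.lee", "po.create", "po.approve"): "CTRL-017"}


def review():
    """Return findings as (kind, subject, detail, note) tuples."""
    by_identity = defaultdict(list)
    findings = []
    for system, account, perm, granted_by in ENTITLEMENTS:
        identity = IDENTITY_MAP.get((system, account))
        if identity is None:
            # Account nobody owns: it cannot be checked against any role.
            findings.append(("ORPHAN", f"{system}/{account}", perm,
                             "no mapped identity"))
        else:
            by_identity[identity].append((system, perm, granted_by))
    for identity in sorted(by_identity):
        grants = by_identity[identity]
        for system, perm, granted_by in grants:
            # Granted under a role the user no longer holds.
            if granted_by != CURRENT_ROLE.get(identity):
                findings.append(("STALE", identity, f"{system}:{perm}",
                                 f"left over from {granted_by}"))
        held = {perm for _, perm, _ in grants}  # merged across all systems
        for a, b in SOD_RULES:
            if {a, b} <= held:
                control = MITIGATIONS.get((identity, a, b), "UNMITIGATED")
                findings.append(("SOD", identity, f"{a}+{b}", control))
    return findings


if __name__ == "__main__":
    for finding in review():
        print(finding)
```

The conflict for jane.doe spans two systems, so it only appears once the accounts are merged under one identity.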
Officially, the joint offering means that Novell's Compliance Management Platform extension for SAP environments, Novell Identity Manager and Novell Sentinel now have SAP-certified integration with the SAP BusinessObjects suite of GRC products. The real value, Sippy reiterated, is being able to set up GRC-related policies that are integrated, and therefore more enforceable, at a system level.
"If you don't have the links between the IT level and the business process level, you won't know when there's been a breach in internal policy," Sippy said. "We can help you not only set up your systems and processes to comply with your policies and regulations, but we can give you the assurance of having that monitoring occur, so that you have alert capabilities and you can actually potentially prevent something from happening."
It's not difficult to find examples of situations that probably could have been avoided by implementing better mechanisms for monitoring and enforcing GRC policies, Sippy said. Trading fraud at French investment bank Societe Generale was just one recent example of fraud that could potentially have been avoided or minimized with integrated GRC technology. And, while financial fraud tends to grab headlines, she said similar situations have happened in manufacturing and in other industries.
It's hard to put specifics on the "large number of joint customers" of SAP and Novell, she said, but 600 customers of Novell have downloaded extensions for the SAP environments. There are about 5,000 companies using SAP GRC solutions now, according to Sippy.
Here at SAP TechEd 2009, a number of sessions on GRC technology were well attended. Technology is a necessity for managing GRC efficiently, said Ronnie Duda, SAP security architect with Columbia, Md.-based W.R. Grace & Co., a specialty chemicals and materials manufacturer. While not familiar with the SAP-Novell offering, Duda is very familiar with the challenges of managing GRC technology programs, and she added that many of the challenges she encounters are with users.
"Even having GRC technology, it's still a challenge to get users to understand that they can't have this [system access] and this [system access]," Duda explained, "or if they have [both], they need to have a mitigating control. But is the mitigating control sufficient to offset the risk?"
On deck for Duda and W.R. Grace next year is upgrading to the SAP GRC access control suite from an "ancient" .NET-based version of SAP Virsa.