The GRC Ninja channel has released another episode focusing on emergency access and privileged management in ERP/IT systems. GRC SAP security experts Filip Nowak and Andrzej Partyka, based on their experience, defined the 5 most common mistakes made when configuring and managing emergency and privileged access to SAP.
Support for the system – it’s time for wise use of the GRC system.
After the implementation of a GRC-class system, the support period begins. During this time, we track how the implemented solution comes to life and is practically utilized by companies. Some do it exceptionally well, while others constantly grapple with new recommendations from financial auditors who, in examining financial reports, pay attention to weaknesses in the area of privileged access. What are these most common mistakes? What should you pay attention to when designing a solution? How to avoid them – you can learn about all of this in the latest episode on the GRC Ninja channel. In this Expert-level series, we discuss 5 errors in the area of emergency access management, broken down into details by our experts.
1. Excessive use of emergency access
Starting work in an ERP system (such as SAP), consultants have the option to use privileged accounts (Firefighter), which grant them special permissions to facilitate the execution of routine tasks. Unfortunately, they may not be aware of the consequences of excessive use of these emergency accounts, leading to a significant workload for controllers who analyze logs of operations performed in the system. The unintended result is often the neglect of session audits and the overlooking of access controls to the system. For this reason, it is important for emergency access to be applied only in specific situations for which it was originally intended, rather than being a widespread solution in daily work. Broad, emergency access (commonly known as privileged accounts or “Firefighter” accounts) is designed for use in urgent situations or situations requiring immediate intervention.
Here are a few examples of situations in which using such access may be appropriate:
System Outage: When a critical system or application failure occurs, and normal procedures do not allow for a quick response to repair or restore functionality, emergency access can provide quick access to tools or permissions necessary to fix the problem promptly.
Security Threat: In the event of detecting a serious security threat to the system, privileged access can be used for swift identification, blocking, or remediation of security breaches.
Urgent Intervention: When there is a sudden need for intervention in the system or application, and standard permissions are insufficient for necessary actions, broad emergency access can be used for effective intervention. This often arises during the go-live phase of a project or when a large batch of changes is uploaded to the ERP (SAP) system.
System Performance Issues: In the case of sudden drops in system performance, emergency access can facilitate quick actions for diagnosing and resolving the issue, contributing to the restoration of optimal system performance.
However, it is crucial to remember that the use of broad emergency access should be limited to genuine emergency situations. Excessive and unjustified utilization can lead to increased risks and threats to the system and data. It is essential to apply cautionary principles and adhere to procedures associated with such permissions, avoiding their excessive and uncontrolled use in daily operations.
Too frequent use of emergency accounts (such as privileged “Firefighter” accounts) can result in a range of negative effects and consequences that may impact the system’s functionality and data security. Here are some potential consequences of excessive use of these accounts:
Security Risk: Frequent logins to emergency accounts increase the risk of compromising system security. The more people use these accounts, the higher the likelihood that access credentials may be compromised or used in a manner inconsistent with security principles.
Lack of Activity Tracking: Excessive use of emergency accounts can lead to neglecting proper documentation and tracking of operations performed by users. This, in turn, can complicate audits, analysis, and activity tracking in the system, which is crucial in the case of security incidents or audits.
Violation of Compliance Rules: For systems subject to legal and organizational regulations (e.g., PCI DSS, GDPR), excessive use of emergency accounts may lead to violations of compliance requirements that mandate strict monitoring of access and user activities.
Increased Risk of Errors: Using emergency accounts without necessity in urgent cases can lead to operational errors or thoughtless actions, which, in turn, can cause serious issues in the system or application.
System Overhead: An excessive number of users working on privileged accounts can generate additional load on the system, potentially affecting its performance and stability.
Therefore, it is crucial to use emergency accounts only in situations for which they were originally intended—namely, for urgent, emergency tasks that cannot be performed using standard permissions. Regular training and awareness among employees regarding proper and controlled use of these accounts are key to ensuring the security and smooth operation of IT systems.
2. Lack of control over activities carried out on emergency accounts.
The second error is related to the situation described earlier, where there is a lack of control. This arises from the overwhelming volume of logs that controllers are unable to effectively review. Consequently, it becomes challenging to determine the changes made in the system using emergency accounts. The absence of control over activities on privileged accounts can lead to various negative consequences, including:
Increased Security Risks: The lack of monitoring activities on privileged accounts can lead to unauthorized access to critical resources or data. This, in turn, can result in their loss, theft, or manipulation, exposing the organization to the risk of cyberattacks or security breaches.
Difficulty in Incident Detection: Without tracking activities on such accounts, it becomes challenging to detect potential security incidents or unauthorized actions. This can lead to delayed responses to threats or even hinder their detection in a timely manner.
Non-compliance with Regulations: In some sectors and industries, there are legal requirements regarding the monitoring and reporting of user activities, including those using privileged accounts. The lack of proper control can lead to violations of laws and regulations.
Risk of Misuse of Privileges: Without monitoring activities on privileged accounts, there is a risk of misuse of these privileges by employees or third parties. This allows for actions that exceed the scope of permissions and may compromise the integrity of the system or data.
Difficulty in Audits and Incident Tracking: The absence of control over activities on privileged accounts complicates audits, incident analysis, and user activity tracking in the system. This, in turn, makes it challenging to reconstruct events or answer questions about actions taken in the past.
Therefore, proper monitoring and control of activities on privileged accounts are crucial to ensuring the security of systems, preventing security incidents, and maintaining compliance with industry regulations. Regular audits and user activity tracking are essential to minimize the risk of incidents and provide transparency and credibility in actions taken on these accounts.
3. Lack of knowledge of the Firefighter controller regarding the actions performed during a session.
The highest number of errors often stems from a lack of knowledge or unfamiliarity with a particular system. Even if the controller is well-versed in general security requirements, they may lack detailed knowledge of the specifics of a particular system, such as SAP, which has highly complex and intricate functional capabilities. As a result, during log reviews of actions performed on Firefighter accounts, the controller may overlook specific actions that could negatively impact the stability of the entire system. This leads to the ineffectiveness of controls, and harmful actions remain undetected. The lack of attention or failure to notice damaging actions affecting the system’s stability during controls can result in several adverse consequences:
System and Data Security: Ignoring certain actions that may impact stability can also open the door to security attacks or threats that could harm the integrity of the system or data.
Repair Costs: Unidentified errors or issues that go undetected during controls may lead to the need for later repairs, generating additional costs associated with system maintenance.
Loss of Trust and Reputation: Repeated problems resulting from ineffective control can erode users’ trust in the system or the entity responsible for its management. This can have a negative impact on the reputation of the company or organization.
4. Manual handling of the process due to the lack of a GRC-class tool.
The lack of implementation of an appropriate GRC-class tool often stems from a desire to cut costs or the belief that, given the current size of the company (a small number of users), the tool is not necessary. In the long run, and due to the increasing number of actions that must be performed manually (such as simple user blocking/unblocking, log retrieval, manual data analysis, ensuring that each session is checked, etc.), this leads to the accumulation of additional problems. Manual retrieval and logging after each session may prove to be an inefficient solution. The absence of a proper control tool due to a small number of users undermines the entire audit and log control process. The situation where there is no implemented control tool in a company or organization due to cost-saving efforts or the belief that it is unnecessary with a small number of users can result in several negative consequences:
Lack of Operational Efficiency: Manually performing operations that could be automated by the right tool can lead to time loss and increased administrative workload. This, in turn, can reduce the overall efficiency of the IT team or personnel responsible for system management.
Increased Risk of Human Error: Performing manual operations, such as user blocking/unblocking, may increase the risk of human errors, leading to incorrect actions or security breaches in the area of privileged access.
Audit and Compliance Issues: The absence of a tool for automating controls and logging can impact audit difficulties and maintaining compliance with regulations and legal-organizational requirements.
Lack of Scalability: As the company or organization grows, the failure to implement an appropriate tool may lead to difficulties in scaling processes, potentially causing problems in the future.
Loss of Data or Information: Manual management of data or logs after each session can lead to errors or information loss, resulting in incomplete or insufficient data for analysis in the area of emergency access.
Therefore, even though in the initial phases of a company it may seem that an automated control tool is unnecessary due to a small number of users, it is worth considering its implementation with future growth in mind, ensuring efficiency, security, and compliance. The consequence of underinvesting in appropriate tools may be the need to address issues later on and hinder the company’s development in the long run.
5. Overly broad access for FireFighter accounts
The situation occurs when a company initiates a process without having a previously defined and well-thought-out concept of roles and permissions. The creation of Firefighter accounts begins with establishing accounts with full access in the system. As a result, in situations where creating a Firefighter account with access to a specific module would be sufficient, the user ends up with complete permissions, allowing access to confidential data and exposing the company to unnecessary risks. This may involve an inexperienced consultant who unknowingly takes actions that affect the entire system. The situation where Firefighter accounts with full permissions are created instead of being limited to necessary modules or functionalities can lead to several negative consequences:
Risk of Errors and Accidental Actions: Excessive permissions for users who are not fully aware of the extent of these permissions can lead to accidental actions or errors. This, in turn, can cause system failures or data issues.
Increased Risk of Data Loss: Full permissions for users who should not have access to all data increase the risk of data loss or improper use.
Lack of Control and Audit: Excessively granted permissions can lead to a loss of control over user actions. It will be more challenging to track and audit who and how is using these broad permissions, making it difficult to identify potential threats or irregularities.
As a result, granting excessively broad permissions to users can lead to serious consequences for the security of the system, data, and the company’s performance. This poses a threat to both the organization itself and its customers or business partners. Therefore, it is crucial to grant permissions in accordance with the principle of least privilege, meaning granting only those permissions that are necessary to perform specific tasks, to minimize the risk of encountering the mentioned problems.
In the course of the discussion, Andrzej and Filip discuss solutions for specific situations. You can find the entire conversation in the video on the GRC Ninja YouTube channel.
While using the system, errors will inevitably arise. Understanding the described situations allows for conscious management and utilization of emergency and privileged access. This conversation focused on errors made in designing emergency access. The risks associated with excessive user permissions working on privileged accounts were also discussed, along with the lack of awareness or tools for control. Granting excessive permissions can lead to data security issues, audit problems, and expose the system to errors. The importance of the principle of least privilege, granting only those permissions necessary for tasks on emergency accounts, was emphasized. The implementation of appropriate tools for managing special – privileged permissions and monitoring these activities is crucial. Conscious use of tools automating processes and regular audits for tracking actions form the foundation for the secure and efficient operation of IT systems. Stability, compliance with regulations, and data protection are priorities that require a responsible approach to managing permissions and monitoring IT infrastructure, which is essential in an era of continuous technological changes and a dynamic business environment.