Deloitte & Touche LLP's Enterprise Risk Services (ERS) practice was the first major integrator to establish a national service focused on designing and implementing innovative and efficiency-focused security and control environments in SAP-enabled businesses. The addition of our powerful identity management service, i-MAAP™, has allowed us to combine our leading SAP business process, security and control, and project management skills with the in-depth vendor software knowledge required to deliver comprehensive and sustainable identity management solutions to SAP-enabled businesses.
The SAP Equation
Deloitte & Touche LLP's experience in SAP and identity management implementations is based on a methodology that is flexible and component-based to meet the specific needs of clients. We understand that success must be measured in the short term while also achieving our clients' strategic objectives. The business needs of our clients, therefore, drive the implementation approach and time frame, resulting in increased user satisfaction and productivity, reduced costs and improved security.
SAP advocates an integrated e-business platform that can seamlessly connect your entire enterprise, including suppliers, partners and customers. The need for this increased reach and accessibility to information, however, comes with increased risk exposure from both internal and external sources. The challenge in managing these risks is to develop a strategy to effectively and efficiently manage the proliferation of user identities (IDs) resident within the applications and systems being accessed, while creating a common authentication and authorization security framework for the future.
An i-MAAP Framework
Deloitte & Touche's i-MAAP services provide a framework for this strategy and can provide an integration point for the management of today's disparate user IDs and a model for the identity-based security architecture required in the future. To support our SAP clients' identity management initiatives, we have developed an implementation approach that addresses the steps necessary to transform a company into an identity-centric framework.
The role that SAP can play in this framework is as the authorized origination point for populating and maintaining identities. This is accomplished by establishing an identity model that is developed through an analysis of the SAP environment to select business attributes that can be leveraged to define who the user is, the relationship they have with the company, and the business purpose that dictates their need for access to the company's resources. Supporting SAP transactions are then identified that create and maintain user attributes within SAP. These transactions are then enabled to publish changes in the attribute values of an external identity repository.
The measurable benefits of using SAP as your authoritative source are: reduced administration costs, increased processing efficiency and a more sustainable solution. The contents of the SAP-enabled identity repository can then be leveraged across your enterprise in the form of user provisioning and access management solutions.
More Benefits and a Complementary Program
The position-based attributes designed within your SAP environment can be leveraged as a basis for an enterprise role architecture to facilitate the policy definition component necessary in provisioning and access management solutions. Additional benefits of the usage of the identity repository include increased timeliness of user maintenance, improved quality of authentication, increased consistency in assignment of access rights, improved ability to integrate strong authentication and reduced policy development time.
Deloitte & Touche's global vendor alliance program, which complements our i-MAAP services, allows us to deliver the best-of-breed vendor software and hardware solutions that support our identity framework. The combination of vendor offerings from organizations such as IBM/Tivoli allows Deloitte & Touche to offer unique value-added solutions to our clients.
We believe that the combination of IBM/Tivoli's leadership position in the directory, provisioning and access management areas helps create a solid foundation for our identity framework.
The Solution Set: Tivoli Identity Manager™
Tivoli Identity Manager (TIM) provides automation in the request, approval, creation and management of SAP user accounts, through a Web browser.* TIM routes the requests through a workflow approval process, which can be configured to require certain approvals (employee's manager, contractor's sponsor, SAP Data Owner, etc.) and/or can be configured to request additional information from others (allow SAP Administrator to provide Authorization Profile).
TIM sends an email notification to the individuals identified as participants in the workflow process, and can be configured to send follow-up emails if they do not respond in a timely fashion, and/or to escalate the request to others in the organization. Once all the appropriate approvals are received, TIM executes the administrative processes in SAP to effect the account creation or access change.
To increase the efficiency and data integrity, user information can be loaded from validated information in the Human Resources (HR) system to obtain current personnel information, such as a person's name, status, location, job title, position, etc. Using this automated feed also allows user accounts to be automatically revoked when a person is terminated in the HR System.
Versatility with TIM
TIM can be configured to enforce corporate standards for the naming convention of new user accounts (e.g., first initial of first name plus last name), and to enforce corporate security standards for password rules (e.g., 6-8 characters, must include both alpha and numeric, not the same as user ID, etc.). TIM can also reconcile all existing SAP accounts with the known users from HR and flag accounts that do not match known users to help identify active accounts for unknown/terminated users. End users can access TIM using a Web browser to change their SAP password, synchronize their SAP password with any other systems that TIM is managing, or to reset their own password if they have forgotten it.
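The three controls described above (the account naming convention, the password rules and the reconciliation of SAP accounts against the HR feed, which also covers the automatic revocation of terminated users mentioned earlier) can be illustrated with a small script. This is an added example and not Deloitte's or Tivoli's code: the HR feed and SAP account records are constructed sample data in an assumed dictionary layout, and the rules are taken literally from the examples in the text (first initial plus last name; 6-8 characters with both a letter and a digit, not equal to the user ID).

```python
import re

# Constructed sample HR feed (not from the page): one record per person.
HR_FEED = [
    {"person_id": "1001", "first": "Alice", "last": "Nguyen", "status": "active"},
    {"person_id": "1002", "first": "Bob", "last": "Okafor", "status": "active"},
    {"person_id": "1003", "first": "Carla", "last": "Diaz", "status": "terminated"},
]

# Constructed sample list of SAP user accounts (not from the page). person_id is
# the link back to HR; None models an account created outside the HR-driven process.
SAP_ACCOUNTS = [
    {"user_id": "ANGUYEN", "person_id": "1001"},
    {"user_id": "BOKAFOR", "person_id": "1002"},
    {"user_id": "BOB_OKAFOR", "person_id": "1002"},  # second account, off-convention name
    {"user_id": "CDIAZ", "person_id": "1003"},       # owner terminated in HR
    {"user_id": "TEMP01", "person_id": None},        # no HR owner at all
]


def derive_user_id(first, last):
    """Naming convention from the text: first initial plus last name.
    Upper-cased with non-letters dropped so 'O'Brien' becomes 'OBRIEN'."""
    return re.sub(r"[^A-Z]", "", (first[:1] + last).upper())


def check_password(password, user_id):
    """Return the list of violated rules (empty list means the password is acceptable).
    Rules are the text's example policy: 6-8 characters, alpha and numeric, not the user ID."""
    problems = []
    if not 6 <= len(password) <= 8:
        problems.append("length must be 6-8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("must contain a letter")
    if not re.search(r"[0-9]", password):
        problems.append("must contain a digit")
    if password.lower() == user_id.lower():
        problems.append("must not equal the user ID")
    return problems


def reconcile(hr_feed, sap_accounts):
    """Flag SAP accounts that have no HR record (unknown user) or whose HR record is
    terminated (account should be revoked). Returns (user_id, finding) pairs."""
    known = {p["person_id"] for p in hr_feed}
    active = {p["person_id"] for p in hr_feed if p["status"] == "active"}
    findings = []
    for acct in sap_accounts:
        pid = acct["person_id"]
        if pid is None or pid not in known:
            findings.append((acct["user_id"], "unknown: no HR record"))
        elif pid not in active:
            findings.append((acct["user_id"], "terminated in HR: revoke"))
    return findings


def naming_violations(hr_feed, sap_accounts):
    """Return user IDs that have an HR owner but do not follow the naming convention."""
    people = {p["person_id"]: p for p in hr_feed}
    bad = []
    for acct in sap_accounts:
        owner = people.get(acct["person_id"])
        if owner and acct["user_id"] != derive_user_id(owner["first"], owner["last"]):
            bad.append(acct["user_id"])
    return bad


if __name__ == "__main__":
    for user_id, finding in reconcile(HR_FEED, SAP_ACCOUNTS):
        print(f"{user_id}: {finding}")
    for user_id in naming_violations(HR_FEED, SAP_ACCOUNTS):
        print(f"{user_id}: does not match naming convention")
    print("password check:", check_password("anguyen", "ANGUYEN"))
```

Run against the sample data, the reconciliation reports CDIAZ as terminated and TEMP01 as unknown, and the naming check reports BOB_OKAFOR; the terminated case is exactly what an HR-driven feed would revoke automatically, while the unknown case is the one that needs a human to decide who owns the account.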
In the case of a forgotten password, TIM can prompt the user to answer challenge/response questions to establish identity before changing the password. The TIM solution consists of a Web Server that communicates to the TIM server over HTTP/HTTPS.
The TIM Server communicates with the Directory Server for identity and organizational information using LDAP/SSL, and with the Database Server for logging audit trail and workflow information using JDBC. The communication between the TIM Server and the SAP Agent is secured using SSL. The SAP Agent resides remotely from SAP and communicates using SAP BAPIs and a user account with Administrator privileges in SAP.
*The current agent works with the following SAP versions: 4.6B, 4.6L, 4.6D, 6.1 or 6.2. Also Basis Support Packs up to 14 must exist and OSS notes 323395 and 323656 must have been applied.
The Deloitte & Touche Advantage
Technological innovation, globalization, complex regulation, and increased accountability at the senior management and board level have all combined to significantly change the landscape of risk management today. To help address these issues, the security professionals of Deloitte & Touche deliver services to address the various elements of security and trust associated with communicating, transacting and accessing in this environment. With the support of our global firm, our professionals are able to address the increasing complexity of the network economy, through an integrated approach to security that is applied at all levels: infrastructure, application and strategy. With these resources, a Deloitte & Touche i-MAAP™ solution can help you achieve today's business objectives and gain even greater rewards in the future.