Accenture has delivered stable, compliant security operations while keeping pace with the growth and change demanded by a global services company. These operations have been accomplished using three different identity platforms, each paired with various versions of SAP Governance, Risk and Compliance (GRC).
Four key factors have contributed to the solution’s long-running success:
Govern with process-centered, cross-organizational perspective and analytics
Strong security role governance, led by Accenture’s Business Integration Security service line, is delivered by cross-functional collaboration between the internal IT organization and business function leadership.
Business Integration Security is responsible for governance, compliance and role provisioning for Accenture’s core global business applications. Working seamlessly across the SAP IDM, SAP GRC, and other IT areas, the team manages consistent but flexible access models designed to fit the needs of each internal business function, including Finance, Human Resources, Business Reporting, Forecasting and Sales. This overall approach allows Accenture to run global applications with the right balance of business function flexibility and control to protect the principle of least privilege.
Governance and operations decisions made by the Business Integration Security team are driven by data analytics, which are used to help minimize the impact of system upgrades on user access and to optimize user profiles and license usage, resulting in significant service efficiencies and cost savings. Further, Business Integration Security and internal IT collaborate with various assurance teams such as Internal Controls, Internal Audit, external audit and Accenture’s Information Security organization to confirm Accenture is compliant in areas such as Sarbanes-Oxley, ISO 27001, data privacy and Accenture’s corporate insider trading policies.
Integrate GRC capabilities
GRC tools are crucial for consistent and repeatable control of complex application environments. Accenture moved from a manual solution to partial SAP GRC integration and then to a full integration of SAP GRC 10.1 with the business reporting module, segregation of duties (SoD) simulation capability, and real-time SoD check for temporary role requests.
With the release of SAP GRC 10.1, the Business Integration Security team expanded its monitoring capability by deploying two modules, SAP Access Risk Analysis and SAP Emergency Access Management. These modules enable the team to anticipate and control potential SoD conflicts and to monitor the use of production support IDs with the elevated privileges needed for rapid support of production issues and software releases.
The maturing of SAP IDM for requests and provisioning enabled the Business Integration Security team to integrate with the GRC system and deliver online scan results embedded in the approver workflow. This solution presents simulation results to the business approver at the time they are reviewing single-privilege requests, which has limited the number of requests with SoD conflicts that are approved.
Automate role authorization
A comprehensive security model was needed to protect Accenture’s global applications, including the global SAP system, against fraud or material misstatement of financials, as well as to protect data privacy (including EU General Data Protection Regulation [GDPR] compliance). The solution was to use organizational and geography-specific authorizations, based on the data context selected by the user, to limit access to only the data they need to transact on or view. By governing from a single source of authorization truth using SAP IDM, Accenture grants access consistently across its Finance, HR, Business Reporting, Forecasting and Sales systems.
Accenture is using the SAP IDM application as the engine for Accenture’s IDM solution. On top of the SAP IDM platform, Accenture’s internal IT organization built a custom .NET user interface to enhance and simplify the user experience. The improved visibility of SAP IDM allowed the teams to clean up and recalculate user data and locate security master data issues previously unseen in the legacy system. The resulting business benefit was accurate reconciliation between the IDM data and the target SAP systems.
This solution is used to provision access to more than 20 global applications, including custom applications and third-party, cloud-based systems. The IDM solution automates more than 99 percent of the SAP-related privileges in a standard month and more than 94 percent of entitlements across all applications in scope.
Host in the public cloud
The Accenture business and IT security teams provide more than 230 security services to their internal customers, covering the SAP system, custom and third-party applications and cloud-based solutions such as Salesforce. The architecture, now in the public cloud, has demonstrated clear benefits in scalability, agility and performance. The combination of the cloud performance and an IDM upgrade to 8.0 has improved front-end UI response times by over 90 percent. The migration to the cloud was accomplished in stages, over several weekends, seamlessly coordinated by Accenture’s own cloud transition teams.
Additionally, master data, request history and user profile information are captured in the cloud and available to the Business Integration Security team to use for controls or initiative assistance. Dashboards, status and control reports are compiled and shared using Microsoft Teams and PowerBI. This flexible and collaborative approach keeps costs low and enables the teams to support five times the number of applications and a greater user request volume compared to more than a decade ago.