Enterprise Security Services – Risk & Compliance
This blog is part of a five-part series. I recommend starting here: Enterprise Security Services – Security for the Cloud Age
We are now in the third category, Risk and Compliance, and I am leaving my home turf – technology. Nevertheless, this is an important topic. As a developer or administrator, you should be aware of the functionality available in addition to the technology-driven security services. Large companies often have one problem in common: We tend to lose sight of the big picture and projects other teams are working on. This might cause us to miss integration or re-use opportunities.
SAP Cloud Identity Access Governance
Do you know SAP Access Control? It’s a solution for compliance challenges such as segregation of duties, access re-certification, or permission workflows. It would not be entirely correct to say that SAP Cloud Identity Access Governance is the cloud version of SAP Access Control, because it doesn’t offer quite the same functionality, but its roots lie there. SAP did not just use the existing capabilities and deployed them to the cloud. It was newly developed to meet changing business and technology requirements. Of course, the development team at SAP started with the core capabilities: access analysis, role design and access requests. Make sure you stay tuned for additional capabilities in the future.
I always try to sketch a picture. There are two main drivers: IT and business (like risk, compliance, and finance departments).
Historically, identity management was driven by IT. The requirements changed – there are more and more regulations, and security has become a strong factor. A risk/business view on the access to sensitive data is required in addition to the IT-driven capabilities.
IT departments often focused on a cost and technical perspective:
- TCO reduction
- Central user management
- Improve security measures
- Optimizing the team resources by automating repetitive tasks
On the other side there are the business requirements:
- Access governance
- Access analysis
- Risk mitigation
The technical realization of the requirements is based on the same objects in a system: Users and related permissions. User provisioning is the point where IT and business must align. That is why SAP Cloud Identity Services, Identity Provisioning is also part of SAP Identity and Access Governance. It is the technical foundation, so both parties do not obstruct each other.
Identity Provisioning is recommended if a simple user provisioning is required (standalone usage blog) and SAP Cloud Identity Access Governance if your organization requires enterprise/premium capabilities such as governance, risk and compliance.
Below you’ll see the similar picture but with a product-centric view and related on-premise solutions.
With SAP Access Control 12.0, SAP introduced the so-called access bridge, an interface that integrates SAP Access Control with SAP Cloud Identity Access Governance. It allows you to extend an existing process for provisioning access from SAP Access Control to the cloud. End users can request access to cloud applications in SAP Access Control, which forwards the required provisioning tasks to SAP Cloud Identity Access Governance. Compliance experts can analyze segregation of duties conflicts for on-premise and cloud applications within SAP Cloud Identity Access Governance.
SAP Cloud Platform Data Retention Manager
What does it take to delete personal data from a business application? The answer to these questions needs a lot of consideration. An attempt to answer them in turn brings us more questions, such as, can you hit the delete button directly? Are there any factors that stop you from doing that? What are these factors? What if I sell cosmetics and medicines, are these influencing factors the same for all the businesses my organization is involved in? Can someone ask me (an organization) to delete their data instantly?
Some amount of homework is needed to arrive at answers to these questions? This is something you would need to sort out with some help from legal and business experts. Considering that the business application in question is built on SAP Cloud Platform, the SAP Cloud Platform Data Retention Manager (DRM) can help solve you solve the deletion dilemma after the analysis/homework is done.
Residence time is the time until which your application uses the data actively. Retention time is the extended period (as suggested by those factors we mentioned) for which the data needs to be kept. Data Retention Manager allows you to set residence and retention times/rules for data in your application and based on these rules it then interacts with the business application to calculate dates for deletion. It then triggers events for your application to let it know that it’s time to delete the data. The application then simply honors this trigger and executes the deletion.
My colleague created another blog which explains this process in detail with an example.
SAP Customer Data Cloud
SAP Customer Data Cloud provides a wealth of functionality and benefits, but I will concentrate on the security perspective. SAP Customer Data Cloud is not part of the SAP technology stack, for good reasons. Often, it is driven by your sales or marketing department because it helps you win customers while protecting your business with a centralized, secure and compliant way to manage your customers’ profile, preferences and consents.
How does SAP Customer Data Cloud fit in with other SAP solutions like SAP Cloud Identity Services/SAP Cloud Identity Access Governance? That is a very common question and nothing in our world is only about organges and apples, but I want to provide you with a simple rule:
- SAP Customer Data Cloud: consumer/partner used cases
- Consumers prefer self-registration and various login options (for example password, password-less, social login)
- Delegated administration is often used for partners
- SAP Cloud Identity Services/SAP Cloud Identity Access Governance: employee use cases
- Identity sources are often HR, Microsoft Active Directory or ABAP systems
- Permissions and roles are complex
Now that we’ve established the difference, let’s focus solely on SAP Customer Data Cloud.
There are two main perspectives:
- Consumer – your customers, prospects, partners
- Enterprise – your company
I tried to sketch another picture which you can see below. Do you think the main expectation of a consumer is to prevent the usage of personal data? No, it isn’t. If I am using my favorite shopping store (maybe the one with a smiling face on all packages), I like the recommendations I get based on the shopping behavior of all customers, and I also like my personal recommendations. They help me select the right products. But I do want to keep control over my data! This means that I agree that the shopping store is using the personal data which I agreed to, so they can provide a great user experience.
Companies want to continue to innovate. Customer experience is one important success block – and there it is again: Companies need personal data to provide a superior user experience. The Enterprise Consent and Preference Management of SAP Customer Data Cloud is the core building block for innovation, but in a compliant manner.
Companies need a central and secure vault to store all related information to:
- Be audit ready
- Automate GDPR requirements
- Provide a unique customer experience across all different landing pages
- Provide versioning of consent records
- Synchronize data to customer relationship management systems
We learned that consumers want to control their personal data – what about enterprises? They need full control over where and how the data is used. We all know that trust is the ultimate currency in business. If personal data is compromised, it might ruin your reputation.
Let us take now a 1000 feet perspective on the topic
You can use SAP Customer Data Cloud if you want to help your company and associated brand to:
- Connect with your users by transforming unknown users into known users, providing registration, authentication and risk-based authentication capabilities, reducing the number of passwords customers have for brands, and reusing an account across different channels
- Secure the first party profile that is collected from the user in different engagement points in a cloud-native application and synchronize this data with downstream applications to improve personalization of experiences
- Build trusted customer relationships by providing transparent consent collection which understands who, when and what is being asked
- Provide control to manage end users’ consent and preferences for a brand in a central place; orchestrate end users’ choices and changes to up- and downstream applications in order to maintain compliance
As a developer, you should be aware of SAP Customer Data Cloud. If you are developing a customer-facing solution on SAP Business Technology Platform, you should think about integrating with your existing SAP Customer Data Cloud instance. And if you are a consultant or architect? Despite all regulations, it is still possible to manage customer profiles in a compliant way and to use this data to drive innovations and user experience within your company. The important thing is that you gain control over the customer data, that you are ready for audits, and that you can meet consumer expectations on how you handle their data.