Takeda, Japan’s largest pharmaceuticals company, manages its business processes in a global, heterogeneous IT landscape. From SAP ERP to SAP Cloud applications, employees work at a variety of levels, depending on their involvement in processes, and therefore need access to a number of systems. As a result, the company has to constantly review conflicting authorizations to meet strict compliance requirements, such as segregation of duties (SoD). Most standard software solutions on the market only monitor SoD conflicts and risks in a single system, however, which led the company to search for an end-to-end solution.
Takeda uses the SAP Cloud platform “Ariba” to optimize its procurement processes, but this solution does not cover all process steps. Master data maintenance, such as creating new vendors, is still performed by central purchasing in an SAP ERP system. Therefore, continuous, cross-system audits of authorizations, including SoD analysis, are absolutely essential.
The challenge: reviewing critical authorizations, and monitoring and reducing SoD conflicts.
Since the order process in SAP Ariba is distributed across a variety of systems in which users work with different accounts, monitoring SoD risks proved to be a special challenge for Takeda.
After all, a textbook SoD risk arises when an employee from purchasing can approve purchase orders in the SAP Ariba cloud platform and is also authorized to maintain vendor master data in the SAP system – whether SAP ERP or SAP S/4HANA.
The technical term for an SoD risk that is spread across different systems is “cross-SoD”. Most standard software solutions on the market only monitor SoD risks in a single system, however. When it comes to monitoring cross-SoD risks in different systems, these systems normally all have to be based on the same technology; otherwise, analysis is impossible from a technical perspective. What’s more, the user IDs of the individuals have to be identical in the different systems, because the defined processes for identifying SoD risks would otherwise not be able to match them. As a result, different accounts owned by the same natural person across different systems cannot be consolidated into one identity, which is a prerequisite for identifying cross-SoD risks.
The graphic below shows an example of the different user IDs a person can have at a company that operates different systems:
Analysis of SoD risks in a heterogeneous system landscape with a Cross-SoD matrix.
Together with Takeda, we developed a cross-SoD matrix with audit content for ERP and S/4HANA systems in combination with Ariba. It makes it possible to identify cross-SoD risks in a heterogeneous system landscape. We then integrated this solution in our SAST SUITE.
In a first step, all heterogeneous systems are technically connected to the central instance. Next, the defined identities are analyzed, read, transferred to a central identity store, and evaluated with an intelligent check algorithm, which identifies the different user IDs for an individual and assigns them to a central identity. For SAP Cloud applications like the Ariba platform, the IDs are synchronized as needed or once per day in the background, using the SAP Cloud Connector.
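The two steps described above (consolidating the accounts of one natural person into a central identity, then applying a cross-SoD matrix to that identity rather than to each account) can be illustrated with a small script. The following is an added example written for this page; it is not SAST SUITE code and does not use any SAP API. The account records, correlation attributes (e-mail address, personnel number), action codes such as `PO_APPROVE` and `VENDOR_MAINTAIN`, and the rule `CR-01` are all constructed for the example. Accounts are linked transitively over shared attributes (union-find), so an ERP account that carries only a personnel number is still linked to an Ariba account that carries only an e-mail address when a third account carries both. The same matrix applied per account, which is what a single-system tool sees, reports nothing.

```python
"""Cross-SoD analysis over consolidated identities (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str          # source system, e.g. "ARIBA", "ERP", "S4HANA" (constructed labels)
    user_id: str         # the account name as it exists in that system
    email: str           # correlation attribute, may be empty
    pernr: str           # personnel number, correlation attribute, may be empty
    actions: frozenset   # placeholder action codes held in that system (not SAP auth objects)


# Constructed sample export: one natural person (J. Doe) has three accounts whose
# attributes only overlap pairwise; A. Smith has two accounts and no conflict.
ACCOUNTS = [
    Account("ARIBA", "jdoe@example.com", "jdoe@example.com", "", frozenset({"PO_APPROVE"})),
    Account("ERP", "DOEJ", "", "10042", frozenset({"VENDOR_MAINTAIN", "PO_DISPLAY"})),
    Account("S4HANA", "JDOE01", "jdoe@example.com", "10042", frozenset({"PO_DISPLAY"})),
    Account("ARIBA", "asmith@example.com", "asmith@example.com", "10077", frozenset({"PO_APPROVE"})),
    Account("ERP", "SMITHA", "asmith@example.com", "10077", frozenset({"PO_DISPLAY"})),
]

# Constructed cross-SoD matrix: (rule id, description, side A, side B). A finding is
# raised when one identity holds at least one (system, action) from each side.
CROSS_SOD_MATRIX = [
    ("CR-01",
     "Approve purchase orders in Ariba and maintain vendor master data in ERP/S4HANA",
     {("ARIBA", "PO_APPROVE")},
     {("ERP", "VENDOR_MAINTAIN"), ("S4HANA", "VENDOR_MAINTAIN")}),
]


def build_identities(accounts):
    """Group accounts into central identities by linking any two accounts that share
    a non-empty correlation attribute (transitively, via union-find)."""
    parent = list(range(len(accounts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for idx, acc in enumerate(accounts):
        for key in (("email", acc.email.strip().lower()), ("pernr", acc.pernr.strip())):
            if not key[1]:
                continue                    # empty attribute must never link accounts
            if key in first_seen:
                union(first_seen[key], idx)
            else:
                first_seen[key] = idx

    groups = defaultdict(list)
    for idx, acc in enumerate(accounts):
        groups[find(idx)].append(acc)
    return {f"ID-{n:03d}": accs for n, accs in enumerate(groups.values(), start=1)}


def per_account_identities(accounts):
    """Single-system view: every account is its own 'identity' (no consolidation)."""
    return {f"ACC-{n:03d}": [acc] for n, acc in enumerate(accounts, start=1)}


def find_cross_sod_conflicts(identities, matrix):
    """Apply the matrix to each identity's combined entitlements across all systems."""
    findings = []
    for ident, accounts in identities.items():
        held = {(a.system, act): a.user_id for a in accounts for act in a.actions}
        for rule_id, description, side_a, side_b in matrix:
            hits_a = sorted((s, act, held[(s, act)]) for (s, act) in side_a if (s, act) in held)
            hits_b = sorted((s, act, held[(s, act)]) for (s, act) in side_b if (s, act) in held)
            if hits_a and hits_b:
                findings.append({"identity": ident, "rule": rule_id,
                                 "description": description,
                                 "side_a": hits_a, "side_b": hits_b})
    return findings


if __name__ == "__main__":
    identities = build_identities(ACCOUNTS)
    for ident, accs in identities.items():
        print(ident, [f"{a.system}:{a.user_id}" for a in accs])
    print("single-system findings:",
          len(find_cross_sod_conflicts(per_account_identities(ACCOUNTS), CROSS_SOD_MATRIX)))
    for f in find_cross_sod_conflicts(identities, CROSS_SOD_MATRIX):
        print("cross-SoD finding:", f["identity"], f["rule"], f["side_a"], f["side_b"])
```

In a real landscape the account export per system and the correlation attributes would come from the connected systems and an HR feed; the point of the example is that the matrix must be evaluated against the consolidated identity, since each account on its own satisfies only one side of the rule.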
The SAST SUITE helps to identify and minimize risks, while satisfying all legal requirements.
Our SAST SUITE can be integrated with any applications in an IT landscape through interfaces and analyze them for SoD violations, as well as critical authorizations. Furthermore, vulnerabilities are identified automatically and SAST SUITE offers recommendations and solutions for remedying them.
This enabled Takeda to enhance its security reporting, identify risks and conflicts between roles (SoD and otherwise), and then minimize them. All systems are continuously checked and monitored for vulnerabilities, and any attempts at manipulation are stopped in their tracks.
Steffen Maltig (Head of SAP Consulting, SAST SOLUTIONS)
Takeda Pharmaceutical Company Ltd. is a global pharmaceuticals company headquartered in Tokyo, Japan, with a history of more than 200 years of success. The largest pharmaceuticals company in Japan, the Takeda Group employs around 30,000 people worldwide at more than 300 subsidiaries and holding companies. Takeda generated revenue of some $30 billion in 2019.