Oracle Cloud Security with Access Reviews and Certifications

By Robert Garofallou posted 04-12-2022 09:18 AM

In the fast pace of business, most employees struggle just to keep the business moving forward. Handling the day-to-day operations fills their day, and, as the business grows and changes, it is easy to lose track of the details that help secure the business.

One of the aspects of security that is often overlooked is maintaining user access security. Individuals with access to sensitive company data or who can perform critical financial functions should be monitored periodically to ensure they are restricted to the minimum access required to perform their jobs.

Oracle ERP Cloud provides a security architecture, including Privileges, Duty and Job Roles, Data Access Policies, and User Provisioning Rules. This architecture makes it possible for administrators to assign privileges so that users can access only the specific areas of the application they require to complete their duties and no more.

But even if users were granted the appropriate access when they were provisioned, things can change rapidly. Employees leave, change job roles, and are promoted. New people are hired. Business processes change. These changes can all lead to confusion as to who has access to the critical areas of the company’s resources.

Employees with inappropriate access can do intentional or, more often, unintentional damage to the company’s financial and competitive position. Examples include:

  • Erroneous entries made by unauthorized personnel
  • Inappropriate visibility of sensitive company information
  • Fraudulent manipulation of financial information
  • Theft of assets, including intentional diversion of funds and theft of intellectual property
  • Regulatory and compliance violations

One way to safeguard the company is to perform regularly scheduled access certifications, where managers and business process owners review and certify who has access to the system, their level of access, and whether they should still be allowed the access they have been granted. These reviews focus on areas of risk related to Segregation of Duties (SOD) and Sensitive Access (SA). SOD conflicts arise when an employee can perform multiple steps of a financial process without oversight, such as creating a vendor, entering an invoice from that vendor, and then paying the vendor, leading to fraud. SA conflicts arise when an individual has inappropriate access to data, such as accessing payroll information or changing system configurations without proper authorization.

Public companies are bound by Sarbanes-Oxley (SOX) and other laws and regulations to routinely certify that users are allowed to keep their access to business-critical applications. However, all companies should be aware of user access risks and take steps to remove or mitigate these risks.

Risks of Seeded User Roles

Oracle ERP Cloud comes with pre-defined (or “seeded”) roles that are intended to be a starting point for assigning access privileges. Unfortunately, these roles come with inherent SOD conflicts that can lead to errors and fraud risk. Also, keep in mind that a seeded role’s name does not necessarily reflect the privileges the role actually grants.

Oracle strongly recommends that seeded roles in Oracle ERP Cloud should be modified to align with the organization’s requirements and risk tolerance. When customizing these roles, the security team should limit any duplication of key functions across multiple job roles.

Risk Across Multiple Business Applications

User access risk can also span multiple applications with the introduction of other business applications into the business environment. For example, a user with access to both the CRM application and Oracle ERP Cloud could enter a new client in CRM and then pay that client through Oracle ERP Cloud.
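The SOD and Sensitive Access checks described in the two passages above (the create-vendor / enter-invoice / pay-vendor chain, the payroll and configuration access cases, and the CRM-plus-ERP cross-application case) come down to evaluating a ruleset against each user's effective privileges. The following is an added example written for this post, not Fastpath or Oracle code; the application names, role names, privilege identifiers, users and rules are constructed sample data, and a real ruleset would map to actual Oracle ERP Cloud privileges.

```python
"""Rule-based SOD / Sensitive Access analysis over user role assignments.

Added example for this post (not Fastpath or Oracle code). All applications,
roles, privileges, users and rules below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed: (application, role) -> privileges that role grants. Privileges
# are prefixed with their application so one rule can span systems.
ROLE_PRIVILEGES: Dict[Tuple[str, str], Set[str]] = {
    ("ERP", "AP_Specialist"): {"ERP:create_supplier", "ERP:enter_invoice"},
    ("ERP", "AP_Manager"):    {"ERP:pay_supplier"},
    ("ERP", "Payroll_Admin"): {"ERP:view_payroll"},
    ("ERP", "Sys_Admin"):     {"ERP:change_config"},
    ("CRM", "Sales_Rep"):     {"CRM:create_customer"},
}

# Constructed: user -> assigned (application, role) pairs.
USER_ROLES: Dict[str, List[Tuple[str, str]]] = {
    "alice": [("ERP", "AP_Specialist")],
    "bob":   [("ERP", "AP_Specialist"), ("ERP", "AP_Manager")],
    "carol": [("CRM", "Sales_Rep"), ("ERP", "AP_Manager")],
    "dave":  [("ERP", "Payroll_Admin"), ("ERP", "Sys_Admin")],
}


@dataclass(frozen=True)
class SodRule:
    """A user who holds every privilege in `conflicting` violates the rule."""
    name: str
    conflicting: FrozenSet[str]


@dataclass(frozen=True)
class SaRule:
    """A sensitive privilege; any holder not in `authorized` is flagged."""
    name: str
    privilege: str
    authorized: FrozenSet[str]


SOD_RULES = [
    SodRule("Create supplier + enter invoice + pay supplier",
            frozenset({"ERP:create_supplier", "ERP:enter_invoice", "ERP:pay_supplier"})),
    SodRule("Create customer (CRM) + pay through ERP",
            frozenset({"CRM:create_customer", "ERP:pay_supplier"})),
]

SA_RULES = [
    SaRule("Payroll visibility", "ERP:view_payroll", frozenset({"dave"})),
    SaRule("System configuration change", "ERP:change_config", frozenset()),
]


def effective_privileges(user: str, user_roles=USER_ROLES,
                         role_privs=ROLE_PRIVILEGES) -> Set[str]:
    """Union of privileges over every role the user holds in every application."""
    privs: Set[str] = set()
    for app_role in user_roles.get(user, []):
        privs |= role_privs.get(app_role, set())
    return privs


def sod_findings(user_roles=USER_ROLES, role_privs=ROLE_PRIVILEGES,
                 rules=SOD_RULES) -> List[Tuple[str, str]]:
    """(user, rule name) for each user holding a complete conflicting set."""
    findings = []
    for user in sorted(user_roles):
        held = effective_privileges(user, user_roles, role_privs)
        for rule in rules:
            if rule.conflicting <= held:
                findings.append((user, rule.name))
    return findings


def sa_findings(user_roles=USER_ROLES, role_privs=ROLE_PRIVILEGES,
                rules=SA_RULES) -> List[Tuple[str, str]]:
    """(user, rule name) for each unauthorized holder of a sensitive privilege."""
    findings = []
    for user in sorted(user_roles):
        held = effective_privileges(user, user_roles, role_privs)
        for rule in rules:
            if rule.privilege in held and user not in rule.authorized:
                findings.append((user, rule.name))
    return findings


def certification_worklist(user_roles=USER_ROLES,
                           role_privs=ROLE_PRIVILEGES) -> Dict[str, dict]:
    """Per-user package a reviewer certifies: roles, privileges, open findings."""
    flagged = sod_findings(user_roles, role_privs) + sa_findings(user_roles, role_privs)
    return {
        user: {
            "roles": [f"{app}/{role}" for app, role in roles],
            "privileges": sorted(effective_privileges(user, user_roles, role_privs)),
            "findings": [name for who, name in flagged if who == user],
        }
        for user, roles in user_roles.items()
    }


if __name__ == "__main__":
    for user, entry in certification_worklist().items():
        status = "REVIEW" if entry["findings"] else "ok"
        print(f"{user:6} {status:6} {entry['roles']} -> {entry['findings']}")
```

With the constructed data, `bob` trips the procure-to-pay rule because his two ERP roles together cover the whole chain, `carol` trips the cross-application rule through one CRM role and one ERP role, and `dave` is flagged for configuration access but not for payroll access, which he is explicitly authorized to hold. The worklist groups each user's roles, effective privileges and open findings so that a reviewer certifies what the user can actually do, not just the role names they were assigned.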

Periodic Access Certifications

Access certifications require that managers and business process owners review the access of the individuals in their department to the business applications used by the company. Once the user access reviews are completed, the managers and business process owners then certify the access, showing that the users are indeed authorized to have the access they have been granted. These access certifications are critical documents to show internal and external auditors that the company is managing user risk.

Most access risk management systems will include automated tools to conduct regular access certifications that send a list of users and their access to the appropriate business process owners and track the responses in an auditable report.

Auditors and regulators look closely at how companies of all sizes address internal security and access risk management. Management, internal auditors, IT, and business process owners must work together to develop a robust security architecture for their critical business applications and ensure they have complete visibility of the user access and Segregation of Duties risks to those applications.

How Fastpath Can Help

Fastpath specializes in security, audit, and compliance, providing solutions for reviewing access, segregation of duties, user provisioning, and emergency access. Fastpath Assure is a suite of access security tools to help maintain visibility of user access risk and manage or mitigate SOD or SA risks.

The Fastpath Assure Access Risk Monitor (ARM) performs granular SOD and SA risk analysis within Oracle ERP Cloud. Fastpath ARM includes a customizable ruleset that lets business process owners identify, review, approve, and mitigate access risks across multiple systems simultaneously from a single dashboard. Fastpath includes connectors for many other common business systems, such as SAP, Oracle EBS, Microsoft Dynamics, Salesforce, Oracle NetSuite, and others – each with its system-specific ruleset.

The Fastpath Assure Access Certifications module allows companies to schedule periodic reviews and signoff for different types of access: Business Process, Conflict, Critical Access, Product, and Role Assignment access. Fastpath Access Certifications help ensure that users are only provided the access privileges required to perform their job functions. For each review type, users can set up reviews by the accessible objects or by the reviewers.

The Access Certification module gives process owners greater visibility and control over who has access to their systems and the type of access. Once reviewers complete the certification, the Audit or Security team is notified, reports are generated for internal and external auditors, and access rejections are sent to the provisioning team so they can take immediate action.

Find out how to build a robust security architecture for Oracle Cloud. Download Oracle Security in the Cloud and receive a step-by-step guide to building a solid security architecture during Oracle Cloud implementation and redesign projects.