GRC tools, IT vulnerability analysis, authorization management, SIEM management – these are four of the top five topics cited by IT decision-makers when asked which current and future technologies are of vital importance to them. *
This means that the new release of GRC Suite SAST from AKQUINET couldn’t have arrived at a better time to offer answers on some of the subjects that are on the minds of these managers right now. In this interview, Lars Henning (product manager for the SAST SUITE) presents the highlights of the latest version, along with some helpful tips.
Mr. Henning, what do you think are the most interesting innovations in the latest release of the SAST SUITE?
Lars Henning: I’d break them up into two separate categories. On the one hand, we’ve added an array of optimized functions and improvements in maintenance that will mainly be of interest to those who are already actively using our suite. On the other, there are numerous new features that could certainly draw the attention of people who aren’t SAST SUITE users yet.
Then let’s start with the all-new functions. What surprises does SAST SUITE 5.0 have in store there?
Lars Henning: In my opinion, there are four innovations that are definitely worth highlighting. First, there’s the new SAST SUITE user interface: The optional starting screen and process-oriented menu navigation help you access functions faster, and you’ve got an overview of all the information you need, along with key figures that provide constant status updates on all the relevant areas. For me, the way the suite enables administrators, controllers, and auditors to get started based on use cases is a particularly nice new feature that gives users a lot more transparency, more direct access to the functions they need, and a constant view of the exact information relevant to them at any given moment.
The second innovation I’d point out would surely be our SAST Safe Go-Live Management module. This gives our GRC Suite a total of 13 individual modules that our customers can assemble in a way that meets their precise requirements to the letter. SAST Safe Go-Live Management will be of particular interest to those planning a new authorization concept or redesign. In scenarios like these, the module offers huge reductions in the time and organizational resources required for implementation. It works like this: At the start of a project, user behavior is analyzed. This process automatically identifies all the authorizations users utilize and incorporates them into the new concept at hand. For the transition between authorization concepts, every user also has access to a fallback function: If they’re missing authorizations they had before the transition, they can activate this function to have their authorizations restored right away. If you ask me, the biggest advantage is that this enables our customers’ day-to-day business to continue without any interruptions at all. Our consultants will be happy to lend a hand in preparing and implementing an automated authorization concept, of course. A number of companies have been wary of this subject, but I think this overall package will convince them to take the plunge and start a project to clean up their authorizations.
The last thing I’d mention involves two functions of the SAST Security Radar module that certainly deserve separate acknowledgment. One of them provides the option to pseudonymize user data, which is just one of the many areas in which the SAST SUITE helps companies comply with the EU’s new General Data Protection Regulation (GDPR) and provisions of Germany’s data protection laws (Bundesdatenschutzgesetz, BDSG). Pseudonymization makes it possible to guarantee the best possible protection of personal data while still enabling select employees to view the original information based on a corresponding authorization project. And finally, warnings regarding complex events are a feature that I think provides the perfect complement to our other new functions. Until now, we’ve treated each event as a separate instance with its own criticality. What about when individual events aren’t critical, but the combination of them should be cause for concern? We’ve come up with a solution: You can now link multiple events based on certain conditions to create an event with a higher level of criticality. This is useful when you see a large number of failed login attempts from the same terminal or a flurry of downloads within a defined period of time, to give you just two examples.
What improvements and optimized functions can users look forward to in maintenance?
Lars Henning: I could see our existing customers getting excited about three advancements in particular. First of all, we’ve continued to optimize our processes and now offer a simplified system of distributing licenses for SAST SUITE modules. Licenses can now be automatically allocated to all the connected SAP systems at hand by means of an RFC connection, which eliminates a number of additional steps.
We’ve also made several enhancements in risk and compliance management. For example, customers now have the option to compare two policies when upgrading to a new release (like SAST SUITE 5.0) or when a new standard policy is rolled out. This enables their administrators to spot the differences immediately and adopt all the changes at the click of a mouse. To ensure greater transparency, we now also log policy uploads and downloads. This update resulted from feedback we received from a number of customers, which we always really like to see.
The third helpful addition I wanted to cover has to do with mitigation groups. This new function makes it possible to dynamically assign users to a group by means of an automated job, which completely eliminates the need to maintain individual users manually. All the users in question just need to have a certain role. It really couldn’t be easier.
Have any other improvements been made apart from what you’ve already covered?
Lars Henning: For sure. The new release gives our customers access to an add-on we’ve already received a lot of positive responses about since announcing it at our summer events. SAST Enhanced SoD-Matrix enables customers to export any functional separation conflicts they’ve had into Excel, which provides a clear format even SAP neophytes can understand in related discussions with user departments, managers, and external auditors. An overview sheet lists all the conflicts at hand along with the number of users affected, which makes it easier for user departments to identify risks and render a corresponding assessment. Our authorization experts handle the customizing for each specific customer while activating this add-on, which is a very simple process. The first customers to use it are already thrilled with how it’s improving their internal workflows.
Another thing we’ve done in release 5.0 is renew our certification for how smoothly the suite integrates with SAP NetWeaver and SAP HANA, and now with S/4HANA, as well. We’ve also made progress in user access management, where interested companies can now take advantage of the option to approve requests via responsive, web-based interfaces on mobile devices. All this shows that we’re ready for the next generation and in a great position to help our customers take on the future today.
Can you give us a preview of what the SAST SUITE will have in store for us in 2018?
Lars Henning: A lot of things are still under wraps, but one thing I can tell you is that we’re going to keep strengthening SAST’s reputation as the most comprehensive security and compliance tool on the market. We want to continue to be the only provider our customers need in this area, which is why we never stop enhancing our suite. Believe me, there are plenty more real innovations to get excited about in 2018.
Are there any tips you’d like to pass on to your customers before we sign off?
Lars Henning: It’s hardly a secret these days, but it always bears repeating: Security and compliance efforts should be left to the experts, not to an employee who has all kinds of other responsibilities to worry about. The cyberattacks and data leaks that have made the news in recent years have shown that companies need to safeguard their IT systems in order to ensure their survival. I can only recommend that organizations incorporate GRC issues into their projects from the very beginning. These concerns should be just as integral to a project schedule as the kickoff date. My second tip would be to take advantage of the software updates providers release. It’s shocking how often we find out that companies are running obsolete programs with known vulnerabilities even Google can tell you about. With policies like these, you don’t need to run afoul of a hacking genius to land yourself in a sticky situation. Finally, I recommend engaging in active communications with other companies. It’s the fastest way to find out about solutions others have already discovered, and it can also help you avoid mistakes. Our regularly occurring events give customers the opportunity to present best-practice cases and actively network with one another. We also offer webinars, which are always a good setting for asking your own personal questions.
Mr. Henning, thank you for talking with us and providing your insight.