When it comes to Business Objects risk management or regulatory needs, the platform is a black box due to inherent technical limitations around metadata access, security management, etc.
Does my Business Objects environment need to meet regulatory needs?
The answer is YES if you need to meet SOX, FISMA, GDPR, Solvency II, or HIPAA regulations. Why? Business Objects is used to publish your data (sensitive and non-sensitive), so you need to protect Business Objects! 360Suite has tools specifically made for SAP Business Objects, used by over 2,000,000 end users (they are popular tools)!
The most common regulations customers have to meet with regards to Business Objects are: SOX, HIPAA, GDPR, Solvency II, and FISMA. There are differences between these regulations, although they all have in common the requirement to protect data and users/owners. Protection can mean security rights, Disaster and Recovery, Segregation of Duties (SoD), account recertification, anonymizing data owners, confirming inactive users no longer have access, etc.
SOX is directed at financial data from public companies. Financial information needs to be protected, and an audit trail of that information and of related changes is also necessary. Needs are around access control, Backup & Disaster Recovery, versioning, data integrity, monitoring, regressions, etc.
GDPR is focused on protecting European residents’ data (personal, professional or private). This applies to EU organizations in Europe and to organizations outside of Europe handling EU citizens’ data. Requirements are: locating who is an EU resident and what their data is, access control, security transparency, pseudonymization, anonymization, right to erasure, backup, data integrity, etc.
FISMA is targeted at agencies, contractors and organizations exchanging data with FISMA-compliant agencies. The aim is protecting information relating to economic and national security interests. Needs are around determining the security category, access control, reporting security and changes, auditing users, finding dormant users and content, resilience, securing content, two-factor authentication, account re-certification, documentation, contingency planning, and monitoring and controlling changes.
HIPAA is aimed at protecting patient information and how that information is handled. Requirements are: access management, backup, preventing unauthorized access, a track record of access authorizations, confidentiality, monitoring changes, protecting publications, archiving, categorizing information, finding dormant users and content, and locating data where patients are mentioned.
Solvency II is an EU regulation focused on how insurance organizations are funded and governed. Solvency helps to determine whether an insurer or a reinsurer has sufficient capital to reduce the risk of insolvency. This regulation is based on 3 pillars: (1) financial requirements such as the capital the insurer should hold, (2) governance and supervision, (3) reporting and transparency. Key requirements from a Business Objects perspective are: SoD, Disaster and Recovery, Access Management, Version Control, providing reliable and consistent information, and Auditing and Monitoring around any risk exposure.
Regulatory needs typically have in common the W’s and the R’s focused around security:
W’s: Who, What, When, Why and Where
R’s: Recovery and Regression
Who:
Who has access to what & who does not have access to what?
Who had access to what & who did not have access to what?
Who is using what?
Who is not using what?
Who is who?
What:
What has changed?
What is being used?
What needs to be flagged or alerted?
What needs to be documented?
When:
When was it changed or not changed?
When has security been changed?
Why:
Why has it been changed?
Where:
Where is the user located?
Where are the regressions?
Who:
Who has access to what & who does not have access to what?
Who had access to what & who did not have access to what?
Who is using what?
Who is not using what?
Who is who?
- Who has access to what & who does not have access to what?
- Who has access to what? Example: What does Pete Townshend (lead singer of the Who!) have access to? 360Suite has a user centric view, including all related explicit, inherited, double inherited and granular rights.
- Who does not have access to what? In case of a breach this is very handy information. We know Snowden had access to almost everything, but knowing what he did not have access to in his deployment was critical in order to scope the leakage. 360Suite is able to provide reporting around this need.
- Who is using what or who is not using what?
- Who is using what? Who is using SSN objects? Who is getting patient info? 360Suite is able to gather metadata around any usage: application, memory, Webi, SQL, objects, etc.
- Who is not using what? Certain users are expected to be using certain applications or objects but are not. This is a direct security issue, typically addressed by account recertification. 360Suite can easily answer that question.
- Who is who and who is not who?
- Who is Who? This is typically an easy answer to get and provide reporting on.
- Who is not who? Federal organizations need to do reporting on Business Objects users. In some cases, reporting needs to be anonymous for certain statistical work, user information, sharing, etc. We should not know who is who. Reporting around users can still be done, but users are made anonymous so that there is no way to know who is behind user 007. 360Suite meets this particular requirement.
- To Whom? To whom has information been sent, and is it safe? 360Suite offers the possibility to see all scheduled reports with their destination list, formats, prompt values, etc., and the possibility to secure scheduled/bursted reports with passwords.
In Business Objects the Who’s are virtually impossible to manage due to the lack of a user centric view. 360Suite provides a user centric view and is able to consolidate information between the Auditor, CMS and File Store.
As a result, I’m a big fan of the ’70s and of the Who!
What:
What has changed and not changed?
What is being used?
What needs to be flagged or alerted?
What is used or not used by Whom?
What needs to be documented?
- What has changed and not changed? Has anything changed in my security? Has anything changed in the filters of my destination list? 360Suite is able to compare such information and keep historical information, and any changes can be highlighted.
- What is being used and not being used? Are your universes being used? How many actions have been taken on certain reports? Are reports being opened? Typically, 40%-60% of universes, objects, and reports are not being used. From a security perspective, gathering this information is critical: content that is not being used is a potential breach.
- What needs to be flagged or alerted? Some objects are very sensitive and can be flagged. As a result, each time they are used, the action can be reported.
- What is used or not used by whom? Who has access to patient files or payroll? 360Suite offers a resource centric view. Funny story from an organization my CEO used to work for: he discovered that payroll access had not been revoked for a user who had changed departments! Typically, you hear from users who don’t have access, but you won’t ever hear from users who have too much access!
- What needs to be documented? 360Suite provides the ability to export and document changes.
To answer the “To What” question, the 360Suite Business Objects tools are able to gather information based on changes, based on actions and based on flagging. 360Suite offers an object and resource centric search engine.
When:
When has it been changed or not changed?
When was security changed?
- When was it changed or not changed? Historical changes can be gathered by taking snapshots of deployments, objects, security, etc. Such snapshots are then compared, and changes, deletions and additions can be reported.
- When has security changed? Security is always very tricky due to extremely complex rights calculations and processing time. 360Suite, with its patented approach, is able to gather this information.
Historical information is limited in Business Objects; the Auditor has a few good features, but there are inherent issues, and the information in Business Objects Auditing is lacking. BOBJ Auditing tells us who is using the system, how they are using it, when they use it and what they do: it records actions. 360Suite tells us all of this, as well as what is not being used and who is not logging into the system, along with full impact analysis on the SQL and objects used in reports.
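The snapshot comparison described above for the When section, together with the user centric and "who is not using what" questions from the Who section, reduces to a few set operations once the effective rights have been exported. The following is an added example and not 360Suite or SAP code; the snapshot dictionary format, the user names and the last-login dates are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample snapshots of effective rights: user -> {resource: set(rights)}.
# A real deployment would export these from the CMS; the format here is assumed.
SNAPSHOT_MONDAY = {
    "pete": {"Payroll": {"View"}, "Patients": {"View", "Refresh"}},
    "roger": {"Payroll": {"View", "Edit"}},
    "keith": {"Patients": {"View"}},
}
SNAPSHOT_FRIDAY = {
    "pete": {"Payroll": {"View", "Edit"}, "Patients": {"View", "Refresh"}},
    "roger": {},
    "john": {"Payroll": {"View"}},
}
# Constructed last-login dates of the kind the Auditor records, plus the review date.
LAST_LOGIN = {"pete": date(2024, 5, 30), "john": date(2024, 1, 2)}
TODAY = date(2024, 6, 1)

def diff_rights(before, after):
    """Compare two snapshots; return (granted, revoked) as (user, resource, right) tuples."""
    granted, revoked = [], []
    for user in sorted(set(before) | set(after)):
        b, a = before.get(user, {}), after.get(user, {})
        for res in sorted(set(b) | set(a)):
            for right in sorted(a.get(res, set()) - b.get(res, set())):
                granted.append((user, res, right))
            for right in sorted(b.get(res, set()) - a.get(res, set())):
                revoked.append((user, res, right))
    return granted, revoked

def who_can(snapshot, resource, right):
    """Resource centric view: which users hold `right` on `resource` right now."""
    return sorted(u for u, rs in snapshot.items() if right in rs.get(resource, set()))

def dormant_users(snapshot, last_login, today, max_idle_days=90):
    """Users who still hold rights but have not logged in within max_idle_days (or ever)."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(u for u, rs in snapshot.items()
                  if rs and (u not in last_login or last_login[u] < cutoff))

if __name__ == "__main__":
    granted, revoked = diff_rights(SNAPSHOT_MONDAY, SNAPSHOT_FRIDAY)
    print("granted since Monday:", granted)
    print("revoked since Monday:", revoked)
    print("can edit Payroll today:", who_can(SNAPSHOT_FRIDAY, "Payroll", "Edit"))
    print("dormant but still entitled:", dormant_users(SNAPSHOT_FRIDAY, LAST_LOGIN, TODAY))
```

Run weekly, the granted list is the review queue for new entitlements and the dormant list is the recertification queue; a user who loses every right (roger here) shows up only in the revoked list, which is exactly the "who no longer has access" record the regulations ask for.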
Why:
Why has it been changed: reporting, universes, etc.?
Why has it been changed: security?
- Why has it been changed? Reporting, universes, etc. Regulations such as SOX require a full audit trail. 360Suite offers full versioning capabilities: you can check in and check out reports and universes, annotate changes, and require a workflow before modifications can be promoted.
- Why has it been changed? Security. Each time security is changed, comments need to be added, and the workflow can be saved.
360Suite, with its versioning and workflows, is able to provide such information and does not suffer from the limitations of the Business Objects SDK.
Where:
Where is the user located?
Where are the regressions?
Where?
- Where is the user located? Such information needs to be classified for certain regulations such as GDPR. 360Suite handles this feature.
- Where are the regressions? Regressions are like a box of chocolates: when you upgrade or modify your deployment, it always looks good at first glance, but the results are not always good. Most regulations require regression testing. Regression testing is manual, and the automated solutions on the market are amateur solutions: they were not designed for Business Objects and do not follow security workflows. 360Suite offers such a solution.
- Where? Where are the reports using object X? Which reports are used by user X? In which reports is patient X displayed? 360Suite is able to gather this information with its impact analysis metadata.
Recovery:
Disaster and Recovery
Selective Recovery
Rollback Recovery
Recovery from archiving
- Disaster and Recovery. A must-have for all regulations, whether they are aimed at protecting data or users. If there is any breach, you need to be able to recover as fast as possible. I have to say most deployments do not fully stress-test their environments. 360Suite is being used by Fortune 500 organizations and by highly regulated and sensitive federal organizations and central banks. Typically, a deployment can be fully operational again within 2 hours of a disaster and meet COOP requirements.
- Selective Recovery. Certain regulations require personal content to be removed from backups due to the right of erasure. At present this is not possible natively. Only 360Suite is able to meet such a requirement for HIPAA, GDPR, etc.
- Rollback Recovery. Many deployments are using and as a result do not meet regulatory needs. How are corrupted versions restored and how quickly are they restored? 360Suite manages rollback to past versions with the possibility to restore individual objects, Universes, reports, or the entire deployment.
Compliance overall is not so difficult to understand. The first need is understanding the guidelines and narrowing down what you need to secure. Then think of the relevant W’s and R’s for your regulatory needs and secure them. Securing them is the challenging part, and that is where 360Suite becomes critical.
360Suite is a set of tools aimed at getting more out of SAP BusinessObjects. Its main focus is:
- Security
- Documentation
- Reducing costs
- BI on BI
- Backup
- Regression testing