Oracle has just beefed up the Oracle Risk Management Cloud with the addition of Advanced Access Controls. It is targeting users of its ERP Cloud to help them ensure that they can manage all risks to the business. According to the press release, the new controls will allow organisations to: “continuously monitor for segregation of duties (SoD), financial compliance (SOX), privacy risks, proprietary information and payment risks.”
Sid Sinha, vice president of Risk Management Cloud Product Strategy at Oracle, said: “Advanced Access Controls automates the time-consuming analysis needed to protect business data from insider threats, fraud, misuse and human error.
“This service is part of an integrated, practical solution to effectively protect information in business applications using the latest data analysis and exception management techniques.”
What does Advanced Access Controls deliver?
The aim is to monitor access to applications in order to spot insider threats and improve an organisation’s security stance. One of the problems for many businesses is privilege creep. As people move through a business and get promoted, they gain privileges but keep older ones that they rarely use. This is what makes access credential theft so important to hackers. They can exploit this excess privilege to gain control over systems.
One area where this is a particular problem is when users change departments. In financial organisations, there are strict compliance controls around access to business units. Any failure to monitor and track access and then compare to job role can lead to a compliance breach.
Oracle has defined four areas where it sees AAC delivering key benefits. They are:
- Prevent fraud – by restricting privileges so that no user is able to perform end-to-end financial transactions independently.
- Accelerate secure deployment of Cloud ERP Applications – by designing roles that are free of SoD conflicts.
- Ensure compliance with audit requirements and mandates (such as SOX) – by auditing access privileges.
- Protect information assets from insider threats – by limiting and monitoring access to sensitive data and super-user privileges.
How does it work?
Oracle is using a mix of machine learning, AI and self-learning within AAC. It will compare users, roles and privileges against a library of active security rules. Organisations can update this library to ensure that they are able to spot any potential compliance breach. This is something that will appeal to compliance and risk teams within enterprises.
One of the problems with setting compliance rules is complexity. Risk and compliance teams spend a lot of time decomposing legislation into rules that they then apply to IT systems. As they are often not IT experts, they have to rely on developers, sysadmins and DBAs to interpret those rules. It can often mean that the implementation doesn’t match the original expectation.
AAC could change that. By using AI and machine learning, it could start to validate access against controls. This would not remove responsibility for user access management but it could guide and speed up rectification. What isn’t clear is if Oracle intends to integrate it into things like Microsoft Active Directory or other user access systems.
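The comparison of users, roles and privileges against a rule library, described above, can be sketched as follows. This is an added example, not Oracle's code and not part of the original article; the role names, privilege names and rule IDs are constructed for illustration, and the check is a plain set comparison with no machine learning.

```python
from collections import defaultdict

# Constructed sample data (assumption): not real Oracle ERP Cloud roles or privileges.
ROLE_PRIVILEGES = {
    "ap_clerk": {"create_supplier", "enter_invoice"},
    "ap_manager": {"approve_invoice"},
    "treasury": {"release_payment"},
    "gl_accountant": {"post_journal"},
    "ap_super": {"enter_invoice", "approve_invoice", "release_payment"},
}
USER_ROLES = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_manager", "treasury"],  # old roles kept after promotions
    "carol": ["gl_accountant", "treasury"],
}
# Rule library: privileges that no single user may hold together.
SOD_RULES = {
    "SOD-1": {"create_supplier", "release_payment"},
    "SOD-2": {"enter_invoice", "approve_invoice"},
}

def effective_privileges(roles, role_privileges):
    """Map each privilege a user holds to the roles that grant it."""
    granted = defaultdict(set)
    for role in roles:
        for priv in role_privileges.get(role, ()):
            granted[priv].add(role)
    return granted

def sod_violations(user_roles, role_privileges, rules):
    """One finding per (user, rule) where every conflicting privilege is held."""
    findings = []
    for user in sorted(user_roles):
        granted = effective_privileges(user_roles[user], role_privileges)
        for rule_id in sorted(rules):
            conflict = rules[rule_id]
            if conflict.issubset(granted):
                # Report the roles that together create the conflict.
                roles = sorted(set().union(*(granted[p] for p in conflict)))
                findings.append({"user": user, "rule": rule_id, "roles": roles})
    return findings

def role_design_conflicts(role_privileges, rules):
    """Roles that break a rule on their own, before any user is assigned."""
    return sorted((role, rule_id) for role, privs in role_privileges.items()
                  for rule_id, conflict in rules.items() if conflict.issubset(privs))

if __name__ == "__main__":
    for finding in sod_violations(USER_ROLES, ROLE_PRIVILEGES, SOD_RULES):
        print(finding)
    print(role_design_conflicts(ROLE_PRIVILEGES, SOD_RULES))
```

Reporting the contributing roles with each finding shows which assignment to revoke, which is the step that matters for accumulated privileges such as bob's.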
What does this mean?
Anything that can improve security and access to systems will be welcomed, provided it doesn’t increase workloads. There will be bedding-down issues here for many organisations and the rate of false positives and alerts will need to be managed. However, as compliance gets ever stricter, organisations are keen to adopt any solution that gives them hope.
This is also a potential solution to the insider threat problem. Most organisations have tried a number of different solutions to that problem with varying degrees of success and failure. It will be interesting to see if Oracle delivers any anonymised stats around success in this area. If it can reduce the risk, organisations will leap at the opportunity.
AAC only covers Oracle ERP Cloud at the moment. There is no mention of it being integrated into NetSuite. This seems strange. NetSuite is the star performer across the different Oracle ERP offerings. It also addresses mid-sized enterprises, which struggle with these types of controls. How long before Oracle realises this and announces a new release covering all of its ERP solutions?