Successful companies are often built on a simple idea: Make life better for ordinary people. Southwire Company, LLC, was founded on this premise. Due to post-war wire shortages in the late 1940s, many rural farming families were living without electricity. With a mission to bring power to rural families living in Carroll County, Georgia, Southwire’s 12 employees started producing wire using second-hand machinery in 1950. Nearly 70 years later, the family-owned business has become a leading manufacturer of wire and cable in North America with 7,500 employees in over 30 locations across the US and beyond, including Canada and Mexico.
Southwire manufactures and sells wire and cable products for the distribution and transmission of electricity — from the power plant to the outlets in a residential home — and the depth and breadth of its products make the company unique in its industry. Its offerings include high voltage cable for overhead and underground transmission, wires for manufacturing machinery, and wiring for light fixtures in homes and office buildings.
To support its operations and processes, Southwire has maintained an SAP solution landscape since 2010, which began with the implementation of SAP Treasury and Risk Management to manage the high volume of copper going through its rod mill. It has since expanded to include other solutions, such as SAP Business Warehouse, SAP Process Integration, the SAP BusinessObjects Business Intelligence suite, SAP SuccessFactors solutions, and SAP Hybris applications. Anchoring this SAP environment is SAP ERP, which is used by all of the company’s business divisions to enable processes such as order to cash, plan to inventory, and procure to pay. As its use of technology has increased, user access across technologies and business functions has become both a key to operational efficiency and, if poorly managed, a material and unacceptable risk.
In a sizable and growing business such as Southwire, where large numbers of users access a variety of applications and information daily, avoiding segregation-of-duties (SoD) conflicts is critical to ensure regulatory compliance, prevent errors, and avoid fraud. Identifying existing user access risk due to SoD conflicts in its SAP landscape became a pressing mandate for Southwire’s IT Center of Excellence team in early 2017, when it was tasked by the company’s board to minimize and mitigate SoD conflicts across the organization.
Driven by this directive, the IT team embarked on a multi-phased project aimed at understanding the scope of the issue, identifying conflicts, mitigating risks, automating user provisioning, making support operations more efficient, and improving the role catalog. The project started with an investigation phase to first gain a full picture of the issue, which was followed by a planning phase to determine what the solution should look like, an implementation phase, and finally a continuous improvement program that would systematically analyze and improve role designs. Analytics were critical to each stage and continue to play an important part in Southwire’s access management strategy.
Getting Plugged In
To initially scope the project, Southwire implemented the Separations Enforcer application from Security Weaver to identify and manage SoD conflicts in its SAP ERP system. (For more information about Security Weaver, see the sidebar at the end of the article.)
Separations Enforcer enabled Southwire to do a rapid yet thorough analysis of its SAP landscape for SoD conflicts and sensitive access risks with reports that were readable and comprehensive. The solution was also able to handle custom transactions because of its advanced pattern-matching capability, which extends its analytics beyond explicitly defined SoD rules to automatically discover SoD-relevant custom transactions that have not yet been included in the SoD ruleset.
“Previously, we had no tool in the legacy systems that would identify the number of SoD conflicts, and we had no means of reporting on them,” says Chris Easterwood, Vice President of Southwire’s IT Center of Excellence. The reports generated by Separations Enforcer revealed a surprising number of conflicts — approximately 10,000 — and when the company’s board saw the results, it passed down another directive to the IT team to address these conflicts.
To understand how to mitigate or remove a conflict, the team needed a way to look in depth at what transactions each user was exercising in the system. In the second quarter of 2017, Southwire selected Security Weaver’s Transaction Archive application to accomplish this task. Transaction Archive provided Southwire with detailed SAP transaction code execution histories that could be filtered by user, transaction, time period, user group, and other criteria. It not only showed which users were using which transactions, it also showed what transactions were being exercised in a role across the population of users who had the role. In addition to role and user analytics, Transaction Archive discovers and monitors Remote Function Calls (RFCs) within the SAP system to improve security across the integrated landscape.
The decision to go with Transaction Archive was an easy one because of its rich analytics. It also integrated easily with other Security Weaver solutions in use at Southwire as well as with the core SAP ERP system. “We decided to pursue Transaction Archive to help us better understand our past and present user activity and provide that information in a meaningful report for IT and for the business,” says Bryan Mann, Manager of SAP Basis and Security in Southwire’s IT Center of Excellence.
The in-house IT team implemented Transaction Archive within a day across Southwire’s global SAP instance using the standard change management functionality within the SAP system. The solution went live throughout the company’s SAP landscape, covering all of its SAP users, in August 2017.
Shining a Light on User Roles
Since that time, Southwire has successfully utilized Transaction Archive to optimize roles and improve security. The reports generated by Transaction Archive have enabled Southwire to:
- Analyze user transaction history, including which transactions were executed and by which users, how often they were executed and in what sequence, and when the transactions were used
- Evaluate role efficiency in terms of how roles are used — such as what percentage of users have exercised each transaction in a role — to ensure that the roles are not bloated with access rights
- Identify unused roles and then remove those roles to improve the user experience and reduce SoD conflicts
The data provided by Transaction Archive has made it possible for the IT team to redesign and optimize roles. “Previously, we managed roles manually based on what we thought users would need,” says Mann. “Transaction Archive makes the process more intelligent — it allows us to design our roles around what the users are actually doing.”
Using Transaction Archive and Separations Enforcer together enabled the IT team to significantly reduce conflicts, from approximately 10,000 to fewer than 1,000. For example, an SoD analysis of Southwire’s finance group using Separations Enforcer revealed several conflicts among users. “When we looked at those particular users in Transaction Archive, we discovered that they never actually used the transactions causing the conflicts,” says Easterwood. By changing the roles for these users and taking away rights to transactions they didn’t use, the IT team was able to reduce the number of SoD conflicts without affecting user productivity.
“Once we did that, many of the SoD conflicts that had been on the report simply disappeared,” adds Easterwood, “and we were left with just the SoD conflicts for transactions that were actually being used, which we could easily monitor going forward.”
The sales group was another area with SoD conflicts. Once Separations Enforcer identified the conflicted users, Transaction Archive enabled the sales group and the IT team to see what authorizations sales administrators were exercising. Then, using that information, the IT team was able to reduce the number of conflicts by redesigning user roles in a targeted way. For example, some users were viewing data using a transaction that allowed changes to the data when a display-only transaction would have sufficed. “Knowing this enabled us to remove access that would allow them to change something when all they needed was to display it,” says Easterwood.
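The analysis described in this section, sketched as an added example that is not Southwire's or Security Weaver's code: it compares SoD conflicts by entitlement with conflicts among transactions users actually executed, and computes per-role utilization. The role names, users, rule and history are constructed sample data, and the transaction codes are ordinary SAP codes chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data; role names and users are hypothetical.
ROLES = {
    "Z_FI_AP_CLERK": {"FK01", "FK03", "F-53"},  # create/display vendor, post payment
    "Z_SD_ADMIN": {"VA02", "VA03"},             # change / display sales order
    "Z_FI_LEGACY": {"FK02"},                    # change vendor
}
USER_ROLES = {
    "ALICE": {"Z_FI_AP_CLERK"},
    "BOB": {"Z_FI_AP_CLERK", "Z_FI_LEGACY"},
    "CAROL": {"Z_SD_ADMIN"},
}
SOD_RULES = [("FK01", "F-53")]  # one user should not both create vendors and pay them
HISTORY = [("ALICE", "F-53"), ("ALICE", "FK03"), ("BOB", "FK01"),
           ("BOB", "F-53"), ("CAROL", "VA03")]  # (user, executed tcode)

def granted():
    """Transactions each user can run through assigned roles."""
    return {u: set().union(*(ROLES[r] for r in rs)) for u, rs in USER_ROLES.items()}

def executed():
    """Transactions each user actually ran, limited to what they still hold."""
    seen = defaultdict(set)
    for user, tcode in HISTORY:
        seen[user].add(tcode)
    return {u: seen[u] & g for u, g in granted().items()}

def conflicts(access):
    """(user, tcode_a, tcode_b) for every SoD rule fully covered by a user's access."""
    return {(u, a, b) for u, t in access.items() for a, b in SOD_RULES if {a, b} <= t}

def role_utilization(role):
    """Share of a role's holders who executed each of its transactions."""
    holders = [u for u, rs in USER_ROLES.items() if role in rs]
    ran = executed()
    return {t: sum(t in ran[u] for u in holders) / (len(holders) or 1)
            for t in sorted(ROLES[role])}

def unused_roles():
    """Roles whose transactions no holder has executed."""
    return sorted(r for r in ROLES if not any(role_utilization(r).values()))

if __name__ == "__main__":
    on_paper, in_use = conflicts(granted()), conflicts(executed())
    print("conflicts by entitlement:", sorted(on_paper))
    print("conflicts actually exercised:", sorted(in_use))
    print("cleared by removing unused access:", sorted(on_paper - in_use))
    print("Z_SD_ADMIN utilization:", role_utilization("Z_SD_ADMIN"))
    print("unused roles:", unused_roles())
```

The history window should be long enough to cover periodic work such as quarter-end or year-end tasks before unused access is removed.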
Connecting with the Business
Separations Enforcer and Transaction Archive also enabled the IT team to better partner with business users — a critical step in mitigating SoD conflicts. The IT team worked with the business side to review what their users were accessing, the transactions they were executing, and the transactions they never used.
“With Transaction Archive, we were able to communicate with the business exactly which transactions their users were actually using, and which transactions could be better used either by a different department or by other resources available in the company,” says Mann. “We also used that information to help the business to better define their processes.”
Because IT and the business are the core users of analytics from Transaction Archive at Southwire, with the business users usually serving as the final approvers for SoD mitigation, it was important that the tool was easy to use for both teams. “We provided a one-hour workshop for each of the functional areas on how to use the product,” adds Mann, “and after that, with just a few questions here or there, most of the business users were proficient.” Sharing the workload across IT and business users has been a critical success factor for access management at Southwire.
Wired for Success
The Transaction Archive tool has become an integral part of Southwire’s SAP environment, according to Mann, and is used daily by IT and business users. The ability to quickly and easily see exactly what users have been doing in the system, and have it presented in a consolidated, meaningful report, has yielded significant returns — first and foremost by decreasing the overall number of SoD conflicts by more than 90%. “The number one benefit is that by the end of the project, we were able to present a report to the board that reflected a significant reduction in SoD conflicts,” says Easterwood.
Other benefits produced by the project have been time and cost savings, including reducing the time it takes to investigate conflicts from days to minutes. “It is a lot simpler to get to the information that we need,” Easterwood reports, “and it takes less time to review what users are doing in the system than anything we’ve had in the past.” The team was also able to use its existing resources to implement, administer, and manage the tool, as well as review and respond to reports, saving the company from having to spend money on additional resources, which would have cost more than $100,000 per year. “It limited the resources we needed to work on the project,” adds Mann.
In addition to enabling the IT team to efficiently address immediate access risks, the visibility into user activities provided by the tool has helped IT and the business make progress toward their overall goal of building better roles for users. “It gives us insight into how the system is being used, and we can then take that information and make better decisions about how roles should be designed,” says Easterwood. The role redesign — which is an iterative process of designing, testing, and adjusting roles before moving them into production — is an ongoing endeavor that will continue over the next few years. “It’s a continual process,” adds Mann, “and Transaction Archive will continue to play a valuable part in the overall project.”