By Tony Collins
Auditors claim that weaknesses in security controls in a SAP system used by a police force and two councils could allow people who don’t work for the police to have access to the force’s administrative database.
Grant Thornton also warns of risks that those with access to the system could create new programs, manipulate and change data, and view files they may not be authorised to see.
The risks are detailed by Grant Thornton in its report “Review of South West One (SWO) AP IT Controls”. Southwest One is an IBM-owned company that runs IT and other services for Avon and Somerset Police, Taunton Deane Borough Council and Somerset County Council.
The three authorities, which are minority shareholders in Southwest One, share a SAP database that is run by the joint venture company.
Grant Thornton concludes that there are risks of unauthorised access and changes to a SAP system shared by the three authorities. It says that “while we have identified this significant weakness in control we have no evidence of actual, inappropriate access or changes to data. However, our review was not intended to go into this level of detail and further testing would be required to establish if inappropriate access had been made.”
The SAP database is likely to contain sensitive information such as the home addresses of senior police officers and council officers.
Grant Thornton says that “two significant issues” require an “urgent” response and officials should also “clarify immediately” who has access to a SAP database and “whether there has been any unauthorised access to, or changes, made to the data”.
It appears that the weaknesses in control existed for years. Southwest One was set up in 2007 and the SAP system was implemented gradually in the years after the deal was signed. The contract has another four years to run.
According to Grant Thornton, the claimed flaws arise because the SAP database is shared between the three authorities and its data is not always segregated.
The auditors suggest that the problem is not in the design of SAP but in the way the system has been implemented.
Grant Thornton describes two ways in which SAP can separate the legal entities that share a system.
One is to give each legal entity its own SAP “client” within a single installation. Each client holds its own data and its own user accounts, so data is segregated between the legal entities and there are no shared users.
SW1 adopts cheaper option?
A cheaper option, says Grant Thornton, is to have a single “SAP client”, which is the implementation used at Southwest One.
This type of deployment separates the entities’ accounts by company code, the unit at which SAP keeps a trial balance. It is designed for large companies with several subsidiaries, and allows accounts to be consolidated at group level.
It uses a single shared database with a shared set of configuration parameters and a shared set of users. Every table contains rows from every company code, so access to one entity’s data is restricted only by the SAP authorisation model, which requires careful fine-grained permissions to keep sensitive and personal information adequately restricted.
For administrators, this may be the easiest implementation as there is only a single database to manage, rather than one for each client.
“It is likely to be the lowest cost model because of this,” says Grant Thornton. “However, it is the least secure method to manage legal entities that have no relation to each other.”
Upgrades, system reports and database maintenance may need to be done only once. Licence costs are shared.
The auditors note that, because of these weaknesses, someone accessing the shared database may work for the police or for either council, or may be posing as a secondee from any of the three authorities.
When Grant Thornton tried to find out the names of the people who have access to the database, it was told that some could not be identified because they were police officers. The report says:
“As we are unable to identify these individuals we only have SWO’s [Southwest One’s] assurance that these are genuine seconded employees.”
Said Grant Thornton:
“We identified approximately 20 users who had access to SAP. We were informed by SWO that some of these users are seconded from the three user bodies to SWO and that because some of them are police officers we could not be given their names. Thus you have a complex situation where staff work for the respective legal entities but are seconded to SWOne.
“It is not clear if the respective entities are aware that data is not really segregated and that secondees could gain access to other entities data.
“Even if SWO reduces the number of staff that have access to sensitive data they will not be able to reduce this type of cross entity access to zero because of the single client they are using in SAP.
“In addition to the potential control risk, as SAP contains personally identifiable data that could be accessed by ‘inappropriate’ users there is the potential for a challenge under the Data Protection legislation and fines levied by the Information Commissioner can be significant.”
Under the Southwest One contract IBM has provided the SAP service under a single “software as a service” (SaaS) licence.
Grant Thornton’s report identifies other security weaknesses, which include:
– Excessive privileges in SAP
“It was noted that 26 users had access to the SA38 privilege. The use of the transaction code SA38 in the production environment should be highly restricted since it provides access to run custom programs that have not been secured with authorisation objects or authorisation groups, thereby allowing the user to access functionality and data not associated with their normal SAP role.
“This could expose the organisation’s data to users who do not work directly for the organisation. It should be noted that in many SAP implementations, custom programs may be inherited from legacy SAP installations and new custom programs may not have been programmed using authority checks. Access to SA38 provides full access to any program that does not contain an authority check and can therefore circumvent the standard SAP authorisation model.”
– Programmers with access to the production system.
Programmers should make changes in development systems and transfer them to production only after suitable change control, testing and authorisation.
“Direct access to programming editing tools in the production environment represents a high risk to the organisation as it allows unauthorised changes to be made to data and programs.”
– Access to sensitive tables in SAP [SM30/SM31]
“The organisation has 22 users with access to sensitive table data editing transactions SM30 and SM31. A review of the organisations that these individuals work for identified a mixture of IBM, Somerset County Council, Taunton Deane Borough Council, Avon & Somerset Police and EPIUSE. All have been seconded to SW One, with the exception of IBM and the EPIUSE user. Access in all cases was authorised by SW One.
“Access to these transactions under certain conditions can allow customised data tables to be edited directly, potentially resulting in unauthorised entries or database integrity problems.”
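Taken together, the single-client model described above (shared tables, shared users, company codes as the only dividing line) and the three findings listed here translate into checks an auditor can run over an authorisation extract. The following Python script is an added example, not code from the Grant Thornton report or from Southwest One. It reads a constructed extract of users, their employer, the transaction codes they hold and the company codes (BUKRS) they are authorised for; it flags holders of SA38, SM30/SM31 and the ABAP editor transactions in production, and lists users whose company-code authorisations span more than one legal entity, which is the cross-entity access a single client cannot reduce to zero. The extract format, the user records and the mapping of company codes to the three authorities are all assumptions.

```python
"""Audit an SAP user/authorisation extract for the weaknesses Grant Thornton
describes: sensitive transactions held in production and cross-entity
company-code access in a single-client system.

Added example; not from the Grant Thornton report or Southwest One. The
extract format, the users in it and the company-code to entity mapping are
all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed mapping of SAP company codes (field BUKRS) to the legal entities
# sharing the single client. The codes themselves are invented.
ENTITY_OF_BUKRS = {
    "P100": "Avon and Somerset Police",
    "C200": "Somerset County Council",
    "T300": "Taunton Deane Borough Council",
}

# Transactions the report singles out, and why they matter in production.
SENSITIVE_TCODES = {
    "SA38": "runs any report; bypasses the authorisation model for programs "
            "that lack an AUTHORITY-CHECK",
    "SM30": "direct maintenance of table contents",
    "SM31": "direct maintenance of table contents (older variant)",
    "SE38": "ABAP editor: program changes directly in production",
    "SE80": "ABAP workbench: program changes directly in production",
}

# Constructed extract: one line per user, pipe-delimited. TCODES and BUKRS
# are ';'-separated; '*' in BUKRS means authorised for every company code.
SAMPLE_EXTRACT = """\
USER|EMPLOYER|TCODES|BUKRS
ASMITH|Avon and Somerset Police|SA38;SE16|P100
BJONES|Somerset County Council|FB03;SM30|C200;T300
CBROWN|IBM|SA38;SE38;SM31|*
DGREEN|Taunton Deane Borough Council|FB03|T300
EWHITE|EPIUSE|SM30;SM31|*
"""


@dataclass
class UserAuth:
    user: str
    employer: str
    tcodes: set
    bukrs: set


def parse_extract(text):
    """Parse the pipe-delimited extract into UserAuth records (header skipped)."""
    records = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        user, employer, tcodes, bukrs = (f.strip() for f in line.split("|"))
        records.append(UserAuth(
            user=user,
            employer=employer,
            tcodes={t for t in tcodes.split(";") if t},
            bukrs={b for b in bukrs.split(";") if b},
        ))
    return records


def entities_for(bukrs):
    """Legal entities that a set of company-code authorisations reaches."""
    if "*" in bukrs:
        return set(ENTITY_OF_BUKRS.values())
    return {ENTITY_OF_BUKRS[b] for b in bukrs if b in ENTITY_OF_BUKRS}


def audit(users):
    """Return {finding: [user, ...]} for sensitive transactions and
    cross-entity company-code access. Users are listed in extract order."""
    findings = defaultdict(list)
    for u in users:
        for tcode in sorted(u.tcodes & set(SENSITIVE_TCODES)):
            findings[tcode].append(u.user)
        # In a single client every table holds all company codes, so any
        # user authorised for codes of more than one entity (or for '*')
        # can reach another entity's data: the residual risk the report
        # says cannot be reduced to zero under this model.
        if len(entities_for(u.bukrs)) > 1:
            findings["CROSS_ENTITY"].append(u.user)
    return dict(findings)


def report(findings):
    """Human-readable summary of the findings."""
    lines = []
    for key, users in findings.items():
        why = SENSITIVE_TCODES.get(key, "authorised for more than one legal entity")
        lines.append(f"{key}: {len(users)} user(s) - {why}: {', '.join(users)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(parse_extract(SAMPLE_EXTRACT))))
```

Transaction-code assignment is only a proxy. In a real review the authorisation objects behind each transaction (for example S_PROGRAM for SA38, S_TABU_DIS for SM30/SM31, S_DEVELOP for SE38) and the company-code fields of the FI objects would be pulled from the role and user master data, and the same two checks run against those values rather than against the transaction list alone.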
Grant Thornton says that officers at Somerset County Council were already aware of the underlying database configuration and its inherent risks.
Southwest One has been approached to comment on, and provide the necessary assurance around, database controls. Somerset has also asked Southwest One to provide details about access levels to the SAP system and about the frequency of their use.
A report for the Council’s audit committee on 21 November 2013 says that at the start of Southwest One contract (in 2007), Somerset’s officers received assurances that sufficient access controls and permissions existed within the SAP system, and in particular the SAP security model, to permit a single database to be used.
IBM says most of the problems mentioned by Grant Thornton are matters it has dealt with and regards as “closed”. It has responded to Grant Thornton’s concerns with some changes, undertakings of further discussions and various assurances.
On the claimed lack of segregation between programming, operations and management, which Grant Thornton says prevents adequate controls from being exercised and could allow unauthorised changes to the system, Southwest One says:
“Low risk – Grant Thornton has confirmed that this only applies to one user.
Grant Thornton were happy with the secondary controls (separation of duties) that were already in place to mitigate this, but SWOne agreed to amend this person’s access to ensure that they cannot move any transport they have created.”
It’s not certain that Somerset’s councillors will accept IBM’s assurances at face value; and Grant Thornton is likely to investigate further.
At its meeting on 21 November, the council’s audit committee will consider whether to accept IBM’s assurances.
“Members are asked to review the findings in the Grant Thornton report and to consider what level of assurance they can take from South West One’s response and mitigations,” says a report to Somerset’s audit committee.
Details of Grant Thornton’s concerns were spotted by Dave Orr, a former Somerset County Council IT employee who campaigns for openness over the Southwest One deal.
“This state of affairs where SAP is not separately configured for each partner organisation’s security is very worrying.
“It is hard to believe that over 5 years after implementation of SAP by IBM/SW1, a basic configuration error of judgement of this magnitude has taken place – especially considering police security requirements.
“Are the HMIC [Her Majesty’s Inspectorate of Constabulary] & NAO aware of these security issues? How would this unsuitable configuration have supported the many new joiners envisaged in the original joint venture model for SW1?
“Without a rebuild of SAP ground up, it is hard to see how this can be properly rectified.”