By Tony Collins
Auditors claim that weaknesses in security controls in a SAP system used by a police force and two councils could allow people who don’t work for the police to have access to the force’s administrative database.
Grant Thornton also warns of risks that those with access to the system could create new programs, manipulate and change data, and view files they may not be authorised to see.
The risks are detailed by Grant Thornton in its report “Review of South West One (SWO) AP IT Controls”. Southwest One is an IBM-owned company that runs IT and other services for, Avon and Somerset Police, Taunton Deane Borough Council and Somerset County Council.
The three authorities, which are minority shareholders in Southwest One, share a SAP database that is run by the joint venture company.
Grant Thornton concludes that there are risks of unauthorised access and changes to a SAP system shared by the three authorities. It says that “while we have identified this significant weakness in control we have no evidence of actual, inappropriate access or changes to data. However, our review was not intended to go into this level of detail and further testing would be required to establish if inappropriate access had been made.”
The SAP database is likely to contain sensitive information such as the home addresses of senior police officers and council officers.
“Significant issues”
Grant Thornton says that “two significant issues” require an “urgent” response and officials should also “clarify immediately” who has access to a SAP database and “whether there has been any unauthorised access to, or changes, made to the data”.
It appears that the security risks in control existed for years. Southwest One was set up in 2007 and the SAP system implemented gradually in the years after a signing of the deal. The contract has another four years to run.
The claimed flaws are because the SAP database is shared between the three authorities and its data is not always segregated, according to Grant Thornton.
The auditors suggest that the problem is not in the design of SAP but in the way the system has been implemented.
SAP separates “client” accounts in two ways, says Grant Thornton.
One way is for SAP to be implemented as a single system, with data kept separately for different legal entities. Data is segregated between the legal entities so there are no shared users.
SW1 adopts cheaper option?
A cheaper option, says Grant Thornton, is to have a single “SAP client”, which is the implementation used at Southwest One.
This type of deployment separates accounts by trial balance codes, known as company codes. It’s suitable for large companies that have several subsidiaries, and allows for consolidation of accounts at group level.
It uses a shared database that stores a shared set of configuration parameters and has a shared set of users. Each table in the database contains data from each of the trial balance codes. Access to data is restricted through the SAP security model and requires careful fine-grained access permissions to be created to ensure adequate restrictions to sensitive and personal information.
For administrators, this may be the easiest implementation as there is only a single database to manage, rather than one for each client.
“It is likely to be the lowest cost model because of this,” says Grant Thornton. “However, it is the least secure method to manage legal entities that have no relation to each other.”
Upgrades, system reports and database maintenance may need to be done only once. Licence costs are shared.
Auditors suggest that the weaknesses mean that people who access the shared database may work for the police, or either of the councils, or be posing as secondees for any of the three authorities.
When Grant Thornton tried to find out the names of people who have access to the database they were told some could not be identified as they were police officers, Grant Thornton said in its report:
“As we are unable to identify these individuals we only have SWO’s [Southwest One’s] assurance that these are genuine seconded employees.”
Said Grant Thornton:
“We identified approximately 20 users who had access to SAP. We were informed by SWO that some of these users are seconded from the three users bodies to SWO and that because some of them are police officers we could not be given their names. Thus you have a complex situation where staff work for the respective legal entities but are seconded to SWOne.
Genuine employees?
“It is not clear if the respective entities are aware that data is not really segregated and that secondees could gain access to other entities data.
“Even if SWO reduces the number of staff that have access to sensitive data they will not be able to reduce this type of cross entity access to zero because of the single client they are using in SAP.
“In addition to the potential control risk, as SAP contains personally identifiable data that could be accessed by ‘inappropriate’ users there is the potential for a challenge under the Data Protection legislation and fines levied by the Information Commissioner can be significant.”
Under the Southwest One contract IBM has provided the SAP service under a single ‘software as a service licence’ (SAAS).
Grant Thornton claims in its report other security weaknesses which include:
– Excessive privileges in SAP
“It was noted that 26 users had access to the SA38 privilege. The use of the transaction code SA38 in the production environment should be highly restricted since it provides access to run custom programs that have not been secured with authorisation objects or authorisation groups, thereby allowing the user to access functionality and data not associated with their normal SAP role.
“This could expose the organisation’s data to users who do not work directly for the organisation. It should be noted that in many SAP implementations, custom programs may be inherited from legacy SAP installations and new custom programs may not have been programmed using authority checks. Access to SA38 provides full access to any program that does not contain an authority check and can therefore circumvent the standard SAP authorisation model.”
– Programmers with access to the final working system.
Programmers should be able to make changes in development systems, and only transfer them to the production version after following suitable change controls, testing and authorisation.
“Direct access to programming editing tools in the production environment represents a high risk to the organisation as it allows unauthorised changes to be made to data and programs.”
– Access to sensitive tables in SAP [SM30/SM31]
“The organisation has 22 users with access to sensitive table data editing transactions SM30 and SM31. A review of the organisations that these individuals work for identified a mixture of IBM, Somerset County Council, Taunton Deane Borough Council, Avon & Somerset Police and EPIUSE. All have been seconded to SW One, with the exception of IBM and the EPIUSE user. Access in all cases was authorised by SW One.
“Access to these transactions under certain conditions can allow customised data tables to be edited directly, potentially resulting in unauthorised entries or database integrity problems.”
Somerset’s response
Grant Thornton says that officers at Somerset County Council were aware already of the underlying database configuration and its inherent risks.
Southwest One has been approached to comment on, and provide the necessary assurance around, database controls. Somerset has also asked Southwest One to provide details about access levels to the SAP system and about the frequency of their use.
A report for the Council’s audit committee on 21 November 2013 says that at the start of Southwest One contract (in 2007), Somerset’s officers received assurances that sufficient access controls and permissions existed within the SAP system, and in particular the SAP security model, to permit a single database to be used.
IBM’s response
IBM says most of the problems mentioned by Grant Thornton are matters it has dealt with and regards as “closed”. It has responded to Grant Thornton’s concerns with some changes, undertakings of further discussions and various assurances.
On the claimed lack of segregation between programming, operations and management that prevents adequate controls being exercised which could lead to unauthorised changes being made to the system, Southwest One says:
“Low risk – Grant Thornton has confirmed that this only applies to one user.
Grant Thornton were happy with the secondary controls (separation of duties) that were already in place to mitigate this, but SWOne agreed to amend this person’s access to ensure that they cannot move any transport they have created.”
It’s not certain that Somerset’s councillors will accept IBM’s assurances at face value; and Grant Thornton is likely to investigate further.
At its meeting on 21 November, the council’s audit committee will consider whether to accept IBM’s assurances.
“Members are asked to review the findings in the Grant Thornton report and to consider what level of assurance they can take from South West One’s response and mitigations,” says a report to Somerset’s audit committee.
Comment
Details of Grant Thornton’s concerns were spotted by Dave Orr, a former Somerset County Council IT employee who campaigns for openness over the Southwest One deal.
He says:
“This state of affairs where SAP is not separately configured for each partner organisation’s security is very worrying.
“It is hard to believe that over 5 years after implementation of SAP by IBM/SW1, a basic configuration error of judgement of this magnitude has taken place – especially considering police security requirements.
“Are the HMIC [Her Majesty’s Inspectorate of Constabulary] & NAO aware of these security issues? How would this unsuitable configuration have supported the many new joiners envisaged in the original joint venture model for SW1?
“Without a rebuild of SAP ground up, it is hard to see how this can be properly rectified.”
Campaign4Change 
Pingback: SAP SECURITY FOR CISO: SAP Attacks and Incidents
Pingback: Officials black out IT security report after it's published in full … – News4Security
Pingback: Officials black out IT security report after it’s published in full | UNITE@SOMERSET COUNTYCOUNCIL
Pingback: Officials black out IT security report that’s already published in full | Campaign4Change
From: Dave Orr
29 January 2014
Dear Avon and Somerset Constabulary,
Please pass this on to the person who conducts Freedom of
Information reviews.
I am writing to request an internal review of Avon and Somerset
Constabulary’s handling of my FOI request ‘IBM/SW1 SAP IT Controls
serious security issue.’.
SAP is a back office IT system for accounts and payroll. It has no
connection with frontline policing and therefore the application of
a law enforcement exemption is both inappropriate and excessive.
Additionally, published ICO guidance on the application of the law
enforcement exemption does not support this use by you to avoid
proper disclosure.
The SAP UK assessment report (referred to above) should be
disclosed in a redacted form, with redactions only being applied
where genuine security risks and commercial confidence issues
apply. In that regard, much of SAP IT controls and security
guidance is available publicly through web site searches, so
redaction should not be applied where that is the case.
The shared SAP IT system was supplied back in 2009 by IBM through
the South West One joint venture and was recently subject to a
negative IT controls audit by lead partner Somerset County Council
(in November 2013).
There is a strong public interest case in why the two assessments
are in direct contradiction with each other and whether the single
database model implemented for multiple public partners and South
West One themselves is “fit for purpose” with regard to secure and
Home Office/ACPO compliant Police use.
There is a particular public interest if other Police forces were
to join South West One and use the same shared SAP IT system, if
the configuration is not “fit for purpose” i.e. a secure database
per partner configuration should have been implemented instead.
There are additional security issues, as IBM used and use a
Bangalore, India division to configure SAP and supply 3rd line
configuration and upgrade support. If the law enforcement exemption
is applied correctly, and upheld, then the access by IBM staff who
are employed in an offshore Indian sub-continent location would be
of greater concern.
Please conduct an internal review and supply a minimally and
appropriately redacted copy of the SAP UK report referred to above.
A full history of my FOI request and all correspondence is
available on the Internet at this address:
https://www.whatdotheyknow.com/request/ibmsw1_sap_it_controls_serious_s#followup
Yours faithfully,
Dave Orr
LikeLike
Good work Dave.
A quick one on the likely content of SAP reports. At a minimum their review would be aligned with the Security Optimisation Service that can be run by each customer. It’s general good practice to either run this periodically or perform similar reporting by some means. This is reasonably thorough and would have flagged most of the items that have been highlighted in the auditors report.
As far as SAP good practice goes, there is freely available and well circulated information on the SAP website: http://preview.tinyurl.com/osc2wkm and there is no excuse for most of this not to be enacted. Most, if not all of this would be raised in a review by SAP because they are generally very thorough.
LikeLike
Police accountability & transparency culture remains “closed”:
Mr Dave Orr Our Reference 1113/13
Your reference [FOI #184925 email] Date 29 January 2014
Dear Mr Orr
I write in connection with your request for further information dated
13th December concerning SAP. Specifically you asked:
Q1. As SAP is a shared system implemented on a single database basis and Somerset was the lead partner, then surely the findings by external
auditor Grant Thornton (the same Auditor as the police) apply to the
Police as well, thus indicating formal action & response?
Avon and Somerset Constabulary is monitoring the progress at SCC and will not be formulating a separate response.
Q2. Please disclose who conducted the Police review into SAP Feb-Mar 2012?
The review was conducted by SAP (UK) Ltd.
Q3. Which committee had oversight of this report? Did the other partners
(SCC & TDBC) receive a copy of this report?
The Police Authority at the time were fully briefed, as were SCC and TDBC. The partners did not receive copies of the report.
Q4. If the report concluded that ‘the original technical implementation is
aligned to best practices and is a good example of how the core
configuration should be set up’ then how are the discrepancies with the
latest Grant Thornton report for SCC explained?
Avon and Somerset Constabulary cannot comment on whether or not there are discrepancies as Grant Thornton has not discussed their review with this constabulary.
Q5. Please disclose a copy of this report.
The report was provided in confidence and the document is commercially
sensitive. Additionally, disclosure of the report would undermine law
enforcement. As such the report will not be disclosed.
The exemptions applicable are section 31(1)(a) law enforcement, section
41(1)(b) information provided in confidence and section 43(2) commercial
interests. Section 41 is an absolute and class based exemption which
means that there is no requirement to identify and evidence the harm that
would be caused by disclosure or consider the public interest. There is a
requirement however to conduct a public interest test on whether the
common law duty of confidentiality can be overcome however the default
position favours non-disclosure. Section 31 and 43 are qualified and
prejudice based exemptions which mean there is a requirement to identify
and evidence the harm that would be caused by disclosure and consideration given to the public interest.
Overall Harm
The disclosure of the information requested would constitute an actionable
breach of confidence. As noted above an absolute exemption under Section 41 applies to these arrangements. This disclosure could render the forces vulnerable to civil proceedings. The report demonstrates the methodology as to how SAP will carry out the services of providing such a review of the implementation of its products. The disclosure of this information would be prejudicial to SAP as it would enable competitors and other bodies to draw conclusions about SAP products. Additionally, conclusions may be drawn about the performance of its products and services which may influence future purchasing decisions – thus harming their commercial interests.
Furthermore, disclosure could compromise the constabulary’s IT security.
Public Interest test
Section 31 considerations
Factors favouring disclosure:
Disclosure may add value to the accuracy of public debate with regards to
resources allocated for the prevention and detection of crime.
Factors favouring non- disclosure:
The Police Service has a duty to deliver effective law enforcement
ensuring the prevention and detection of crime, apprehension or
prosecution of offenders and administration of justice is carried out
appropriately. By identifying specific information in respect of the
Constabulary’s IT systems would enable a third party to exploit any
potential vulnerabilities within those systems.
Section 43 considerations
Factors favouring disclosure:
Where public funds are being spent, there is a public interest in
accountability and justification. Disclosure could also add value to
public debate.
Factors favouring non- disclosure:
As stated within the harm disclosure of the information requested would
constitute an actionable legal breach of confidence surrounding the
current contractual arrangements. This disclosure could render the
forces vulnerable to civil proceedings.
Section 43(2) states that information is exempt if its disclosure under
this Act would, or would be likely to prejudice commercial interests of
any person. In this case disclosure would adversely affect SAP Ltd as
their testing methodology and process would be available to competitor
companies, which will negatively affect the commercial interests.
Balance test
On balance, the damage incurred by release of this information is likely
to prejudice the commercial interests of SAP Ltd, including a possible
actionable breach of confidence against the constabulary of which the
common law duty of confidence cannot be overcome, outweighs the benefit of accountability or public debate. After weighing up the competing
interests, I have determined that the disclosure of the above information
would therefore not be in the public interest. In accordance with the Act,
this letter represents a Refusal Notice for this specific information.
Yours sincerely
Freedom of Information Officer
Corporate Information Management Department
LikeLike
A local Somerset MP has blogged about Avon & Somerset Police and redacting the original critical SAP IT Controls report from Grant Thornton for Somerset County Council:
http://www.liddellgrainger.org.uk/ian/PEREGRINESPEN.html
LikeLike
Offering a few more thoughts on this:
1. Amusingly most of what is redacted is standard stuff, only a little is actually sensitive.
2. The un-redacted report is still available online.
3. Point 2 in the report referring to “counters” has not been amended.
4. The internal audit/IT security teams hold some responsibility for not ensuring that basic ITGC’s were in place before the service went live. The info required to check this is freely available, even on the SAP website.
5. Plenty of organisations who are not subject to detailed audits are just as bad.
6. IBM does not have a track record of being good at SAP Security. The UK has a wealth of small companies & independents who are very good in this field. Hell, I’d even do some stuff pro-bono.
7. Despite what the MP says, SAP is not that bad. There are lots of happy customers (ok, so may be there are fewer happy users), it is rarely the fault of the tech, more so the sales people & buyers not doing due diligence (which, considering the install base should not be difficult).
LikeLike
Here are some additional thoughts regarding risks in a hosted SAP environment: https://www.virtualforge.com/de/blog/post/hosting_risks_en.html
LikeLike
I attended the Audit Committee of Somerset County Council (SCC) yesterday (21/11/2013).
SW1 fielded no DBAs or IT security staff, but chose to send only an IBM Auditor and the CEO. In my view, their answers were regrettably unimpressive and lacked the reassurance the Audit Committee were seeking.
It now looks as if the SCC Audit Committee will ask SCC Auditor Grant Thornton to investigate deeper & further and then report again (in January).
They admitted that seconded staff from the two Councils (SCC and Taunton Deane Council) do access SAP admin (with high privileges) for Police data.
The excellent IT SAP auditor from SCC Auditor Grant Thornton went on to explain that IBM/SW1 were not logging the high privilege admin access usage and should do so.
Meanwhile, the Avon & Somerset Police & Crime Commissioner’s Office have confirmed that the Police Audit Committee will look at these security assurance issues at a meeting on the 13th of December.
LikeLike
Thank you for that update.
LikeLike
We can secure data belonging to separate legal entities in SAP. The problem is that the chosen service provider lacks capability in this area. There are plenty of SAP systems with legal and/or regulatory requirements to segregate data within a single instance. 3 separate systems and support teams is unnecessary to achieve that objective.
The info presented in the article is like a high-level IT General Controls review and not and in-depth review of the security of the SAP system. There are likely many other areas which have not been reported here that present risk to data and integrity of processes and have not fallen under the scope of the audit. Has custom code review been performed? How about securing the RFC gateway? DB level access? encryption between presentation layers and applications?
LikeLike
It’s true that there is much more detail in the review than in the article – and the review was written so as to be understood by councillors who may know nothing about IT. Things I didn’t mention include a failure to lock out users if they don’t provide the password in a certain number of attempts, management not investigating login failures on high risk or privileged user accounts, not enforcing “strong” passwords, default passwords still being assigned to default accounts: TMSADM, EARLYWATCH and SAPCPIC.
The fact that Somerset Council has not yet accepted IBM’s assurances indicates, to me, that it can difficult assuring yourself of the security of your systems once they are outsourced. If you own your systems and an independent review highlights weaknesses in security you can make the changes you consider necessary. If the systems are outsourced the IT security is, in effect, outsourced to the supplier. That supplier may not accept the need to make all the changes you consider necessary. Tony Collins.
LikeLike
I’ve read the report now. IBM have failed to meet the most basic security practice in plenty of areas which is a concern. It is also a concern to see a factually incorrect statement by the auditor relating to the auto unlock of ID’s & they have then made a recommendation based on a misunderstanding of how the various authentication related parameters work and interact.
It is relatively straightforward to provide a reasonable level of assurance over the security of a SAP system and there are well documented & free resources which specify “what good looks like”. Failure to do these basics is negligence. I fully agree that it is easier if it is your own system. Many organisations also outsource their SAP environments (in many cases to IBM – so there is no excuse for not knowing what is generally accepted good practice) and every single one I have worked with has mandated some adherence to standards of some sort which will apply to the security of the service that is being provided.
Ultimately the right outcome would be the service provider taking accountability for being negligent in this area. Organisations who have relatively little sensitive data do so much better so it is disappointing that it has happened in this instance.
LikeLike
I understand that the Police Service files within IBM/South West One SAP contain details about all Police Officers and some of those will be Special Branch or Anti-Terrorism and the files could also contain the aliases for paid informants.
Clearly, that information will be of interest to organised crime etc, so vigilant database access controls, preferably in a secure and controlled building, is surely the Gold standard?
With South West One direct hire staff, sub-contractors and with staff coming from IBM Global Systems India to South West One (is there any remote access?) then clearly enforcing secure access controls across a diverse staff and contractor base, to meet National Police information security standards, will be far more difficult to manage. audit & enforce than within a Police Service HQ and an in-house IT service.
LikeLike
Pingback: Police SAP system’s “significant” security weaknesses? | UNITE@SOMERSET COUNTYCOUNCIL
Staggeringly, the Avon & Somerset Constabulary have stopped running their own Risk Log and handed over Risk Logging to the contractor South West One against all known best practice!
From an FOI 15th November 2013:
Q2. Please disclose the latest copy of the Risk Log/Register
(or similar assessment report[s]) for the South West One contract with IBM.
A2. That risk register is, as explained, properly held by, maintained and managed by Southwest One. If you are enquiring about how the Constabulary manages and monitors risks associated with the Southwest One partnership, then that is a different question. The Constabulary risk register no longer has any entry relating to Southwest One. The last entry was removed last year upon the conclusion of the SCC/Southwest One contract renegotiation, when the risk diminished.
LikeLike