Safety Detectives: Please share your company background, how you got started, and your mission.
CSI tools: CSI tools started in 1997 with developing solutions to get insight/audit the SAP authorization concept. Johan Hermans, founder and CEO of CSI tools, has a background in IT auditing. Back in the day, there was no software available to analyze SAP systems on their risks in the area of access governance. Everything was done manually. Manually analyzing the SAP authorization concept was very time-consuming and not 100% accurate. Therefore we started developing our own software to get this insight and help our customers with remediating the risks.
More and more companies were interested in using the CSI tools software themselves, so they would be able to do their audits at any desired time. Nowadays. CSI tools has evolved and delivers all the applications (auditing, compliant user provisioning, emergency access, and SAP role maintenance) that are needed for governance, risk, and compliance for SAP systems on the access governance level. Our GRC suite is module-based, so depending on the security maturity of a company, module(s) can be acquired.
SD: What is the main service your company offers?
CSI tools: CSI tools delivers GRC software that helps companies to detect, identify, and prevent any risks in SAP systems in access governance. We do not only focus on reporting the risks, but we focus on the remediation part. How can the current risks be mitigated in the best and efficient way? We also go one step further, moving from detecting to preventing. In preventing we focus on answering the question of how can we prevent creating new risks?
SD: What is something unique that helps you stay ahead of your competition?
CSI tools: Our cockpit and engine provide insights into real vulnerabilities, streamlining SAP roles, and then delivering practical solutions to improve risk and security posture.
CSI tools simplifies SAP security and makes it understandable for all layers of the organization. CSI tools has a unique approach and structures the (difficult to understand) technical security data, into 300 data elements that are easy to understand and interpret within all layers of the organization. These data elements cover all control objectives for the confidentiality, integrity, and availability of the SAP data and are used to define the security requirements in an understandable and correct way.
SD: What do you think are the worst cyberthreats today?
CSI tools: Malware and phishing threats are getting very mature. These are real threats because the IT environment of companies is getting bigger and easier to access from the outside world. When one’s credentials are being compromised, the keys to the kingdom are available to the hacker(s). That’s why we really stress reducing the access of your own personnel’s authorizations in the SAP environment. Even when you are convinced that your personnel will not harm you, the hacker that will receive the keys to the kingdom most probably will!
That’s why we also focus on limiting emergency access to the SAP environment. Emergency access is needed to grant broad access rights to the SAP system, but this access should be secured against misusage, and only be temporary. Credential sharing of these users should never be possible. Our solution CSI Emergency Request does not only secure the emergency access to the SAP environment(S) but also secures other privileged SAP accounts by logging all activities.