Should SAP security be a priority for organizations?
A report by the analyst firm KuppingerCole leaves no doubt. Enterprise security is shaped above all by the evolving IT infrastructure and the ever-increasing level of threats (new opportunities for data interception emerge regularly). SAP security should therefore be a priority for any organization running this system.
Recommendations resulting from the analysis
Securing SAP today requires a 360-degree approach. Managing user access and user roles and identifying segregation-of-duties (SoD) violations remains the focus of auditors, but this view alone will not ensure SAP security.
This is due to the complexity of today's systems, in which security must be ensured at every level.
To ensure overall SAP security, you need to:
- define and implement security processes together with all process owners (IT, specialists, business, internal audit) and include them in the overall GRC policy,
- select an appropriate risk management approach based on the identification and evaluation of all possible risks (and the identification of suitable countermeasures),
- define and implement a strong security policy for all systems, including SAP,
- test security at every level of the infrastructure (through regular audits and penetration tests),
- subscribe to security advisories to stay informed about vulnerabilities and the patches that close them,
- automate processes to improve their efficiency and eliminate manual activities (and with them human error),
- analyze access and security events to identify undesirable activity (so that it can be stopped quickly),
- provide the owners of the relevant processes with an appropriate set of reports and dashboards so that they have insight into the information that matters to them.
KuppingerCole analysis - 8 conclusions
PROPOSAL 1:
SAP allows today's companies to implement strategic processes and its security is their top priority.
Growing demand for systems that meet regulatory requirements, together with the well-documented major data breaches of recent years, has raised companies' security awareness. They want to secure their systems properly and effectively.
PROPOSAL 2:
Maintaining an adequate level of security in complex SAP systems is becoming increasingly difficult.
Organizations run a multitude of business applications (such as ERP, CRM, SRM, BI, HCM) on a variety of platforms (HANA, ABAP, Java/J2EE, mobile). The traditional approach to SAP security focuses on access control, i.e. managing authorizations, permissions, users, roles and profiles. This is not enough to ensure security.
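The access-control view described above (and the SoD analysis the auditors focus on) can be made concrete with a small segregation-of-duties check. This is an added example, not code from the article or from KuppingerCole or Lukardi; the role and user data and the ruleset are constructed for illustration and are not a real SAP export or a vendor GRC ruleset.

```python
# Constructed sample data, not a real SAP export: role -> transactions granted via S_TCODE
ROLE_TCODES = {
    "Z_AP_INVOICE": {"FB60", "FB65"},      # post vendor invoices / credit memos
    "Z_VENDOR_MASTER": {"FK01", "FK02"},   # create / change vendor master data
    "Z_PAYMENT_RUN": {"F110"},             # automatic payment run
    "Z_DISPLAY_ONLY": {"FK03", "FB03"},    # display transactions only
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},     # user and role maintenance in one role
}
# Constructed user -> role assignments
USER_ROLES = {
    "ACLARK": {"Z_AP_INVOICE", "Z_VENDOR_MASTER"},  # can create a vendor and invoice it
    "BKOWAL": {"Z_AP_INVOICE", "Z_DISPLAY_ONLY"},   # no conflict
    "CNOWAK": {"Z_AP_INVOICE", "Z_PAYMENT_RUN"},    # can post an invoice and pay it
    "DADMIN": {"Z_BASIS_ADMIN"},                    # conflict lives inside one role
}
# Illustrative SoD ruleset (constructed, not a vendor GRC ruleset): (name, side A, side B)
SOD_RULES = [
    ("vendor master vs. vendor invoice", {"FK01", "FK02"}, {"FB60", "FB65"}),
    ("vendor invoice vs. payment run", {"FB60", "FB65"}, {"F110"}),
    ("user admin vs. role admin", {"SU01"}, {"PFCG"}),
]

def effective_tcodes(user):
    """Union of transactions a user reaches through every assigned role."""
    return set().union(*(ROLE_TCODES.get(r, set()) for r in USER_ROLES.get(user, ())))

def user_violations(user):
    """Rules where the user's effective transactions cover both sides of a conflict."""
    have, found = effective_tcodes(user), []
    for name, side_a, side_b in SOD_RULES:
        hit_a, hit_b = have & side_a, have & side_b
        if hit_a and hit_b:  # both halves of the conflict reachable by one person
            roles = sorted(r for r in USER_ROLES[user] if ROLE_TCODES[r] & (hit_a | hit_b))
            found.append({"user": user, "rule": name, "roles": roles,
                          "tcodes": sorted(hit_a | hit_b)})
    return found

def conflicting_roles():
    """Roles that contain both sides of a rule on their own (a role-design defect)."""
    return {role: [n for n, a, b in SOD_RULES if tc & a and tc & b]
            for role, tc in ROLE_TCODES.items()
            if any(tc & a and tc & b for _, a, b in SOD_RULES)}

def sod_report():
    return [v for user in sorted(USER_ROLES) for v in user_violations(user)]

if __name__ == "__main__":
    for v in sod_report():
        print(f"{v['user']}: {v['rule']} via {', '.join(v['roles'])}")
    print("roles conflicting by themselves:", conflicting_roles())
```

The role-level check matters as much as the user-level one: a single role that bundles both sides of a conflict will produce a violation for every user it is ever assigned to.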
PROPOSAL 3:
The SAP system is such a sophisticated and complex solution that it must be secured at the level of:
- the operating system (a properly configured and tested operating system is required),
- the network infrastructure (securing access to the system).
PROPOSAL 4:
All SAP components and all additional third-party components must be continuously updated.
Comprehensive information about required patches and the risks of running old software versions must be available on an ongoing basis. Identifying good configuration practice, both for individual components and for the SAP environment as a whole, is also an ongoing challenge. You can start by changing all default passwords.
PROPOSAL 5:
Because the vulnerabilities and threats are well-documented, not applying patches and best practices is unacceptable.
All custom solutions (customer-developed programs that extend SAP functionality) must be thoroughly tested. Management of privileged users (including the mechanisms that define firefighter access) is a key aspect of security, and it requires cooperation from both system administrators and highly privileged business users.
PROPOSAL 6:
Maintaining adequate SAP security is a highly interdisciplinary task.
It requires expertise and proper cooperation of various teams (IT, SAP specialists, business line, internal audit and controlling).
PROPOSAL 7:
Defining a corporate security strategy covers a wide range of aspects related to auditing, fraud management, user management and processes.
The approach to security is constantly changing. Properly selected SAP functions and tools are used, gaps are identified, and additional tools and services are chosen to fill them.
PROPOSAL 8:
Several manufacturers provide advanced security management solutions.
Given the size of the infrastructure and security requirements, well-designed security management aims for a high level of automation. It also uses intelligent analysis mechanisms. The goal is to reduce manual activities and increase the speed of detecting threats and anomalies.
SUMMARY
SAP security encompasses enterprise security from the operating system and network infrastructure level through user management to business processes. Maintaining proper security for this critical piece of enterprise IT infrastructure requires a 360-degree approach. By applying criteria based on the identification of risks, it is possible to ensure an appropriate level of security within an overall security strategy that reaches beyond the SAP environment.
Tomasz Jurgielewicz
Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of:
- identification of authorization conflicts and reorganization of authorizations,
- SAP vulnerability identification,
- integration of SIEM solutions with SAP,
- SAP license optimization.