SAP Security governs what data and processes users can access inside an SAP landscape. It’s a field that combines several distinct elements of cyber security, ranging from access control to application-level security to data protection. SAP security services focus on keeping the system and its data (and as a result, your business) secure from a wide variety of threats while doing as little as possible to disrupt business operations. Typically, users are given just enough access to do their jobs. In order to understand the SAP security basics, picture a warehouse with many locked rooms. To do a task, a user needs to enter (and have access to) the correct room.
The job of SAP security services is to make sure each user only has keys to the rooms they're supposed to be able to access. This prevents employees from accidentally damaging data they shouldn't be able to reach, and it limits what an attacker can do with a compromised account. Want to know more?
What follows is a comprehensive guide to Symmetry’s top SAP Security insights that IT leaders need to know. These links allow you to jump to specific sections:
- What is SAP Security?
- SAP Security Best Practices
- SAP Security Risks
- SAP Security Architecture
- SAP System Health Checks
- How to Stop Worrying About SAP Security
- SAP Fiori Security Implementation
- SAP Security: From Impossible to Routine
- Cyber Security Vulnerabilities
SAP security is a balancing act that involves all the tools, processes, and controls set in place in order to restrict what users can access within an SAP landscape. This helps ensure that users can only access the functionality they need to do their job, and that they are prevented from viewing or altering data they aren't authorized to see. At the same time, the access controls need to be seamless, so people don't get locked out of their workflows and spend unproductive time getting back to work.
Ben Uher, Client Manager of Security & Controls at Symmetry, provides more detail on three main areas: how SAP security works with GRC, the difference between SAP security and cyber security, and how managed security services could help your organization's SAP security needs.
While GRC examines users' capabilities in the system and creates policies that meet compliance requirements, SAP security implements those policies day to day by provisioning new users and identifying gaps in the system that don't align with GRC. Likewise, while SAP security is focused mainly on insider threats, cyber security is focused on external threats. With the sheer variety of risks involved in an SAP security landscape, a managed security services partner can help monitor, revamp, and remediate security risks and audit findings to support your IT team.
SAP Security Basics — Security vs. GRC
SAP security isn’t the same thing as governance, risk and compliance (GRC). GRC audits user access to spot problems with user privileges or behavior, then it puts together a compliant provisioning program, which is implemented using SAP security tools.
SAP Security — Basics of Access Control
SAP security assigns roles to users. Each role contains a profile of authorizations, and each authorization grants permitted values for the fields of an authorization object (for example, a company code and an activity such as create, change or display). A role also lists the transactions (processes within the SAP system) the user may start. When the user starts a transaction, SAP first checks that the transaction code is among the user's authorizations (authorization object S_TCODE); the transaction's own code then checks the authorization objects for the specific tasks it performs. Because a user's authorizations are the union of everything in all of their roles, a value granted in one role can satisfy a check made by a transaction reached through another role.
Under SAP security best practices, admins create a standard role for a position, which can then be assigned to anyone occupying that position. For example, a company might create a financial consultant role that permits each consultant to run a set of transactions related to credit limits and other tasks their job covers. Each consultant would receive an authorization to maintain customer credit limits, with the authorization's organizational field values restricted to their own customers. This lets the consultants do their jobs, while minimizing the security risks they pose.
While security is crucial for any technology, SAP HANA security requires unique adaptations from the standard SAP security model. There are three top SAP HANA best practices you should implement as part of your security routine.
First, operate on a least-privilege model, so that the damage an employee could cause (deliberately or by accident) is bounded by the access they actually need. Second, ensure you have the right expertise: SAP HANA grants database users system, object, analytic and package privileges through HANA roles, which are implemented differently from the ABAP authorization objects traditional SAP permissions use. Third, understand how HANA handles object ownership to avoid catastrophic events; objects in HANA are owned by the database user that created them, so dropping that user with the CASCADE option drops every object it owns.
Although security concepts remain fairly consistent across applications, each application, such as SAP HANA, has a distinct implementation process and knowledge base.
Implementing SAP Fiori can pose a variety of new security risks that you should be aware of. You can help mitigate these risks by making sure you have a comprehensive understanding of SAP Fiori security best practices.
There are eleven main security best practices you should keep in mind when implementing Fiori. Some include managing your access controls, defining security baselines for SAP, leveraging threat intelligence tools, and more. Overall, these practices help boost your enterprise’s security and proactively mitigate SAP system risks.
To help secure SAP Fiori and address its associated risks, leveraging a tool like ControlPanelGRC can help solve issues around access control. This GRC solution works not only in SAP Fiori, but also in the SAP GUI.
The first step to alleviating your worries about SAP security is understanding what it is: a control process that helps address specific enterprise risks. For instance, it provides various tools that restrict user capabilities within an SAP landscape. The balance lies in providing users enough access to fulfill their job needs, while maintaining strong Segregation of Duties (SoD) controls.
While SAP security can be managed by your internal IT team, that approach carries a couple of risks that should be considered. Perhaps your business lacks certain skill sets that are required, or the people administering security are themselves the insider threat the controls are meant to contain. Maybe your internal team can't easily recognize issues in your SAP security controls because they lack an outside perspective.
In these situations it proves helpful to have an outside, managed security partner. They can spot gaps in your controls, reduce the risk of internal attacks, keep your internal team accountable, and let you use your internal IT team more efficiently.
SAP security is a balance between locking data down and keeping it accessible and usable for the people who need it. Understand these three key SAP security basics to help you get started laying the foundation for protecting your business.
Establish your baseline risks by reviewing which people hold the company's most powerful and sensitive roles, evaluating custom transactions that fall outside normal procedure, and running a Segregation of Duties (SoD) risk analysis.
It's also important to define your controls and perform a system risk assessment. Knowing who controls various aspects of the business enables you to assign proper mitigating controls. Performing regular risk assessments of SAP users' password strength, profile parameters (the login/* and auth/* settings that govern password policy, lockout and authorization checks), developer keys, and more will also help you mitigate risk.
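One of the routine assessments above, checking profile parameters against a baseline, is something you can script. The following is an added example written for this article, not a Symmetry or SAP tool: it parses profile lines in the `parameter = value` form SAP instance profiles use and compares them against a small baseline. The parameter names are real SAP profile parameters, but the sample profile is constructed and the threshold values are illustrative assumptions; take the real targets from SAP's security notes and your own policy.

```python
"""Audit SAP profile parameters against a security baseline (added example)."""

# Constructed sample in instance-profile syntax; not taken from a real system.
SAMPLE_PROFILE = """
# constructed DEFAULT.PFL excerpt
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 0
rdisp/gui_auto_logout = 0          # 0 disables the GUI idle timeout
auth/rfc_authority_check = 1
snc/enable = 0
"""

# Baseline rules: parameter -> (operator, expected). Thresholds are assumptions
# chosen for illustration, not SAP's published recommendations.
BASELINE = {
    "login/min_password_lng": (">=", 8),
    "login/fails_to_user_lock": ("<=", 5),
    "login/password_expiration_time": ("between", (1, 90)),
    "login/no_automatic_user_sapstar": ("==", 1),
    "rdisp/gui_auto_logout": ("between", (1, 3600)),
    "auth/rfc_authority_check": (">=", 1),
    "snc/enable": ("==", 1),
}


def parse_profile(text):
    """Return {parameter: raw value}; '#' starts a comment, blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def _passes(value, op, expected):
    if op == ">=":
        return value >= expected
    if op == "<=":
        return value <= expected
    if op == "==":
        return value == expected
    if op == "between":
        low, high = expected
        return low <= value <= high
    raise ValueError(f"unknown operator {op!r}")


def audit(profile_text, baseline=BASELINE):
    """Return a list of (parameter, observed, rule) findings; empty means compliant.

    A parameter absent from the profile is reported as 'unset', because the
    kernel default then applies and must be verified separately (e.g. in RZ11).
    """
    params = parse_profile(profile_text)
    findings = []
    for name, (op, expected) in baseline.items():
        raw = params.get(name)
        if raw is None:
            findings.append((name, "unset", (op, expected)))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, f"non-numeric:{raw}", (op, expected)))
            continue
        if not _passes(value, op, expected):
            findings.append((name, value, (op, expected)))
    return findings


if __name__ == "__main__":
    for name, observed, rule in audit(SAMPLE_PROFILE):
        print(f"FINDING {name}: observed={observed} expected {rule[0]} {rule[1]}")
```

Running it against the constructed profile reports six findings and accepts only `auth/rfc_authority_check`. In practice you would feed it the output of the profile parameter report (transaction RSPARAM) for every application server, since instance profiles can override the defaults per instance.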
Why SAP Security Basics Are Easy to Get Wrong
It's easy to get SAP security settings wrong because SAP security can get quite complicated. SAP security settings can interact in complex, unintended ways. Authorization objects are shared between transactions, and a user's authorizations accumulate across all of their roles, so granting access to one piece of data can give inadvertent access elsewhere. For example, one of our customers had previously granted a manager access to see their employees' performance appraisals, but did it incorrectly. As a result, the manager was able to see their own appraisal before it was complete.
Getting SAP security basics wrong can be bad for business, e.g. if a customer manager is only supposed to see customer names but is accidentally given access to their credit card numbers. This is a PCI DSS violation that can lead to fraud. And some kinds of access (e.g. debugging with the ability to change variable values at runtime) can let users bypass access controls entirely.
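The accumulation effect described above, together with the SoD risk analysis and critical-access review mentioned under the security basics, can be modelled in a few dozen lines. The block below is an added example for this article, not SAP code or a Symmetry tool. It follows the semantics of an SAP authorization check (every field of the required values must match one authorization instance for the object; instances from all roles are pooled), but the roles, the users, the SoD rule and the mapping from transaction to checked objects are constructed; a real system takes that mapping from SU24 and the actual objects carry more fields than shown here.

```python
"""Toy model of SAP authorization checks, effective access and SoD analysis (added example)."""
from fnmatch import fnmatchcase

# An authorization instance is (object, {field: [allowed value patterns]}); '*' is a wildcard.
# A role is a list of instances. Constructed roles, not taken from a real system.
ROLES = {
    "Z_AP_VENDOR_MASTER": [
        ("S_TCODE", {"TCD": ["FK01", "FK03"]}),
        ("F_LFA1_APP", {"APPL": ["F"], "ACTVT": ["01", "03"]}),
    ],
    "Z_AP_PAYMENTS": [
        ("S_TCODE", {"TCD": ["F-53"]}),
        ("F_BKPF_BUK", {"BUKRS": ["1000"], "ACTVT": ["01"]}),
    ],
    "Z_CREDIT_DISPLAY": [
        ("S_TCODE", {"TCD": ["FD*"]}),          # wildcard used "to cover all FD display screens"
        ("F_KNKA_KKB", {"KKBER": ["*"], "ACTVT": ["03"]}),
    ],
    "Z_CREDIT_OWN_AREA": [
        # Change access for the user's own credit control area; the admin assumed it was
        # harmless because this role grants no transaction code of its own.
        ("F_KNKA_KKB", {"KKBER": ["2000"], "ACTVT": ["02"]}),
    ],
    "Z_DEVELOPER": [
        ("S_TCODE", {"TCD": ["SE38"]}),
        ("S_DEVELOP", {"DEVCLASS": ["Z*"], "OBJTYPE": ["PROG", "DEBUG"],
                       "OBJNAME": ["*"], "P_GROUP": ["*"], "ACTVT": ["01", "02", "03"]}),
    ],
}

# Constructed stand-in for SU24: object checks each transaction performs after S_TCODE.
TRANSACTION_CHECKS = {
    "FK01": [("F_LFA1_APP", {"APPL": "F", "ACTVT": "01"})],           # create vendor
    "F-53": [("F_BKPF_BUK", {"BUKRS": "1000", "ACTVT": "01"})],       # post outgoing payment
    "FD32": [("F_KNKA_KKB", {"KKBER": "2000", "ACTVT": "02"})],       # change credit limit
    "FD33": [("F_KNKA_KKB", {"KKBER": "2000", "ACTVT": "03"})],       # display credit limit
    "SE38": [],                                                       # ABAP editor; S_DEVELOP checked per action
}

SOD_RULES = [("FK01", "F-53", "create vendor and pay vendor")]        # constructed rule set
CRITICAL = [("S_DEVELOP", {"OBJTYPE": "DEBUG", "ACTVT": "02"})]       # debug with replace

USERS = {  # constructed assignments
    "jdoe": ["Z_AP_VENDOR_MASTER", "Z_AP_PAYMENTS"],
    "msmith": ["Z_CREDIT_DISPLAY", "Z_CREDIT_OWN_AREA"],
    "dev01": ["Z_DEVELOPER"],
}


def user_auths(user):
    """Pool the instances of every role the user holds (this is the accumulation)."""
    return [inst for role in USERS[user] for inst in ROLES[role]]


def has_auth(auths, obj, required):
    """AUTHORITY-CHECK semantics: one instance of obj must satisfy every required field."""
    for o, fields in auths:
        if o == obj and all(any(fnmatchcase(val, pat) for pat in fields.get(f, []))
                            for f, val in required.items()):
            return True
    return False


def can_run(auths, tcode):
    return has_auth(auths, "S_TCODE", {"TCD": tcode}) and all(
        has_auth(auths, obj, req) for obj, req in TRANSACTION_CHECKS[tcode])


def effective_transactions(user):
    auths = user_auths(user)
    return sorted(t for t in TRANSACTION_CHECKS if can_run(auths, t))


def sod_conflicts(user):
    tcodes = set(effective_transactions(user))
    return [desc for a, b, desc in SOD_RULES if a in tcodes and b in tcodes]


def critical_auths(user):
    auths = user_auths(user)
    return [obj for obj, req in CRITICAL if has_auth(auths, obj, req)]


if __name__ == "__main__":
    for user in USERS:
        print(user, effective_transactions(user), sod_conflicts(user), critical_auths(user))
```

The run shows the three failure modes in one pass: jdoe's two individually reasonable roles combine into a create-vendor-and-pay-vendor SoD conflict; msmith can change credit limits through FD32 because the display role's `FD*` wildcard supplies the transaction code and the other role supplies the change activity, even though neither role was meant to allow that; and dev01 holds the debug-with-replace authorization that lets a user alter variables mid-check and so bypass authorizations altogether. Replacing `FD*` with the explicit `FD33` in the display role closes the second gap, which is the kind of fix a role redesign should produce.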
How SAP Security Services Fail at Go Live
Many integration partners see SAP security as an obstacle; they want to get the system up and running first, and don’t want to have to deal with complicated role creation. Instead of accounting for SAP security basics in the planning stage, they try to tack on security controls once the project has been built, with potentially disastrous results.
Compounding the problem, most testing is done in the quality assurance (QA) system, where the SAP project management team has unlimited access. Failing to test with the restricted roles users will actually hold in production can lead to major SAP security risks by giving users too much access, or paralyze the company by not providing all the permissions users need to do their jobs. These mistakes also increase the damage an external attacker can do, since an account with excess authorizations yields more access when it is compromised.
Companies regularly face threats from outside the firewall through cyber-attacks – that’s why it is vital you build a comprehensive SAP security architecture inside the firewall to build both agile and sustainable data protection.
Creating a balance of access, risks and controls among employees is important in managing risk. Limiting data access may minimize risk, but without enabling access and permissions to users who need it, an organization can become paralyzed.
It’s also key to keep your SAP security architecture nimble in order to adapt with changing roles and responsibilities throughout the organization. This will help mitigate any risks and potential SoD conflicts that come along with shifting people, roles, and processes.
Redesigning SAP Security with Ease
There’s a large difference between simply enhancing an SAP security landscape with a sound structure and having to completely redesign dysfunctional, outdated SAP security that has a poor foundation.
Companies may attempt to fix old security models with poor foundations as opposed to redesigning the entire SAP security landscape. Attempting to manually revamp an SAP security model then often results in an unusable system. That’s why you should consider automating your SAP controls and partnering with experienced SAP security experts to ease the redesign process.
Having a partner that understands SAP security redesign can help you minimize risk and fully utilize automation software tools that can reduce overall redesign time and cost by more than 50%. For instance, automation tools like ControlPanelGRC Security Acceleration Suite can help you streamline troubleshooting and routine redesign tasks.
Without regular monitoring of your organization’s SAP health, you can’t fully maximize what SAP has to offer or use new insights to improve your performance and strategy. It really comes down to being aware and having the internal skill set to effectively use Solution Manager to perform system health checks.
With SAP comes Solution Manager (SolMan), an invaluable solution that provides technical monitoring capabilities for daily system health checks, as well as EarlyWatch Alerts that delve deeper and provide comprehensive information on your system health. That’s why it’s crucial that you fully utilize all that SolMan has to offer.
While SolMan provides the tools you need to monitor SAP health, it can be difficult to use it effectively because of large, unprioritized information sets. Having adequate SAP Basis support staff and using support tools like ScienceLogic can help manage and automate the process of conducting regular SAP system health checks, as well as prioritize your system’s most important needs.
SAP security is evolving to make things easier. What might have once been nearly impossible is now routine. A sound SAP security solution makes life easy by merging three core considerations: SAP GRC, SAP security and cloud security. A managed SAP Security Services team can readily take on the first two, setting GRC policies and simplifying your SAP security model to meet required policies. The MSP can also deal with daily security tasks.
Cloud security takes focus, though. With or without an MSP, your SAP cloud security team needs to perform the following tasks:
- Continuous vulnerability scanning
- Monitoring user activity and compliance
- Applying patches quickly
- Fixing other SAP platform problems, e.g. configuration issues
- Using advanced threat intelligence to anticipate and address risks
Making SAP Security Part of Your Routine
SAP security mainly focuses on insider threats, such as risks of fraud, theft, vandalism, and record keeping errors, and does not by itself protect your business from external attacks. That's where cyber and cloud security come in. Focusing on both SAP and cloud security together will build a complete strategy for protecting your enterprise.
Many companies struggle with basic SAP security and cloud security. In terms of internal threats, organizations commonly face outdated security approaches and inefficient approval sign-offs that delay processes and decrease productivity. In preventing external threats, companies struggle to perform regular SAP maintenance, work from poor information or priorities, and cannot rule out that an external attacker has insider assistance.
Having the right SAP managed security services team can help you effectively support your internal SAP GRC and SAP security needs, while your cloud security team and partners like Onapsis can help proactively spot external threats.
Why SAP is a Cyber “Crown Jewel”
Security is based on the principle of prioritized defense. It’s impossible to defend every digital asset to the same degree. As a result, security experts recommend protecting the company’s “crown jewels” with the most intense countermeasures. SAP is one of those crown jewels. If your business runs on SAP, then your SAP landscape contains your most valuable and sensitive data – the kind hackers like to steal. In addition, shutting down your SAP system will effectively shut down your business. As a crown jewel, SAP needs robust security.
If you pay attention to the news, you will undoubtedly see an endless procession of destructive and extremely costly data breaches. These breaches exploit cyber security vulnerabilities. A vulnerability is a weakness in a system, one that can be exploited by a malicious actor. For example, an unfiltered email system is vulnerable to the threat of phishing attacks.
SAP landscapes are vulnerable to network-borne threats, application-level attacks, email-based attacks and social engineering. An attacker might use a phishing attack to steal login credentials for your SAP system. Then, with those credentials, he or she can enter your system and steal data. Or, the hacker could sell the stolen credentials on the "dark web," and other hackers could then enter your system for malicious purposes.
Working with an SAP Security Partner
Symmetry has deep expertise in both IT project management and long-term IT managed services, so we understand the importance of careful planning and thorough testing. By incorporating strict security and compliance controls in the planning phase, we establish a strong foundation for long-term SAP security services.
Working with you, we then build on that foundation post-go-live, with 24-hour monitoring and incident response, along with direct access to a dedicated SAP support team. Our customers sleep better, knowing that in an emergency, they’ll never have to wait on hold or navigate a help menu.
Learn how to catch SAP security vulnerabilities and make your SAP landscape more secure with our ControlPanelGRC Security Risk Assessment.