skip to Main Content

SAP SecurityEven a casual review of the news reveals how corporations are in the midst of a severe crisis of cyber vulnerability. It seems like every day another well-known business announces a major data breach. The costs of remediating these breaches can be immense. In some cases, reputational damage is hard even to repair.

Enterprises that run SAP have unique risk exposure, due to the business-critical nature of data held on SAP solutions. This fact collides with another current, difficult truth: it’s extremely challenging (some say impossible) for a single, in-house team to perform all of the required security and compliance workloads. Managed SAP security services offer an answer. They provide a range of expertise and services, as required, to fill in gaps and ensure a robust security posture for SAP enterprises.

What are Managed Security Services?

Managed Security Services (MSS) are a growing sector in the broader world of IT outsourcing. Their popularity arises from a nearly universal shortage of trained and affordable security personnel. Certain security tasks also tend to be repetitive, demanding around-the-cloud vigilance. Having an external resource pool to tap for security and services helps avoid gaps in important workloads like security monitoring and alert response. An MSS provider also enables a core, in-house security team to focus on high-level security matters that are unique to the business. The MSS resources handle the routine work as well as periodic situations that require expertise.

Why Security is So Critical for Enterprises that Run SAP

Cyber security professionals have a term to describe data assets that must absolutely be protected at all costs. They refer to them as “the crown jewels.” Security policies typically concentrate on defending the crown jewels. In a “defense in depth” security strategy, for example, the most layers of countermeasures surround the crown jewels.

SAP solutions, with their tendency to form the operational heart of the enterprise, along with the financial system of record, are invariably the crown jewels of most businesses. Disruption of SAP usually means a break in profitable operations. It correlates to difficulty in the supply chain and tension with customers. A breach of an SAP solution might mean the loss of valuable customer data—a scenario that could even put a company into violation of the law in the process.

Hackers target SAP. It’s where the high-value data lives. SAP may handle financial transactions, making them vulnerable to fraudsters. Insiders may even be a threat, taking advantage of deficient financial controls in the system to embezzle funds.

For example, a well-designed financial system will have “Segregation of Duties” (SOD) affecting users. An SAP user who has the authority to request a check should not also have the authority to approve the check. If the request and approval duties are not segregated, there is an opportunity for fraud, or at least costly errors. SOD is largely a matter of SAP permission and role settings. Though many business leaders dislike contemplating this possibility, it is nonetheless a very real problem. And, compliance (e.g. Sarbanes-Oxley) demands that businesses mitigate such risks with strong controls over financial reporting.

SAP security is as much about business as it is about security and technology. With the role data plays in an enterprise, security policies that are overly restrictive may lock down the data to the point where the controls negatively affect productivity. The security team has to work with the business to define and enforce security policies for SAP that balance security needs with operational imperatives.

How Managed SAP Security Services Work

MSS programs for SAP vary widely. In our experience, we have found that most enterprises want flexibility in the way they engage with an MSS vendor. They might ask us for technical troubleshooting for complex issues or change control management. Documenting and carefully managing the latter is required for compliance in many cases. Other MSS offerings from Symmetry include:

  • Security monitoring of SAP solutions – This service involves the analysis of user activities and the identification of possible security policy violations. With insights gleaned from our Governance, Risk Management and Compliance (GRC) platform, we can highlight issues like inactive logons, unused passwords and so forth. The platform can also record system usage statistics.
  • Security-related maintenance — The MSS vendor designs roles and manages the day-to-day tasks of user changes. The advantage of this approach comes from the placement of a consistent resource (The MSS vendor) in control of user roles, which is required for SOD as well as for security policies that prevent unauthorized transactions and system access.
  • SAP Audit reportingAuditors need to accurately audit and test the environment. A GRC platform can enable an organization to get clean ahead of the audit along with simplify and automate the process of gathering the otherwise tedious samples.

Figuring Out If You Need Managed SAP Security Services

Does your enterprise need managed SAP security services? Only you will know the answer, of course. Our clients have found that it can pay to trust some or all of their SAP security and compliance to our team. In some cases, we offer expert SAP security training and support when it’s needed. As maintaining a clean, compliant SAP security architecture becomes increasingly complex in SAP environments, we find that some clients prefer to have some external help. In other engagements, we perform ongoing security monitoring and maintenance tasks on a permanent basis.

We have project-based security services as well. In these situations, we perform security assessments and make security architecture recommendations for your team to implement. For example, we can establish a single point of administration for all SAP user accounts.

We are known for delivering managed SAP security services in such a way that our SAP security and compliance experts blend seamlessly into your environment. The result is to keep you audit-ready and focused on running your business. Learn more about our SAP Security Solutions.

Ben Uher, Client Manager of Security & Controls

Ben Uher manages the SAP Security and Controls Practice at Symmetry where he leads a team of permanent Consultants in delivering SAP Security and GRC offerings to global organizations. His deep knowledge in everything SAP Security and GRC related has come from the opportunity to work with over 150 Organizations running SAP throughout various cycles of their implementations. Variation in industry, sector and size has provided a breadth of opportunity and experience in almost every facet of SAP technology spanning HANA, Fiori, ERP, BW/BI, HCM and SCM amongst others. Most importantly, Ben is driven based on results and continually strives to provide exceptional support for the organizations that rely on him and his team as trusted advisers for SAP Security and GRC support.