SAP Security Dashboard by SecurityBridge
Whether security in SAP environments is relevant is not up for debate anymore. The SAP secure operations map has been around for a long time (when I worked at SAP as a product manager, it was called SAP Security Solution Map) and provides a 360-degree view of SAP security. Let’s take a deeper look:
- SAP Security is its own domain. Given the proprietary nature of SAP, its concepts are sometimes different from, on top of, or complementary to general IT security. Take roles and authorizations as an example: this is a typical SAP topic, but also subject to change with the new HANA roles. The fact that authority checks must be implemented in code (an authorization object is only enforced where the program actually calls the check) makes it unique, and it is well known that you need compliance checks on top of GRC solutions, because an authorization concept is only one layer: the best role concept is worthless if you don't patch your system properly or run it on an unprotected operating system. All key concepts are categorized in the SAP Secure Operations Map, making it a great way to get a complete picture.
- The other issue is that there is still a gap between SAP security and IT Security teams. They often work in different departments, speak different languages, and don’t harmonize technical solutions and resulting data.
- Finally, we need different levels of detail for different target groups. For example, the management team (CxO) usually cannot and does not have to understand terms like directory traversal or SAP Gateway remote code execution; these are terms for the Basis or development team. Managers do, however, need to understand the risk impact of such issues to avoid bad business outcomes.
Unified View: SAP Security Dashboard
An SAP Security dashboard is a key piece for solving the complexity issue discussed before.
Andreas Kirchebner (SAP Security Lead Austria at Accenture and chair of the DSAG working group for SAP Cloud Security) and I recently talked about dashboards: The key concept is to visualize SAP security posture in an easy-to-digest way.
A simple way to illustrate this would be a single traffic light plus the top 5 risks that are currently the focus of mitigation activities. You should not only show risks; managers also need to understand what you have done already and where you need help. A possible filter: the top x recommendations from SAP, then the baseline topics, then everything else filtered by necessity level.
The next level could be a system overview. A leading pharma company in France has implemented this dashboard use case: they defined a benchmark based on the SAP Baseline Security Template and measured the compliance of each key system against it. This shows overall progress over time and which systems and areas of responsibility are covered. The CISO organization could show that the security status had been raised from 15% to over 75% within two years. That is tangible, isn't it?
Besides status, showing the trend of SAP security is important. Do we make progress? Do we fall behind? What is the impact of a migration? Or of a shift to a HANA system? Or of a new acquisition where some procedures need to be integrated? Etc.
Finally, a mitigation projects list could be illustrated. What is going on? Are we on time and within budget? What’s blocking success and must be escalated?
A dashboard should also allow drilling down to the system owner level and the topic owner level (as defined by the SAP Secure Operations Map). Ideally, this is complemented with a knowledge base and monitoring capabilities, bridging the gap between the identification of an issue and its actual correction.
How to get started
I have seen many situations that left customers "lost in space": an "Über-Berater" (super-consultant) in a project showed them how bad their SAP security was, with hundreds of examples, but not how and where to start. This usually does not work, since every organization has its own pace. Knowing that 100% security is not possible, it is better to assess where to invest and how far you can get that way (cost and benefit). We recommend the following approach (I like to draw an analogy with the big health check you get when you reach the middle of your life):
- Start with an “anamnesis” where you determine the status of the different topics of the SAP secure operations map and the SAP Baseline Security Template. This can be tool-supported to cover as much information as you can and to be repeatable.
- Ask the consultant doing this for a list of “quick wins” – aka things your organization can and should do immediately with given time and budget constraints.
- Based on that data, targets can be defined for the different topics. What must be done and why, when, and how long will it take? That way, a roadmap can be shaped that you can use to constantly improve the SAP security level over time.
- Reporting progress can be achieved by showing trends in the dashboard, while monitoring helps cover the areas where you cannot yet act.
- Regular review meetings with the management are not only useful, but they are also key to the success of a comprehensive SAP security program. Thus, a dashboard is a key requirement for getting this done.
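To make the dashboard levels described above concrete (per-system compliance against a benchmark, roll-up by Secure Operations Map topic and by system owner, a trend between two assessments, a management view with one score and the top failing checks, and the "quick wins" list from the approach just outlined), here is an added example in Python. It is not SecurityBridge code and not the pharma company's implementation. The check IDs, topics, effort ratings, system names, owners and both assessment snapshots are constructed for illustration; they are not the official SAP Baseline Security Template item numbers, and the traffic-light thresholds are assumed values.

```python
"""Data model behind an SAP security dashboard (constructed example).

Not SecurityBridge code. Check IDs, topics and effort ratings are illustrative
and do not correspond to the official SAP Baseline Security Template numbering;
the traffic-light thresholds are assumed values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    check_id: str      # illustrative ID, not an official baseline item number
    topic: str         # block of the SAP Secure Operations Map the check belongs to
    effort: str        # assumed attribute: "low" | "medium" | "high"
    description: str


# Constructed benchmark: well-known hardening items, named here for illustration.
BASELINE = (
    Check("GW-ACL", "System Hardening", "low", "Gateway ACL enforced (gw/acl_mode = 1)"),
    Check("AUDIT-LOG", "Security Monitoring", "low", "Security Audit Log active"),
    Check("PW-LEN", "Authentication", "low", "login/min_password_lng >= 8"),
    Check("RFC-PW", "Authentication", "medium", "rfc/reject_expired_passwd = 1"),
    Check("NOTES", "Security Patch Management", "high", "HotNews notes applied"),
    Check("SAP-ALL", "Roles & Authorizations", "medium", "No SAP_ALL outside emergency users"),
)

# Drill-down level: system owner per system (constructed).
SYSTEM_OWNER = {"ERP-PRD": "Team ERP", "BW-PRD": "Team BI", "S4-DEV": "Team ERP"}

# Assessment snapshots: system -> check_id -> passed. A missing entry counts as failed,
# so a system nobody has assessed shows up red instead of vanishing from the view.
SNAPSHOT_2022 = {
    "ERP-PRD": {"GW-ACL": False, "AUDIT-LOG": True, "PW-LEN": False,
                "RFC-PW": False, "NOTES": False, "SAP-ALL": False},
    "BW-PRD": {"GW-ACL": False, "AUDIT-LOG": False, "PW-LEN": True,
               "RFC-PW": False, "NOTES": False, "SAP-ALL": True},
    # S4-DEV: not assessed yet in the first run
}
SNAPSHOT_2023 = {
    "ERP-PRD": {"GW-ACL": True, "AUDIT-LOG": True, "PW-LEN": True,
                "RFC-PW": True, "NOTES": False, "SAP-ALL": True},
    "BW-PRD": {"GW-ACL": True, "AUDIT-LOG": True, "PW-LEN": True,
               "RFC-PW": False, "NOTES": False, "SAP-ALL": True},
    "S4-DEV": {"GW-ACL": True, "AUDIT-LOG": True, "PW-LEN": False,
               "RFC-PW": False, "NOTES": False, "SAP-ALL": False},
}


def _passed(snapshot, system, check):
    return bool(snapshot.get(system, {}).get(check.check_id, False))


def compliance(snapshot, system):
    """Percentage of baseline checks one system passes (system-owner level)."""
    passed = sum(_passed(snapshot, system, c) for c in BASELINE)
    return round(100 * passed / len(BASELINE), 1)


def rollup(snapshot, group_by):
    """Compliance per Secure Operations Map topic ("topic") or per owner ("owner").

    Counted over every (system, check) pair, so an owner with two systems is
    weighted by both, and a topic with two checks by both.
    """
    totals = defaultdict(lambda: [0, 0])  # group -> [passed, total]
    for system, owner in SYSTEM_OWNER.items():
        for check in BASELINE:
            group = check.topic if group_by == "topic" else owner
            totals[group][0] += _passed(snapshot, system, check)
            totals[group][1] += 1
    return {g: round(100 * p / t, 1) for g, (p, t) in totals.items()}


def traffic_light(score):
    """Assumed thresholds: 80%+ green, 50%+ amber, otherwise red."""
    return "green" if score >= 80 else "amber" if score >= 50 else "red"


def management_view(snapshot, n=5):
    """CxO level: one overall score, one light, and the n checks failing on most systems."""
    pairs = [(s, c) for s in SYSTEM_OWNER for c in BASELINE]
    score = round(100 * sum(_passed(snapshot, s, c) for s, c in pairs) / len(pairs), 1)
    failing = {c.check_id: sum(not _passed(snapshot, s, c) for s in SYSTEM_OWNER)
               for c in BASELINE}
    top = [cid for cid, k in sorted(failing.items(), key=lambda kv: -kv[1]) if k][:n]
    return {"score": score, "light": traffic_light(score), "top_risks": top}


def trend(previous, current):
    """Change in compliance per system between two assessments: do we make progress?"""
    return {s: round(compliance(current, s) - compliance(previous, s), 1)
            for s in SYSTEM_OWNER}


def quick_wins(snapshot):
    """Failing low-effort checks: what to fix first within given time and budget."""
    return sorted((s, c.check_id) for s in SYSTEM_OWNER for c in BASELINE
                  if c.effort == "low" and not _passed(snapshot, s, c))


if __name__ == "__main__":
    print(management_view(SNAPSHOT_2023))
    print(rollup(SNAPSHOT_2023, "topic"))
    print(rollup(SNAPSHOT_2023, "owner"))
    print(trend(SNAPSHOT_2022, SNAPSHOT_2023))
    print(quick_wins(SNAPSHOT_2023))
```

Two design choices matter more than the arithmetic. First, an unassessed system counts as failing everything; a dashboard that silently drops systems with no data hides exactly the gap the anamnesis step is supposed to surface. Second, the roll-ups are computed over (system, check) pairs rather than by averaging per-system percentages, so an owner responsible for several systems or a topic with several checks is weighted by what they actually own, which keeps the owner-level and topic-level numbers consistent with the overall score.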
DSAG Requirements and status in the market
The dashboard requirement has been around for quite some time. At the DSAG Technologietage in Düsseldorf in May 2022, Sebastian Westphal, DSAG Board Member for Technology, said: "The security dashboard urgently needs to be implemented; it has been a core demand of DSAG for two years now."
This implies that we are not there yet. For me, it also shows different ways of thinking. Naturally, there is a request for a security dashboard from SAP. However, I have also seen dashboard projects where SAP data is collected and fed into self-made or integrated solutions (based on Microsoft Excel (yes, this is still used for this), QlikView, SAP Analytics Cloud, etc.). There are also 3rd-party solutions that contain dashboarding capabilities.
No matter which route you take, a dashboard for SAP security is key to mastering the SAP security challenges. And it is key to understand the reporting requirements of your organization. I would say that is the ultimate starting point, and I look forward to elaborating on this further.