SAP Secure Operations Map
The SAP Secure Operations Map is part of the security recommendations published by SAP and has been revised several times over the years. While the diagram below is well known to SAP security experts, much fewer people in Information Security are familiar with it.
Changes in Version 2
Changes to the SAP Secure Operations Map are usually made by SAP without much notice. SAP security experts will find these changes obvious, as SAP’s security recommendation is, quite rightly, regarded as the standard guide for experts. From version 1 to 2, the SAP Secure Operations Map, which essentially consists of five levels with associated task areas, has been revised. A comparison of the five levels reveals the reorientation in version 2.
|Level||Version 1||Version 2|
The new structure of the levels allows the SAP Secure Operations Map to cover a larger scope. While the first version was mostly concerned with the SAP solutions, the environment on the lowest level with “Security Environment” up to the organization is now taken into account. Let’s take a closer look at this current version. I don’’t want to go into the details and methods behind the individual topics, as this would go beyond the scope of an article, instead, I want to focus on the assertions suggested by the current SAP Secure Operations Map illustration.
For this we have to look at the chosen visualization. It is not a map in the true sense of the word, but rather an arrangement of building blocks. Consistent with the theme of Cyberdefence, the SAP Secure Operations Map presents itself like a security wall in that it symbolizes a security defence that an attacker must overcome to gain access.
Design and structure
The security defence wall illustration follows a clear scheme. There are five levels that build on top of each other like rows of bricks. This arrangement suggests that the subjects on the lower rows provide the foundation for those above them. It might therefore make sense to work strategically from bottom to top in order to increase the effect of the measures.
At first glance, the structure of the individual level doesn’t suggest any fixed dependencies. Apart from the fact that on each level e.g. "Environment" the associated ranges, subject, activities are listed. The basis is the environment with the areas:
- Network Security
- Operating System & Database Security
- Client Security
- Security Hardening
- Secure SAP Code
- Security Monitoring & Forensic
This level is largely focused on the standard SAP product and the installed Add-ons. The SecurityBridge platform for SAP, covers the three thematic blocks and includes even more areas from the following levels.
This level also deals with the SAP standard product, but from a different perspective. Here, the areas are:
- User & Identity Management
- Authentication & Single Sign-on
- Roles & Authorization
- Custom Code Security
All these areas are determined by the customer, the environment and the intended use.
This is about the process and actions that are performed within the SAP system. These must comply with certain standards to prevent access to personal data (GDPR) or fraud. Also, legal frameworks must be complied with. The following areas are included:
- Regulatory Process & Compliance
- Data Privacy & Protection
- Audit & Fraud Management
As the name suggests, this is about organizational measures such as risk assessment in Enterprise Risk Management (ERM), as well as awareness training for users, etc. The areas mentioned can certainly only be understood as incomplete examples:
- Security Governance
- Risk Management
I hope this has given you some insight into the SAP Secure Operations Map, and enables you to use this to help with security challenges. However, pehaps a more important take-away from this, is that the SAP Secure Operations Map visualizes the necessity of a holistic security approach to protect the SAP critical enterprise applications. All components and areas must comply with a certain standard of protection in order to adequately protect the SAP system. It’s far from optimal to have excellence in one of the security domains mentioned (e.g., custom code security) if the entire system is not configured securely.