SecurityBridge Expands U.S. Partnerships With Taciti Consulting
SecurityBridge Expands U.S. Partnerships With Taciti Consulting Alliance.
Combined Efforts Streamline SAP S/4HANA Transformations and Secure SAP Ecosystem
Whether security in SAP environments is relevant is not up for debate anymore. The SAP secure operations map has been around for a long time (when I worked at SAP as a product manager, it was called SAP Security Solution Map) and provides a 360-degree view of SAP security. Let’s take a deeper look:
An SAP Security dashboard is a key piece for solving the complexity issue discussed before.
Andreas Kirchebner (SAP Security Lead Austria at Accenture and chair of the DSAG working group for SAP Cloud Security) and I recently talked about dashboards: The key concept is to visualize SAP security posture in an easy-to-digest way.
A simple way to illustrate this would be a single traffic light combined with the top 5 risks that are currently the focus of mitigation activities. Do not show only risks; managers also need to understand what you have already done and where you need help. A filter can be: Top x recommendations of SAP, then the baseline topics, and then everything filtered by necessity level.
The next level could be a system overview. A leading pharma company in France has implemented this dashboard use case. They have defined a benchmark based on the SAP Baseline Security Template and measured the compliance of each key system against it. This shows overall progress over time and which systems and areas of responsibility are covered. The CISO organization could show that the security status could be increased from 15% to 75+% in a 2-year timeframe. That is tangible, isn’t it?
Besides status, showing the trend of SAP security is important. Do we make progress? Do we fall behind? What is the impact of migration? Or a shift to a HANA system? Or a new acquisition where some procedures need to be integrated? Etc.
Finally, a mitigation projects list could be illustrated. What is going on? Are we on time and within budget? What’s blocking success and must be escalated?
A dashboard should also allow drilling down to the system owner level and the topic owner level (as defined by the SAP Secure Operations Map). Ideally, this is complemented with a knowledge base and monitoring capabilities (bridging the gap between the identification of an issue and the actual correction).
I have experienced many situations leaving customers “lost in space.” They had an “Über-Berater” in a project who showed them how bad their SAP security is and explained that with hundreds of examples without showing how and where to start. This usually does not work since every organization has its own pace. Knowing that 100% security is not possible, it’s better to assess where to invest and how far you can get that way (cost and benefit). We recommend the following approach (I like to draw an analogy with a big health check when you reach the middle of your life):
The dashboard requirement has been around for quite some time. At the DSAG Technologietage in Düsseldorf in May 2022, Sebastian Westphal, DSAG Board Member for Technology, said: “There is an urgent need to implement the security dashboard, a core demand of DSAG for two years now.”
This implies that we are not yet there. For me, it also shows different ways of thinking. Naturally, there is a request for a security dashboard from SAP. However, I have also seen dashboard projects where SAP data is collected and added to self-made or integrated solutions (based on Microsoft Excel (yes, this is still used for this), QlikView, SAP Analytics Cloud, etc.). There are also third-party solutions that contain dashboarding capabilities.
No matter which route you take – a dashboard for SAP Security is key to being successful in mastering the SAP security challenges. And it is key to understand your reporting requirements for your organization. I would say that is the ultimate starting point and I look forward to further elaborating on this.