Ensuring SAP compliance

In information technology, compliance and security are inseparable. In SAP systems, this becomes even more obvious. ERP systems often hold the most valuable corporate data, and for that reason they are also the subject of regular SAP audits, in which compliance with several regulations, such as SOX or GDPR, is validated. These regulations, in turn, require having processes in place to secure that valuable data.

With SAP systems, this relatively simple relationship between compliance and security becomes a little more complicated, for several reasons. Firstly, in order to comply with standards such as SOX or GDPR, it is necessary to establish the correct values for the related settings. This is quite a challenge in an SAP system with thousands of possible setting values. Secondly, most companies need to comply with several regulatory standards at once, and these sometimes require different measures within the same domain. Take SOX and GDPR, for example. SOX asks for processes to be in place to secure data. GDPR asks for much the same, with one big difference: GDPR also specifies that in the event of a data breach, the authorities must be notified within 72 hours. Thirdly, there is a large overlap between SAP security and SAP compliance. A combination of several authorizations held by one user in an SAP system, for example, might be a violation of the segregation of duties (SoD) principle. At the same time, it might be a critical authorization that endangers the security of the SAP system itself.
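As an added illustration of the SoD point above (example code, not part of the original article and not SecurityBridge's product), the following check derives each user's effective transactions from their role assignments and flags combinations that a conflict rule forbids. The transaction codes are real SAP codes, but the conflict rules, role names and user assignments are constructed sample data, not the DSAG check list.

```python
# Added illustration (not SecurityBridge code): detect segregation-of-duties (SoD)
# conflicts from user -> role -> transaction assignments. Transaction codes are
# real SAP codes; the conflict rules, roles and users are constructed samples.

# Constructed conflict rules: pairs of transactions one person should not hold together.
SOD_RULES = {
    ("FK01", "FB60"): "create vendor master + post vendor invoice",
    ("ME21N", "MIGO"): "create purchase order + post goods receipt",
    ("SU01", "PFCG"): "maintain users + maintain roles",
}

# Constructed role -> transaction mapping (as an auditor would extract it from
# role menus / S_TCODE values) and constructed user -> role assignments.
ROLES = {
    "Z_AP_CLERK": {"FB60", "FK03"},
    "Z_VENDOR_MASTER": {"FK01", "FK02"},
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SM59"},
}
USERS = {
    "ALICE": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],
    "BOB": ["Z_BUYER"],
    "CAROL": ["Z_BUYER", "Z_WAREHOUSE"],
    "DAVE": ["Z_BASIS_ADMIN"],
}


def effective_tcodes(user, users=USERS, roles=ROLES):
    """Union of the transactions a user can run through all assigned roles."""
    return set().union(*(roles[r] for r in users[user]))


def sod_violations(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Return {user: [(tcode_a, tcode_b, description), ...]} for every rule hit.

    A rule fires only when the user holds BOTH transactions of the pair,
    regardless of which roles contribute them.
    """
    findings = {}
    for user in users:
        held = effective_tcodes(user, users, roles)
        hits = [(a, b, desc) for (a, b), desc in rules.items() if a in held and b in held]
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for a, b, desc in hits:
            print(f"{user}: {a} + {b} ({desc})")
```

Real audits work on the authorization-object level (S_TCODE plus the object values each transaction checks) rather than on transaction codes alone, so a transaction-based view like this is a first pass, not a substitute for the full check.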

Using security to comply with standards

There are many SAP compliance checklists out there that can be used in an SAP audit situation. However, simply using an SAP compliance checklist does not change the fact that an SAP audit is still a significant effort. Some SAP customers report that as soon as one SAP audit is done, they go straight into preparation for the next one. As with security, the key to avoiding that situation is automation.

SecurityBridge is a modern SAP Security Platform, natively built in SAP. It uses an ABAP-based Intrusion Detection System (IDS) to guard your SAP landscape 24/7. Its frontend is built with Fiori, which gives you intelligent insight into the security posture of your ABAP, Java and HANA based systems.

A good illustration of the benefits of automation is the audit guideline from the German SAP User Group (DSAG). This guideline represents a valuable compliance checklist for SAP systems. Manually validating all 250+ checks contained in it takes time. Solutions such as SecurityBridge, however, come preconfigured with all the checks from the guideline, so customers can prepare, execute, and hand over their reports to the auditor simply and quickly.

Additionally, SecurityBridge provides further out-of-the-box benefits. Take the GDPR example from above. Studies show that on average it takes weeks, even months, to discover an actual data breach. This conflicts with the GDPR requirement to notify the authorities within 72 hours. SecurityBridge provides real-time monitoring and detection of anomalies. This not only supports compliance with GDPR, it also improves the sleep quality of those responsible, usually the CISO, CFO and CEO, who know that their valuable data is being watched continuously.

Posted by

Patrick Boch