Ensuring SAP compliance
In information technology, compliance and security are inseparable. In SAP systems, this becomes even more obvious. ERP systems often hold the most valuable corporate data, and for that reason, they are also the subject of regular SAP audits, where compliance to several regulations, such as SOX or GDPR, are validated. These regulations, in turn, require having processes in place to secure the valuable data.
The Relationship between SAP Security and Compliance
With SAP systems, this relatively simple relationship between compliance and security becomes a little bit more complicated, for several reasons. Firstly, in order to comply to standards such as SOX or GDPR, it’s necessary to establish the correct values for related settings. This is quite a challenge with an SAP system with thousands of possible setting values. Secondly, most companies need to comply to several regulatory compliance standards, and these sometimes require different measures within the same domain. Take SOX and GDPR, for example. SOX asks for processes in place to secure data. This is like GDPR, with one big difference: GDPR also specifies that in the event of a data breach, authorities must be notified within 72 hours. Thirdly, there is a large overlap between SAP security and SAP compliance. A combination of several authorizations within an SAP system, for example, might be a violation of the segregation of duties (SoD) principle. At the same time, it might be a critical authorization which endangers the security of an SAP system.
Using security to comply to standards
There are many SAP compliance checklists out there which can be used in an SAP audit situation. However, just using an SAP compliance checklist will not change the fact that an SAP audit is still an effort. Some SAP customers report that when an SAP audit is done, they go right into preparation for the following SAP audit. As with security, the key to avoiding those situations is automation.
SecurityBridge is a modern SAP Security Platform, natively build in SAP. It uses an ABAP based Intrusion Detection System (IDS) to guard your SAP landscape 24/7. Its frontend is build with Fiori, which provides you an intelligent insight on the security posture of your ABAP, Java and HANA based systems.
A good illustration for the benefits of automation is the audit guideline from the German SAP User Group (DSAG). This guideline represents a valuable compliance checklist for SAP systems. Manually validating all 250+ checks contained in this guideline takes time. However, solutions such as SecurityBridge, are preconfigured with all the checks from the guideline. Therefore, customers can prepare, execute, and hand over their reports to the auditor simply and quickly.
Additionally, SecurityBridge provides more out-of-the-box benefits. Take GDPR example from above. Studies show that on average it takes weeks, even months, to discover an actual data breach. This conflicts with the requirement of GDPR to notify authorities within 72 hours. SecurityBridge provides real-time monitoring and detection of anomalies. This ensures not only compliance to GDPR, it also improves the sleep quality for those responsible, usually the CISO, CFO and CEO – knowing that their valuable data is being continually watched.