
SAP Secure Operations Map


The SAP Secure Operations Map is part of the security recommendations published by SAP and has been revised several times over the years. While the diagram below is well known to SAP security experts, far fewer people in Information Security are familiar with it.

Copyright: SAP 2020

Changes in Version 2

Changes to the SAP Secure Operations Map are usually made by SAP without much notice. SAP security experts will spot these changes right away, as SAP's security recommendations are, quite rightly, regarded as the standard guide for experts. From version 1 to version 2, the SAP Secure Operations Map, which essentially consists of five levels with associated task areas, has been revised. A comparison of the five levels reveals the reorientation in version 2.

Level   Version 1                  Version 2
5       Security Compliance        Organization
4       Security Operation         Process
3       Security Setup             Application
2       Security Code              System
1       Infrastructure Security    Environment

The new structure of the levels allows the SAP Secure Operations Map to cover a larger scope. While the first version was mostly concerned with the SAP solutions themselves, version 2 now spans from the environment on the lowest level ("Environment") up to the organization on the top level. Let's take a closer look at this current version. I don't want to go into the details and methods behind the individual topics, as this would go beyond the scope of an article; instead, I want to focus on the assertions suggested by the current SAP Secure Operations Map illustration.

The Illustration

For this we have to look at the chosen visualization. It is not a map in the true sense of the word, but rather an arrangement of building blocks. Consistent with the theme of cyber defence, the SAP Secure Operations Map presents itself as a defensive wall: it symbolizes a security defence that an attacker must overcome to gain access.

Design and structure

The security defence wall illustration follows a clear scheme. There are five levels that build on top of each other like rows of bricks. This arrangement suggests that the subjects on the lower rows provide the foundation for those above them. It might therefore make sense to work strategically from bottom to top in order to increase the effect of the measures.

The Levels

At first glance, the structure of the individual levels does not suggest any fixed dependencies, apart from the fact that each level, e.g. "Environment", lists its associated areas, subjects and activities.

Level 1: Environment

The foundation is the Environment level, which covers the areas:

- Network Security
- Operating System & Database Security
- Client Security

Level 2: System

- Security Hardening
- Secure SAP Code
- Security Monitoring & Forensics

This level is largely focused on the standard SAP product and the installed add-ons. The SecurityBridge platform for SAP covers these three thematic blocks and includes even more areas from the following levels.

Level 3: Application

This level also deals with the SAP standard product, but from a different perspective. Here, the areas are:

- User & Identity Management
- Authentication & Single Sign-on
- Roles & Authorization
- Custom Code Security

All these areas are determined by the customer, the environment and the intended use.

Level 4: Process

This level is about the processes and actions that are performed within the SAP system. These must comply with certain standards in order to prevent unauthorized access to personal data (GDPR) and fraud, and applicable legal frameworks must be complied with. The following areas are included:

- Regulatory Process & Compliance
- Data Privacy & Protection
- Audit & Fraud Management

Level 5: Organization

As the name suggests, this level is about organizational measures such as risk assessment in Enterprise Risk Management (ERM), as well as awareness training for users, etc. The areas listed can certainly only be understood as incomplete examples:

- Awareness
- Security Governance
- Risk Management

Final Conclusion

I hope this has given you some insight into the SAP Secure Operations Map and enables you to use it to help with your security challenges. Perhaps a more important take-away, however, is that the SAP Secure Operations Map visualizes the necessity of a holistic security approach to protect business-critical SAP applications. All components and areas must meet a certain standard of protection in order to adequately protect the SAP system. It is far from optimal to have excellence in one of the security domains mentioned (e.g., custom code security) if the system as a whole is not configured securely.

Posted by

Till Pleyer