SAP Secure Operations Map


The SAP Secure Operations Map is part of the security recommendations published by SAP and has been revised several times over the years. While the diagram below is well known to SAP security experts, much fewer people in Information Security are familiar with it.

Copyright: SAP 2020

Changes in Version 2

Changes to the SAP Secure Operations Map are usually made by SAP without much notice. SAP security experts will find these changes obvious, as SAP’s security recommendation is, quite rightly, regarded as the standard guide for experts. From version 1 to 2, the SAP Secure Operations Map, which essentially consists of five levels with associated task areas, has been revised. A comparison of the five levels reveals the reorientation in version 2.

Level Version 1 Version 2
Security Compliance
Security Operation
Security Setup
Security Code
Infrastructure Security

The new structure of the levels allows the SAP Secure Operations Map to cover a larger scope. While the first version was mostly concerned with the SAP solutions, the environment on the lowest level with “Security Environment” up to the organization is now taken into account. Let’s take a closer look at this current version. I don’’t want to go into the details and methods behind the individual topics, as this would go beyond the scope of an article, instead, I want to focus on the assertions suggested by the current SAP Secure Operations Map illustration. 

The Illustration

For this we have to look at the chosen visualization. It is not a map in the true sense of the word, but rather an arrangement of building blocks. Consistent with the theme of Cyberdefence, the SAP Secure Operations Map presents itself like a security wall in that it symbolizes a security defence that an attacker must overcome to gain access.

Design and structure

The security defence wall illustration follows a clear scheme. There are five levels that build on top of each other like rows of bricks. This arrangement suggests that the subjects on the lower rows provide the foundation for those above them. It might therefore make sense to work strategically from bottom to top in order to increase the effect of the measures.

The Levels

At first glance, the structure of the individual level doesn’t suggest any fixed dependencies. Apart from the fact that on each level e.g. "Environment" the associated ranges, subject, activities are listed. The basis is the environment with the areas:

- Network Security
- Operating System & Database Security
- Client Security

- Security Hardening
- Secure SAP Code
- Security Monitoring & Forensic

This level is largely focused on the standard SAP product and the installed Add-ons. The SecurityBridge platform for SAP, covers the three thematic blocks and includes even more areas from the following levels.

This level also deals with the SAP standard product, but from a different perspective. Here, the areas are:

- User & Identity Management
- Authentication & Single Sign-on
- Roles & Authorization
- Custom Code Security

All these areas are determined by the customer, the environment and the intended use.

This is about the process and actions that are performed within the SAP system. These must comply with certain standards to prevent access to personal data (GDPR) or fraud. Also, legal frameworks must be complied with. The following areas are included:

- Regulatory Process & Compliance
- Data Privacy & Protection
- Audit & Fraud Management

As the name suggests, this is about organizational measures such as risk assessment in Enterprise Risk Management (ERM), as well as awareness training for users, etc. The areas mentioned can certainly only be understood as incomplete examples:

- Awareness
- Security Governance
- Risk Management

Final Conclusion

I hope this has given you some insight into the SAP Secure Operations Map, and enables you to use this to help with security challenges. However, pehaps a more important take-away from this, is that the SAP Secure Operations Map visualizes the necessity of a holistic security approach to protect the SAP critical enterprise applications. All components and areas must comply with a certain standard of protection in order to adequately protect the SAP system. It’s far from optimal to have excellence in one of the security domains mentioned (e.g., custom code security) if the entire system is not configured securely.

Posted by

Till Pleyer
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

Webinar: Why is SAP Security Patching not like Windows Updates?

The webinar, taking place on 05.10.2022, is all about SAP Patch Management and its challenges. The German-speaking SAP User Group (DSAG) and the American colleagues of ASUG asked why SAP security patching cannot be as simple and effective as, for example, Windows updates.

SecurityBridge at the DSAG Annual Congress 2022: How to protect SAP systems during these times

Together with its partner, Fortinet, the SAP Security specialist company will present how to close the gap between SAP and network security in Leipzig.
S/4HANA migration
SAP Cybersecurity- SAP Security Automation- Security News
“There are a few constants in life” – a statement that also applies to the SAP user community. It has always been a challenge for SAP customers to bring their large SAP environments to a current release level. Although the vendor has done a lot in the past to simplify this, it is still not a complex undertaking.
Here at SecurityBridge, we are extremely lucky to have a team full of amazing professionals. Thanks to our team, we have achieved extraordinary things in the past couple of years. With that in mind, we thought it was time for us to start introducing you to the team that drives everything behind the scenes. And we couldn't have chosen a better example to start with than our very own, Harish Dahima! Read on and learn all about Harish's life as a Senior Product Developer, his role, and life at SecurityBridge.
SAP Cloud Connector
SAP Cloud Security- SAP Cybersecurity- Security News
Every organization constantly faces the challenge of minimizing the attack surface that an adversary could use to perform malicious operations. To do this, administrators must install the deployed components and understand them in detail to identify risks and proactively mitigate or prevent those. Today we are looking at what is necessary to protect the SAP Cloud Connector.
SAP Cycling event
Life at SecurityBridge- Partner News- Security News
It was John F. Kennedy who once said: “nothing compares to the simple pleasure of a bike ride”. And what a pleasure it has been! We had our annual bike ride with friends from Accenture, Deloitte, CGI, McCoy, Thales, KPN, Hunt &Hacket, and security leaders from major customers. We had a lot of opportunities for exchange in the cozy atmosphere among like-minded people who all love road cycling and have SAP Security improvement in mind.