SAP Secure Operations Map

SAP-Security-Operations-Map

The SAP Secure Operations Map is part of the security recommendations published by SAP and has been revised several times over the years. While the diagram below is well known to SAP security experts, much fewer people in Information Security are familiar with it.

Copyright: SAP 2020

Changes in Version 2

Changes to the SAP Secure Operations Map are usually made by SAP without much notice. SAP security experts will find these changes obvious, as SAP’s security recommendation is, quite rightly, regarded as the standard guide for experts. From version 1 to 2, the SAP Secure Operations Map, which essentially consists of five levels with associated task areas, has been revised. A comparison of the five levels reveals the reorientation in version 2.

Level Version 1 Version 2
5
Security Compliance
Organization
4
Security Operation
Process
3
Security Setup
Application
2
Security Code
System
1
Infrastructure Security
Enviroment

The new structure of the levels allows the SAP Secure Operations Map to cover a larger scope. While the first version was mostly concerned with the SAP solutions, the environment on the lowest level with “Security Environment” up to the organization is now taken into account. Let’s take a closer look at this current version. I don’’t want to go into the details and methods behind the individual topics, as this would go beyond the scope of an article, instead, I want to focus on the assertions suggested by the current SAP Secure Operations Map illustration. 

The Illustration

For this we have to look at the chosen visualization. It is not a map in the true sense of the word, but rather an arrangement of building blocks. Consistent with the theme of Cyberdefence, the SAP Secure Operations Map presents itself like a security wall in that it symbolizes a security defence that an attacker must overcome to gain access.

Design and structure

The security defence wall illustration follows a clear scheme. There are five levels that build on top of each other like rows of bricks. This arrangement suggests that the subjects on the lower rows provide the foundation for those above them. It might therefore make sense to work strategically from bottom to top in order to increase the effect of the measures.

The Levels

  • Level 1: Environment
  • Level 2: System
  • Level 3: Application
  • Level 4: Process
  • Level 5: Organization

At first glance, the structure of the individual level doesn’t suggest any fixed dependencies. Apart from the fact that on each level e.g. "Environment" the associated ranges, subject, activities are listed. The basis is the environment with the areas:

- Network Security
- Operating System & Database Security
- Client Security

- Security Hardening
- Secure SAP Code
- Security Monitoring & Forensic

This level is largely focused on the standard SAP product and the installed Add-ons. The SecurityBridge platform for SAP, covers the three thematic blocks and includes even more areas from the following levels.

This level also deals with the SAP standard product, but from a different perspective. Here, the areas are:

- User & Identity Management
- Authentication & Single Sign-on
- Roles & Authorization
- Custom Code Security

All these areas are determined by the customer, the environment and the intended use.

This is about the process and actions that are performed within the SAP system. These must comply with certain standards to prevent access to personal data (GDPR) or fraud. Also, legal frameworks must be complied with. The following areas are included:

- Regulatory Process & Compliance
- Data Privacy & Protection
- Audit & Fraud Management

As the name suggests, this is about organizational measures such as risk assessment in Enterprise Risk Management (ERM), as well as awareness training for users, etc. The areas mentioned can certainly only be understood as incomplete examples:

- Awareness
- Security Governance
- Risk Management

Final Conclusion

I hope this has given you some insight into the SAP Secure Operations Map, and enables you to use this to help with security challenges. However, pehaps a more important take-away from this, is that the SAP Secure Operations Map visualizes the necessity of a holistic security approach to protect the SAP critical enterprise applications. All components and areas must comply with a certain standard of protection in order to adequately protect the SAP system. It’s far from optimal to have excellence in one of the security domains mentioned (e.g., custom code security) if the entire system is not configured securely.

Posted by

Till Pleyer
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

Next-Gen Application Security for SAP

Join roundtable delegates who will discuss the challenges, solutions, and their experiences in simplifying security and combining it across the network and the SAP application, to introduce a shift in paradigm for SAP customers.

SAP and Cybersecurity – What you can do to protect yourself

Join IBM and SecurityBridge to hear exclusive content from SAP cybersecurity experts who will share invaluable insight into the best practices and upcoming strategies for SAP cybersecurity.
SAP Patchday
November has come and the days in Germany are getting shorter and colder. No reason for the SAP Security and Response team not to continue their monthly practice. Looking at today's publication of SAP Security Patch Day, we luckily find only 1 Hot News and 2 High priority corrections.
SAP Patchday
Like every second Tuesday of the month, it’s again SAP Patch day! Today, 12th October 2021, SAP again released security patches for its vast product portfolio.