The Art of SAP Security

Key Takeaways

  • Security is a skill. Organizations need to learn, train and enhance their security skills to become efficient in cyber defense.
  • 100% may be your biggest enemy. Doing anything is better than nothing. Realizing that 100% security does not exist, is a necessity.
  • Continuity is key. Cyber threats are always present. A moment of carelessness can lead to major damage. That is why SAP security must be constantly kept in mind.

A role model for SAP Security

Headlines about a publicly available exploit for a vulnerability existing in SAP Solution Manager have shocked the SAP community. This raises the seriousness of securing SAP applications amongst CISOs and other senior level security.

In practice what often happens is this: The IT-Security member responsible reaches out to the SAP team, seeking the support of the subject-matter experts to address the issues. From the perspective of the SAP team, this means additional work, on top of a likely over-burdened workload.

At this point, it is important that the IT-Security experts address a common misunderstanding within the application team. IT-Security, particularly for complex enterprise-critical applications, is a skill and not a static attribute. There is an especially important and distinct difference which I will explain. A “Skill” is defined as something that can be taught, needs practicing, and which might improve going forward. With more practice, the skill level increases. Challenges, such as the detection of false positives, are part of the learning process, as this is the only way for a company to increase its level of experience in cybersecurity. If SAP security is wrongly perceived as an “attribute,” it is likely that the initiative will fail, as it is not a single event, it is a continuous problem. In the worst-case scenario, the issue is reported to senior executives as a “solved”, tick-box set.

What is needed

Starting a security initiative for SAP, requires clear communication, change management skills and a deep understanding of the structure of the SAP organization. Onboarding the right players within the organization and adjusting their perspective on the upcoming security task is essential. You may have recognized that I deliberately used the term „security initiative“ and not project. That is again to emphasize that once started, the initiative will never end. A project on the contrary is initiated to solve a specific requirement or problem and ends after the project goals have been reached. A security initiative consists of many projects and demands a comprehensive strategy and the backing of your management.

Start with a Strategy

Building the security strategy for SAP may be a challenging task that requires knowledge about the SAP system architecture, business processes, data classification, interfaces and even the SAP team structure. The strategy needs to address many areas:

  • Hardening: Secure configuration, Authorization management, etc.
  • Vulnerability Management: Patching the standard product and detecting vulnerable custom code
  • Monitoring: SAP specific monitoring and the connection to general security monitoring and automation (SIEM and SOAR)
  • Training: Education of key players like SAP Basis, and Developers but also end-users shall not be forgotten.
  • Internal control systems: Regular audits including compliance checks. Introducing 4-eye principles for critical activities.

The strategy needs to be built under the premise to implement a continuous innovation cycle.

SAP Security Improvement Circle
SAP Security Improvement Circle

Summary

Positioning SAP security for your management teams requires input from security people and SAP experts. Your organization can only improve and grow its’ SAP security posture when an initiative is started.

100% security just doesn’t exist! Any security measures taken will not be perfect, ever, and will require continuous adjustment. Ignoring security for SAP is not an option, it’s merely applying due diligence to any company’s most valuable, and essential core business.

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©

Looking into securing your SAP landscape? This white-paper tells you the “Top Mistakes to Avoid in SAP Security“. Download it now.

SecurityBridge joins NTT Data’s Cybersecurity for SAP Webinar

Whether your business critical SAP landscape is traditional on-prem, in one or more clouds, or even the latest RISE with SAP, you are accountable for ensuring it is secured against rapidly increasing cyber threats. Join this webinar to learn why SAP application security is critical and how you can stay in control and protect your business.

Meet us at SAPINSIDER 2022 – in Las Vegas

June 19-21, 2022 the US team of SecurityBridge will be at the SAPinsider Event in Las Vegas. You will find our booth in the Cybersecurity area.
SecurityBridge
Here at SecurityBridge, we are extremely lucky to have a team full of amazing professionals. Thanks to our team, we have achieved extraordinary things in the past couple of years. With that in mind, we thought it was time for us to start introducing you to the team that drives everything behind the scenes. And we couldn't have chosen a better example to start with than our very own, Harish Dahima! Read on and learn all about Harish's life as a Senior Product Developer, his role, and life at SecurityBridge.
SAP Cloud Connector
SAP Cloud Security- SAP Cybersecurity- Security News
Every organization constantly faces the challenge of minimizing the attack surface that an adversary could use to perform malicious operations. To do this, administrators must install the deployed components and understand them in detail to identify risks and proactively mitigate or prevent those. Today we are looking at what is necessary to protect the SAP Cloud Connector.
SAP Cycling event
Life at SecurityBridge- Partner News- Security News
It was John F. Kennedy who once said: “nothing compares to the simple pleasure of a bike ride”. And what a pleasure it has been! We had our annual bike ride with friends from Accenture, Deloitte, CGI, McCoy, Thales, KPN, Hunt &Hacket, and security leaders from major customers. We had a lot of opportunities for exchange in the cozy atmosphere among like-minded people who all love road cycling and have SAP Security improvement in mind.
SAP Expert Search
SAP Patch Management- Security News- Security Patches
After many years in the SAP eco-system, I know many good and bad practices exist in the IT Departments of – to be frank – every organization on this planet. Initiated by the SAP Security Patch Day in September 2022, our team has nudged me to share some knowledge. In this short how-to description, we want to explain the correct usage of the SAP Launchpad Expert Search to get the most accurate result looking for SAP Security Notes. If you want to find out how this powerful tool works, keep on reading.