Skip to content
  • Home / Your BW/4HANA System: Is it truly Cyber-Resilient? 

Your BW/4HANA system: Is it truly Cyber-Resilient?

A lot of SAP customers and consultants look at SAP BW/4HANA as a “lower-class” SAP system.  Something for “someone else” to worry about.  They forget about all the work that went into setting up their company’s Data Warehouse in SAP BW/4HANA… or further back, like some of my early SAP Consulting projects… on BW7 and BW3.5.  And now, with the big push for S/4HANA migrations by 2027, the priority for anything related to BW seems to be going lower and lower.  It sounds like the perfect place to attempt an exploit… in a forgotten system.  This post can serve as your reminder to protect your investment in SAP BW/4HANA.   

And if you are still running on BW7, you can listen in.  Most of this will still apply to you, as well 😉 

Why Protect BW/4HANA?
💡 It contains your company’s most important Data.

Think about “Big Picture” Data Flow: The most important system to protect is your S/4HANA since it is the as “system of record” for so much data.  Also, remember that BW/4HANA is a key “downstream” system which contains much of the same data. The Business Warehouse (BW) architecture is set up by design to extract important data from S/4HANA, stage it, and make it readily available in BW/4HANA. It is a Data Warehousing Architecture, after all.  So, the data protection policies and investments in place for the data in S/4HANA should carry over and be in place to protect the data on BW/4HANA as well. 

Think Logically – You have invested so much to protect your ECC and S/4HANA primary systems.  Then, you set up approved Data Extractors to copy much of your most valuable IT assets (DATA) onto this BW system. . . But then you fail to protect that same valuable Data on the BW system??  That doesn’t make sense. Right? 

Think about Public Impact – Risk of Damage to Reputation: If your company’s BW/4HANA system is breached, the public will not care whether the sensitive data was obtained from an S/4HANA system versus a BW/4HANA system.  The public PERCEPTION will simply be that your company has a “data problem” and trust in your company’s brand will go down.  In a more extreme case, a business partner (customer, vendor, employee, or former employee) could pursue legal action if they can show harm from your company’s data breach.  

Why Protect BW/4HANA?
💡 It’s going to be around for many more years.

Recently, I have interacted with over a hundred BW/4HANA consultants.  From those discussions, I have 3 top observations: 

 

  • There is some early movement to migrate (or at least, integrate) to SAP Datasphere. 

  • Most customers are staying on BW/4HANA for the near future.   

  • Consultant interest in learning BW/4HANA and getting certified is still VERY high.  Meanwhile, I am not seeing as much demand to learn and get certified on SAP Datasphere.   

 

S/4HANA is the main reason for this delay in moving from BW/4HANA to SAP Datasphere.  S/4HANA is taking more time, budget, & resources than previously anticipated.   The hyperfocus on S/4HANA will naturally occur during the ECC to S/4HANA initial migration.  S/4HANA will also compete for focus in follow-on projects around optimizations and integrations. 

Meanwhile, SAP has released two “Statements of Direction” for BW and SAP Analytics.  These documents help SAP BW Customers with Roadmap Planning: 

 

  • The BW Statement of Direction 

  • BW covers:  BW, BW/4HANA, and SAP Datasphere 

  • SAP confirms support for BW/4HANA until 2040!! 

  • The SAP Analytics Statement of Direction 

  • SAP Analytics covers: Business Objects, Crystal Reports, Lumira, and SAP Analytics Cloud. 

  • SAP Analytics Products are separated from BW, but certainly, the two groups of products are deeply connected.  So, they should be considered together in the overall migration planning process. 

 

(BIG BANG migrations excluded) If companies are already feeling the pressure to move from ECC and migrate to S/4HANA by 2027. . .and if BW/4HANA is supported until 2040. . .then in most cases, SAP BW customers will defer any migration from BW/4HANA to SAP Datasphere until AFTER they are stabilized on S/4HANA. 

Since BW/4HANA is going to be around for a while, you need to include it in your scope for SAP CyberSecurity. 

What is the top Cyber Risk for BW/4HANA?
💡 Data Exfiltration

Think like a Hacker – if you wanted to exfiltrate data from a company.  And you knew they had the same data on 2 different servers… Thinking like a hacker, you would go after the data on the more vulnerable server. 

…But it gets worse… the more vulnerable server is also less likely to detect the exfiltration activity!  This type of exploit is known as “Silent Exfiltration” … your company could lose data… without even realizing it!!!  The attack would never be detected… until your company’s proprietary data was discovered accidentally “in the wild” … outside of your company.   And then, MAYBE it could be traced back to a breach period on the BW system. 

Think Data Sensitivity – Where does your BW/4HANA system get its data?  S/4HANA is the major data source for BW/4HANA.  The data that comes over from S/4HANA to BW/4HANA has the same sensitivity and should have the same or similar protection as it had in S/4HANA. 

 

How to protect BW ?
💡 Check the core: SAP Components - Basis

Many of the potential exploits that are possible on other SAP NetWeaver ABAP systems are possible also for BW/4HANA, even though it is no longer considered part of the SAP NetWeaver family of products.  For example, SAP Patch Tuesday is still relevant for BW/4HANA system administrators in the same way that it is still relevant for S/4HANA system administrators. 

I recommend the scanning and monitoring solution from SecurityBridge for BW/4HANA.  SecurityBridge can perform well over a hundred specific compliance checks and it can monitor for potential exploit actions on systems that are built on the SAP ABAP stack… and, that still includes BW/4HANA. 

How can I protect BW ?
💡 Tailor SAP CyberSecurity specifically for BW-related vulnerabilities

SecurityBridge can help you make your BW/4HANA system more Cyber-Resilient.  Your BW system has some unique qualities that distinguish it from other SAP systems.  Did you know:   

 

  • There are SAP Security Notes that are specific to BW components. 

  • There are SAP Authorization Objects that only exist in BW. 

  • There are SAP Transaction Codes (aka T-codes) that only exist in BW. 

✔️ Check for Missing SAP Security Notes that are specific to BW/4HANA

Utilize the SecurityBridge Patch Management capabilities on BW/4HANA to make sure that all the SAP Security Notes that are specific to BW components are checked and confirmed to be installed. 

✔️ Check for Sensitive Access via Authorization Objects that are unique to BW/4HANA

Authorization Objects that are unique to BW are mostly grouped into a naming convention that starts with “S_RS_” 

Your SAP Cybersecurity Solution must be able to work with these Authorization Objects in the scanning and monitoring options.  SecurityBridge supports these options for BW’s unique Authorization Objects. 

Here are some key Authorization Objects that are unique to BW, sourced from SAP HELP: 

 

Auth Obj 

Tech Name 

Authorization 

Object 

Description 

S_RSEC 

Infrastructure of analysis authorizations 

Authorization for assigning and administrating analysis authorizations 

S_RS_AUTH 

Analysis authorizations in role 

Authorization object for including analysis authorizations in roles 

S_RS_ADMWB 

Data Warehousing Workbench – Objects 

Authorizations for working with the Data Warehousing Workbench and the BW Modeling tools. 

S_RS_B4H 

BW4HANA Edition – Administration 

Authorizations for executing programs RS_B4HANA_CHECK_ENABLE and RS_B4HANA_WHITELIST_MAINTAIN 

S_RS_IOBJA 

InfoObject 

Authorizations for working with individual InfoObjects with InfoAreas and their subobjects, processing and activating master data. 

S_RS_DS 

DataSource 

Authorizations for working with DataStore objects and their subobjects 

S_RS_TR 

Transformation rules 

Authorizations for working with transformation rules and their subobjects 

S_RS_ADSO 

DataStore Object (Advanced) 

Authorizations for working with DataStore objects (advanced) and their subobjects 

✔️ Monitor when Critical Transaction Codes are executed in BW/4HANA

When you choose the SecurityBridge Platform as your Threat Detection solution, you will be able to detect the execution of critical transactions and programs.  For example, in SecurityBridge, you have the ability to include BW-specific Transaction Codes:  RSU01, RSECADMIN, RSECAUTH, and RSECPROT in your list of critical transactions.  These BW-specific transaction codes are sensitive because they enable the tailored administration of authorization for your BW reporting technical objects such as InfoObjects and InfoProviders. 

Concluding Thoughts

  • Do not neglect BW/4HANA systems in your SAP Cybersecurity Scoping and Planning discussions.   

  • BW/4HANA contains sensitive company data, sourced directly from S/4HANA. 

  • BW/4HANA will be around for a long time to come. 

  • Include a Solution Architect from SecurityBridge to help you on this important mission! 

  • BW/4HANA still needs efficient management of the SAP Security Notes monthly cycle of updates.  The solution architecture should include SecurityBridge Patch Management 

  • BW/4HANA has unique technical objects not found in other SAP environments.  The solution architecture should include SecurityBridge Vulnerability Management and Threat Detection Capabilities. 

 

References:

  • BW key authorization objects to review 

Overview: Authorization Objects | SAP Help Portal

 https://help.sap.com/docs/SAP_BW4HANA/107a6e8a38b74ede94c833ca3b7b6f51/4c658f3245e31ca6e10000000a42189c.html 

 

  • Statement of Direction:  SAP’s Overall Data Warehousing Strategy:   

SAP Business Warehouse, SAP BW/4HANA, SAP Datasphere 

https://www.sap.com/documents/2016/06/a2df037d-767c-0010-82c7-eda71af511fa.html 

 

  • SAP Analytics Business Intelligence Statement of Direction  

Statement of Direction:  SAP Analytics Cloud, SAP BusinessObjects Business Intelligence (BI) solutions, SAP Crystal Reports, SAP Analysis for Microsoft Office, and SAP Lumira Designer. 

 https://www.sap.com/documents/2020/03/908ee705-8a7d-0010-87a3-c30de2ffd8ff.html 

  • An FAQ to accompany the SAP Analytics Statement of Direction: 

https://www.sap.com/documents/2020/03/908ee705-8a7d-0010-87a3-c30de2ffd8ff.html 

 

 

Posted By
Barry Snow