
SAP® Security: Do you know your SAP Security Situation?

January 30, 2018 | By Caroline Neuber, Virtual Forge GmbH

IT security has many facets. Your SAP® systems are only one of them, but they are the most important one. They contain personal data of your customers, employees and partners and map the business processes that are vital for your survival. An attack on your SAP systems has serious consequences for your company: the result can be not only considerable costs for detecting and correcting the attack, but also production downtime, high penalties and enormous damage to your image.

Understanding SAP Security

Advancing digitalization and the resulting increase in networking of system landscapes (driven by trends such as the Internet of Things) keep giving hackers new avenues of attack. What can you do to avoid leaving the field wide open to them?

First of all, the following questions need to be answered:

1.) What is the state of your SAP security?
2.) Who is responsible for SAP security in your company?
3.) How many incidents occur monthly in your SAP systems and how long does it take to detect and fix them?

Could you answer these three simple questions straight away? In our experience, the question of responsibility is the biggest challenge. In many companies, SAP security in particular is badly neglected. Responsibility is shifted from department to department, a classic case of diffusion of responsibility.

Therefore, make sure that your company is an exception and that the roles are clearly defined. It is important to note that SAP security differs significantly from general IT security.

In addition to the familiar topic of roles & authorizations and securing the IT infrastructure, the following areas should also be included in your SAP security concept.

  • Configurations
  • Custom code (in-house developments)
  • Transports / software installations and updates

In our experience, most security vulnerabilities occur in these areas.

To stay at least one step ahead of attackers, make sure your systems are properly configured. Your self-written code should be continuously scanned so that obvious security vulnerabilities can be eliminated as soon as possible. Also, be sure to check new developments and third-party solutions before transferring them to your production systems.

Your way to more SAP Security

You want to feel secure when it comes to your SAP systems? The following approach has proved its worth.

Understanding your risk
Start by uncovering the vulnerabilities in your SAP systems. Get an overview of your current risk situation before someone else does and uses it for their own purposes. Vulnerability analyses or penetration tests are the accepted methods for this purpose.

Get Clean
Once you have gained an overview of the weak points, the actual work begins. It's time to clean up. Draw up an action plan and make sure that the worst security vulnerabilities are removed step by step. Many reports from vulnerability analyses or penetration tests already categorize the severity of the errors found and provide recommendations for action and proposed solutions. In addition, there are automated solutions that take over a large part of the correction work for you. Of course, you can also call on an external expert to do the work for you.

Stay Clean
In parallel with the cleanup, you should use automated and regular checks to ensure that no new vulnerabilities enter your systems and that they are protected against attacks in the long term. In this way, you ensure that the work from the other two phases is not made obsolete in the shortest possible time by transports, in-house developments or changed settings. Don't skimp on this essential phase; doing so is a serious mistake made by many companies.

Live this approach and you can enjoy your coffee without worries.


