
SAP Security: Hot Topics 2018

March 29, 2018 | By Lars Kehrel

In times of increasingly linked IT systems and the growing relevance of systems and data in business processes, the business risk that IT carries on its shoulders is also increasing. 76% of all financial transactions worldwide pass through an SAP® system in at least one place!

In December 2017 and January 2018, the DSAG working group on SAP Security and Vulnerability Management invited its members and other members of the DSAG to participate in a survey on SAP security. Approximately 180 people answered the questions, which makes for a fairly robust result. The participants include Basis administrators, consultants, security specialists, developers, CISOs and more. Some results are presented below.

The working group derives several demands from the evaluation of the study. At the top of the list is the desire for more security by design and by default (78% want more "security by default" from SAP). For example, there are many security-relevant system settings that are not activated in the standard system. On the one hand, SAP is obviously addressed here, but of course this can also be applied to third-party solutions. "Significantly more standards and support are needed in this sensitive area. We would like to see even closer cooperation with SAP in this area," explains Ralf Peters, DSAG's Chief Technology Officer. (2) 

The second important finding is the desire for better security concepts. Since more than 70% of companies do not use a central SAP Security Dashboard, implementing and especially monitoring security activities is not very efficient. The use of SAP Solution Manager currently seems to be the obvious, but not really satisfying, solution. For IT security, a clean connection to existing SIEM systems is certainly also important, so that the SAP landscape can be treated as an integrated part of the entire IT. A further challenge is to give non-SAP specialists technology that lets them carry out security monitoring and respond to risks professionally and quickly.

As in every area, the cloud also plays an important role in IT security. More than one in two of those surveyed runs an SAP system connected to a cloud. It is obvious that this figure will move towards the 100% mark within the next few years. The integration of various cloud solutions into existing security concepts is therefore currently a major challenge. Interestingly, however, the DSAG survey shows that this topic, despite its topicality, is probably still being postponed a little because other topics are currently more acute. The top topics are interface security, SAP security guidelines and training.

This is a sign that important basics (guidelines, training, ...) are not sufficiently available in many companies today. We at Virtual Forge have also become aware of the relevance of interface security through customer feedback in the past. We therefore cover interface security in detail in our Security Suite.

If the basics are missing, then this is often a sign that the competencies for SAP and IT security in a company are not interlinked well enough. However, this is urgently needed for efficient security management. SAP is more than just another application and usually contains the most important company data.

A proven method for significantly improving security is the "Get Clean - Stay Clean" approach. It consists of three parts:

  • Understand Your Risk
    Here the status quo is analysed and the necessary measures are derived from the results.

  • Get Clean
    Risks that have been identified in the analysis are clustered according to urgency and divided into work packages. Now the cleaning of the systems begins.

  • Stay Clean
    Security walls are built in parallel with "Get Clean". Protective mechanisms are introduced in all relevant areas. The automation of many processes enables holistic defence management.


If you would like to know more about the security of your SAP landscape, we would be happy to provide you with advice and assistance. An initial Vulnerability Assessment is always a good start for reappraising the topic of SAP security or for checking existing activities. Please contact us.
