SAP security is paramount to avoid risks in your operation.

Last updated : June 22, 2023

SAP security is a topic to which organizations are giving increasing importance. Years ago it was left for a later stage of the implementation process, but the growing concern with avoiding risk and fraud has given it more visibility.

This article is aimed at SAP system users, in small and medium-sized companies as well as in large national and international organizations, who are not always aware of all the risk vectors to which an SAP system is exposed, or of the different “layers” at which controls must be applied.

Layer 1 – Access Control

How is access control performed in an SAP system?

A few years ago, SAP security was managed with less complexity: it was handled through authorization profiles, which are very similar to what is now called a role.

A role is the means by which a user is allowed to access, or to execute a particular function within, a transaction. A profile is a set of authorizations that was assigned directly to a user. In SAP terminology people today talk about roles, but in current SAP versions the profiles still exist underneath the roles: for each role, the SAP system automatically generates one or more profiles, and it is these profiles that effectively activate the authorizations.

Profiles can also be created manually and assigned to a new or an existing user. In addition, an SAP installation ships with standard profiles that can be assigned to end users and that often contain extremely broad authorizations, such as the SAP_ALL profile, which contains all system authorizations. Assigning the SAP_ALL profile to a user constitutes a major security risk for the SAP system: a user with this profile has full control of the system, a situation that the client often tends to downplay.
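As an added example (not code from the original article or from Novis), here is a small audit script in the spirit of the paragraph above: it reads extracts of the SAP tables UST04 (user-to-profile assignments) and USR02 (user master: user type and lock flag) and reports which users hold the critical profiles SAP_ALL or SAP_NEW, so that the risk described above can be measured rather than assumed. The tab-separated extracts and all user names are constructed sample data; a real check would export these tables (for example from SE16) or use transaction SUIM. The lock-flag values used (0 = not locked, 64 = locked by the administrator) and the user types (A = dialog, B = system) are SAP's standard meanings; everything else is an assumption of this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample extract of table UST04 (client, user, assigned profile),
# in the tab-separated form SE16 can export. Sample data, not real users.
UST04_EXTRACT = """\
MANDT\tBNAME\tPROFILE
100\tADMIN01\tSAP_ALL
100\tADMIN01\tSAP_NEW
100\tBATCHUSER\tZ_BATCH
100\tJSMITH\tZ_FI_CLERK
100\tJSMITH\tSAP_ALL
100\tLOCKEDUSR\tSAP_ALL
"""

# Constructed sample extract of table USR02: user type (USTYP, A = dialog,
# B = system) and lock flag (UFLAG, 0 = not locked, 64 = locked by administrator).
USR02_EXTRACT = """\
MANDT\tBNAME\tUSTYP\tUFLAG
100\tADMIN01\tA\t0
100\tBATCHUSER\tB\t0
100\tJSMITH\tA\t0
100\tLOCKEDUSR\tA\t64
"""

# Profiles that grant (nearly) all authorizations and should never sit on an end user.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}


def parse_extract(text):
    """Parse a tab-separated SE16-style extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def find_critical_profile_holders(ust04_text, usr02_text, critical=CRITICAL_PROFILES):
    """Return {user: {client, profiles, type, locked}} for every user that holds
    at least one critical profile. The report is keyed by user name, so it
    assumes a single client per extract (as in the sample data)."""
    masters = {(r["MANDT"], r["BNAME"]): r for r in parse_extract(usr02_text)}
    holders = defaultdict(set)
    for row in parse_extract(ust04_text):
        if row["PROFILE"] in critical:
            holders[(row["MANDT"], row["BNAME"])].add(row["PROFILE"])

    report = {}
    for (client, user), profiles in holders.items():
        master = masters.get((client, user), {})
        report[user] = {
            "client": client,
            "profiles": sorted(profiles),
            "type": master.get("USTYP", "?"),
            # Any non-zero UFLAG means the account cannot log on right now.
            "locked": master.get("UFLAG", "0") != "0",
        }
    return report


def active_critical_holders(report):
    """Names of critical-profile holders whose accounts are not locked:
    these are the assignments that need immediate review."""
    return sorted(user for user, info in report.items() if not info["locked"])


if __name__ == "__main__":
    report = find_critical_profile_holders(UST04_EXTRACT, USR02_EXTRACT)
    for user, info in sorted(report.items()):
        state = "LOCKED" if info["locked"] else "active"
        print(f"{user:<10} client {info['client']} type {info['type']} {state}: "
              + ", ".join(info["profiles"]))
    print("Needs review:", active_critical_holders(report))
```

Locked accounts are reported separately rather than dropped, because a lock can be lifted with one click; the assignment itself is the finding, and removing the profile (or the role that generates it) is the remediation.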

Tips for good change-control practice in SAP ERP and other SAP solutions:

  • Changes in organizations that run SAP ERP can be: program maintenance, table maintenance (customizing), or maintenance of user roles/profiles (maintenance covers creation, modification and deletion).
  • Changes should be made in a development environment and tested in a quality environment before being put into production. In line with SAP best practice, making changes directly in a productive environment is not recommended.
  • It is recommended to have a SANDBOX environment for certain functional test changes, since these should not be made directly in the quality environment (QAS): doing so would defeat its purpose as the test environment immediately before production.
  • The production environment must remain closed and protected so that no transport can be made from its client to another client (it can only be the destination client of a change, never the client of origin). Changes must not be transported from the production environment to quality.

For organizations with many users, or that need to modify users and profiles continuously, we recommend the SAP Business Objects GRC suite, which helps automate the internal control model for segregation of duties in access, process control, and integrated risk management.

Layer 2 – Architecture Security

SAP supports a wide range of architectures and platforms on which different SAP system environments (usually called landscapes) can be assembled. Securing the IT infrastructure that hosts SAP systems (whether cloud, multi-cloud, on-premises, or hybrid) must be a priority, since it is the foundation on which the security and compliance framework for the entire system rests. Equally important are safeguarding data and ensuring the continuous and secure operation of SAP systems, avoiding potential security breaches, cyber-attacks, and leaks of confidential information.

The main items in this layer are:

  • Advanced threat monitoring and detection: constant monitoring of SAP systems to detect potential security threats such as intrusion attempts, malware, or suspicious activity. Today, artificial intelligence algorithms and techniques are used to enable early response and proactive risk mitigation.
  • Application firewall and network security.
  • Identity and access management: implement a robust identity and access management (IAM) system that manages OS user privileges and controls access to SAP systems. This ensures that only authorized users have access to sensitive information and prevents account misuse.
  • Data encryption: protect the confidentiality of stored and transmitted data using strong encryption. Data must be encrypted both at rest, within databases and storage systems, and in transit, during communications between the different components of the system.
  • Auditing and reporting: implement official security baselines. Record and audit all activities performed on the systems and generate detailed, periodic reports on security events, in order to identify possible security breaches, support forensic analysis, and demonstrate compliance with regulations and security standards.
  • Updates and patches: implement controlled, continuous management of vulnerabilities and updates for the different system components and packages in use, to minimize the opportunities for attack. Today there are solutions that automate this management, with prioritization based on risk.

Layer 3 – SAP vulnerability management, patching and updates

Just like any other software in your architecture (including the operating system and its components), SAP is susceptible to programming or component-design errors, which cybercriminals can exploit to steal data or bring your operation to a halt.

Today there are solutions that analyze your SAP landscape on an ongoing basis, identify configuration recommendations based on market best practices, and report the compliance status of your system according to its level of patching and application of updates.

These solutions include an inventory and support for planning and tracking the implementation of upgrades or updates, and in many cases automate the installation of the various types of SAP patches and security notes. This reduces both the person-hours involved and the time during which an SAP system is exposed to vulnerabilities that cybercriminals can exploit.

Layer 4 – Cyber threat monitoring

This layer concerns “real-time” security controls, i.e. it allows us to identify specific cyber threats to the SAP system at the very moment they happen, in order to contain them and minimize their impact. Like any other system, SAP generates valuable information through its event system, which, with the right solution, makes it possible to detect everything from attacks on the system (such as a “brute force” logon attempt, an automated technique usually used to guess passwords) to misuse of legitimate access (for example, a mass download of SAP data the user is not authorized to take).
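As an added example (not code from the original article or from Novis), the following script shows the kind of detection logic the paragraph above describes, run over SAP's own event data. It reads a simplified form of Security Audit Log records (the log viewed with transaction SM20), where message ID AU2 is a failed logon and AU1 a successful one, and raises an alert when a user accumulates five or more failed logons within a sixty-second sliding window; it additionally marks an alert when the same user then logs on successfully, which is the case an incident responder wants to see first. The record layout, the log lines, user names, terminals and the threshold are constructed assumptions of this example; a real SM20 export carries more fields, and a SIEM would normally receive the events via the audit log files or the SAP Enterprise Threat Detection interface.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a simplified Security Audit Log layout:
# date time client user terminal message_id. AU2 = logon failed, AU1 = logon successful.
# Sample data, not a real export.
AUDIT_LOG = """\
2023-06-22 08:00:01 100 JSMITH WS-0042 AU1
2023-06-22 08:01:10 100 ADMIN01 WS-0099 AU2
2023-06-22 08:01:12 100 ADMIN01 WS-0099 AU2
2023-06-22 08:01:14 100 ADMIN01 WS-0099 AU2
2023-06-22 08:01:16 100 ADMIN01 WS-0099 AU2
2023-06-22 08:01:18 100 ADMIN01 WS-0099 AU2
2023-06-22 08:01:20 100 ADMIN01 WS-0099 AU1
2023-06-22 08:30:00 100 JSMITH WS-0042 AU2
2023-06-22 09:30:00 100 JSMITH WS-0042 AU2
"""

FAILED_LOGON = "AU2"
SUCCESSFUL_LOGON = "AU1"


def parse_audit_log(text):
    """Parse the simplified records into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, user, terminal, msg = line.split()
        records.append({
            "ts": datetime.fromisoformat(f"{date} {time}"),
            "client": client, "user": user, "terminal": terminal, "msg": msg,
        })
    return records


def detect_brute_force(records, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: one alert per (client, user) once `threshold` failed
    logons fall inside `window`. A later successful logon by an alerted user
    sets success_after=True, the signal that the password may have been guessed."""
    recent = defaultdict(deque)   # (client, user) -> timestamps of recent AU2 events
    alerted = {}                  # (client, user) -> index into alerts
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["client"], r["user"])
        if r["msg"] == FAILED_LOGON:
            q = recent[key]
            q.append(r["ts"])
            # Drop failures that have aged out of the window.
            while q and r["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted[key] = len(alerts)
                alerts.append({
                    "client": r["client"], "user": r["user"], "terminal": r["terminal"],
                    "failures": len(q), "first": q[0], "last": r["ts"],
                    "success_after": False,
                })
        elif r["msg"] == SUCCESSFUL_LOGON and key in alerted:
            alerts[alerted[key]]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(parse_audit_log(AUDIT_LOG)):
        outcome = "then LOGGED ON" if a["success_after"] else "no logon yet"
        print(f"{a['user']} from {a['terminal']}: {a['failures']} failed logons "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}, {outcome}")
```

The window keeps JSMITH's two failures, an hour apart, from triggering anything, while ADMIN01's burst does; in practice the threshold should be set alongside the system's logon lock parameters, so that the alert fires before or at the moment the account is locked rather than long after.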

Today, solutions are available that take advantage of these detection capabilities at a much lower cost than a few years ago, when implementing a SIEM solution for SAP was very expensive.

Additionally, these solutions integrate with the other security systems the client already has, and connect the company's existing processes and incident response teams with its SAP ecosystem.

Novis has all these solutions available to offer its clients and “shield” the entire attack surface of their SAP system.

Additionally, if you already have these capabilities and are looking to lower your operating costs, we invite you to learn about our solutions so you can compare proposals.

We invite you to contact us so we can advise you on how to improve the security of your organization.

Feedback/discussion with the author Flavio Fernandes, CISO Novis, flavio.fernandes@noviscorp.com
