SAP systems contain business critical, sensitive and personal information that needs to be safeguarded from (cyber) security threats. We listed 7 secure habits that can help you with securing your SAP environment(s).
Habit 1 - Take actions before incidents can occur
Securing SAP systems against (cyber) security threats requires preventive countermeasures and monitoring across different areas. These areas can be divided into the network layer, operating system layer, application server layer, application layer and database layer.
To make sure your system is hardened, (preventive) monitoring is needed in all these areas. Working in a preventive manner is always better than detecting problems after they have already occurred, so we recommend implementing as many preventive controls as possible. You should only look for other solutions if no preventive check can be used.
Habit 2 - Develop an SAP security statement
The SAP security statement should be described in the governance model. It focuses on what you want to accomplish and is your plan for a secure SAP system. With a clear goal, the security strategy can be spread through the organization. This SAP security statement (governance model) contains the goals, priorities, risk values and standards as agreed by the board and covers all areas that are related to the SAP system.
The conceptual layer is where high-level management defines the security requirements at a high level. This conceptual layer must be translated into the technical layer by technical people. The main advantage is that the security model becomes transparent: high-level management can focus on the governance aspects, and the technical people can focus on the technical layer and get instructions through the governance layer.
Habit 3 - Simplify
Now that the governance model is created and the conceptual layer is clear, it can be translated into technical security measures. Keep in mind that, when implementing security checks, almost everything is possible, and you have to say "No" to prevent SAP security from becoming too complex.
Habit 4 - Win-Win
Win-win means that agreements or solutions are mutually beneficial and satisfying. SAP systems are used by many users within the organization and thus should support the business processes. Implementing security aspects can make the system less user-friendly.
Thinking win-win can be hard while implementing security aspects for SAP systems. Securing the system against vulnerabilities can lead to less user-friendliness. We advise communicating to the organization what the risks are and why the security is needed. People will become more aware of the risks and understand why in some cases access can be taken away from them. Look for possible win-win scenarios to get a secure SAP system in which people can still work efficiently.
Habit 5 - Communication
Communication. That is what it is all about.
Make people risk-minded: inform them about the changes that will take place and why these changes are necessary. Do not just inform people; make sure they understand.
Habit 6 - Organization-wide
"The whole is greater than the sum of its parts."
When hardening the systems, keep all areas in scope. Focusing only on securing the operating system while leaving all people with full access on the application level will not safeguard your SAP system.
Habit 7 - Keep knowledge up-to-date
Technology is changing. Now that HANA databases are being adopted by organizations, we see new security threats arise. Keep your knowledge about the security aspects up to date. When migrating to new systems or databases, make sure that the security aspect is part of the scope and is implemented as part of the process.