Traversing The SAP Governance Gap

Standards Are Not SAP Security Settings 

Organizations are challenged to meet the requirements of specific security standards such as  ISO, BSI, NIST, etc. But these standards only provide a framework for establishing security within an SAP system. Since SAP is simply an information-processing system, there is a common belief that these standards fully cover SAP security governance—this is incorrect thinking. The complexity of SAP systems is not adequately addressed in most standards, which presents a major consequence. Although a company may follow information security standards and meet the corresponding requirements, when it comes to SAP environments, SAP security measures reside entirely in the hands of the SAP Basis team—creating a dangerous and isolated operational silo.  

SAP is a highly complex and customizable environment, meaning it can be individualized. The SAP application is never an off-the-shelf standard product, and it requires security customization to adhere to governance requirements. The aforementioned standards (ISO, BSI, etc.) do not provide an adequate level of detail or guidance to correctly establish SAP security settings.  

Organizations need to think along the lines of risk perspective, security definitions, and appropriate measures to provide overall SAP security protection. If only one of these areas is considered and implemented, it’s not enough to provide the organization with proper protection and clear best-practice operational guidelines. The fact remains that there is an implementation and monitoring gap between a company’s high-level SAP framework standards and the actual SAP security settings needed to protect an organization.  

Reactive SAP Security 

SAP is not a silo application; it’s highly integrated into many business operations and departments—and all stakeholders among these departments must effectively communicate. These business departments need to actively identify and share information regarding risks that could occur from prospective security incidents. In partnership with business department stakeholders, information security and IT infrastructure personnel, which has jurisdiction over an entire organization, should also participate in the design and implementation of SAP security measures. 

All these parties should work together to drive security requirements and develop measures needed to implement sustainable SAP security practices. When these department leaders are in silo mode, it’s hard to drive risk-oriented methods, creating an ad-hoc approach to sustainable SAP security by: 

– Isolating the views of different parties that need to be involved. The bigger the organization, the more difficult it is to bring the right people together. 

– Implementing and planning SAP framework measures on a case-by-case basis. 

Not defining security requirements or providing sufficient documentation. This significantly complicates the assessment of whether the organization has the required expertise to conduct efficient SAP security measures. 

Sustainable SAP Security  

Sustainable SAP security is an overall organizational responsibility. To accomplish this, every stakeholder needs to communicate and define their risks. As opposed to a reactive SAP security environment, a sustainable SAP security approach is proactive and involves: 

– Establishing an organization-wide SAP security concept embedded into an overall information security strategy. 

– Ensuring that all SAP security measures are predefined parts of design processes, described in detail in the guidelines, and have preventative and responsive characters. 

– Defining responsibilities that link to functions and not to people. 

– Embedding the management reporting, as well as continuous improvement designs, into the SAP security concept. 

Continuous traffic monitoring is needed to maintain suitable SAP security, but it does not have to be a time-consuming process. Automated monitoring of SAP security does not sacrifice an organization’s manpower. SAP security dashboards can be created that show a visualization of all associated risks, verifications, and guidelines needed to create accurate responses. This physical representation of SAP security allows all stakeholders to see what areas are increasing or decreasing relative to security threats. In addition, security levels indicated on the dashboard are also tied to individual responsibilities, and are aligned  with benchmarks against the best configurations within a specific environment. The importance of establishing these baselines cannot be overstated. 

Baselines need to be based on individual requirements such as authorization and system parameters. The baseline results need to display risk descriptions and a drill-down menu into a knowledge base for more information. In addition, the classifications of each risk and resolution needs to be visible to build a strong individualized, automated SAP baseline to help increase the SAP security posture.  

Conclusion 

SAP security is highly complex, but it does not have to be overly time-consuming. Organizations must realize that the level of native SAP customization does not necessarily contribute to the standard SAP security and can lead to vulnerabilities that may cause security incidents. Therefore, it is necessary to clearly define what SAP security requirements are necessary for a particular organization based on the individual risks and measures needed to address these vulnerabilities.   

All security requirements need to be derived from a risk perspective. They need to be accurately documented and accessible to everyone responsible. Most importantly, SAP security needs to be constantly monitored—this is not a yearly practice when an audit is due. The SAP security settings need to be reviewed and reported continually so that any relevant change is immediately detected, investigated, and justified. To properly accomplish this, automation must be applied to achieve SAP security sustainability. 


About the Author

Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge–a global SAP security provider, serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.

Featured image: ©Sundry Photography