With my roots as a SAP technical consultant (ABAP/BASIS), I admit that I was always annoyed by having to implement and abide by SAP security roles and segregation of duty (SOD) policies. I, like most of my peers, always felt that these mechanisms were a hindrance to effectively doing our jobs. Well, over the years, with the growth of criminal and state-sponsored hacking, my views have changed 180 degrees.
In the past, the attack surfaces for SAP applications had been generally ignored by the larger hacking community, somewhat analogous to Apple OS and its applications being less likely to be compromised than MS Windows applications a few years ago. This has changed for Apple, and it has changed for SAP too.
If I were the owner of an SAP environment and ultimately accountable for it, I would ask myself what is the worst outcome of my system being compromised by a hacker or state agency? I would think the answer lies somewhere between career ending and apocalyptic.
As a cautionary tale, remember the infamous OPM hack a few years ago. You and millions of others may have received a letter from OPM stating that your personal information may have been inadvertently disclosed. It has generally been confirmed that the access point of this breach was an SAP system owned by a government contractor, USIS. The hackers were able to breach USIS’s SAP system and pivot from this system into OPM data stores. Well, suffice it to say, USIS is no longer in business.
DOD SAP customers generally have a strong cyber security framework and more specifically have adopted SAP specific security practices. They are taking the necessary proactive steps to harden their SAP environments recommended by SAP and other organizations such as NIST.
Federal Civilian SAP customers, in my experience, are somewhat behind their DOD counterparts in terms of cyber and SAP specific security. This is unfortunate since these types of systems are often accessible through public networks making them even more vulnerable than DOD.
There are a few ‘boutique’ security firms that specialize in SAP security, such as Onapsis. You might want to check out some of their white papers and documentation on their websites. I found it eye-opening as to how vulnerable the majority of SAP systems may be.
While security is not ‘sexy’ in that it does not make any business processes flashier or more efficient, it is the ultimate means of covering your *** (‘CYA’). While most hardcore security folk proclaim that no system is totally secure, this is no excuse for not doing your due diligence. If your SAP system gets hacked, you are going to get ‘help’ from your larger organization determining how your system was breached. Their forensic analysis will comment as to how well your system was protected. Therefore, you had better be sure that you can prove that you are following best practices and doing everything reasonable to detect and prevent security breaches. Right now, in my experience, this tends to be the exception rather than the norm.