SAP is the global market leader in business software applications. Today, SAP software solutions are installed in more than 40K companies, and they are used by about 12 million users in more than 120 countries around the world. Let’s see how SAP ensures the security of its applications and systems.
How can customers begin to get familiar with information about SAP security approaches, standards, and products?
SAP has its own training centers in numerous cities around the globe where people can attend courses and seminars dedicated to information security. Every year SAP holds special events where SAP representatives talk about vulnerabilities, hacks, and the latest trends in the field of information security in a format that is understandable to different audiences. During such events, people learn the specifics of SAP products, watch demo hacks, and get acquainted with the SAP Secure Software Development Lifecycle.
You can also visit the educational portal or ask questions on the online community page. Another important resource is support.sap.com, where SAP Notes on newly detected vulnerabilities and the patches released for them are published regularly.
Information Security Recommendations
Sometimes SAP clients do not understand how to prioritize all the information security issues they hear about at conferences, seminars, and other events. Most information security departments build information protection in traditional ways, which are well known only within a narrow circle of “security guards”. Until recently, the SAP ecosystem was a new world for them. But times are changing, and many customers’ IT security representatives understand that the security of the SAP infrastructure can and must be controlled using vendor solutions and services, including SAP GRC products (Cybersecurity and Governance, Risk, and Compliance).
If customers use the Premium Engagements support options, they work directly with dedicated consultants and AGS (Active Global Support). SAP specialists are ready to explain how to start building an information security system in SAP-based environments and to help build a threat model for cloud deployments. In addition, SAP experts can help optimize roles and privileges, audit client code, and check system security configurations. It is no secret that almost all SAP installations have custom “add-ons” developed by client internal teams (or integrators), often with some errors. A code analysis system helps to find and correct these errors.
How to Use the SAP GRC Toolset?
It is well known that there are security risks in every infrastructure and that these risks need to be managed. SAP GRC helps to identify the main risks and start reducing them. This solution allows you to ensure that all business processes follow the rules, which in turn makes it possible to detect fraudulent and illegal actions. SAP GRC allows you to automate many of the control rules needed for this.
The next step is risk management. Suppose we have an employee who started working as an accountant, then became a senior accountant and, eventually, a branch director. During his time at the company, he could have accumulated various privileges and access rights that are not related to his current position. IT personnel granted him new rights but forgot to take the old ones away afterward. As a result, he has accumulated a long “tail” of rights, which, for example, allow him to create a purchase request and approve it himself. This could potentially lead to fraudulent actions or open the door wide in case of a cyber attack.
The privilege approval stages in SAP GRC allow all involved parties to see these risks and the potential for fraudulent activity. Top managers can decide: “We accept this risk, or we do not accept it.” As a result, the employee either does not receive the new privileges or receives them, but there is always a procedure with strict rules to control his or her actions.
SAP GRC solutions also help to work with various data sources and with different types of internal fraud and rule violations, conducting online checks of all business processes. This toolset automates all internal control procedures and provides the ability to integrate a large number of data sources (because there is a high-speed database inside). Thanks to this, the client can integrate external data sources and analyze suppliers for possible affiliation with company employees.
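The accumulated-privileges scenario above is what a segregation-of-duties (SoD) access risk check catches. The following is an added example, not SAP GRC code; the role names, business functions and SoD rules are constructed placeholders, and the check replays the accountant-to-director career to show the conflicting rights and the leftover "tail" that a recertification should revoke.

```python
# Constructed SoD (segregation-of-duties) check for the accumulated-privileges
# scenario above; role, function and rule names are placeholders, not SAP's.

# Business functions each role grants (constructed mapping).
ROLE_FUNCTIONS = {
    "Z_ACCOUNTANT": {"post_journal_entry", "create_purchase_request"},
    "Z_SENIOR_ACCOUNTANT": {"post_journal_entry", "release_payment"},
    "Z_BRANCH_DIRECTOR": {"approve_purchase_request", "approve_vendor"},
}

# SoD rules: two function sets a single user must never hold together.
SOD_RULES = {
    "PR_CREATE_AND_APPROVE": ({"create_purchase_request"},
                              {"approve_purchase_request"}),
    "PAY_AND_APPROVE_VENDOR": ({"release_payment"}, {"approve_vendor"}),
}

def accumulated_roles(history):
    """Replay (granted, revoked) steps as IT applied them; roles never
    revoked stay in the user's 'tail'."""
    roles = set()
    for granted, revoked in history:
        roles |= set(granted)
        roles -= set(revoked)
    return roles

def find_sod_conflicts(roles, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """rule id -> (roles giving side A, roles giving side B) for every rule
    whose two sides the user's roles both satisfy."""
    conflicts = {}
    for rule_id, (side_a, side_b) in rules.items():
        a_roles = {r for r in roles if role_functions.get(r, set()) & side_a}
        b_roles = {r for r in roles if role_functions.get(r, set()) & side_b}
        if a_roles and b_roles:
            conflicts[rule_id] = (a_roles, b_roles)
    return conflicts

def excess_roles(roles, current_position_roles):
    """Roles left from earlier positions that the current job does not
    need: what a periodic access recertification should revoke."""
    return roles - set(current_position_roles)

# Career from the text: accountant -> senior accountant -> branch director,
# each new role granted but no earlier role ever revoked.
CAREER = [({"Z_ACCOUNTANT"}, set()), ({"Z_SENIOR_ACCOUNTANT"}, set()),
          ({"Z_BRANCH_DIRECTOR"}, set())]

if __name__ == "__main__":
    roles = accumulated_roles(CAREER)
    print(find_sod_conflicts(roles), excess_roles(roles, {"Z_BRANCH_DIRECTOR"}))
```

Running the same career with each old role revoked on promotion yields an empty conflict set, which is the control the approval workflow described above is meant to enforce.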
Other Security Products
One of the important tasks is protecting the ERP (Enterprise Resource Planning) system together with the entire corporate network of the company. Many companies use SOCs (Security Operation Centers), where security officers usually monitor all security events except those inside the ERP, because it is difficult to obtain access rights to the ERP and analyze events there. SAP offers the SAP Enterprise Threat Detection solution, which makes it possible to collect security information from all SAP systems and transmit it to your SOC. Alternatively, security specialists can build a SOC around it.
Finally, there is the CVA tool, Code Vulnerability Analyzer for ABAP. Many customers like to do their own development in the ABAP language, which often leads to lower-quality final code. The CVA ABAP analyzer helps to check your code for critical vulnerabilities and security-related errors in a newly created application.
SAP tools can help you control different risks, but you should understand that security is a process and that security measures add inconveniences. New hacks and data breaches stress, again and again, the need for basic security measures like strong passwords, backups, VPNs, antivirus software, etc. Anti-phishing employee training becomes more important each day, too.