Has your manager ever asked you for a specific security report (a health check) on your current SAP landscape?
Has your system been audited, or is it about to be audited, and you want to make sure it is secure?
Have you just completed a major update or upgrade and want to confirm that nothing in the security settings of your SAP landscape changed along the way?
Many clients ask me which tools are available to check the security of an SAP system.
Before answering that question, confirm two things: does your organization have the capacity to review these reports manually, and can it act on each recommendation in the report? The FTE cost is real, so be clear about the outcome you expect from running the health check. If you only want to run it once, for example after an upgrade, or monthly to confirm that nothing in your security settings has changed, then you can afford to run the report manually and act on the findings. Note that this is not real-time monitoring and it is not a threat detection tool; for that, look at SAP Enterprise Threat Detection (ETD 2.0).
Once that is settled, the next question is how frequently the reports need to be reviewed. This should not be a one-time task but a recurring one with follow-up. Make sure your organization supports the initiative and takes cyberattacks and SAP security seriously.
So let's get down to business. Besides the EarlyWatch Alert (EWA), SAP Solution Manager (SOLMAN) offers another report that is focused entirely on security: the SOS report. The Security Optimization Service (SOS) is designed to check the security of your SAP system. To set it up you need to be on a recent SOLMAN release, and you should apply the latest support package if possible. Make sure the target system is correctly defined in the LMDB and that managed system configuration for it has completed in SOLMAN without errors (status green). The OS collector (saposcol) must be running on the target instances and on the database host.
If you run a standalone HANA database, the SOS checks for it are delivered as a remote service that you request from SAP, and there is a cost for that service. If you do not want to pay for it, the alternative is the HANA Security Mini Check: it runs as a set of SQL statements against the database and lists deviating settings, but it takes more of your time, because you have to read the SAP Notes referenced in the results to learn how to correct each issue. It is not a formatted report, so if you need to hand something to your manager you will have to write it up yourself.
Before using the report, have your organization's security policy at hand: the findings only become actionable when compared against what your policy requires.
The service comprises a system analysis and the resulting recommendations for system settings. It addresses system and customizing settings that affect system security, covering both internal and external security. To improve internal security, many critical Basis authorizations are checked, and you can verify the findings in your system at any time as described in the document "SAP Security Optimization Service – Verifying the Findings". External security is improved by checking the accessibility of your system and the authentication methods in use.
Scope of the Security Optimization Self Service for the SAP NetWeaver Application Server ABAP:
- Basis administration check
- User management check
- Super users check
- Password check
- Spool and printer authorization check
- Background authorization check
- Batch input authorization check
- Transport control authorization check
- Role management authorization check
- Profile parameter check
- SAP GUI Single Sign-On (SSO) check
- Certificate Single Sign-On (SSO) check
- External authentication check
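The "super users" and "user management" checks above boil down to a few questions about who holds the composite profiles SAP_ALL and SAP_NEW and whether the SAP standard users are locked. The script below is an added example (not SAP code and not the SOS report itself) that answers those questions over a constructed user export. The rows are assumed to carry the columns one would pull from USR02 (BNAME, USTYP, UFLAG) and UST04 (BNAME, PROFILE); how you extract them (table download, RFC read) is outside the example.

```python
"""Super-user and standard-user checks over a constructed user export.

Added example; not the SOS report and not SAP code. USR02 / UST04 rows below
are constructed to look like a table export; a real run would read them from
the system.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "TMSADM", "SAPCPIC"}
USER_TYPE = {"A": "dialog", "B": "system", "C": "communication",
             "S": "service", "L": "reference"}
LOCK_ADMIN = 64          # USR02-UFLAG bit: locked by administrator
LOCK_FAILED_LOGON = 128  # USR02-UFLAG bit: locked after failed logons

# Constructed sample rows: (BNAME, USTYP, UFLAG)
USR02: List[Tuple[str, str, int]] = [
    ("SAP*", "A", 64),
    ("DDIC", "A", 0),
    ("EARLYWATCH", "A", 64),
    ("TMSADM", "C", 0),
    ("JSMITH", "A", 0),
    ("RFC_BATCH", "B", 0),
    ("EMERGENCY01", "A", 64),
]
# Constructed sample rows: (BNAME, PROFILE)
UST04: List[Tuple[str, str]] = [
    ("SAP*", "SAP_ALL"),
    ("DDIC", "SAP_ALL"),
    ("DDIC", "SAP_NEW"),
    ("JSMITH", "SAP_ALL"),
    ("RFC_BATCH", "SAP_ALL"),
    ("EMERGENCY01", "SAP_ALL"),
    ("TMSADM", "S_A.TMSADM"),
]


@dataclass(frozen=True)
class Finding:
    check: str
    user: str
    severity: str
    detail: str


def is_locked(uflag: int) -> bool:
    """True when either lock bit is set in UFLAG."""
    return bool(uflag & (LOCK_ADMIN | LOCK_FAILED_LOGON))


def check_critical_profiles(usr02, ust04) -> List[Finding]:
    """One finding per user holding SAP_ALL or SAP_NEW, whatever the user type.

    A locked user is downgraded to medium, not dropped: a lock is not a
    removal, the profile is back in force the moment someone unlocks the user.
    """
    users = {name: (utype, uflag) for name, utype, uflag in usr02}
    by_user: Dict[str, Set[str]] = {}
    for name, profile in ust04:
        if profile in CRITICAL_PROFILES:
            by_user.setdefault(name, set()).add(profile)
    findings = []
    for name in sorted(by_user):
        utype, uflag = users.get(name, ("?", 0))
        profiles = ",".join(sorted(by_user[name]))
        severity = "medium" if is_locked(uflag) else "high"
        findings.append(Finding("critical_profile", name, severity,
                                f"{USER_TYPE.get(utype, utype)} user has {profiles}"))
    return findings


def check_standard_users(usr02) -> List[Finding]:
    """SAP standard users that are not locked."""
    return [Finding("standard_user_unlocked", name, "high",
                    "SAP standard user is not locked")
            for name, _, uflag in sorted(usr02)
            if name in STANDARD_USERS and not is_locked(uflag)]


if __name__ == "__main__":
    for f in check_critical_profiles(USR02, UST04) + check_standard_users(USR02):
        print(f"[{f.severity}] {f.check}: {f.user} - {f.detail}")
```

On the constructed data this reports DDIC, JSMITH and RFC_BATCH as unlocked holders of SAP_ALL (DDIC additionally holds SAP_NEW), SAP* and EMERGENCY01 as locked holders, and DDIC and TMSADM as standard users that are not locked. Whether an emergency user may keep SAP_ALL while locked is a policy decision; the script only makes the situation visible.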
The complete list of checks is given in the following documents in the Media Library:
For HANA, a description of the available services and an overview of the checks is given in the presentation HANA Security Remote Service Content.
In addition, you can view examples of a formatted report:
The SAP Security Optimization Service is available as a Guided Self Service for ABAP based systems and as a remote service for ABAP and Java systems. In case of an “ABAP on HANA” installation you get the HANA checks automatically as a part of the SOS for ABAP.
SAP Note 1484124 describes the prerequisites to run the Guided Self Service for ABAP based systems.
Once you have the report, the work is not done. Review it and decide on the next steps:
1- Do all instances in the system landscape show the same result? Use Configuration Validation to compare them.
2- Does the report match your company policy? Start building a custom dashboard that tracks the settings your policy requires.
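Both questions come down to comparing profile-parameter values: across instances for question 1, and against the policy for question 2. The script below is an added example (not SAP code and not Configuration Validation itself) that does both over constructed snapshots. It assumes the snapshot is a plain "name = value" list, as one would copy from RSPARAM or RZ11 output; the policy thresholds are illustrative placeholders for your own policy, not SAP recommendations.

```python
"""Policy and drift checks over ABAP profile-parameter snapshots.

Added example; not SAP code. Input is assumed to be 'name = value' lines
copied from RSPARAM / RZ11 output. The POLICY values are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# parameter -> (rule, expected). Rules:
#   eq           value must equal expected
#   min          value must be >= expected
#   max_nonzero  value must be in 1..expected (0 usually means "never"/"off")
POLICY: Dict[str, Tuple[str, int]] = {
    "login/min_password_lng": ("min", 12),
    "login/password_expiration_time": ("max_nonzero", 90),
    "login/fails_to_user_lock": ("max_nonzero", 5),
    "login/no_automatic_user_sapstar": ("eq", 1),
    "login/password_downwards_compatibility": ("eq", 0),
    "snc/enable": ("eq", 1),
    "rdisp/gui_auto_logout": ("max_nonzero", 1800),
}

# Constructed snapshots standing in for two application servers of one system.
SNAPSHOTS: Dict[str, str] = {
    "PRD_00": """\
login/min_password_lng = 12
login/password_expiration_time = 90
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 0
snc/enable = 1
rdisp/gui_auto_logout = 1800
""",
    "PRD_01": """\
# instance profile not refreshed after the upgrade (constructed case)
login/min_password_lng = 8
login/password_expiration_time = 0
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 0
login/password_downwards_compatibility = 0
snc/enable = 1
""",
}


@dataclass(frozen=True)
class Finding:
    instance: str
    parameter: str
    actual: Optional[int]   # None: parameter not set, kernel default applies
    rule: str
    expected: int


def parse_snapshot(text: str) -> Dict[str, int]:
    """'name = value' lines to a dict; blank lines and '#' comments are skipped."""
    params: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = int(value.strip())
    return params


def _satisfies(rule: str, actual: int, expected: int) -> bool:
    if rule == "eq":
        return actual == expected
    if rule == "min":
        return actual >= expected
    if rule == "max_nonzero":
        return 1 <= actual <= expected
    raise ValueError(f"unknown rule {rule}")


def check_policy(instance: str, params: Dict[str, int]) -> List[Finding]:
    """Question 2: one finding per policy entry that is unset or out of range.

    Unset parameters are reported as well: the kernel default then applies
    (login/min_password_lng defaults to 6), which the policy may not accept.
    """
    findings = []
    for parameter, (rule, expected) in POLICY.items():
        actual = params.get(parameter)
        if actual is None or not _satisfies(rule, actual, expected):
            findings.append(Finding(instance, parameter, actual, rule, expected))
    return findings


def drift(snapshots: Dict[str, str]) -> Dict[str, Dict[str, Optional[int]]]:
    """Question 1: parameters whose value differs between instances."""
    parsed = {inst: parse_snapshot(text) for inst, text in snapshots.items()}
    names = set().union(*(p.keys() for p in parsed.values()))
    differing = {}
    for name in sorted(names):
        values = {inst: p.get(name) for inst, p in parsed.items()}
        if len(set(values.values())) > 1:
            differing[name] = values
    return differing


if __name__ == "__main__":
    for inst, text in SNAPSHOTS.items():
        for f in check_policy(inst, parse_snapshot(text)):
            print(f"{f.instance}: {f.parameter} = {f.actual} violates {f.rule} {f.expected}")
    for name, values in drift(SNAPSHOTS).items():
        print(f"drift: {name}: {values}")
```

On the constructed data PRD_00 is clean, while PRD_01 fails on password length, password expiration, the SAP* automatic-user setting and the missing GUI auto-logout; the same four parameters show up as drift between the two instances, which is exactly the "same result everywhere?" signal you want after an upgrade. Keeping snapshots from before and after a change lets the same drift function answer the upgrade question from the introduction.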
In the end, your organization needs to believe that cybersecurity is a worthwhile investment, and employees should learn to think of it as a tool rather than a tedious administrative evil. By training employees strategically, automating where it makes sense, and outsourcing some of the burden, growing companies can operate at their best. Being free from worry, and able to focus not only on protecting what you have but also on growing your business, is an asset.
If you need an overview of how to protect against and detect cyberattacks, please see the following blog post.