Did you ever hear about it? What does it do?

How does it work and what are the attention points of this tool?

What is the Secure Optimization Service?

It is a tool, included in the Solution Manager suite that allows you to carry out checks on the aspects of SAP Security.

If you already saw the Early Watch service in SAP, produced through the Solution Manager too, well it's really similar. But there are a couple of differences.

If Early Watch wasn't meant for SAP security, it for sure contains some indications, the SAP SOS (Secure Optimization Service) is specific for security aspects. Furthermore, it can be customized, meaning that for some types of searches it's possible to define personalized alert levels.

In the Word or PDF document that is made you can find all the researched findings, as shown below.

What do you use the Secure Optimization Service for?

It's used to periodically carry out security controls on you SAP systems. But what controls are made? There are many on different areas.

In some cases they can be customized, in other words they can disable some evidence that I think are correct (this isn't possible in EWA - Early Watch).

• Authentication
  • Password Policy
  • General Authentication (users that don't use the system)
  • Single Sing On
• Basis administration and SAP Security Authorization
  • Basis Administration
  • Batch
  • OS Access
  • Incoming and Outcoming RFC
• Change Management
  • Data and Program Access
  • Change Control
  • Development
  • Transport Control
• User Authorization
  • User Management
  • Super User
  • Standard User
  • Role and Authorization Management
• Web application server
• Internet Communication Framework

These are some of the macro areas of controls.

In the OSS Note "1484124 - Guided Security Optimization Self Service - Prerequisites" you can find the pre-requisites that the solution manager must have for this functionality to be available.

Once all the configurations have been done it's possible to plan the execution of the SOS through the SM_WORKCENTER transaction.

Through the use of a survey it's possible to customize the emerged exceptions for different findings.

What are some attention/limit points?

The SAP SOS is a great tool to start keeping under control your company's SAP systems.

On the other hand, there are some limitations that have to be considered:

• It doesn't let you easily export the evidence found in an EXCEL format (excluding custom program), it's only possible to export them in PDF or Word format
  
  
• It doesn't have the possibility to have centralized dashboards, also to have multiple systems under control in one place
  
  
• It doesn't carry out real time checks
  
  
• It doesn't check for missing patches or security notes, in this case there's a SAP Solution Manager functionality called System Recommendations
  
  
  
  
• In the case of SAP HANA, at the moment this service is not included to be done by yourself. It is a paid service provided by SAP on request.
  
  
• The SOS doesn't carry out a risk analysis of the Segregation of Duties for example

But are these truly limitations?

Actually, no in my opinion. The SOS is ideal to begin a path of enterprise maturity and start a process of remediation. Also considering what said above.

To carry out a further maturity path the natural solution would be to activate the SAP Enterprise Threat Detection.