SAP Cyber Security

The topics connected to data security are becoming always more important as time goes on. Today, in fact, it's not possible anymore to think about IT security management as a single topic to manage.

It becomes essential to think about this topic as a whole. Also because an exposed attack surface can be used to tackle vulnerabilities and therefore get to more protected systems. All of this must be considered in the various on-premise or cloud contexts, from applicative to technological levels.

Over time SAP has taken a Security By Design and Security By Default path; on the other hand, there are still many aspects that have to be configured and therefore the "but SAP is a secure system by definition" isn't so real (at least right now).

That's why checking that everything is configured in a correct way and verify that there aren't vulnerabilities becomes non only suggested but necessary and with ever greater frequency.

In the past audits or periodical vulnerability assessments could've been sufficient. Today it's necessary to have a constant control if possible. This isn't always achievable by everyone but nowadays there are tools that let ITs or limited security teams (in terms of resources) to have very advanced control instruments.

Indice

Cyber Security/Sicurezza informatica
Quali sono le macro aree di intervento?
Quali sono i principali strumenti/configurazione da attivare?
Come Aglea ti può aiutare per la gestione della Governance dei sistemi SAP?

Cyber Security/IT Security

This term identifies all the actions taken for the protection of IT systems. Meaning with the intent of guaranteeing the availability, the confidentiality and integrity of the systems (CIA principle: Confidentiality, integrity and availability).

It's a commonly used term nowadays and often inflated by cyber security companies.

Which are the macro-areas of intervention?

Communication security (activating cryptography)
- Meaning the activation of cryptography in SAP communication channels, therefore SNC (Secure Network Communication) or HTTPS.
Security of archived data (data cryptography)
- Activation of the database cryptography mechanism, in the case of HANA-native systems
Application Security (SAP Security)
- Definition of a security model or SAP authorization concept

Identity management
- Activation of a system for the management of identities, for example Identity Management
System hardening (infrastructural/operating systems/database)
Correlazione e log degli eventi security, ad esempio, tramite SIEM (security information and event management)
Management of security incidents
Training
- To all the staff as security awareness and professional training to SAP Security specialists. Today this represents the main security problem. After protecting the physical and logical security.

Which are the main tools/configurations to activate?

In some cases there are simply functionalities to activate in SAP, which are already present in the system. In other cases it's necessary to activate solutions (often included in the SAP suite). In others it's needed to buy specific softwares.

Therefore there are different scenarios that can be used depending on the context and on the attack surface that you want to preside over.

"Cyber Security's function is to involve and train the company too!"

How can Aglea help you in the management of Cyber Security in SAP?

People that take care of IT security as their job know that often in a company there aren't sufficient resources to tackle all the thematics that should be managed.

In SAP's case, it's seen as an "internal" product in the company. Therefore it's not directly exposed. Or like a "black box" that "people who know SAP" know about and that must not be touched or else the business processes stop.

This is partially true. But on the other hand, by taking on the argument step by step, you can discover that there is a path and if followed correctly you can obtain important results.

This is exactly what we do, trying to bring two very different worlds closer to each other, the IT security world and the SAP world. Doing this with a precise and guided path, also for who doens't know about SAP, but knows the aspects of IT security.

Contact us if you want to knwo more or discuss the above thematics!

Articoli Suggeriti

SAP Cybersecurity - SAP Enterprise Threat Detection cosa è?

Cosa puoi fare quando si parla di Cyber Security in ambito SAP?

Esiste uno strumento che SAP ha sviluppato chiamato SAP Enterprise Threat Detection che può essere utilizzato.

Cyber Security SAP ERP

Cosa significa questo termine?

Quali sono le azioni che possiamo fare per proteggere un sistema SAP?

SAP Cyber Security, solo l'IT è coinvolto? Cyber Security Culture

In passato erano sicuramente una nicchia le tematiche legate alla sicurezza dei dati. Oggi gli aspetti di Cyber Security sono tenuti in considerazione in maniera molto maggiore, in parte anche per i nuovi paradigmi di accesso es. le soluzioni SAP cloud.

Ma quanto parlare di Cyber Security fa riferimento al solo dipartimento IT? Probabilmente una visione completa di questi aspetti deve andare ben oltre il solo dipartimento dei sistemi informativi.