What does SAP Security mean?
With this term (SAP Security) we identify the whole cluster of activities that secure SAP systems and all the information contained in them.
There are many activities that can be carried out in the area of data security and SAP information security, for example:
- On the application level
  - Definition of an SAP authorization concept, both for end users and for IT personnel or super users
  - Securing Basis authorizations. These are the purely IT authorizations that are often mistakenly assigned to end users
  - Verification of critical actions and/or critical permissions. This covers the IT (ICT) authorizations, but also critical business authorizations (e.g. master data maintenance, purchase order release management, and so on)
  - Definition of an authorization model for system and interface users
  - Definition of a model for compliance with Segregation of Duties
  - Definition of a model for compliance with specific regulations such as ISO, GxP, GDPR
  - Revision or review of an already existing authorization model
  - Management of access to Cloud systems and hybrid models
- On the infrastructure level (presentation, communication, database)
  - SAP system hardening. Many security configurations are not active by default and have to be enabled
  - Encryption of communications
  - Securing of SAP GUI
  - Activation of HANA security configurations (for the HANA database)
- On the programming level
  - One of the most underestimated aspects is the lifecycle of SAP code (ABAP) from a security standpoint. All application-level security relies on checks defined inside programs, so it is essential to follow secure programming practices in SAP
Keep on reading to learn what SAP Security means!
During a new SAP ECC or S/4HANA installation project (or other SAP systems, Cloud or on-premises), defining an authorization concept allows for an early and optimal organization, with the objective of simplifying the management of authorizations and ensuring true compliance with regulations such as GDPR, SOX, ISO and GxP.
It is however frequent for authorizations to be pushed behind other project priorities. In many cases this means going live with wide authorizations that are not completely under control.
In these situations it is easy to end up, after go-live, with authorization models that lead to a decline in governance and to very burdensome day-to-day maintenance. That is why in many cases companies notice authorization problems only after the go-live phase. Some of the main problems that an inadequate authorization model brings are the following:
- Authorizations are hard to maintain in terms of effort
- There is no authorization model that can be applied to the company when it evolves (mergers/acquisitions)
- There is no quick and easy check on "who does what"
- Non-conformities are often found by internal or external auditors
- Users are continually given more authorizations, but these are never removed (even when they change job function)
SAP authorization review projects
As seen above, companies often start an SAP project and only later notice authorization problems. A company with thousands of SAP users can be managed (from an authorization standpoint) by a handful of people or by dozens of them, depending on which authorization concept has been adopted.
Even when the system is already live and productive, it is possible to review SAP authorizations without blocking business activities.
This is made possible by methods and tools that allow SAP authorizations to be re-designed on the basis of real usage by SAP users (for example, the workload statistics of which transactions each user actually executes, rather than what the current roles merely allow).
While the authorization logic is the same, some SAP systems have very specific verticalizations, for example HR, CRM, BW and Industry Solutions.
HR systems peculiarities
SAP HR/HCM (Human Resources and Human Capital Management) systems require specific knowledge, since authorizations in the Human Resources module are much closer to the business than in the rest of the ERP (for example structural authorizations, which grant access according to the position in the organizational structure rather than by transaction alone).
SAP System Upgrade
One of the most underestimated aspects is upgrades and updates. SAP releases them very often, both security-related and not.
For example, at every release change or support package upgrade it is essential to adapt the authorizations accordingly: a great number of authorization objects, new authorizations or new SAP security functionalities may be added, and some may even have been removed. Read here our blog post on upgrades if you want to learn more.
It is important to remember that if the authorizations were built following SAP best practices (roles generated from the SU24 default values), the upgrade is easier and semi-automatic through the SU25 upgrade steps. Otherwise it might take many days of work.
Segregation of Duties Management
Do you have to manage a Segregation of Duties (SoD) project for your company?
Read here how to take on a project such as this. You will see how to approach the various phases:
- Risk Definition
- Risk Analysis
- Continuous compliance
Read here on how SoD helps protect company data.
Remember that the remediation and, even more, the mitigation part can be very demanding, both during the project and in the day-to-day activities required afterwards.
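As an added example (not Aglea's methodology and not SAP GRC code), here is the core of an offline risk analysis in Python covering the three phases above: the risk definition describes business functions as sets of transaction codes and risks as pairs of functions that must not be combined; the risk analysis walks a constructed export shaped like the AGR_USERS (user to role) and AGR_TCODES (role to transaction) tables, ignores role assignments outside their validity dates, and reports each conflict as open or mitigated according to an assumed mitigating-control register. Users, roles, function names, risk ids and control ids are all invented for the demo, and the rule set works at transaction level only; a real analysis also evaluates authorization objects and field values, not just S_TCODE.

```python
"""Offline Segregation of Duties (SoD) risk analysis over SAP-style role exports.

Added example for this page; constructed data, not Aglea's method nor SAP GRC code.
Steps: risk definition (FUNCTIONS, RISKS) -> risk analysis (analyze) -> mitigation status.
"""
import csv
import io
from datetime import date
from typing import Dict, List, Set, Tuple

# --- Risk definition (assumed, simplified: transaction-code level only) ------------
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MASTER":  {"FK01", "FK02", "XK01", "XK02"},  # create/change vendor
    "VENDOR_INVOICE": {"FB60", "MIRO"},                  # post vendor invoice
    "PAYMENT_RUN":    {"F110"},                          # automatic payment run
    "PO_CREATE":      {"ME21N"},                         # create purchase order
    "PO_RELEASE":     {"ME28", "ME29N"},                 # release purchase order
}
# A risk is a pair of functions that must never be reachable by the same user.
RISKS: Dict[str, Tuple[str, str, str]] = {
    "P001": ("VENDOR_MASTER", "VENDOR_INVOICE", "create a fictitious vendor and post invoices to it"),
    "P002": ("VENDOR_INVOICE", "PAYMENT_RUN", "post an invoice and pay it with no second pair of eyes"),
    "P003": ("PO_CREATE", "PO_RELEASE", "create and release one's own purchase orders"),
}

# --- Constructed exports, shaped like AGR_USERS (user->role) and AGR_TCODES (role->tcode)
AGR_USERS_CSV = """UNAME,AGR_NAME,FROM_DAT,TO_DAT
ROSSI,Z_AP_CLERK,20230101,99991231
ROSSI,Z_MM_BUYER,20230101,99991231
BIANCHI,Z_AP_CLERK,20230101,99991231
BIANCHI,Z_AP_PAYMENTS,20230101,99991231
VERDI,Z_MM_BUYER,20230101,99991231
VERDI,Z_MM_APPROVER,20220101,20231231
"""
AGR_TCODES_CSV = """AGR_NAME,TCODE
Z_AP_CLERK,FK01
Z_AP_CLERK,FB60
Z_AP_CLERK,MIRO
Z_AP_PAYMENTS,F110
Z_MM_BUYER,ME21N
Z_MM_BUYER,ME23N
Z_MM_APPROVER,ME29N
"""
# Mitigating-control register (constructed): (user, risk) -> (control id, valid until)
MITIGATIONS: Dict[Tuple[str, str], Tuple[str, date]] = {
    ("BIANCHI", "P002"): ("MC-AP-07", date(2026, 12, 31)),  # monthly payment-run review
}


def _rows(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _sap_date(yyyymmdd: str) -> date:
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))


def effective_tcodes(agr_users: str, agr_tcodes: str, as_of: date) -> Dict[str, Dict[str, Set[str]]]:
    """user -> tcode -> roles granting it, counting only assignments valid on as_of."""
    role_tcodes: Dict[str, Set[str]] = {}
    for r in _rows(agr_tcodes):
        role_tcodes.setdefault(r["AGR_NAME"], set()).add(r["TCODE"])
    users: Dict[str, Dict[str, Set[str]]] = {}
    for r in _rows(agr_users):
        if not _sap_date(r["FROM_DAT"]) <= as_of <= _sap_date(r["TO_DAT"]):
            continue  # expired or future assignment: not an effective authorization
        per_user = users.setdefault(r["UNAME"], {})
        for tcode in role_tcodes.get(r["AGR_NAME"], ()):
            per_user.setdefault(tcode, set()).add(r["AGR_NAME"])
    return users


def analyze(agr_users: str, agr_tcodes: str,
            mitigations: Dict[Tuple[str, str], Tuple[str, date]], as_of: date) -> List[dict]:
    """Risk analysis: one finding per (user, risk) whose two functions are both reachable."""
    findings: List[dict] = []
    for user, tcodes in sorted(effective_tcodes(agr_users, agr_tcodes, as_of).items()):
        for risk_id, (fn_a, fn_b, description) in RISKS.items():
            hits_a = FUNCTIONS[fn_a] & set(tcodes)
            hits_b = FUNCTIONS[fn_b] & set(tcodes)
            if not (hits_a and hits_b):
                continue
            roles = sorted(set().union(*(tcodes[t] for t in hits_a | hits_b)))
            control = mitigations.get((user, risk_id))
            mitigated = control is not None and control[1] >= as_of  # expired control = open
            findings.append({
                "user": user, "risk": risk_id, "description": description,
                "tcodes": sorted(hits_a | hits_b), "roles": roles,
                "status": "mitigated" if mitigated else "open",
                "control": control[0] if mitigated else None,
            })
    return findings


def summary(findings: List[dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(AGR_USERS_CSV, AGR_TCODES_CSV, MITIGATIONS, date(2024, 6, 30)):
        print(f"{f['user']:8} {f['risk']} {f['status']:9} via {','.join(f['roles'])}: {f['description']}")
```

Run as of mid-2024 it reports two open conflicts and one mitigated one. ROSSI's conflict comes from a single role (Z_AP_CLERK grants both vendor master and invoice transactions): that is the intra-role case that no reassignment of users fixes, only a role redesign, which is why remediation is the expensive part. VERDI's approver role expired at the end of 2023 and is therefore not counted, which is why the analysis must run on the effective assignments rather than on the raw table; rerun it as of mid-2023 and VERDI's P003 conflict appears.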
GDPR - General Data Protection Regulation
Compliance with Regulation (EU) 2016/679 and Italian Legislative Decree (D.Lgs.) 101/2018 is mandatory for anyone who processes personal data.
Here too a precise step-by-step process must be followed, and it involves the Legal, ICT, Business and HR departments. SAP contains a great deal of personal data (hence sensitive data), so it is important to carry out a privacy impact assessment (PIA, or DPIA in GDPR terms) in order to identify non-conformities and decide how to manage them, for example with:
- Data encryption in SAP
- SAP hardening
- Data masking
- SAP data scrambling (anonymizing the copies used in test and development systems)
- Staff training, i.e. security awareness
Read here how to take on the GDPR, particularly in SAP, to protect personal data.
SAP Governance Risk and Compliance (GRC)
One of the instruments that SAP puts at your disposal to control and check the company's conformity to regulations is SAP GRC.
This tool is made up of various components (read here more), and in the case of Access Control it allows you to manage the following:
- ARQ – Access Request Management, used for the management of the SAP user lifecycle through approval workflows
- ARA – Access Risk Analysis: Segregation of Duties, covering all the steps of the SoD process except the testing of mitigating controls (for that part GRC Process Control is needed)
- BRM – Business Role Management, used for the lifecycle of authorization roles
- EAM – Emergency Access Management, used for the management of emergency access (super users, firefighter/firecall IDs, system administrators)
SAP Identity Management (SAP IDM)
In complex landscapes many heterogeneous systems have to be managed. It is important to have a tool that manages the user lifecycle through its main events:
- New users
- Job changes
- User discontinuation
The SAP tool that makes all of this possible is the SAP identity management.
SAP infrastructure security (SAP Cyber Security)
It’s common to think that:
- SAP is secure by default
- SAP profiling (application-level security) is enough to reach a good level of security for the systems.
This is, however, not always the case. Even though some SAP systems may be secure right from the start, many are not: all the needed configurations must be enabled in order to improve security.
One example is encrypted communication. Encryption is not enabled by default on all systems. Without SNC (Secure Network Communications) the traffic between the presentation server (SAP GUI, for example) and the application server is not protected and can be read on the network; the same applies to RFC connections between systems.
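As an added example for the hardening and encryption points above (not Aglea's tooling and not an SAP program), the Python script below reads SAP profile files in their `parameter = value` form, applies the rule that the instance profile overrides DEFAULT.PFL, and compares the effective values with a small baseline of security-relevant parameters, SNC included. The two profiles are constructed, and the baseline values are the editor's assumed recommendations (for example `snc/enable = 1` together with `snc/data_protection/min = 3` so that SAP GUI and RFC traffic is encrypted); verify them against the SAP Security Baseline for your release. Parameters changed dynamically are not in the files, so the real effective value should always be confirmed in RZ11 or with report RSPARAM.

```python
"""Check SAP profile parameters against a security baseline.

Added example for this page (not Aglea's tooling, not an SAP program). Both profiles
below are constructed; the instance profile overrides DEFAULT.PFL, as on a real system.
The baseline values are the editor's assumed recommendations, not an SAP document.
"""
import re
from typing import Callable, Dict, List, Tuple

DEFAULT_PFL = """# DEFAULT.PFL (constructed)
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/password_downwards_compatibility = 1
snc/enable = 0
rfc/reject_expired_passwd = 0
"""

INSTANCE_PFL = """# PRD_DVEBMGS00_sapprd (constructed): instance profile, overrides DEFAULT.PFL
login/min_password_lng = 10
login/no_automatic_user_sapstar = 1
auth/rfc_authority_check = 1
gw/acl_mode = 1
"""

PARAM_LINE = re.compile(r"^\s*([A-Za-z][\w/.\-]*)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Return parameter -> raw value; '#' lines are comments, later duplicates win."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PARAM_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def effective_parameters(*profiles: str) -> Dict[str, str]:
    """Merge profiles in load order (DEFAULT.PFL first, instance profile last)."""
    effective: Dict[str, str] = {}
    for profile in profiles:
        effective.update(parse_profile(profile))
    return effective


def _int(value: str) -> int:
    return int(value) if value.isdigit() else -1


# parameter -> (expected value in words, predicate on the raw value). Assumed baseline.
BASELINE: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "snc/enable": ("1 (SNC active)", lambda v: v == "1"),
    "snc/data_protection/min": ("3 (privacy: integrity plus encryption)", lambda v: _int(v) >= 3),
    "snc/only_encrypted_gui": ("1 (reject unencrypted SAP GUI logons)", lambda v: v == "1"),
    "snc/accept_insecure_rfc": ("0 (reject RFC without SNC)", lambda v: v == "0"),
    "login/no_automatic_user_sapstar": ("1 (no hard-coded SAP* logon)", lambda v: v == "1"),
    "login/min_password_lng": (">= 8", lambda v: _int(v) >= 8),
    "login/password_downwards_compatibility": ("0 (no downward-compatible hashes)", lambda v: v == "0"),
    "auth/rfc_authority_check": ("6 or 9 (S_RFC checked per function module)", lambda v: v in ("6", "9")),
    "rfc/reject_expired_passwd": ("1 (expired passwords cannot log on via RFC)", lambda v: v == "1"),
    "gw/acl_mode": ("1 (gateway ACLs default to deny)", lambda v: v == "1"),
}


def check_hardening(*profiles: str) -> List[Dict[str, str]]:
    """One row per baseline parameter: ok, weak, or not set (kernel default applies)."""
    effective = effective_parameters(*profiles)
    report: List[Dict[str, str]] = []
    for param, (expected, is_ok) in BASELINE.items():
        if param not in effective:
            actual, status = "", "not set"  # default applies: confirm the real value in RZ11
        else:
            actual = effective[param]
            status = "ok" if is_ok(actual) else "weak"
        report.append({"param": param, "actual": actual, "expected": expected, "status": status})
    return report


def count_by_status(report: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for row in report:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in check_hardening(DEFAULT_PFL, INSTANCE_PFL):
        print(f"{row['status']:8} {row['param']:40} actual={row['actual'] or '-':4} expected {row['expected']}")
```

On the constructed profiles the instance value `login/min_password_lng = 10` correctly wins over the `6` in DEFAULT.PFL, SNC is off, RFC logons are still accepted with expired passwords, and three SNC parameters are simply absent, which is the typical shape of a system that was installed and never hardened.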
That is why a 360-degree view of Cyber Security topics, also in SAP, is important.
It has always been considered a secondary aspect; however, in recent years the theme is increasingly taken into consideration, even where these practices were unknown.
Securing internally or externally developed programs is neither an easy nor an immediate process, especially when several programming languages are involved. Which company has an expert in secure programming for n languages? And even if such a person existed, how could they manually review all the developments in a reasonable timeframe?
That is why it is essential to adopt tools that check the developed code, not only from a security standpoint but also, for example, from a performance, usability and S/4HANA readiness standpoint.
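As an added example of the kind of automated check this paragraph argues for (a toy, not SAP Code Vulnerability Analyzer and not Aglea's code), the Python script below scans ABAP source for two classic application-level defects: a database access to a sensitive table in a routine that contains no AUTHORITY-CHECK at all, and an AUTHORITY-CHECK whose sy-subrc is never evaluated, which makes the check purely decorative. The ABAP report, the list of sensitive tables and the message class ZSEC are constructed for the demo; a real tool works on the parsed statement tree and on data flow rather than on text, so this one misses dynamic table names and checks placed in called routines.

```python
"""Toy static check for ABAP reports: database access to a sensitive table without an
AUTHORITY-CHECK in the same routine, and AUTHORITY-CHECKs whose sy-subrc is never tested.

Added example for this page; not SAP Code Vulnerability Analyzer and not Aglea code.
The ABAP source, the table list and the message class ZSEC are constructed.
"""
import re
from typing import Dict, List

SENSITIVE_TABLES = {"PA0002", "PA0008", "USR02", "USH02", "LFA1", "BSEG"}  # assumed list
DB_KEYWORDS = {"SELECT", "UPDATE", "DELETE", "INSERT", "MODIFY"}
UNIT_START = {"FORM", "METHOD", "FUNCTION", "START-OF-SELECTION", "END-OF-SELECTION"}
UNIT_END = {"ENDFORM", "ENDMETHOD", "ENDFUNCTION"}

SAMPLE_ABAP = """REPORT zpayroll_export.
* Constructed demo report: three routines, two of them defective.
DATA: lt_pay TYPE TABLE OF pa0008.
PARAMETERS: p_werks TYPE persa.

START-OF-SELECTION.
  PERFORM read_pay.
  PERFORM read_users.
  PERFORM read_vendors.

FORM read_pay.
  " Defect 1: infotype 0008 (basic pay) is read with no authority check at all
  SELECT * FROM pa0008 INTO TABLE lt_pay WHERE werks = p_werks.
ENDFORM.

FORM read_users.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD 'USR02'
    ID 'ACTVT' FIELD '03'.
  " Defect 2: sy-subrc is never evaluated, so the check above changes nothing
  SELECT bname FROM usr02 INTO TABLE @DATA(lt_users) WHERE ustyp = 'A'.
ENDFORM.

FORM read_vendors.
  AUTHORITY-CHECK OBJECT 'F_LFA1_APP'
    ID 'ACTVT' FIELD '03'
    ID 'APPKZ' FIELD 'F'.
  IF sy-subrc <> 0.
    MESSAGE e001(zsec) WITH 'Not authorized'.   " correct pattern: check, then act on it
  ENDIF.
  SELECT lifnr name1 FROM lfa1 INTO TABLE @DATA(lt_vendors).
ENDFORM.
"""


def abap_statements(source: str) -> List[str]:
    """Drop comments and string literals, then split the source into upper-cased statements."""
    cleaned = []
    for line in source.splitlines():
        if line.startswith("*"):                        # full-line comment: '*' in column 1
            continue
        line = line.split('"', 1)[0]                    # trailing comment starts at '"'
        line = re.sub(r"'[^']*'|`[^`]*`", "''", line)   # literals may contain periods
        cleaned.append(line)
    text = " ".join(cleaned)
    return [re.sub(r"\s+", " ", s).strip().upper() for s in text.split(".") if s.strip()]


def scan(source: str) -> List[Dict[str, str]]:
    """Return one finding per defect, with the routine ('unit') it was found in."""
    findings: List[Dict[str, str]] = []
    stmts = abap_statements(source)
    unit, checked_in_unit = "(top)", False
    for i, stmt in enumerate(stmts):
        tokens = stmt.split()
        head = tokens[0]
        if head in UNIT_START:                           # new routine: forget earlier checks
            unit = tokens[1] if head in ("FORM", "METHOD", "FUNCTION") and len(tokens) > 1 else head
            checked_in_unit = False
            continue
        if head in UNIT_END:
            unit, checked_in_unit = "(top)", False
            continue
        if head == "AUTHORITY-CHECK":
            checked_in_unit = True
            # the result must be consumed right away (IF/CHECK/CASE on sy-subrc)
            if "SY-SUBRC" not in " ".join(stmts[i + 1:i + 3]):
                findings.append({"unit": unit, "rule": "subrc-not-checked", "table": ""})
            continue
        if head in DB_KEYWORDS:
            hit = SENSITIVE_TABLES.intersection(tokens)
            if hit and not checked_in_unit:
                findings.append({"unit": unit, "rule": "unguarded-db-access",
                                 "table": ",".join(sorted(hit))})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ABAP):
        print(f"{f['rule']:20} in {f['unit']} {f['table']}")
```

On the sample report the scan flags READ_PAY (PA0008 read without any check) and READ_USERS (check present but sy-subrc ignored), and accepts READ_VENDORS, where the check is followed by `IF sy-subrc <> 0`. The second defect is the one auditors find most often in custom code: the AUTHORITY-CHECK statement exists, so a text search for it looks fine, but nothing stops the program when it fails.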
How can Aglea help you?
We have been working exclusively as SAP security consultants since 2003, both in Italy and abroad.
We have delivered dozens of SAP security concept design projects and authorization review projects. Our experience led us to build project accelerators and tools that help the IT department (usually very technical) interface with the business, with the objective of simplifying communication between the actors involved and improving control of the systems.
We configure and install SAP products for the management of governance and security (SAP GRC Access Control - Process Control - Risk Management, SAP Information Lifecycle Management - ILM, SAP Identity Management, SAP Code Vulnerability Analyzer, SAP Field Masking & Read Access Logging, SAP Enterprise Threat Detection, SAP Audit Management, SAP Fraud Management, Unified Connectivity UCON).
We teach, on behalf of SAP Italy, the following catalog courses:
- ADM900 SAP System Security - The Fundamentals
- ADM940 ABAP AS Authorization Concept
- ADM945 SAP S/4HANA – Authorization Concept
- ADM950 Secure SAP System Management
- ADM960 SAP NetWeaver AS – Security
- ADM920 SAP Identity Management
- BIT665 SAP Information Lifecycle Management (ILM)
- HR940 Authorizations in HCM
- BW365 User Management and Authorizations
- GRC100 SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0 Principles and Harmonization
- GRC300 SAP Access Control 10.0 Implementation
- GRC330 SAP BusinessObjects Process Control 10.0 – Implementation and Configuration
- GRC350 SAP Business Integrity Screening (BIS)
- HA240 SAP HANA- Authorization, Security and Scenarios
- During projects we organize training sessions to make the client autonomous in the management of SAP authorizations
Do you need to define an SAP security concept? Do you need SAP Security or Segregation of Duties consultancy?
Suggested Post from our SAP Security Blog
Tables, Roles, Profiles and Authorizations in SAP
SAP contains hundreds of thousands of tables. In some cases direct access to these tables allows data to be retrieved faster. Below is a list of tables for each area:
- SAP Roles
- SAP Profiles
- Authorization objects