Managing security and risk in SAP has evolved over the years. One could argue that the complexity of implementing compliant security models and access management programs has increased drastically over time. Early versions of SAP used a profile concept before introducing the vehicle for delivering authorizations known today as roles. In 2015, S/4HANA was introduced, unlocking tremendous capabilities for customers with its in-memory HANA database, Fiori front end, and over 400 million lines of code rewritten to build the next-generation ERP offering. As of March 2021, there are more than 250 products listed in SAP’s Product Portfolio.
Today, we have more capabilities than ever before in the SAP ecosystem. As a result, we are seeing landscapes of interconnected systems, new securable objects, multiple versions of internet-facing applications, real-time data synchronizations, and much more, all adding to the complexity of managing security and access risk. An increasing number of companies also use various applications to support specific business processes or areas of specialization. With today’s APIs and integration capabilities, heterogeneous enterprise landscapes are a noteworthy trend. These can be a mixture of SAP and non-SAP applications, each with its own security model and securable objects. The ability to manage access risk in multi-application and cross-application scenarios is paramount for organizations whose business processes span multiple applications.
Irrespective of your landscape, risk is all around us: segregation of duties, excessive security authorizations, data privacy, customizations, cyber-attacks, configurations, and much more.
In this blog series, we will narrow our focus to look at the Usual Suspects of SAP Access Risk:
- Configurations, Parameters, and Patching
- System Authorizations and Accounts
- Security Architecture and Design
- Custom Programs and Transactions
- Access, Risk, and Controls Governance
While this blog covers the common risks, it is just the tip of the iceberg when it comes to system hardening, network security, and other key cybersecurity aspects. SAP has outlined many of these in the Secure Operations Map.
Figure 1 – The SAP Secure Operations Map
For now, we would like to provide you with some resources that will help you understand and manage risk in your SAP application:
SAP Resources on Security
- The SAP Secure Operations Map – Discusses the SAP Secure Operations Map and explains each building block within the model.
- ABAP Platform Security Guide – Useful administration, authentication, and network security information.
- SAP Security Notes & News – Review SAP Security Notes, plan for upcoming SAP Security Patch Days, and read critical SAP Security News.
- SAP NetWeaver Application Server for ABAP Security Guide: Protecting Standard Users – Covers the standard users delivered with every ABAP system and the recommended steps to secure them.
Fastpath Resources for SAP Security
- Fastpath virtual booth at SAPinsider – Visit Fastpath virtually and see some of our products and resources for SAP.
- Fastpath SAP Integration Page – contains Fastpath’s SAP product suite, including User Provisioning and SoD tools, Audit Trail, Emergency Access, Risk Quantification, and Custom Code Checker.
- SAP Resources – access to Fastpath’s collection of SAP-related eBooks, blogs, and on-demand webinars.
- Recent SAP blog posts