SAP Security
What does SAP Security mean?
The term SAP Security covers the set of activities aimed at securing SAP systems and all the information they contain.
Many activities fall under SAP data and information security, for example:
- On the application level
  - Definition of an SAP authorization concept, both for end users and for IT personnel or super users
  - Securing basis authorizations. These are purely IT authorizations that are often mistakenly assigned to end users
  - Verification of critical actions and/or critical permissions. This covers IT or ICT authorizations, but also critical business authorizations (e.g. master data maintenance, purchase order release management and so on)
  - Definition of an authorization model for system and interface users
  - Definition of a model for compliance with Segregation of Duties
  - Definition of a model for compliance with specific regulations such as ISO, GxP, GDPR
  - Revision or review of an already existing authorization model
  - Management of access to Cloud systems and hybrid models
- On the infrastructure level (presentation, communication, database)
  - SAP system hardening. Many security configurations are not active by default and have to be enabled
  - Encryption of communications
  - Securing SAP GUI
  - Activation of HANA security configurations (for the HANA database)
- On the programming level
One of the most underestimated aspects is the lifecycle of SAP code (ABAP) from a security standpoint. All aspects of application security rest on checks defined inside programs, so it is essential to follow secure-programming principles in SAP.
Keep on reading to learn what SAP Security means!
New Projects
During a new SAP ECC or S/4HANA installation project (or of other SAP systems, Cloud or on-premises), defining an authorization concept allows for an early and well-structured organization, with the objective of simplifying authorization management and ensuring true compliance with regulations such as GDPR, SOX, ISO and GxP.
It is however frequent for authorizations to be pushed behind other project priorities. In many cases this means going live with wide authorizations that are not completely under control.
In these situations it is easy to end up, after go-live, with authorization models that lead to a decline in governance and to very burdensome day-to-day maintenance. That is why in many cases companies notice authorization problems only after the go-live phase. Some of the main problems caused by an inadequate authorization model are the following:
- Authorizations are hard to maintain in terms of effort
- There is no authorization model that can still be applied if the company evolves (mergers/acquisitions)
- There is no quick and easy check of "who does what"
- Non-conformities are often found by internal or external auditors
- Users keep being given more authorizations, but these are never removed (despite changes of function)
- The technical simplification tools that SAP provides are not used (for example composite roles and derived roles)
Projects of SAP authorizations review
As seen above, companies often start an SAP project and only later notice authorization problems. A company with thousands of SAP users can be managed (from an authorization standpoint) by a small team or by tens of people, depending on which authorization concept has been adopted.
Even when a productive system is already live, it is possible to review SAP authorizations without blocking business activities.
This is possible by using methods and tools that allow SAP authorizations to be redesigned based on the actual usage by SAP users.
While the authorization logic may be the same, some SAP systems have very specific verticalizations, for example HR, CRM, BW and Industry Solutions systems.
HR systems peculiarities
For SAP HR/HCM (Human Resources and Human Capital Management) systems, specific knowledge is needed, since authorization in the Human Resources module is much closer to the business than in the rest of the ERP.
Segregation of Duties Management
Do you have to manage a Segregation of Duties (SoD) project for your company?
Read here how to take on such a project. You will see how to approach the various phases:
- Risk Definition
- Risk Analysis
- Remediation
- Mitigation
- Continuous compliance
Read here how SoD helps protect company data.
Remember that the remediation and, more importantly, the mitigation phases can be very demanding, both during the project and in the day-to-day activities that follow.
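The phases listed above, carried through on constructed data as an added example (not code from the original page or from Aglea): risks are defined as pairs of conflicting business functions, users inherit functions through their roles, open conflicts are reported, existing mitigating controls are taken into account, and candidate roles for remediation are identified. Role names, users and risk ids are invented for illustration.

```python
"""Minimal SoD analysis over constructed SAP-style role assignments."""
from collections import defaultdict

# Risk definition: pairs of business functions one user must not hold together.
# Constructed sample risks, in the spirit of the examples given on this page.
RISKS = {
    "P001": ("Maintain vendor master data", "Release purchase orders"),
    "P002": ("Create purchase orders", "Post vendor invoices"),
}

# Which business function each role grants. In a real project this mapping is
# derived from the transactions and authorization objects inside each role.
ROLE_FUNCTIONS = {
    "Z_MM_VENDOR_MAINT": {"Maintain vendor master data"},
    "Z_MM_PO_RELEASE": {"Release purchase orders"},
    "Z_MM_PO_CREATE": {"Create purchase orders"},
    "Z_FI_INVOICE_POST": {"Post vendor invoices"},
    "Z_DISPLAY_ONLY": set(),
}

# Constructed user-to-role assignments (what a role-assignment extract would contain).
USER_ROLES = {
    "JDOE": ["Z_MM_VENDOR_MAINT", "Z_MM_PO_RELEASE"],
    "ASMITH": ["Z_MM_PO_CREATE", "Z_DISPLAY_ONLY"],
    "BLEE": ["Z_MM_PO_CREATE", "Z_FI_INVOICE_POST"],
}

# Mitigating controls already in place: risk id -> users covered by a control.
MITIGATIONS = {"P002": {"BLEE"}}


def user_functions(user, excluded_role=None):
    """Business functions a user holds, optionally simulating removal of one role."""
    funcs = set()
    for role in USER_ROLES.get(user, []):
        if role != excluded_role:
            funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def analyze():
    """Risk analysis: {user: [(risk_id, 'open' | 'mitigated')]} for every conflict found."""
    findings = defaultdict(list)
    for user in USER_ROLES:
        funcs = user_functions(user)
        for risk_id, (a, b) in RISKS.items():
            if a in funcs and b in funcs:
                status = "mitigated" if user in MITIGATIONS.get(risk_id, set()) else "open"
                findings[user].append((risk_id, status))
    return dict(findings)


def remediation_candidates(user, risk_id):
    """Remediation: roles whose removal alone would resolve the risk for this user."""
    a, b = RISKS[risk_id]
    return sorted(r for r in USER_ROLES.get(user, [])
                  if not {a, b} <= user_functions(user, excluded_role=r))
```

Re-running `analyze()` on every role assignment extract is the continuous-compliance step; a mitigated finding still appears in the report so the control can be reviewed.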
SAP Identity Management (SAP IDM)
In complex landscapes, many heterogeneous systems have to be managed. It is important to have a tool that manages the user lifecycle, covering:
- New users
- Job changes
- User discontinuation
The SAP tool that makes all of this possible is SAP Identity Management.
This tool can be connected to SAP and non-SAP systems in order to provision and de-provision users and roles in the connected systems, through the definition of approval workflows.
Infrastructure SAP Security (SAP Cyber Security)
It is common to think that:
- SAP is secure by default
- SAP profiling (application security) is enough to reach a good enough level of security for the systems
This is however not always the case. Even though some SAP systems may be secure from the start, many are not. All the necessary configurations have to be enabled in order to improve security.
One example is encrypted communication. Encryption is not enabled by default on all systems. This means that communications between the presentation server (SAP GUI, for example) and the application server are not protected.
That is why a 360-degree view of cyber security topics, including in SAP, is important.
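The SAP GUI to application server example above, as an added illustration that is not code from the original page or from Aglea: a weak instance profile beside its hardened counterpart, and a check that reports every SNC (Secure Network Communications) parameter deviating from a baseline. The profile excerpts are constructed; the parameter names are SAP's documented SNC profile parameters (not listed on the page), and the baseline values are an assumed hardening standard.

```python
"""Report SNC profile parameters that deviate from a hardening baseline."""

# Constructed excerpt of an instance profile with SNC left at weak defaults.
WEAK_PROFILE = """\
SAPSYSTEMNAME = DEV
INSTANCE_NAME = D00
snc/enable = 0
snc/accept_insecure_gui = 1
snc/data_protection/min = 1
"""

# Same excerpt after hardening: SNC on, privacy (encryption) required as the
# minimum protection level, and SAP GUI logons without SNC rejected.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = DEV
INSTANCE_NAME = D00
snc/enable = 1
snc/accept_insecure_gui = 0
snc/data_protection/min = 3
"""

# Assumed baseline: parameter -> (expected value, what a deviation means).
SNC_BASELINE = {
    "snc/enable": ("1", "SNC is off; GUI and RFC traffic is sent in clear text"),
    "snc/data_protection/min": ("3", "minimum protection level is below privacy (encryption)"),
    "snc/accept_insecure_gui": ("0", "SAP GUI logons without SNC are still accepted"),
}


def parse_profile(text):
    """Parse 'key = value' lines of an SAP profile; '#' lines and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def snc_findings(profile_text):
    """Return [(parameter, actual, expected, reason)] for each deviation from the baseline.

    A parameter that is absent is reported as '<not set>', because an unset
    parameter falls back to the kernel default rather than to the baseline.
    """
    params = parse_profile(profile_text)
    return [(key, params.get(key, "<not set>"), expected, reason)
            for key, (expected, reason) in SNC_BASELINE.items()
            if params.get(key, "<not set>") != expected]
```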
Secure Coding
Secure coding has always been considered a secondary aspect; however, in recent years the topic is being taken into consideration more and more, even in places where this practice was unknown.
Securing internally or externally developed programs is neither an easy nor an immediate process, especially when different programming languages are involved. Which company has an expert in secure programming for n languages? And even if this person existed, how could they manually review all the developments in a reasonable timeframe?
That is why it is essential to adopt systems that make it possible to check the developed code, not only from a security standpoint but also, for example, from a performance, usability and S/4HANA readiness standpoint.
The SAP tool that makes it possible to run these checks is called Code Vulnerability Analysis.
How can Aglea help you?
We have been working exclusively as SAP security consultants since 2003, both in Italy and abroad.
We have delivered dozens of SAP security concept design projects and authorization review projects. Our experience has led us to build project accelerators and tools that help the IT department (usually very technical) interface with the business, with the objective of simplifying communication between the actors involved and improving control over the systems.
We configure and install SAP products for governance and security management (SAP GRC Access Control, Process Control, Risk Management; SAP Information Lifecycle Management, ILM; SAP Identity Management; SAP Code Vulnerability Analysis; SAP Field Masking & Read Access Logging; SAP Enterprise Threat Management; SAP Audit Management; SAP Fraud Management; Unified Connectivity, UCON).
We teach, on behalf of SAP Italy, the following catalog courses:
- ADM900 SAP System Security - The Fundamentals
- ADM940 ABAP AS Authorization Concept
- ADM945 SAP S/4HANA – Authorization Concept
- ADM950 Secure SAP System Management
- ADM960 SAP NetWeaver AS – Security
- ADM920 SAP Identity Management
- BIT665 SAP Information Lifecycle Management (ILM)
- HR940 Authorizations in HCM
- BW365 User Management and Authorizations
- GRC100 SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0 Principles and Harmonization
- GRC300 SAP Access Control 10.0 Implementation
- GRC330 SAP BusinessObjects Process Control 10.0 – Implementation and Configuration
- GRC350 SAP Business Integrity Screening (BIS)
- HA240 SAP HANA- Authorization, Security and Scenarios
- During projects we organize training sessions to make the client autonomous in the management of SAP authorizations
Take a look at our certifications (About Aglea) and case histories (Case history).
Do you need to define an SAP security concept? Do you need SAP Security or Segregation of Duties consulting?
Suggested post from our SAP Security blog
Tables, Roles, Profiles and Authorizations in SAP
SAP contains hundreds of thousands of tables. In some cases, direct access to these tables allows data to be retrieved faster. Below is a list of tables for each area:
- SAP Roles
- SAP Profiles
- Users
- Authorizations
- Authorization objects