Whether you’re considering a switch from SAP Business Suite to SAP S/4HANA in the future, you’re in the process of making the switch right now, or you changed from the former to the latter in the recent past, your organization needs to be thinking about how to secure your SAP implementation. Although Business Suite and S/4HANA share the same SAP NetWeaver AS ABAP core, S/4HANA is an application server as well as a database, which means you’ll need to consider a few more things when securing it. Here are five key areas to think about.
Authorizations and Roles
Like any upgrade to SAP (and it’s important to remember that changing to SAP S/4HANA is an upgrade), a key component of securing your implementation is updating your authorizations and roles. A strong grasp of how best to use SU 24 (Maintain Check Indicators) and SU25 (Upgrade Tool for Profile Generator) should be a big help when it comes to authorization object checks, transactions, and more.
In addition, SAP S/4HANA sees the inclusion of new SAP Fiori apps, which essentially act like web services. The fact that users will need authorization to access these apps isn’t new, but the way app catalogs are integrated and how one communicates and syncs with the publishing instance are new to the role-building transaction PFCG. After all, creating roles incorrectly could create some major vulnerabilities in your SAP org.
SAP HANA System Security
Because SAP HANA development and admin activities are now primarily performed through web interfaces, how you should secure your system has changed as well. SAP HANA databases now need new security settings and authorization setups to not only reduce the chances of improper access but ensure that it’s operated correctly as well.
If you’d like to make the most of your SAP HANA engine and take advantage of SAP HANA extended application services, advanced model, (also known as “XS Advanced”), it’s important to know that the authorization- and role-building processes have changed significantly compared to the traditional methods of securing a regular SAP database. An expert will not only help you build these out correctly but also assist you in getting the most “bang for your buck” out of your SAP org.
Securing Your Infrastructure
In older SAP setups, opening business processes to those outside the company required using the SAP Enterprise Portal or asynchronous processing via email. In comparison, SAP S/4HANA (or more specifically, SAP Fiori) makes things simpler and easier. Publishing dedicated small apps to user groups is a snap in SAP S/4HANA, giving users real-time access to their transactions and process change steps. However, “easier” doesn’t mean “impenetrable.”
A strong security architecture is always a necessity when it comes to business-critical system component access, and SAP S/4HANA is no different. To secure your infrastructure, you’ll want to ensure that everyone is on the same page about who has what network access, how traffic should flow through the network (using tools like Web Dispatcher and SAProuter), how firewalls should be set up, and so on.
Giving external user groups access to cloud solutions is not only easier than giving them access to on-prem applications—as many activities already take place in the cloud—but it’s more secure as well. To that end, companies that use SAP S/4HANA have access to Cloud Connector, an easy and safe way to connect on-prem systems like SAP S/4HANA with SAP Cloud Platform applications.
The key things to remember when it comes to security and Cloud Connector are setting up and running Cloud Connector securely (using it with products other than SAP Cloud Platform or S/4HANA Cloud is a big no-no, for example) and using the SAP Cloud Platform Identity Authentication and SAP Cloud Platform Identity Provisioning services to grant the correct permissions to cloud applications. The Cloud Connector is a great tool, but it can only be as secure as you make it.
User Access and Authentication Management
Especially in a hybrid cloud/on-prem setup, access type coordination is vitally important to the security of your SAP S/4HANA org. Overly restrict access, and users have to log in with their password over and over (and over…). Overly lax restrictions, however, give users access to systems they shouldn’t. At best, those users don’t realize they have this access and never use it (or only accidentally make easily fixable mistakes). At worst, business-critical information could be tampered with out of ignorance or malice.
To prevent these scenarios from happening, your security team needs to have a firm handle on both federated single sign-on and Security Assertion Markup Language (SAML) 2.0, as well as a well-thought-out plan for your identity management solution. (Losing track of individual accounts that need to be created and maintained is a recipe for trouble.) In addition, the latter needs to be capable of provisioning users whether they’re using cloud systems, on-prem systems, or both, depending on how you choose to set things up.
If you’d like help securing your SAP implementation, Surety Systems’ expansive network of US-based, senior-level consultants is here for you. Contact us today to get started.