One of the reasons organizations use enterprise resource planning (ERP) systems is to do away with outdated data models that silo information throughout the different departments of an organization. ERPs like SAP allows companies to keep their critical assets, data, and intellectual property in one place, resulting in improved efficiency, less data duplication, and more.
Of course, that also means it’s vital to protect this information from unauthorized access, both from outside threats like malicious agents and malware, as well as inside threats, such as employee errors or even an intentional data breach.
Cue SAP Security.
SAP offers extensive protection and security monitoring for your most sensitive data. Read on to learn about what SAP Security is and how it can benefit your organization.
What is SAP Security?
SAP Security is a module within SAP that grants users access where they need it (and only where they need it). Think of it as a digital deadbolt that keeps your organization’s data secure and protected from external and internal threats.
As an example, let’s imagine a warehouse employee who creates purchase orders.
While this person obviously needs access to the creation of those purchase orders, they don’t also need the ability to approve those orders. Without this added level of security, you could end up with someone creating and approving all sorts of orders without any oversight. SAP cyber security ensures that employees are able to access the functionalities of SAP that are part of their job responsibilities, but that’s all.
How SAP Security Works
The SAP system consists of many applications dealing with human resources, accounting, customer relationship management (CRM), sales, finance, and more. For the solution to be effective, you need to integrate these processes and centralize management.
SAP Security acts as a comprehensive umbrella over the whole SAP system, ensuring everything works smoothly with no security issues or unauthorized data access. Let’s take a look.
Network Security
SAP uses standard network security features like firewalls and demilitarized zones (DMZ), network ports, SAP Router, and more. A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. In this case, SAP Web Dispatcher and SAP Router are some of the application-level SAP gateways used for filtering SAP network traffic.
Application Security
Secure Socket Layer, also known as SSL, is a standard security technology for establishing an encrypted link between a server and client. SSL allows you to authenticate the communication partners by determining the variables of encryption. With SAP, data transferred between both the client and server is protected so you can detect if there’s any manipulation during the transfer. That data is also encrypted to add an extra layer of security and maintain data integrity.
SAP Internet Transaction Server Security
In order to access SAP applications from a web browser, you need a middleware component —SAP Internet Transaction Server (ITS). SAP created its ITS architecture with a variety of built-in security components, including running the WGate and AGate on separate hosts, offering greater control for SAP Security solutions.
STAD Data
STAD data provides security against unauthorized access to SAP’s functionality using transaction codes. It can track who accessed certain functionalities and when they did so, allowing you to monitor, audit, and analyze security access and SAP authorization permissions.
SAP Cryptographic Library
The SAP Cryptographic Library is the default encryption product from SAP. It’s used for providing Secure Network Communication (SNC) between different SAP components.
Single Sign-On
The single sign-on function throughout SAP systems allows you to configure the user credentials that have access to specific SAP applications. By controlling access to each application, you can reduce security risks from both internal and external threats.
Audit Information System
Audit Information System (AIS) is an SAP Security monitoring tool that helps thoroughly analyze the security features of SAP. You can use it for system and business audits.
Why Rethink SAP ERP Security Roles?
Businesses that use the SAP Security module trust the solution with all sorts of sensitive information that needs to be kept secure, as it can handle everything from business secrets to private employee data.
Now, you might be thinking to yourself, “I already take advantage of Governance, Risk, and Compliance (GRC) procedures, so why does SAP Fiori Security require new security roles?”
Good question! Here are two big reasons why:
1) GRC’s False Negatives
With Fiori’s predecessor, SAP GUI, many GRC access control solutions ensured that only authorized users were able to perform a given transaction by checking transaction authorizations against a set of Segregation of Duties (SoD) rules.
But because SAP Fiori doesn’t directly interact with transactions, the authorization model has changed. So if you relied on SAP GRC to check for SoD conflicts, you might get false negatives that could affect your system’s security standards.
2) Creating New Roles vs Tweaking Old Ones
Let’s say that your development crew is tasked with tweaking old security roles/GRC so that everything plays nicely in Fiori, or if that fails, simply creating new roles from scratch. That sounds like a great idea…until you’re dealing with 50 apps and 50,000 custom users.
Whether you’re talking about reworking your old SAP authorizations or building brand new security roles, either strategy is pretty time-intensive (and that doesn’t include the time and energy you’ll spend keeping up with change management).
Key Areas of SAP S/4HANA Security
Authorizations and Roles
Like any upgrade to SAP, a key component of securing your implementation is updating your SAP authorizations and roles. A strong grasp of how best to use SU 24 (Maintain Check Indicators) and SU25 (Upgrade Tool for Profile Generator) should help when it comes to authorization object checks, transactions, and more.
In addition, SAP S/4HANA sees the inclusion of new SAP Fiori apps. User access control permissions aren’t new, but the way app catalogs are integrated and how one communicates and syncs with the publishing instance are new to the role-building transaction PFCG.
Securing Your Infrastructure
In older SAP setups, opening business processes to those outside the company required using the SAP Portal or asynchronous processing via email. Luckily for you, SAP S/4HANA makes things simpler and easier.
A strong security architecture is always a necessity when it comes to business-critical system access, and SAP S/4HANA is no different. To secure your infrastructure, you’ll want to ensure that everyone is on the same page about who has what network access, how traffic should flow through the network, how firewalls should be set up, and so on.
Cloud Integration
Companies that use SAP S/4HANA have access to Cloud Connector, an easy and safe way to connect on-premise systems like SAP S/4HANA with SAP Cloud Platform applications.
Here are a few key things to remember when it comes to SAP Cloud security:
- Establish and run the Cloud Connector securely to protect important data
- Use SAP Cloud Platform Identity Authentication and SAP Cloud Platform Identity Provisioning services to grant the correct permissions to cloud applications.
The Cloud Connector is a helpful security tool, but it can only be as secure as your network administrators make it.
User Access and Authentication Management
Access type coordination is important in maintaining SAP S/4HANA security. Overly restrict access, and users have to repeatedly log in with their password. Overly lax restrictions, however, give users access to systems they shouldn’t. At best, those users don’t realize they have this access and never use it. At worst, critical information could fall victim to unauthorized modification or sharing.
To prevent those threats, your security team needs to have a firm handle on both federated single sign-on and Security Assertion Markup Language (SAML) 2.0. In addition, your SAP system needs to be capable of provisioning users whether they’re using cloud systems, on-premise systems.
Setting up SAP Security
When getting started with SAP Security, you need to ensure access to both application and database servers are controlled. User accounts need to be defined as roles with specific permissions to prevent unauthorized access.
Here are a few security concepts and best practices to keep in mind when setting up your SAP cyber security solutions:
- Align settings with organizational policies
- Create emergency procedures for when a security incident arises
- Continuously monitor who has access to data and reevaluate as roles change
- Use advanced security tools to help further reduce your risk of attack or breach
Partner with SAP Experts
While complex, security is absolutely critical in today’s world. A security threat to your organization can have a devastating impact, from severe financial loss to a major hit to your company’s reputation. By protecting your system and data with SAP Security, you can help prevent these sorts of scenarios and ensure that the data in your system continues to remain safe and sound.
If you’re ready to get started on the SAP Security work your organization needs, or you could use a hand with any other sort of SAP project, our team of senior-level SAP consultants is here for you. And, to give you an idea of what to expect when partnering with us, we’ve included a snapshot of one of our SAP consultants:
Surety Senior SAP Security Consultant
- US Citizen
- 18+ years experience with SAP Security
- 4 Full Cycle Implementations – 2 Implementations as sole SAP Security Administrator/Team Lead
- 5 Full Cycle Upgrade Projects of SAP; 1 Full Cycle SAP Security Layer Redesign Project
- Well-versed in SOX Compliant environments
- Extensive and expansive SAP GRC experience
- Role design/build experience with SAP Fiori/HANA; Comfortable in SAP S/4HANA
Contact us today to learn more.
