automatics.AI


Companies use SAP as a business application for their core business processes. They store their most important data, including intellectual property, in the SAP systems. This data must be protected from unauthorized access. Due to the drastic increase in the number of cyber attacks, it is essential for companies to keep the security of their SAP system as high as possible.


1. WHAT AREAS NEED TO BE CONSIDERED IN CONNECTION WITH SAP SYSTEM SECURITY?

  • SAP Infrastructure: Security in the network, on operating system level and on database level.

  • SAP application (standard): Security in your SAP application or in the maintenance of your SAP standard code.

  • SAP Application (Customer Code): Security or maintenance of your SAP custom code.

  • Access Management: Configuration and monitoring of system communication, users and authorizations.

Due to the complex and interconnected application landscape of SAP systems and other applications, it is important to maintain and monitor all critical software components and settings.


So how can I ensure that I have met all the conditions to close security gaps and minimize the risk of unauthorized access or cyber-attacks?


In the context of SAP security, there are several measures you can take to prevent attacks. We will address the first two security areas below.


2. SAP-INFRASTRUCTURE

A secure setup of your SAP systems and the underlying infrastructure is essential. Above all, a secure and clean configuration of the servers, databases and basic components is crucial, as well as the logging of all changes to the infrastructure or SAP systems.


SAP, like all other software vendors, is increasingly affected by security vulnerabilities. These vulnerabilities are continuously identified, analyzed and fixed by the manufacturers, and the fixes are promptly provided to customers as hotfixes or patches.


In the SAP environment, the following corrective measures can be considered here:


2.1 Corrections to SAP components using kernel or database patches

Patch management is an important part of IT security. Updates help to maintain the functional state and the highest possible security of the systems. In addition, patches are also required to ensure optimal interaction between hardware and software. Security updates should be distributed to the systems as fast as possible to make it more difficult for third parties to exploit security vulnerabilities.


Both SAP and other database vendors regularly issue critical patch updates to address software bugs or known vulnerabilities, but for a variety of reasons (maintenance windows, turnaround times, staff shortages) IT organizations are often not able to install them in a timely manner.


Operational patch assurance is an area that requires constant attention, especially with the various databases supported by SAP and the increasing distribution of database environments for high availability. Patch management is a multi-layered process of continuously providing the SAP landscape with the latest security updates.


2.2 Configuring and auditing your SAP system and database settings

System settings are the basis of SAP security, and there are numerous configuration options in SAP systems. Settings are made at database level, by SAP transactions or by SAP profile parameters. Security-relevant specifications for system settings must be observed both during installation and during ongoing operation of SAP systems.


The specifications include the form in which security settings are assigned in an SAP system and, under the topic of access management, which communication is permitted in SAP systems. The operating system, database and application levels are particularly relevant. Each of these levels requires the correct configuration of security settings.


Regular audits of system configurations and effective application monitoring ensure a stable and secure state of your SAP systems. This allows problems or deviations in terms of stability, performance and security specifications to be identified and adjusted centrally across your SAP system landscape.


Deviations of system-critical parameters from the target state must be corrected as quickly as possible to prevent security gaps and thus possible unauthorized access from outside.


At the same time, central management ensures that in the event of audits or revision checks, you can easily and clearly display how your systems are configured or were configured at certain points in time.

3. SAP-APPLICATION (SAP STANDARD)

Regular and timely maintenance of installed SAP software using SAP Notes or Support Packages is critical to protect against new types of attacks or newly identified potential vulnerabilities.


3.1 SAP Security Notes

SAP delivers software corrections once a month (SAP Security Patch Day) in the form of SAP Security Notes, which focus exclusively on the security of SAP systems. These corrections are intended to protect SAP software from potential vulnerabilities or attacks. All Notes, especially the Security Notes, must be downloaded regularly from the SAP Support Portal, checked for relevance and imported accordingly into the individual SAP systems.


3.2 SAP Support Packages

Support Packages are collections of corrections and optimizations of SAP standard functionality, which have to be imported into the SAP systems at longer intervals.

The process of importing and testing Support Packages and checking the changes against proprietary developments is more extensive and takes longer than the individual import of security-relevant SAP Notes.


4. BEST PRACTICES FOR SAP-SYSTEM-SECURITY

Due to the numerous risk factors and the associated organizational tasks, it can be very difficult to avoid all risks equally well.

In the following, we would like to give you some recommendations for the regular maintenance of your SAP systems to support you in the topic of SAP security:

  1. Define critical configuration parameters for your company

  2. Regularly check your system settings against the company's specifications

  3. Log your deviations for audit purposes

  4. Clean up discrepancies as soon as they are identified

  5. Create a maintenance plan for regularly updating your infrastructure components - follow the software vendor's recommendations (e.g. patch your systems at least every 3 months)

  6. Create a maintenance plan for regular updates of your SAP software components - actively check the releases on SAP Security Patch Days

  7. Use tools for automated monitoring and logging of system changes to quickly identify deviations from your company's or the software vendor's requirements.
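Recommendations 1 to 3 and the configuration audit from section 2.2, as an added example that is not part of the original post or of any automatics product: a small Python check that compares SAP profile parameters against a company baseline and writes the deviations as an audit record. The target values, the sample profile and the function names are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Assumed company baseline (illustrative targets, not SAP recommendations).
BASELINE = {
    "login/min_password_lng": ("min", 8),
    "login/fails_to_user_lock": ("max", 5),
    "login/no_automatic_user_sapstar": ("eq", 1),
    "gw/acl_mode": ("eq", 1),
    "rsau/enable": ("eq", 1),
}
OPS = {"min": lambda a, t: a >= t, "max": lambda a, t: a <= t, "eq": lambda a, t: a == t}

# Constructed sample profile: "name = value" lines, "#" starts a comment line.
SAMPLE_PROFILE = """\
# constructed sample, not taken from a real system
SAPSYSTEMNAME = DEV
login/min_password_lng = 6
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 0
gw/acl_mode = 1
"""

def parse_profile(text):
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

# A parameter missing from the profile runs on its kernel default, which this
# file check cannot see, so it is reported with actual=None for follow-up.
def find_deviations(params, baseline=BASELINE):
    deviations = []
    for name, (op, target) in sorted(baseline.items()):
        raw = params.get(name)
        try:
            ok = raw is not None and OPS[op](int(raw), target)
        except ValueError:  # non-numeric value where a number is required
            ok = False
        if not ok:
            deviations.append({"parameter": name, "actual": raw, "rule": f"{op} {target}"})
    return deviations

def audit_record(system, deviations, when=None):
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return json.dumps({"time": when, "system": system, "deviations": deviations})
```

Appending the output of `audit_record` to a log on every run gives a record of how each system was configured at a given point in time, which is what an audit or revision check asks for.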

automatics specializes in automating most of the operations described above and helps you increase your SAP system security with little effort.


Follow us on LinkedIn or visit our website at www.automatics.ai



