Businesses are now inseparable from their IT systems, computers, networks and data; companies are their ERP, which in turn enables most of their business processes. Accordingly, risk management, security and compliance are increasingly viewed as board-level concerns.

Maintaining awareness of potential security incidents all the time, every day, is difficult, and knowing how to react to incidents is more difficult still. Your company needs to be ‘right’ all the time, but intruders only need to be ‘right’ once. Imagine the theft of IP, design, customer data or financial data from your SAP system! It can lead to both a loss of reputation and a loss of business.

Companies that run SAP ERP, and their security teams, should understand how vulnerable their SAP system is. Here are some facts that might shake you:

  1. In a typical SAP environment, data transferred between a client and the server is unencrypted. For example, any communication with the SAP server from a desktop, mobile device, client app or portal transmits unencrypted data. This unencrypted client-to-server communication is a high-risk area and makes your entire SAP system highly vulnerable.
  2. To fix this gap, SAP recently introduced the “SNC Encryption module” in October 2011, and it is a free release for SAP clients. Through this small upgrade you can quickly fix one of the most vulnerable areas of your SAP system. Note that this unencrypted communication vulnerability existed for a long time in your SAP system, and you remain vulnerable without this fix.

SAP made two acquisitions to provide a secure SAP system, and both are recent events.

  1. SAP acquired the MaxWare Identity Management solution in 2006. It is incorporated as the SAP NetWeaver Identity Management solution and sold under a licensing model.
  2. SAP acquired the software assets of SECUDE (a Swiss SAP information security company) in March 2011. With this acquisition came Single Sign-On (Secure Log-In), ESSO (Enterprise SSO) and SNC Encryption.

There is a lot to catch up on to be compliant with these security solutions and to ensure a secure SAP environment. To bring yourself up to date on SAP security and improve your SAP security posture, you need a roadmap.

The roadmap should broadly focus on a combination of business focus, scenario analysis and SAP security tools. The combined knowledge of your security experts and purpose-driven SAP security assessments provides you with a world-class SAP security service at a low cost.

A high-performance SAP security roadmap is developed with a three-phased approach:

1. Assessment – This phase is designed to understand the ‘as-is’ risk profile of your organization, and how it fits with the business requirements of your enterprise. Based on this assessment you should tailor SAP Security design and controls to monitor and protect key business assets as well as the enabling IT of your enterprise.

2. Implementation – Deployment of controls, processes and tools to put the right monitoring capability in place, and building of the right rule-sets to prioritize and escalate events in line with business priorities.

3. Ongoing Management – An SAP Security process that works on intelligent escalation as required and continuous improvement of your risk management and security posture with a managed SAP Security service. A Security Management Portal should be built so that your company can drill down into the status of threats and remediation actions underway.

The benefits of high-performance SAP security include:

  • Business-focused security delivery model: guard your business, not just your SAP ERP
  • Improved security efficiency as a result of wider SAP Security situational awareness and prioritization aligned to business assets
  • SAP Security and compliance tools and dashboards that provide you with a view of your security posture and the results of security improvement programs
  • Improved manageability and reduction in security operating costs
  • Reduced security ‘distraction factor’ so that you can focus on your core business objectives.

Author:

Dr. Jagan Nathan Vaman PhD CGEIT CISA

Chief Consulting Officer

Aujas Risk Management Services