SAP Security and Compliance – make or buy? It’s your choise!

SAST-ManagedServicesThe topic of IT security is ranked # 1 in market trends *. However, securing complex IT landscapes effectively is a big challenge for many companies: there is often a lack of trained IT staff and even more of the necessary security know-how.

Gunar Funke, Head of Services SAP Security at AKQUINET, describes his experiences and presents possible solutions.

Mr. Funke, how often do you or your colleagues meet companies with an almost perfectly secured SAP system landscape?
Gunar Funke: We know from our pen test experience that every system is vulnerable, but it’s a question of how difficult and time-consuming it is. At our initial visits, we rarely find SAP systems where both the infrastructure has been hardened in the best possible way, and effective authorization management is implemented with regular SoD analyzes (SoD = functional separation conflicts). Real-time monitoring to respond immediately in critical cases is still an exception.

What are the reasons why companies have not fully focused on securing their SAP system landscapes?
Gunar Funke: For many companies, it’s difficult to stay up to date – especially with regard to IT security, which is constantly and rapidly evolving. In addition, internal IT is much more of an interface between the departments and the users. In addition to its actual core tasks, internal IT also supports the implementation of numerous internal projects, like the digitization of processes is on top of the agenda of many customers. Extras, such as the protection of critical SAP systems from the (supposedly) unlikely case of a cyberattack, are often hindered. Everything is better than to continue to wish hopefully not be next with a serious attack.

What could a solution scenario look like so that IT divisions can manage the balancing act between day-to-day business, project support, and protection against deliberate or accidental manipulation?
Gunar Funke: One possibility is to have sections of specialized external service providers supervised, such as the safeguarding of SAP landscapes by AKQUINET. Through an SLA (Service Level Agreement), we define the tasks and performance of services with our customers and define response times for critical events – usually 1 hour.

What are the benefits for Managed Services for companies that need to make a decision? Make or Buy?
Gunar Funke: In our Managed SAP Security Service, of course, our customers benefit from our wealth of experience in securing SAP systems for more than 10 years. Our team is always up to date through continuous training and uses the most up-to-date security settings and attack databases to analyze customer systems. And of course our customers benefit from best possible process- and result-oriented support. Employees to build own security teams are difficult to find on the market. They’ re expensive in education and training and unplanned downtime are not always covered. Because of the ease of scalability, Managed Services are much more flexible, cheaper and more efficient, making it attractive to many companies. In my opinion, the topic of managed services will therefore continue to gain in importance in the next few years and grow significantly.

Is a managed service similar with outsourcing, which is a known term in IT industry?
Gunar Funke: No, not at all. There are big differences. Outsourcing means, entire departments or systems are often outsourced to another company. Managed Services cover highly specialized areas of IT based on clearly defined service level agreements (SLAs). Employees of the internal IT can concentrate on their core tasks, because the responsibility and control of the agreed services remains completely at the customer site.

What services are included in the SAP Managed Service of AKQUINET?
Gunar Funke: We offer a Vulnerability Scan Service to effectively eliminate system vulnerabilities and comply with compliance requirements. We check the system for critical settings and check critical permissions such as Segregations of Duty (SoD) conflicts.
Furthermore, we offer a “Threat Detection Service”. In this phase, we monitor the agreed customer systems in real time for critical transactions, reports, unauthorized user or system changes and of course also unwanted downloads from the systems. After identifying vulnerabilities or attacks, we immediately notify our customers and provide them with contextual information and recommendations.
Based on customer requirements, we also take care of their identity and access management, role management, checking the ABAP code of their own developments, and of course the much-neglected system interfaces.

Thank you for the interview and the informative insights.

Gunar Funke
Head of Services SAP Security, AKQUINET

Benefits for you at a glance

Experienced SAP security experts. Systems are analyzed by experts with many years of experience and ongoing training.
Cost Reduction. Our Managed SAP Security Services lowers your operational costs by eliminating license and maintenance contracts. Service package instead of software purchase.
Maximum security. We only use long-established and SAP-certified tools. All recommendations of the BSI, the DSAG and SAP as well as your specific regulations can be integrated.
Always up to date. We use permanently updated security settings, as well as attack databases and regularly exchange information with other security providers.
Real-time monitoring. We will notify you immediately when identifying vulnerabilities or attacks.
No cryptic incident Messages. Statistics and log data in messages without explanations will not be helpful. Therefore, we provide you context information and recommendations for action.
High Quality. Our standards guarantee a uniform process and a defined availability.
The Best of Two Worlds. AKQUINET is currently the only experienced managed security service provider with a significant SAP focus.

Are you interested in our Managed SAP Security Services? Then contact us:

* Source: Bitkom-Branchenbarometer 1. half-year 2017