Structured security planning and streamlined authorizations are just two elements of protecting SAP systems against cyberattacks and manipulation. In this interview, Ralf Kempf (CTO SAST SOLUTIONS at akquinet AG) talks about the pitfalls to avoid during an SAP S/4HANA migration and what you can do to use SAP S/4HANA securely.
The following interview between Helge Sanden (Editor in Chief of IT-Onlinemagazin) and Ralf Kempf first appeared on December 11, 2019, in IT-Onlinemagazin.
Mr. Kempf, what questions do we need to ask regarding security and compliance during an S/4HANA migration? What are the old and the new issues?
The topics of SAP Basis parameters and database security settings remain largely unchanged. The same applies to the classic authorization issues that we’ve known for years from the SAP ERP environment, such as critical authorizations and separation-of-duty risks. When we talk with customers about protecting an S/4HANA installation, we generally deal with the area of “roles and authorizations” first.
What is new in the S/4HANA environment, however, is that the technical infrastructure has changed, which means risks now have to be evaluated and monitored at different levels (front-end server, back-end server, database). When it comes to user access, you have to pay attention to which apps satisfy the users’ needs for information. To enable this, companies should already start getting their business process descriptions up to date.
In addition to the activities involved with authorizations, there are also other essential topics, such as systematic security – particularly with a focus on the HANA DB and web access – and system hardening and the elimination of custom ABAP code.
When you think back to meetings with user companies, what would you like to forget most?
If you ask me, the most severe mistake is to only consider SAP security and compliance issues after all the systems have already been configured. It is essential to consider these aspects as part of the migration plan, not least because SAP S/4HANA migration also requires a change of platforms. The switch to a new technology and a new operating system goes hand in hand with additional demands on system security.
All too frequently, companies also neglect to clean up their custom ABAP code in the heat of the moment. We recommend making these corrections before the migration, and we compare the process to moving house: declutter first, then move. This work will pay off, because our experience shows that up to 90 percent of customer ABAP developments consist of nonfunctional ballast. And it ultimately prevents customers from using S/4HANA efficiently.
Last but not least, it’s also about modifying and updating the specialist authorizations, to enable proper use of new transactions and processes from the start.
At which point should the security issues be clarified and what is involved in safeguarding an S/4HANA migration?
Security and compliance topics should be firmly integrated in the project plan from the very beginning. If this is done, the security issues will virtually resolve themselves during the architecture phase. Things then get down to the details directly afterwards, with the technical security of the target platform. The first newly converted system (DEV or sandbox system) creates a good foundation that the persons responsible can build on.
What experiences have you gathered on the project with TGW Logistics?
It was especially helpful – and this is related to what I said before – that we developed a coordinated project plan together ahead of time, with defined phases for preparation, execution, and acceptance of the test and production phases for the authorizations. As a result, any necessary adjustments later could be communicated quickly and efficiently.
Workshops with the different departments and their respective requirements also helped ensure that the majority of the necessary transactions and programs were directly available to the appropriate user groups.
Targeted tool support during the project was a big help in carrying out the necessary tasks efficiently, both for us and for the customer. And in light of the greenfield approach, it proved extremely useful to use the SAST Safe Go-Live approach to define the necessary authorizations in both the test and production phases.
What will you be talking about at the IT online conference 2020?
In addition to insights into a “best case” project, it is also important to us to demonstrate project “fails” – that is, actual situations in which security and compliance were tackled too late, not extensively enough, or not at all when drawing up the project plan. Because it’s these mistakes that can provide valuable tips for your own S/4HANA conversion and ensure that your migration can be completed within the planned time and budget framework, without any nasty surprises.
Can you reveal an SAP security recommendation in advance?
In general, we talk about four decisive steps for achieving a secure S/4HANA migration. First and foremost, the project owners should always examine the structure of the target platform. This is followed by system hardening at all levels (OS, database, application server) and the implementation of SAP Security Notes. Activities in the test system must be documented continually, to ensure that further systems are set up accordingly. Last but not least comes the testing (with the SAST SUITE, for example), to identify potential vulnerabilities and security risks. The actual data migration isn’t performed until after all these steps.
In one word (or sentence), what do you expect the dominating topic to be in the SAP community for the next 12 months?
Answering that question with “successful S/4HANA migrations” is probably too obscure. We expect to hear of a constantly increasing number of highly successful projects. But we will also see the first companies fail in their efforts, at least with regard to the planned project duration or budget. It will also be exciting to see how companies that continue to delay the changeover will deal with the expected increasing scarcity of qualified personnel and consultant expertise.
Thank you for the interview.
Helge Sanden, Editor in Chief of IT-Onlinemagazin, asked the questions.
TIP: Would you like to dive deeper into this subject? We recommend the Expert Talk with Helge Sanden. Manuel Rosenthaler (TGW Logistics Group) and Ralf Kempf will be guests at the IT Online Conference 2020 “S/4HANA Conversion and Process Optimization with SAP: What Are Other Companies Doing?”, where they will report extensively on their project and make recommendations.
Ralf Kempf (CTO SAST SOLUTIONS)
Helge Sanden (Editor in Chief IT-Onlinemagazin)