Companies that use SAP software, as well as the German-speaking SAP User Group (DSAG), are demanding security dashboards to provide for greater transparency and indicate necessary activities. The most critical risks, however, are those that arise as a combination of other events, which are not critical in and of themselves. After all, even the best dashboards aren’t able to display this kind of unidentified security incident.
Takeda, Japan’s largest pharmaceuticals company, manages its business processes in a global, heterogeneous IT landscape. From SAP ERP to SAP Cloud applications, employees work at a variety of levels, depending on their involvement in processes, and therefore need access to a number of systems. As a result, the company has to constantly review conflicting authorizations to meet strict compliance requirements, such as segregation of duties (SoD). Most standard software solutions on the market only monitor SoD conflicts and risks in a single system, however, which led the company to search for an end-to-end solution.
Incorrect parameter settings in the SAP system, operating system, or database often result in serious security deficiencies. Numerous companies using a central auditing policy developed as a document are up against the same challenges. Typically, parameter values are compared manually with the target requirements, which of course is time consuming. This a lot of effort even just for one single system. As you might imagine, making the comparisons on system-landscape level is that much more complicated. By centralizing monitoring with an automated solution, you can use resources more efficiently while boosting your IT security.
Ralf Kempf, CTO SAST SOLUTIONS, and his team have already guided many enterprises through their migration to SAP S/4HANA. He talked about his recipes for success in an interview with Ulrich Parthier, publisher of it management magazine.
Excerpts from the interview are provided below.
In September 2020, the attack made headlines:
- Hackers responsible for IT disruption at Düsseldorf University Hospital.
- Hackers under investigation: Woman dead after attack on University Hospital.
- Hacker attack on Düsseldorf University Hospital: Investigation into involuntary homicide opened.
A hacker attack can be fatal. Data, goods and assets aren’t the only things to consider: Human lives are at stake where public spaces, in particular public health, is concerned.
There are many methods for assessing the risk potential of SAP landscapes and identifying potential vulnerabilities, so it isn’t always easy to keep track of all the alternatives. Options range from vulnerability scans to audits and penetration tests. But which approach is the right one for identifying vulnerabilities depends entirely on your individual requirements.
It is well known that SAP systems present an attractive target for hackers and manipulators. After all, SAP systems gather all the sensitive company data in one place, making it all the more important to protect them against unauthorized access. In addition to conventional measures for improving SAP security and compliance, this includes extensive anti-virus protection adapted specifically to the requirements of SAP systems.
The Security Audit Log allows users with extensive authorizations to be monitored. This is particularly useful for ensuring compliance with both internal security policies and external legal requirements. The SAP standard tool gives an overview of critical activities relevant to security and logs them.
SAP systems require special attention when it comes to their security and this is no longer news to anyone. More often than not, the ERP systems supplied from Walldorf in Baden-Württemberg store some of the most crucial and sensitive company data. That said, what is the best approach to achieving the optimum level of security? A security audit would fit the bill!
To answer the question of which Security & Compliance check is right for you, we must first remember that the term “vulnerabilities” can refer to very different levels of your system landscape and thus refer to a number of attack vectors.
This ranges from system-side levels (e.g. operating system and network security) to the underlying database including the current parameterization of your SAP systems down to the authorizations required for operations and applications, including any SoD conflicts.
So, the first question is – how sure are you that you know where your vulnerabilities are? Continue reading