Secure Your Critical Business Data
Security and risk become more challenging as businesses become more connected, because connectivity requires data sharing between different systems, applications, and enterprises.
According to Forrester, companies will double their budgets for data strategy over the next five years and according to Gartner, transparency and traceability are among the Top Ten Strategic Technology Trends for 2022. Smart spaces, they claim, will offer better business opportunities.
Another recent report, by Onapsis, found that between 50,000 and 100,000 organizations use SAP systems that are vulnerable. A case that made the world aware of the importance of data security is that of the New Zealand government. An immense data breach in which the names, addresses, and firearms of gun owners were exposed led SAP itself to apologize to the government. No hacking was involved: 66 dealers got access to sensitive information because of a change in the user access given to dealers participating in the buyback scheme.
Apparently, SAP is working on various solutions to increase the security of data. In addition, it reminds clients that security is a collaborative effort, and emphasizes the importance of proper system configuration.
The importance of security in SAP
Data breaches and ransomware attacks are on the rise, and the global pandemic presents new opportunities for cybercriminals. Many employees today access corporate resources through virtual private networks (VPNs). The shift to remote work has resulted in a more permissive VPN policy, which compromises corporate networks in an indirect way.
IT security teams need to accomplish more with the same or a smaller budget. Their responsibilities include managing day-to-day IT and security operations, finding and retaining skilled security talent, identifying and addressing security capability gaps, and maximizing the return on investment (ROI).
Almost seven out of ten organizations do not place a high priority on securing their SAP systems. Considering the recent spike in cyber-attacks, securing SAP systems is essential. We have put together a list of 10 tips you can use immediately to secure the critical business data in your SAP systems.
1. Own it – Don’t blame
When a security breach occurs, who is responsible? A recent survey by Onapsis found that half of the respondents believe SAP is to blame for security breaches – not anyone within their own organization. Another 30% believe that no one is responsible. A small percentage of people believe that the CIO or CISO is responsible for a security breach.
• 50% blame SAP for security breaches
• 30% have no idea
• 20% say it is the CIO/CISO’s responsibility
• 63% of C-level executives underestimate the risks associated with insecure SAP applications
2. Regularly update the EHP & SPS
One of the most significant steps to staying secure is to keep your system up to date. SAP delivers enhancement packages to bring new functionality, or “enhancements”, to customers without disruption. Ensure you have the latest enhancement packs installed and that you aren’t several versions behind. Being a first adopter is always risky, but it is also imperative to avoid falling behind (n-1 is always recommended). Technology and computer security are constantly improving, so keep your system up to date with patches, fixes, updates, and enhancement packs.
SAP releases periodic security corrections as part of its Support Package Stacks. A Support Package Stack is a set of patches for a given product that should be applied together. It is recommended that these stacks be applied at least once a year, and SAP specifies the maintenance schedule on its website. In addition, ToggleNow can help you identify your system’s most critical SPSs.
3. The Right SODs make a difference
As business processes rapidly evolve, employee roles and responsibilities change as well. Segregation of duties aims to reduce internal fraud risk by keeping the roles assigned to an employee apart from any conflict of interest that could arise from the employee’s responsibilities. For example, one employee processes a PO while another verifies and approves it. This adds control and prevents payments to ‘fake’ vendors.
It is becoming more common for mature organizations to look for ways to improve Segregation of Duties management while reducing costs. Businesses should integrate an advanced, quick, and easy-to-install Access Management tool that fits their systems, so that conflicts are avoided when an employee’s role or tasks change.
This can be achieved by implementing either the SAP GRC Access Control solution or ToggleNow’s SoD Analysis solution for SAP. The SAP Security Assessment services provided by ToggleNow will identify the right solutions for your organization. Additionally, if you have SAP GRC implemented, explore the various SAP GRC services that we offer.
With the help of our SMEs, you will be able to implement the right separation of duties strategies and ensure that you comply with the various regulations and mandates.
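The PO example above in working form, as an added illustration that is not ToggleNow’s or SAP’s code: a small SoD check that maps transaction codes to business functions, flags roles that are conflicting by design, and flags users whose combination of individually clean roles still violates a rule. The function names, the conflict rules, the Z_ roles and the user assignments are constructed for this example; the transaction-code mapping is illustrative and must be replaced by your own ruleset.

```python
# Constructed, illustrative SoD ruleset (not an official SAP ruleset).
FUNCTIONS = {
    "CREATE_PO":       {"ME21N"},          # create purchase order
    "APPROVE_PO":      {"ME29N"},          # release (approve) purchase order
    "MAINTAIN_VENDOR": {"XK01", "XK02"},   # create/change vendor master data
    "POST_PAYMENT":    {"F-53"},           # post outgoing payment
}
CONFLICTS = {
    frozenset({"CREATE_PO", "APPROVE_PO"}): "same person processes and approves a PO",
    frozenset({"MAINTAIN_VENDOR", "POST_PAYMENT"}): "can create a fake vendor and pay it",
}

def functions_of(tcodes):
    """Map a set of authorized transaction codes to the business functions they enable."""
    return {f for f, codes in FUNCTIONS.items() if codes & set(tcodes)}

def role_conflicts(roles):
    """Conflicts inside a single role: the role design itself violates SoD."""
    out = {}
    for role, tcodes in roles.items():
        funcs = functions_of(tcodes)
        hits = [CONFLICTS[pair] for pair in CONFLICTS if pair <= funcs]
        if hits:
            out[role] = hits
    return out

def user_conflicts(assignments, roles):
    """Conflicts per user, including those that arise only from combining clean roles."""
    out = {}
    for user, user_roles in assignments.items():
        tcodes = set().union(*(roles.get(r, set()) for r in user_roles))
        funcs = functions_of(tcodes)
        hits = [CONFLICTS[pair] for pair in CONFLICTS if pair <= funcs]
        if hits:
            out[user] = hits
    return out

# Constructed sample role design and user assignments.
ROLES = {
    "Z_PURCHASER":     {"ME21N", "ME23N"},
    "Z_PO_APPROVER":   {"ME29N", "ME23N"},
    "Z_AP_CLERK":      {"FB60", "F-53"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_BAD_COMBINED":  {"ME21N", "ME29N"},   # conflicting by design
}
ASSIGNMENTS = {
    "alice": ["Z_PURCHASER"],                    # clean
    "bob":   ["Z_PURCHASER", "Z_PO_APPROVER"],   # conflict only through the combination
    "carol": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],  # fake-vendor risk
    "dave":  ["Z_AP_CLERK"],                     # clean
}
```

Running `role_conflicts(ROLES)` reports only Z_BAD_COMBINED, while `user_conflicts(ASSIGNMENTS, ROLES)` reports bob and carol: a per-role review alone would have missed both users.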
4. Ensure the quality of your code
SAP systems typically have over 30 percent proprietary code, depending on the industry. Statistics indicate that one critical security defect occurs for every 1,000 lines of ABAP code.
Custom code can also degrade SAP system performance. It is estimated that the average SAP system contains 2,151 risks, and 70% of enterprises fail to audit their ABAP custom code for compliance and security.
Securing your code can be simplified. Organizations no longer need to invest time, money, and manpower in major security projects. Analyzing your code beforehand lets you identify and prioritize risks and issues before you begin an upgrade.
To ensure security, performance, maintainability, robustness, and compliance with ABAP standards, integrate coding and quality assurance into a single activity.
Finally, keep only the custom code you need. Redundant, unused custom code introduces unnecessary risk and increases the effort spent on code corrections that serve no purpose.
Wondering how to handle this? SAP Solution Manager CCLM is a fantastic solution that addresses the majority of these requirements. Refer to this blog
5. Implement SAP Solution Manager – Security Optimization Service (SOS)
Clients often ask us which tools are available to check the security of SAP systems. In addition to the EarlyWatch Alert (EWA), SAP Solution Manager (SOLMAN) offers a Security Optimization Service (SOS) report that focuses on security.
The Security Optimization Service for the SAP NetWeaver Application Server ABAP checks the security of your SAP system(s) and performs the following checks:
• Basis administration check
• User management check
• Super users check
• Password check
• Spool and printer authorization check
• Background authorization check
• Batch input authorization check
• Transport control authorization check
• Role management authorization check
• Profile parameter check
• SAP GUI Single Sign-On (SSO) check
• Certificate Single Sign-On (SSO) check
• External authentication check
To set this up you need the latest version of SOLMAN with the latest support pack. The managed system must also be configured and set up in SOLMAN without errors, and the instance must be correctly defined in the LMDB (status green). Additionally, the OS collector must be running on your target instances and database.
Before setting up the SOS, however, it is important to answer the following:
• Does your organization have the capacity to manually review the reports and act on each recommendation?
• Is the report schedule set so that your team has ample time to review and act on each report?
Read ToggleNow’s success story on this subject: we implemented Solution Manager 7.2 for one of our clients, a leading refractory company in India since 1958.
6. Regular health checks keep the system healthy
Yes, you heard that right. Humans and systems alike benefit from regular health checks. Ponemon Institute reports that organizations lack visibility “into the security of SAP applications and lack the expertise to detect, prevent, and respond to cyberattacks quickly.”
Early detection is the key to staying healthy, or secure. A frequent ERP system check gives you a comprehensive picture of your ERP landscape before you make changes and identifies areas for improvement, just as healthy people need annual checkups and preventive medicine to stay healthy and detect problems early. Regular health checks identify security gaps. Additionally, EWA and SOS reports provide an in-depth analysis of the system; experts recommend configuring SAP Solution Manager to support these modules.
7. Implement an Antivirus scan
How confident are you that the documents attached in SAP are virus-free? Malicious code might be embedded in a file your users upload to or attach in SAP, allowing attackers to gain access.
SAP recommends that customers using its software run a virus scanner to protect against computer viruses. However, SAP does not investigate, recommend, or release antivirus software as part of its server product validation program.
Antivirus products such as Deep Security protect your SAP deployments from threats such as malware, cross-site scripting, and SQL injection.
A Virus Scan Adapter (VSA) must be installed on the host before a Deep Security scan can be performed. SAP note 2081108 explains how to set up and configure the VSA system and SAP note 1494278 provides a list of the AV products that are supported.
Additionally, once the right AV product has been selected, SAP administrators can define which document types are allowed, based on policy.
8. Implement re-certification processes
Reviews of dormant IDs and dormant roles make a great start. Regularly reviewing the user IDs and deactivating those that are no longer needed is always recommended. This will not only increase the application’s security but also reduce licensing costs. If you already have an SOP in place and are still performing this activity manually, here is a solution for you. ToggleNow’s UserSentry automates both dormant ID review and Role review by taking the appropriate action according to defined rules. Thus, you can comply with a critical audit requirement.
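The rules-based dormant ID review described above, as an added example that is not UserSentry’s or SAP’s code. It evaluates constructed user records against three assumed thresholds (90 days idle, 30 days never used, 180 days locked) and returns the action per user; the record layout and field names are this example’s own, not the SAP user master tables. Non-dialog users are skipped because system, communication and service users log on through RFC or background jobs, so an interactive last-logon date means something different for them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class SapUser:
    """Hypothetical flattened user record (not the SAP USR02 layout)."""
    name: str
    user_type: str            # SAP user types: 'A' dialog, 'B' system, 'C' communication, 'S' service
    created: date
    last_logon: Optional[date]  # None = never logged on
    locked: bool

# Assumed review thresholds; tune them to your own SOP / audit requirement.
RULES = {"dormant_days": 90, "never_used_days": 30, "review_locked_days": 180}

def review(users: List[SapUser], as_of: date, rules=RULES) -> Dict[str, str]:
    """Return {user name: action} for dialog users that breach the dormancy rules."""
    actions = {}
    for u in users:
        if u.user_type != "A":          # only interactive dialog users are in scope
            continue
        idle_days = (as_of - (u.last_logon or u.created)).days
        if u.locked:
            # Already locked: after the retention window, end validity so the
            # licence is released and the ID cannot be silently unlocked later.
            if idle_days > rules["review_locked_days"]:
                actions[u.name] = "expire"
        elif u.last_logon is None and idle_days > rules["never_used_days"]:
            actions[u.name] = "lock (never used)"
        elif u.last_logon is not None and idle_days > rules["dormant_days"]:
            actions[u.name] = "lock (dormant)"
    return actions

# Constructed sample data, reviewed as of 30 June 2022.
AS_OF = date(2022, 6, 30)
USERS = [
    SapUser("ACTIVE01",   "A", date(2020, 1, 1),  date(2022, 6, 20), False),  # fine
    SapUser("DORMANT01",  "A", date(2019, 5, 1),  date(2022, 1, 15), False),  # 166 days idle
    SapUser("NEWHIRE",    "A", date(2022, 6, 15), None,              False),  # 15 days, grace period
    SapUser("NEVERUSED",  "A", date(2022, 3, 1),  None,              False),  # 121 days, never used
    SapUser("OLDLOCK",    "A", date(2018, 2, 1),  date(2021, 10, 1), True),   # locked, 272 days idle
    SapUser("RECENTLOCK", "A", date(2018, 2, 1),  date(2022, 4, 1),  True),   # locked, 90 days idle
    SapUser("RFC_JOBS",   "B", date(2019, 1, 1),  None,              False),  # system user, out of scope
]

if __name__ == "__main__":
    for name, action in review(USERS, AS_OF).items():
        print(f"{name:12} {action}")
```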
9. Implement additional Security measures
We also recommend implementing additional security measures. In the past, experts advised setting up complex password policies, such as keeping password lengths between 8 and 12 characters and forcing users to change their passwords frequently. Given technological advances, strong passwords alone are no longer sufficient.
We recommend additional measures such as two-factor authentication (2FA) or multi-factor authentication (MFA), validating a user’s machine ID (the MAC ID) at log-in, adding geofencing validations, verifying that anti-virus software is present, checking the firewall status, and so on. All these features are included in ToggleNow’s UserSentry application, which helps next-generation enterprises implement them quickly.
10. Transform your business with digital technology
The waterfall era has ended. Agility has won. By embracing digital transformation and getting fast and frequent feedback, organizations can respond quickly to critical security issues. By doing this, security issues aren’t ignored, and crises can be averted.
If you are worried about subject-matter expertise and resource availability, ToggleNow can step in and take over this critical piece. The FourEdge Service offering is a great relief for many organizations seeking to start their GRC transformation journey. Remember to stay in the race, or else your competitors will take over.
These are the best tips to secure your critical business data in SAP systems. Talk to our SMEs today and leave the rest of your business data security to us.