SAP Security at a Simple Starting Point
Over the years I have been contacted to perform various security-related tasks in support of our customers, and typically the issue we are summoned to fix is the result of an initial oversight on the part of network security or an underlying process/policy. As a matter of fact, most organizations, when interviewed on the potential for security breaches occurring within their environment, point to business espionage and/or competitive rivals as the focus of their defenses. Here lies the problem with technical security and how it is addressed at most companies. The reality with security is that protection is usually required against internal employees accessing internal assets.
In 2013, the majority of “security incidents” reported were due to the following: curiosity, accidental access, and intentional access, with a very small percentage associated with hackers and corporate espionage/rivalry. In my opinion, this brings information technology security to a level playing field. It’s no longer only a concern for the Fortune 500 giant that is maintaining 1,000+ systems for its vast list of clients. It is a real threat to businesses of all sizes, in all geographic locations.
One of the areas in which we spend a great deal of time working with our clients is the arena of SAP/ERP security. This can be a very difficult area for organizations to address, yet it is crucial to attaining the success the SAP system was designed to deliver. The bottom line is that a decision needs to be made regarding how important the data stored in your SAP system is to your business.
A couple of items that surface on a regular basis with our clients dealing with SAP security issues are:
- Security Policy – A large percentage of companies don’t maintain a policy that outlines the required levels of security for users and the appropriate definition of user roles/responsibilities.
- Regular Audits – I mentioned “initial oversight” earlier in this article, and this is where it comes into play. How can you determine the effectiveness of your security posture if nothing has ever been tested or assessed? It seems like a silly question, I know, but we have been surprised on more than one occasion by the absence of regular audits.
How difficult is the SAP Security Transition?
The above items can be difficult to incorporate initially, but you may find them easier to tackle with the proper assistance. From a security policy perspective, there are two factors that need to be considered for an effective policy to be implemented. The first step in this process is determining the various types of company data and the sensitivity associated with each. Once this has been completed, you develop a Risk Profile, which simply assesses the sensitivity of an organization’s data against the various levels of access (e.g., physical, network, system, etc.). Once you are able to develop a risk profile and identify the potential security risks, you have essentially established an organizational security policy. These tasks can be accomplished relatively easily with assistance from third-party companies such as ours, or even by searching the internet for knowledge-based templates from organizations such as the SANS Institute.
The second item we briefly touched on above is the need for regularly scheduled audits. While audits are familiar to companies that are required to meet certain compliance mandates (HIPAA, PCI, SOX), compliance alone should not be the reason they are conducted. With an SAP or system audit, an organization is pursuing a security posture in line with confidentiality, integrity, and availability (the CIA Triad).
When conducted properly, the information gathered should identify:
- Whether an organization’s SAP system will be available for business at all times – Availability
- Whether an organization’s data could be disclosed to unauthorized individuals – Confidentiality
- Whether an organization’s data will be accurate, reliable, and timely – Integrity
SAP Security Conclusions
While there is obviously more to consider with SAP security, an organization trying to plan for the future and be proactive in its security responsibilities would be ahead of the competition by starting with these simple items.
Realizing that SAP landscapes can be very complex and require different security expertise for such things as Human Capital Management (HCM), Business Information Warehouse (BWI), and SAP Portal, Praetorian Secure leverages our business partnership with Onapsis, Inc. to deliver security and auditing capability unparalleled in the industry. To learn more about our capabilities or to schedule a call, please contact us at 855-519-7328 or submit our online customer form.