
What is SAP Security?

SAP Online Classes provides the best SAP training online, based on current industry standards, which helps attendees secure placements in their dream jobs at MNCs. SOC is one of the most credible ERP SAP online training providers, offering hands-on practical knowledge and full job assistance with basic- as well as advanced-level ERP SAP implementation training. At SOC, online ERP SAP training is conducted by subject-specialist corporate professionals with 14+ years of experience in managing real-time ERP SAP projects.


Answer 1

Steve Quinn

SAP Security professional, 1999-present

First, I’m making an assumption that the asker knows what SAP is — for that, there are many answers that can be looked up.

In today’s world, SAP Security is usually:

  • creating and managing the user IDs in all of the “clients” in an SAP landscape of systems, usually multiple landscapes (this is sometimes mitigated by automated user ID provisioning processes and Single Sign-On)
  • creating and maintaining the SAP authorization “roles” to be assigned to the user IDs in order to grant them “access” in the SAP clients (these generate “authorization profiles” … hardly anyone assigns access directly via profiles anymore)
  • making sure these roles do not provide too much access (individually or in combination) to allow illicit activities on the part of the users (i.e., Segregation/Separation of Duties) … users need access to at least the minimum to do their jobs, but not access to the things they definitely should not have, and everything else is a middle-ground/”grey area” where it essentially does not matter if they have that access or not

For me, that is most of the job. But it stays interesting (for me) because one is generally doing most of this for Development, Quality Assurance, and Production systems (at minimum) multiplied by covering ECC, BW, and SRM landscapes, plus GRC, Gateway, XI/PI systems, etc. It also stays interesting because we are steadily deploying new things that need new roles (for new locations, new functionality, etc.) and performing periodic functions such as copies from Prod to QA and Support Packs that require further SAP Security support.

Answer 2

Alexander Polyakov

works at Erpscan

Essentially, SAP Security is a complex set of different areas with different responsibilities. There are several ways to separate it into discrete parts to work with. SAP Security can be divided into application and business layers, or platform and customization levels. On the other hand, it can be grouped by approach, such as detection and response, or organizational and technical. SAP Security can also constitute distinct areas in accordance with platform types (ABAP, JAVA, HANA and so on).

In fact, SAP Security can be perfectly divided by responsibility into Segregation of Duties, Custom Code Security, and Application platform security. Each one is commonly the responsibility of a different department. However, I think a company should have one point of contact for all those areas, and the aim of the CISO is to be this person.

The first area is Segregation of Duties and access control. It consists of protecting the system against users who have insufficient privileges or a combination of those privileges. For example, if some employees have access to critical functionality such as reading any table, they can escalate their privileges by simply looking at a table with passwords. This area is the best known; however, it’s not as important as the others.

The second area is Code security. As you may be aware, programs written in the ABAP language (SAP’s proprietary language for developing extensions to SAP products) can have vulnerabilities and, more importantly, they can be used as backdoors.

The third and main area is Application platform security. It covers all kinds of vulnerabilities, misconfigurations, encryption, logging, unnecessary enabled functionality, and other technical issues. Simply put, here we deal with all issues that can lead to unauthorized administrative access to an SAP system, and in most cases an attacker doesn’t need any SAP account to conduct an attack.

If we compare these 3 areas, it’s clear that in terms of Cybersecurity the last one plays a vital role. Of course, it doesn’t mean that you shouldn’t pay attention to the other areas at all. However, imagine the worst-case scenario: you have the weakest access control and SoD configuration ever, say, SAP_ALL access for every user. This issue can only be exploited by someone who already has access to the SAP system. However, if a flawless SoD control is in place, but a company’s portal is exposed to the Internet and has an authentication bypass vulnerability, hackers can penetrate the system and cause irreparable damage.

I hope this post helped you to get to know what SAP Security is and how you can be involved in this growing world of opportunities.
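Both answers above talk about Segregation of Duties as a property of role assignments: Answer 1's "individually or in combination", and Answer 2's worst case of SAP_ALL for every user. The following is an added example, not code from either author, from SAP or from any GRC product: a small Python checker that computes the functions a user effectively holds across roles and flags conflicting pairs and critical single functions. All role names except SAP_ALL, all function names and the conflict rules are constructed and hypothetical.

```python
from itertools import combinations

# Constructed sample data, not taken from the answers above. Role names
# other than SAP_ALL and all function names are hypothetical; each role
# lists the business functions it effectively grants.
ROLES = {
    "Z_AP_INVOICE": {"enter_vendor_invoice"},
    "Z_AP_PAY": {"release_payment"},
    "Z_VENDOR_MASTER": {"maintain_vendor_master"},
    "Z_TABLE_DISPLAY": {"display_any_table"},
    "SAP_ALL": {"enter_vendor_invoice", "release_payment",
                "maintain_vendor_master", "display_any_table",
                "administer_users"},
}

# Constructed SoD rule set: function pairs one person must never hold together.
CONFLICTS = {
    frozenset({"maintain_vendor_master", "release_payment"}):
        "can create a fictitious vendor and pay it",
    frozenset({"enter_vendor_invoice", "release_payment"}):
        "can post and release an invoice without a second pair of eyes",
}

# Functions that are high-risk on their own, even without a conflicting pair.
CRITICAL = {
    "display_any_table": "unrestricted table display exposes sensitive data",
    "administer_users": "can grant any access to self or others",
}

def effective_functions(role_names):
    """Union of functions over all assigned roles; unknown roles grant nothing."""
    funcs = set()
    for name in role_names:
        funcs |= ROLES.get(name, set())
    return funcs

def analyze_user(role_names):
    """Return the SoD conflicts and critical functions one user's roles yield."""
    funcs = effective_functions(role_names)
    # Check every pair of held functions against the conflict matrix.
    conflicts = sorted(CONFLICTS[frozenset(pair)]
                       for pair in combinations(sorted(funcs), 2)
                       if frozenset(pair) in CONFLICTS)
    critical = sorted(f for f in funcs if f in CRITICAL)
    return {"conflicts": conflicts, "critical": critical}

if __name__ == "__main__":
    sample_users = {"ALICE": ["Z_AP_INVOICE"],
                    "BOB": ["Z_VENDOR_MASTER", "Z_AP_PAY"],
                    "ADMIN1": ["SAP_ALL"]}
    for user, roles in sample_users.items():
        print(user, analyze_user(roles))
```

Note that BOB's conflict arises only from the combination of two individually harmless roles, which is exactly the case that per-role review misses.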

Answer 3

Rajni Dubey

SAP security is one of the most important technical modules, where the SAP security managers are in charge of the development and administration of client rights on SAP frameworks.

For progress and powerful capacities in each association, a standard SAP security module must be implemented at all levels. When implementing SAP security, we have to think of some important points of focus:

  • What should be secured against inside or outside threats to the association?
  • From whom should it be secured?
  • What moves are to be taken to keep out these threats?
  • When creating security, you should first figure out what you need to be safe.
