How can you execute an SAP Security Audit?

When we have a look at the architecture and usage of SAP Systems, we see immediately that SAP Systems are complicated, highly customizable and business critical applications. These features make the security of SAP Systems distinctive from the traditional cybersecurity.

To conduct a security audit of an SAP system, we must take into consideration all layers of the SAP application platform and the infrastructure on which the SAP system runs. In an SAP security audit, the following areas (the list can always be extended) must be covered:

· Infrastructure Security (Network and Operating System)
· Database Security
· Vulnerability Check of SAP Systems
· Access Control Checks / Segregation of Duties Checks
· Code Security
· System Configuration Analysis
· Interface and System Connections Security
· Password Complexity and Privileged Users
· Business Integrity Monitoring (Compliance and Fraud Checks)
· SOX, GDPR and other compliance checks

It is obvious that executing a security audit covering all layers, different modules and technical components of an SAP system is a quite complicated task.

Infrastructure security covers the systems on which SAP is installed: it is about securing the operating system and every third-party application that is installed on the same operating system as SAP.

Database security is about checking the compliance, audit records, availability and configuration of the database on which the SAP system is running. In most cases this means checking the security of SAP HANA or Oracle databases, which are the databases most often used by the various SAP solutions.

Vulnerability Check is about checking whether the latest component releases are installed, SAP Security Notes are implemented, and security configurations are up to date in an SAP system. To confirm that these vulnerabilities are absent, security experts must scan the SAP system using a black-box approach and try to exploit the vulnerabilities.

Access Control Checks is about assigning the right authorizations to SAP system users and implementing a sound Segregation of Duties concept. In addition, access to RFC function modules, web services and other APIs must be protected by a well-thought-out authorization concept.
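The Segregation of Duties check described above, as an added example that is not part of the original article: it evaluates conflicts on each user's combined access across all assigned roles rather than role by role, which is where cross-role conflicts hide. The transaction codes are real SAP transactions, but the role names, user names, the role-to-transaction mapping and the conflict pairs in SOD_RULES are constructed and assumed for illustration; a real check would read them from a SUIM or AGR_USERS/AGR_TCODES extract and from the organisation's own SoD ruleset.

```python
"""Segregation of Duties (SoD) conflict detection across a user's combined roles.

Added example with constructed data; nothing here is taken from a real system.
The transaction codes are real SAP transactions, but the role names, user
names and the conflict pairs in SOD_RULES are assumed for illustration.
"""
from collections import defaultdict

# Assumed SoD ruleset: pairs of transactions one person should not hold together.
SOD_RULES = {
    "maintain-vendor-and-pay":  ("XK01", "F110"),    # create vendor master + run payment program
    "create-po-and-release-po": ("ME21N", "ME29N"),  # create purchase order + release it
    "maintain-user-and-role":   ("SU01", "PFCG"),    # user administration + role administration
}

# Constructed role -> transaction codes (what each role's S_TCODE authorization grants).
ROLE_TCODES = {
    "Z_AP_CLERK":          {"XK01", "XK02", "FB60"},
    "Z_AP_PAYMENTS":       {"F110", "FBL1N"},
    "Z_PURCHASER":         {"ME21N", "ME22N"},
    "Z_PURCHASE_APPROVER": {"ME29N"},
    "Z_BASIS_ADMIN":       {"SU01", "PFCG", "SM59"},
}

# Constructed user -> assigned roles (as a SUIM or AGR_USERS extract would list them).
USER_ROLES = {
    "JSMITH": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "AWONG":  ["Z_PURCHASER"],
    "BASIS1": ["Z_BASIS_ADMIN"],
    "MKHAN":  ["Z_PURCHASER", "Z_PURCHASE_APPROVER"],
}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of the transactions reachable through every role assigned to the user."""
    reach = set()
    for role in user_roles.get(user, []):
        reach |= role_tcodes.get(role, set())
    return reach


def roles_granting(user, tcode, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """The user's roles that grant a transaction; needed to decide which side to remove."""
    return sorted(r for r in user_roles.get(user, []) if tcode in role_tcodes.get(r, set()))


def find_sod_violations(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Map each user to the list of (rule, tcode_a, tcode_b) conflicts they hold.

    The check runs on the user's combined access, not per role, because a
    conflict split across two individually clean roles is exactly the one a
    role-by-role review misses.
    """
    violations = defaultdict(list)
    for user in user_roles:
        reach = effective_tcodes(user, user_roles, role_tcodes)
        for name, (a, b) in rules.items():
            if a in reach and b in reach:
                violations[user].append((name, a, b))
    return dict(violations)


if __name__ == "__main__":
    for user, hits in sorted(find_sod_violations().items()):
        for name, a, b in hits:
            print(f"{user}: {name}: {a} via {roles_granting(user, a)}, "
                  f"{b} via {roles_granting(user, b)}")
```

With the constructed data, JSMITH, BASIS1 and MKHAN each hold one conflict and AWONG holds none; roles_granting shows which assignment has to be removed or mitigated for each side of a conflict.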

Code Security is about checking custom ABAP code for faulty or missing authorization checks and for ABAP statements that are open to code injection. Detailed information about code security can be found in my article linked below:

Code Security in SAP Systems | LinkedIn

System Configuration Analysis is about checking the values of SAP system parameters. There are hundreds of parameters in an SAP system whose values directly affect encryption, authentication, monitoring, access control and logging. The validity of the values of these parameters must be checked.

Interface and System Connections Security is about checking the security configuration of the connections and interfaces of an SAP system. An SAP system has hundreds of connections to other SAP and third-party applications. These can be point-to-point connections or connections built using SAP's Enterprise Service Bus, SAP PI (Process Integration).

Password Complexity and Privileged Users is about checking the password policy settings and the strength of passwords in SAP systems. Privileged users (firefighter accounts, the DDIC user) can execute almost any action on an SAP system, and their actions must be monitored. Detailed information about password security can be found in my article linked below:

Logon And Password Security in SAP Systems | LinkedIn
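The system configuration analysis and the password-policy part of the section above both come down to comparing SAP profile parameter values with a baseline. The following is an added example, not code from the original article or from LogPoint: it parses the `name = value` lines used by SAP instance and default profiles and reports every deviation from a baseline, including parameters that are not set at all (the kernel then applies its built-in default, which must be verified rather than assumed). The parameter names are real SAP profile parameters; the expected values in BASELINE are an assumed baseline for illustration, not an official SAP or audit standard, and the sample profile is constructed.

```python
"""Baseline check of SAP profile parameters (system configuration analysis).

Added example: parses 'name = value' lines in the form used by SAP instance
and default profiles and compares them with a constructed baseline. Parameter
names are real SAP profile parameters; the expected values in BASELINE are an
assumed baseline for illustration, and SAMPLE_PROFILE is constructed, not
taken from a real system.
"""
import re

# Constructed DEFAULT.PFL-style excerpt (values chosen to show passing and failing checks).
SAMPLE_PROFILE = """\
# constructed sample profile
SAPSYSTEMNAME = ABC
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 0
rsau/enable = 1
snc/enable = 0
"""

# Assumed baseline: parameter -> (comparison, expected value, what the parameter controls).
BASELINE = {
    "login/min_password_lng":                 (">=", 8, "minimum password length"),
    "login/password_expiration_time":         ("between", (1, 90), "password validity in days (0 = never expires)"),
    "login/fails_to_user_lock":               ("<=", 5, "failed logons before the user is locked"),
    "login/no_automatic_user_sapstar":        ("==", 1, "no fallback SAP* user with its default password"),
    "login/password_downwards_compatibility": ("==", 0, "no downward-compatible (weaker) password hashes"),
    "rsau/enable":                            ("==", 1, "security audit log switched on"),
    "snc/enable":                             ("==", 1, "SNC encryption for DIAG and RFC traffic"),
}

# Profile line: parameter name (letters, digits, '_' and '/'), '=', value.
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} from profile text; '#' comment lines and blanks are skipped."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def value_ok(op, expected, actual):
    """Evaluate one baseline rule; a missing or non-numeric value never passes."""
    try:
        n = int(actual)
    except (TypeError, ValueError):
        return False
    if op == ">=":
        return n >= expected
    if op == "<=":
        return n <= expected
    if op == "==":
        return n == expected
    if op == "between":
        low, high = expected
        return low <= n <= high
    raise ValueError(f"unknown comparison {op!r}")


def audit_profile(text, baseline=BASELINE):
    """List (parameter, actual value or None, expected rule, description) for every deviation.

    A parameter absent from the profile is reported too: the kernel then
    applies its built-in default, which is often the weaker value.
    """
    params = parse_profile(text)
    findings = []
    for name, (op, expected, desc) in baseline.items():
        actual = params.get(name)
        if not value_ok(op, expected, actual):
            findings.append((name, actual, f"{op} {expected}", desc))
    return findings


if __name__ == "__main__":
    for name, actual, expected, desc in audit_profile(SAMPLE_PROFILE):
        shown = "not set" if actual is None else actual
        print(f"{name}: is {shown}, expected {expected} ({desc})")
```

On the constructed profile the check reports five deviations: the password length and expiry settings, the SAP* fallback, the unset downward-compatibility parameter, and SNC being disabled; the lock threshold and the audit log pass. In a real audit the same loop runs over every instance profile as well as the default profile, because an instance value overrides the default one.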

Business Integrity Monitoring is about improving the detection of anomalies in business transactions to mitigate fraud risk and reduce losses.

SOX, GDPR and other compliance checks are about checking the SAP system's compliance with global and industry-specific guidelines such as GDPR, SOX, PCI, GLBA, HIPAA, etc.

Executing all these checks in SAP systems and correlating the findings with each other is a very complicated task. Additionally, these checks are not one-time checks: they must be run, and their results monitored, continuously. Detection of security problems is only one side of the problem. After a problem is detected, an appropriate response must follow to remedy the security problem in the SAP system. This is also a complicated task, which can only be carried out by an SAP professional with a deep understanding of SAP systems, unless you have predefined manual, automated or semi-automated playbooks in your arsenal for solving the security problems.

The answer to these complicated problems is our LogPoint for SAP Solutions. Our SAP Security Solution, together with LogPoint's Converged SIEM Platform (SIEM + UEBA + SOAR), provides an end-to-end SAP security solution for SAP systems.

You can find more information about our SAP Security Solutions under the link below:

SAP security monitoring tools – Gartner Awarded - LogPoint

You can find more information about our Converged SIEM Solution under the link below:

Comprehensive threat detection and response with Converged SIEM - LogPoint