On March 29th, Inprosec conducted a webinar on “Security controls in SAP systems”, given by Miguel Fonte Diaz, SAP consultant. It was delivered on the CUVIV platform in two one-hour sessions, one in the morning for the European audience and another in the afternoon for the Latam audience.
This webinar was aimed at users with some notions of SAP who want to expand their knowledge, and attendees were able to ask questions at the end of the session.
Below are the contents that were taught in the webinar:
Due to the increasing computerization and digitization of business processes, the security of their systems is becoming ever more important for organizations, which need to prevent incidents affecting production, information or the management of these, and which have therefore begun to prioritize the security of their systems to a greater extent.
All organizations should have a minimum set of controls in place to ensure information security in its three key aspects: confidentiality, availability and integrity.
SAP’s first steps towards greater security
The period around 2015-2020 is the turning point at which different organizations began to perceive the security of their systems as a priority.
Therefore, in 2019, SAP implemented a series of technical security configurations that are applied by default in all new SAP systems implemented from that moment on, and that considerably raise the minimum security standards applied to the systems.
All these configurations had already been available in SAP systems for years, but each customer had to configure them manually to reach these higher security levels.
SAP Security Baseline
Some time after this first measure, SAP decided to publish what came to be called the SAP Security Baseline.
This document is essentially a series of security controls that SAP defines as the minimum for monitoring and ensuring the security of its systems; they are detailed in the following note published by SAP: 2253549.
These recommendations can be downloaded and implemented for monitoring in some of the system monitoring tools offered by SAP.
This is where we at Inprosec support our customers, offering a security configuration that, while based on the Security Baseline, provides additional benefits for security control:
- Detailed descriptions of all controls
- Classification of controls by groups
- Detail of the potential impact of implementing that control on the system
- More than 70 major controls that can be configured with Security Baseline
Security Controls
ABAP
The first group for which SAP has designed security controls is ABAP-type systems.
In these systems, we can divide the different controls into 5 main groups:
- ABAP Security
- Software
- Instance parameters
- Component maintenance
- System changes
JAVA
The second group to review is JAVA-type systems.
In these systems, we can divide the different controls into 3 main groups:
- Software
- System parameters
- Connected services
HANA Database
The third group to review is HANA Database systems, where the most relevant groups are:
- User management
- Auditing and traceability
- Security protocols
- Software
Business Technology Platform (BTP)
The last group to review is SAP BTP systems.
The main difference with this type of system is that the configuration and management of the security control tool is performed by SAP itself.
All the steps needed to request this report are detailed in the following blog published by SAP: New Security Optimization Service Continuous Quality Check for SAP Business Technology Platform (CQC SOS for BTP)
Solution Manager – Configuration Validation
Configuration Validation is an SAP Solution Manager tool that lets you check whether SAP systems are configured consistently and securely according to the requirements defined by the company.
To review these controls, a virtual reference system containing the parameters covered by the SAP Security Baseline, with the appropriate modifications, can be set up as the Target System.
Reports can be analyzed in real time through the reporting application offered by the tool.
Another option is to schedule the reports to run periodically and be sent by email to the interested parties.
Finally, a relevant advantage of this tool is that the emailed report can be used to feed a PowerBI dashboard of SAP system security.
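To illustrate what a Configuration Validation run does with the “Instance parameters” control group, here is an added example (not code from the webinar, from Inprosec or from SAP) that compares the profile parameters of several managed systems against a target system and lists the non-compliant controls. The parameter names are real SAP profile parameters, but the target values, the system IDs and the sample profiles are constructed for this example and are not the SAP Security Baseline values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One control of the target (reference) system: exact value or numeric bounds."""
    param: str
    equals: Optional[str] = None     # exact string match
    minimum: Optional[float] = None  # inclusive lower bound
    maximum: Optional[float] = None  # inclusive upper bound

# Constructed target system: real parameter names, illustrative values only.
TARGET_SYSTEM = [
    Rule("login/min_password_lng", minimum=8),
    Rule("login/fails_to_user_lock", minimum=1, maximum=5),
    Rule("login/no_automatic_user_sapstar", equals="1"),
    # A value of 0 disables the auto-logout, so a pure upper bound would wrongly accept it.
    Rule("rdisp/gui_auto_logout", minimum=1, maximum=3600),
]

def check(rule: Rule, actual: Optional[str]) -> bool:
    """True if the actual profile value satisfies the rule; a missing parameter fails."""
    if actual is None:
        return False
    if rule.equals is not None:
        return actual == rule.equals
    try:
        value = float(actual)
    except ValueError:
        return False  # non-numeric value where a numeric bound is expected
    if rule.minimum is not None and value < rule.minimum:
        return False
    return rule.maximum is None or value <= rule.maximum

def validate(profiles: Dict[str, Dict[str, str]], rules=TARGET_SYSTEM):
    """Compare each managed system's profile against the target.
    Returns {sid: {param: (compliant, actual_value)}}."""
    return {sid: {r.param: (check(r, params.get(r.param)), params.get(r.param))
                  for r in rules} for sid, params in profiles.items()}

def findings(results) -> List[Tuple[str, str, Optional[str]]]:
    """Flat (sid, parameter, actual) list of non-compliant controls, e.g. for the emailed report."""
    return [(sid, p, actual) for sid, checks in results.items()
            for p, (ok, actual) in checks.items() if not ok]

# Constructed sample profiles for two fictitious systems (DEV is missing one parameter).
SAMPLE_PROFILES = {
    "PRD": {"login/min_password_lng": "12", "login/fails_to_user_lock": "5",
            "login/no_automatic_user_sapstar": "1", "rdisp/gui_auto_logout": "1800"},
    "DEV": {"login/min_password_lng": "6", "login/fails_to_user_lock": "12",
            "rdisp/gui_auto_logout": "0"},
}

if __name__ == "__main__":
    for sid, param, actual in findings(validate(SAMPLE_PROFILES)):
        print(f"{sid}: {param} = {actual!r} is non-compliant")
```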