
SAP auditors are getting more thorough – and so should you

10 April 2020 / January 7th, 2022

The following scenario is a typical one:

You are running SAP systems to support your business-critical processes.  Your landscape probably contains SAP ECC, SAP Solution Manager and maybe some other solutions like SAP Business Intelligence, SAP Process Orchestration or SAP CRM.

In order to comply with local and international regulations, you have your internal and external audit teams and SAP auditors checking those systems on a regular basis. You have also put a proper authorisation concept in place and for years in a row, your audit report shows that you are pretty much covered apart from the standard findings on SAP access rights.

But that might be about to change…

We have noticed a shift in audits: from looking only at SAP authorisations to also looking at SAP cyber security controls, such as SAP parameters for log and ACL files, and at the more technical systems like SAP Solution Manager.

This is a positive development as far as the security of your SAP systems is concerned. However, it may be less welcome news for the large number of SAP customers who are not geared to safeguard these systems. SAP cyber security is often a blind spot that makes organisations very vulnerable. This causes severe incidents, compliance breaches and in some instances even bankruptcy.

One such example is the message server exploits that were published last year (also known as the #10KBlaze exploit). And only last week, critical SAP security notes were published for SAP Solution Manager.

A recent study done by Turnkey Consulting showed that 75% of respondents believed that “IT security will be a higher priority in SAP deployment”, while 89.6% of respondents said that “security specialists should be recruited to support SAP S/4 HANA transformation initiatives.”

Although auditors are getting more competent in technical areas, there are still parts of your SAP systems that they miss, and which are therefore not included in their reports.

We firmly believe that the goal should never be to simply pass an audit. It should be to proactively deploy a risk-based SAP security policy to protect your business-critical SAP systems.

We know that this is a big ask as securing SAP systems is a complex matter: there are dozens of SAP parameters, settings and components which must be secured across multiple SAP systems, and this can no longer be done manually.

It was exactly with this in mind that we started developing Protect4S more than 5 years ago: to automate this process and give SAP customers fast and thorough insight into the risks they run.

By utilizing a de-installable SAP add-on that operates without any agents you can have full insight into your SAP systems’ cyber security within only a few hours. This also gives you a jump start for your periodic audit and, more importantly, helps you in an efficient and effective way to boost the overall SAP Security of your business-critical SAP systems.

The unique features of Protect4S are:

  • A continuous improvement process consisting of 3 repeated steps: Scan, Analyse, Mitigate
  • It can be used by any type of user, for example SAP Basis admins, security officers, etc. who don’t need any special training
  • It is built as an SAP Web-Dynpro application on a stable SAP Solution Manager; you don’t need additional hardware which saves a lot of money.
  • It is agent-free which means you don’t introduce extra security risks and you don’t have to maintain any agents in all your SAP systems.
  • It is easy to deploy; you can start executing your first scans minutes after installation.
  • We are the only party that offers a security notes functionality with automatic implementation of up to 70% of missing ABAP Security notes.

Since we believe that seeing is believing, we offer SAP customers a completely free, 30-day Proof of Concept license with full functionality to experience these unique benefits first hand. No strings attached! See our website for more information.