Top-5 key lessons learned
SAP Security predictions for the new year: in our view, a popular yearly returning flow of security-related predictions or loose guesses pushed out to the world by security vendors around the year change.
And while some of them may come true, this is not really our game. We’d rather look back at the past year and provide you with some help for 2022 to stay in control and ahead of risk.
Based on our experience and the assessments done at customers last year we noticed a further increase in security awareness, specifically for the topic of SAP hardening and Vulnerability Management. And not just for the fortune 500 SAP customers, but noticeably also for the smaller SAP shops. This is good news. Yet, in our view, when it comes to SAP Security, there is still a big group of SAP customers that can and should step up their game and implement proper security hygiene and a continuous Vulnerability Management process. Some tips that might help you in this quest:
- Involve all stakeholders when working on SAP Security. This is not just the problem of the SAP Basis team! The security of your business-critical systems is a joined responsibility and needs cooperation of the business, IT and other stakeholders.
- If not done already start by checking your SAP assets, what SAP components do you have? What is their current security status (your starting point)? In which areas do we have risk? This is sometimes hard to answer as SAP landscapes can be complex in terms of setup, configuration, many parameters, connections between systems, etc. Automation helps here and an assessment can help to get the much-needed insight. Don’t forget about your SAProuter, Web Dispatcher, sandboxes, etc, etc.
- Once you have insight in your risks, make sure to have a plan before starting mitigation and remediation activities. Make sure your people and budget are set to work efficiently and effectively by focusing on the high risk findings and automate where possible. Also look at systems that are internet-facing with more caution for example.
- Embed SAP Security activities in a process! This is not a one-time effort and should be periodically worked on. An option is to align with SAP Security patch Tuesday for example to make sure you have a least a monthly point-in-time to check the security state of your SAP systems including patch management, configuration, etc.
- Once your SAP Security hardening / Vulnerability Management foundation is laid out and you are ‘in control’, optionally start to look at other areas such as (real-time) monitoring (Threat Detection), code security for your custom ABAP code, etc.
For SAP customers, Protect4S can support the vulnerability management process, provide insight, automate scanning and patching of SAP ABAP Security notes and lower risk in your business-critical SAP systems. Try out Protect4S for 1 month for free or request a demo!
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!