SAP Security Extends Security and Risk Management
SAP security consultants are becoming more valued because businesses depend on SAP systems to help maintain crucial business operations, and these can be subject to a wide variety of cybersecurity threats. Serious damage to the reputation and finances of a company can result from successful cyber attacks like data leaks and fraud, and these can originate within or outside of an organisation.
Security and risk management leaders are responsible for protecting the organisation from external and internal threats, and run security operations centres. Their job is to define security roles, responsibilities and expectations for each area of the business. They can analyse an existing security system and determine the level of threat within an environment. They also assess the extent to which an organisation is aligned with the principles of security business operations and ensure a business and its partners are compliant with data protection legislation.
In order to maintain a secure environment for business operations, security and risk management leaders need to ensure businesses consistently invest time in training the workforce in best practices for business systems security. They also need to maintain a high level of technological investment in order to keep up with evolving cybersecurity threats.
Alongside these more established security roles within a business or organisation, ERP systems like SAP need IT consultants to administer a variety of SAP security solutions which promote and automate security best practices.
This week IgniteSAP is taking a look at the emerging role of the SAP security consultant.
Challenges for SAP Systems Security
As with other areas of SAP technology, there is a shortage of skilled SAP security professionals who specifically attend to SAP application security. This shortage is partly the result of the move to the cloud, which brings with it a faster rate of application development and a wider distribution of technology infrastructure.
On-premise systems benefit from firewalls, but the necessary move toward cloud provision of software services presents a different set of challenges. Digital enterprises running cloud-based SAP systems find it hard to source talent with the skills to deal with this, so the shortage is leading to greater career opportunities for IT consultants specialising in SAP Security.
Because those looking to gain access to business data and systems are constantly testing the water and creating new threats, large corporations like SAP have to release monthly security patches, updates and advisories. This workload becomes difficult for businesses to manage because they are sometimes running ten or twenty SAP applications, so SAP security consultants are required to put in place methods to automate and streamline security updates in order to avoid building a backlog of security tasks.
Christof Nagy, CEO of SecurityBridge has said: “Patching is not like Windows where a pop-up tells you a new patch is coming… It’s a disconnected process, and customers need to look for patches. SAP has a patch day every second Tuesday, and customers are responsible for reviewing the patches to see if they apply to their products.”
SAP security consultants understand the principles of business systems security as well as SAP systems, and they ensure that security concerns and updates are addressed rapidly and configured correctly to avoid data breaches.
The volume of work for SAP security consultants is increasing, and so is the complexity of the group of challenges they are required to resolve.
More Than Just Access Control
Users of SAP systems often assume that SAP systems are digitally secure by default, but this is not the case. SAP security solutions need careful configuration and management as the task of securing business data and processes is constantly changing.
The established method of securing business systems is to assign roles and profiles for users which limit access according to predefined permissions. Along with traditional access control, SAP systems can track users' interactions with a system and provide more granularity in the degree of access granted to each user.
SAP security consultants can contribute to the design of a business system during an implementation project to ensure it is aligned with general security principles, right down to the level of custom code.
They are asked to configure connectors with other systems that fall outside of the SAP system as these are often a point of security weakness. The SAP system, the non-SAP system and the connector all need to be verified as security compliant.
Onapsis Research Labs investigates vulnerabilities in SAP systems, and their chief technical officer Pablo Perez-Etchegoyen has said migrating to the cloud need not be a security risk as long as the connections are secure.
Customisations can also result in vulnerabilities so each time a customisation is performed, it needs to be assessed for compliance with the security of the wider system.
The secure configuration of an SAP system is a complex task that needs to cover many areas, including: governance and regulatory compliance, access management, data privacy, authentication, application security, server security, SAP HANA database security, data encryption, network and communications security, risk management system configuration, and infrastructure and cloud hosting security.
SAP S/4HANA and Fiori Security
As an illustration of the complexities of SAP security, we can look at SAP S/4HANA. Implementing a secure instance of S/4HANA requires certain considerations specific to that SAP product and SAP security consultants need to understand S/4HANA as well as the solutions it connects to, in order to maintain integrity of the system.
For example, if users need access to the HANA database, the security design needs to include the HANA privilege concept (a higher level of access), and security and developer staff need to be made aware of this.
Also, the Fiori user interface is accessible by multiple mobile devices, and connecting so many more devices to an SAP system provides a huge number of points of access for potential security breaches. SAP consultants working with Fiori therefore need to use the Mobile Device Management solution to ensure security standards are maintained.
Working With The SRM Team and Others
SAP security consultants need to work closely with system architects and other team members as well as the security and risk management team when an SAP system is being created. They also can be tasked with assessing the level of security of an existing system and providing solutions to security weaknesses in the application layer.
The security of the application layer falls outside the traditional skills of a security and risk management team. These analysts assess IT infrastructure like firewalls, physical endpoints and virus scanners.
Now the SAP consultants are being integrated into security management teams because SAP security requires understanding of many SAP applications at many levels, from configuration to coding.
Another aspect of the role of the SAP security consultant is to ensure that everyone knows that security is a shared responsibility at all levels of the organisation. They may be required to provide training to promote awareness of general security best practices and of the specifics of an SAP security project.
SAP Security Training and Certification
As we have seen, specialising in SAP security can lead to an extremely fruitful consulting career because there is a shortage of skilled practitioners and the need for these professionals is only going to increase with time.
If you are interested in learning more, and eventually attaining global certification to support your SAP security consulting career, the free SAP resource openSAP is a good place to start.
The SAP Learning Journeys describe a route of training courses and certification for a variety of SAP specialisms. The SAP System Security and Authorisation Learning Journey provides a comprehensive introduction to information security in SAP and leads to a recommended SAP Certified Technology Associate qualification in SAP System Security and Authorisations, with the potential to qualify as an SAP System Security Architect.
If you are looking to find a new role as an SAP security consultant, or as any other SAP solution specialist, our team can set you on the path to a highly rewarding career, so join us at IgniteSAP.