Principles for SAP Security
What can and should SAP customers do to close the gaps in their SAP security? Swiss SAP experts Itesys provide tips for a secure SAP landscape. To protect themselves effectively, SAP customers should assume that the attacker has already successfully penetrated their SAP landscape, whether from the inside or the outside. The right starting point for increasing the level of security in SAP landscapes is the zero trust approach. If the attacker is always already in the system, IT managers cannot trust anyone or anything and must check everyone and everything.
In order to develop an effective security concept based on the zero trust approach, SAP customers should be guided by the following principles: strong authentication should be enforced always and everywhere, and all communications should be secure. In addition, authorizations should be granted only to the extent that users need them to do exactly what they are supposed to do, and no more. It is also important that is always clear and verifiable who has made what changes to the settings, and that all these changes are logged. Zero trust means permanent mistrust, which is why user rights and their roles, transactions, services, etc. are checked regularly.
It is also important to note that the entire IT stack, from hardware and operating system to databases and SAP applications, must be kept up-to-date. Accordingly, SAP customers should regularly evaluate and install security updates as soon as they are announced. In addition, the IT landscape should be able to compensate for partial failures, for example, by segmenting the network and securing it with its own policies and measures, or by regularly practicing service recovery. These principles form the basis of an effective zero trust architecture, which SAP customers and partners can implement using appropriate tools and processes.
To the partner entry:
