SAP Security: Looking the Other Way Doesn't Help
A recent survey among members of the German-speaking SAP User Group (DSAG) sheds light on interesting trends in dealing with security in the SAP environment and derives specific demands from it.
On the positive side, 87 percent of the DSAG members surveyed are aware of general guidelines or a strategy for SAP security in their companies. In addition, 55 percent of respondents have made additional investments in the past twelve months to make their SAP systems more secure and minimize risks.
In this context, 78 percent of respondents thought it would make sense if appropriate security components were already activated by default in updates, new releases and services for SAP systems (security by default).
SolMan instead of SAP Security Dashboard
As imperative as security concepts are, they can hardly be implemented without a proper dashboard. Yet 72 percent of respondents do not yet use a central SAP security dashboard to keep track of their security settings.
"Some users rely on SAP Solution Manager for this. However, in our view, its primary task is not currently to map the functionalities of a comprehensive security dashboard.
Together with us, SAP could develop a standard for a complementary SAP security dashboard to meet the security requirements from DSAG's perspective."
Alexander Ziesemer, spokesman for the SAP Security Vulnerability Management working group in the Security working group, is convinced.
Network security with room for improvement
In terms of network security, 54 percent of respondents have separated and protected their SAP server network from other networks.
"A good result, but one that still has a lot of room for improvement. This figure still needs to increase significantly, because it currently means that 46 percent have not yet taken appropriate security precautions."
Alexander Ziesemer appeals to the companies.
Currently, 20 percent of those surveyed have concepts for securing Internet-of-Things-supported processes. Here, too, DSAG board member Ralf Peters sees a need for action on the part of both companies and SAP:
"Internet-of-Things projects require an end-to-end security architecture or corresponding control models. Appropriate solutions are needed for both."
Cloud work order
With regard to cloud computing, respondents continue to call for initiative from SAP. More than half of the respondents (55 percent) have connected SAP systems to a cloud and call up corresponding functionalities directly via the Internet.
There is broad agreement (87 percent) that cloud solutions require different, special security strategies and concepts. In addition, 81 percent see a very great or great challenge in integrating SAP cloud products into their own security concepts.
"From this, we derive the requirement for SAP to continue working intensively on the security of cloud products, e.g., through uniform identity and authorization management integrated into the processes."
Ralf Peters summarizes the facts.
Top Topic: Interfaces
In this context, it is worth noting that the cloud issue is currently still secondary for the respondents.
"Currently, interface security, SAP security policies, and training to raise awareness of the issue across all levels of the organization are rated as primary.
For example, security training on SAP-relevant content is on the agenda of only twelve percent of the companies surveyed so far,"
comments Alexander Ziesemer.