5 steps for boosting SAP ECC security
Cybersecurity remains a top priority for organizations. Learn some key steps that companies with SAP ECC should follow to boost their security and stay safe.
Cybersecurity remains a top priority for enterprises around the world as high-profile hacking incidents have highlighted the risks of doing business in a highly connected world. Organizations continuing to run SAP ECC must do even more to stay ahead of cybersecurity threats.
Companies with on-premises SAP ECC must take particular care. In past years, conventional wisdom held that cloud-based software was in some ways more vulnerable than on-premises systems, but the opposite may now be true. Companies running on-premises software are generally responsible for protecting their own systems, while a 24/7 staff often takes care of hosted SaaS environments, monitoring systems and fending off threats.
Here are some key steps companies with SAP ECC should follow to boost their security as concerns increase.
1. Assign clear SAP security ownership
SAP systems are complex and multifaceted, and distinct security specializations exist around ECC, BW, HCM, CRM and the many other applications under the SAP umbrella. This complexity means organizations must put experts in place who understand the nuances of SAP software and who can dedicate adequate bandwidth to monitoring vulnerabilities, auditing system security, and setting and enforcing policies.
Vulnerabilities at the database or operating system level are just as important as those in the application layer, so effective communication and shared processes among the various security specialists are essential.
2. Stay on top of users, roles and authorizations
Organizations often take a lax approach to users and permissions management. SAP ECC includes individual users, each of which may possess one or more roles. SAP provides a collection of pre-configured roles, and administrators should check that list before creating a new one from scratch. Another best practice is to use the SAP Profile Generator when adding or maintaining roles and authorizations in ECC. Doing so ensures that nothing gets overlooked during the process, including potentially granting overly broad access.
As with any system, organizations should audit users, roles and authorizations routinely. Are any permissions defined too broadly? Are administrative rights limited to those who truly need them? Should any current permissions be revoked? Does the company revoke user credentials immediately when an employee leaves the company?
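The audit questions above can be turned into a repeatable check. The following is an added example, not code from the article or from SAP: it runs over a constructed user/role export shaped like what an administrator would pull from SUIM or the AGR_USERS, UST04 and USR02 tables (field names assumed) and flags wildcard authorizations, blanket profiles such as SAP_ALL on active accounts, and leavers whose validity has expired but whose accounts are still unlocked.

```python
"""Audit a constructed SAP ECC user/role export (assumed layout, sample data is made up)."""
from datetime import date

# Constructed sample users: assigned roles, profiles, validity end date, lock flag
USERS = {
    "JSMITH":  {"roles": ["Z_FI_CLERK"],     "profiles": [],          "valid_to": date(9999, 12, 31), "locked": False},
    "ADMIN01": {"roles": ["Z_BASIS_ADMIN"],  "profiles": ["SAP_ALL"], "valid_to": date(9999, 12, 31), "locked": False},
    "LEAVER":  {"roles": ["Z_MM_BUYER"],     "profiles": [],          "valid_to": date(2023, 6, 30),  "locked": False},
    "DEV02":   {"roles": ["Z_DEV_TESTER"],   "profiles": ["SAP_NEW"], "valid_to": date(9999, 12, 31), "locked": True},
}

# Constructed role definitions: authorization object -> field -> permitted values
ROLES = {
    "Z_FI_CLERK":    {"S_TCODE": {"TCD": ["FB01", "FB03"]}},
    "Z_BASIS_ADMIN": {"S_TCODE": {"TCD": ["*"]}, "S_USER_GRP": {"ACTVT": ["*"]}},
    "Z_MM_BUYER":    {"S_TCODE": {"TCD": ["ME21N", "ME23N"]}},
    "Z_DEV_TESTER":  {"S_TCODE": {"TCD": ["SE*"]}},
}

# Blanket profiles that should not sit on ordinary, active accounts
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}


def audit(users, roles, today):
    """Return (user, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for uid, u in sorted(users.items()):
        # "Are any permissions defined too broadly?" -> wildcard values in assigned roles
        for r in u["roles"]:
            for obj, fields in roles.get(r, {}).items():
                for field, vals in fields.items():
                    if any("*" in v for v in vals):
                        findings.append((uid, f"role {r}: {obj}/{field} allows wildcard {vals}"))
        # "Are administrative rights limited?" -> blanket profiles on unlocked accounts
        for p in u["profiles"]:
            if p in BROAD_PROFILES and not u["locked"]:
                findings.append((uid, f"active account holds blanket profile {p}"))
        # "Are credentials revoked when an employee leaves?" -> expired but still unlocked
        if u["valid_to"] < today and not u["locked"]:
            findings.append((uid, f"validity ended {u['valid_to']} but account is not locked"))
    return findings


def run_audit(today_iso):
    """Convenience wrapper: audit the sample export as of an ISO date string."""
    return audit(USERS, ROLES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, finding in run_audit("2024-01-15"):
        print(f"{user}: {finding}")
```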
3. Promptly address SAP's Security Notes
SAP systems security often focuses mainly on user permissions, but companies must also stay on top of SAP's Security Notes.
SAP routinely issues Security Notes about potential cybersecurity concerns. SAP normally issues them on the second Tuesday of each month, which coincides with the company's Security Patch Day and is coordinated with other software companies. When organizations receive a Security Note, many weigh the risk against the potential costs of immediate remediation. If system downtime is a concern, organizations can defer some fixes, but companies making that choice should carefully assess the level of risk exposure.
4. Deploy the right threat detection tools
Most enterprises use a security information and event management (SIEM) tool to detect threats and alert administrators when immediate action is required. These tools generally protect IT infrastructure by monitoring suspicious network traffic, failed logins and similar indicators. SIEM tools aren't usually built to specifically address application security.
SAP provides its own security monitoring tool, SAP Enterprise Threat Detection (ETD). While SIEM software focuses on infrastructure and network traffic, ETD examines ECC's application logs and checks for anomalous behavior and vulnerabilities.
Although users can configure some SIEM tools to track SAP logs, ETD could help companies with ECC in a variety of ways. SAP routinely updates ETD with new threat patterns when they emerge, providing an additional layer of protection as new SAP vulnerabilities come to light. In addition, ETD captures log data as it's recorded, so ETD preserves the information even when hackers aim to cover their tracks by deleting those files.
Several companies have developed third-party tools for threat detection and security auditing for SAP applications as well. Organizations that want to automate security and routinely perform comprehensive audits should consider deploying those tools.
5. Develop security awareness among users
Companies face a constant danger from social engineering. Hackers routinely try to convince authorized users to hand over their credentials through phishing emails and legitimate-sounding phone calls, among other tactics. End users must learn to be suspicious of email attachments, rogue websites and unauthorized desktop applications.
An effective SAP ECC security program should include end-user awareness training that teaches employees to identify potential issues and report them promptly to the right people.