Are You Bridging the Gap Between SAP Security and SAP Cybersecurity?
Jul 31, '19 by Joerg Schneider-Simon
It’s an understatement to say that your SAP system contains and controls your most mission-critical data and processes. Keeping your applications safe and secure, therefore, isn’t a one-person job: It requires a team of professionals, all performing different roles.
With this division of duties, however, comes a very real risk of certain vital tasks falling through the cracks. And unfortunately, SAP cybersecurity has been an all-too-frequent casualty.
Why is this happening, and how can organizations keep their SAP system safe? First, let’s look at the roles that are being played.
Your SAP System and Organizational Roles
Savvy organizations know that threats can come from outside the organization … and from within. Having strong security controls within the organization can go a long way toward preventing any issues, be they malicious or inadvertent, and can also serve as a simple way to pinpoint where any problems have taken place.
To that end, securing SAP typically relies on three teams:
Governance, risk and compliance. This role involves ensuring that an organization’s governance, internal controls, and risk management meet or exceed regulatory requirements. Very large organizations may fill this role in-house, while others hire outside consultants to review and develop risk management processes. In short, these people set up the policies that determine who has access to specific SAP functions and data, and the processes that keep any one individual from having too much access without enough oversight.
SAP security. This role deals with day-to-day segregation of duties, authorizations, and implementation of security policies. This team handles user role change requests, role mapping, troubleshooting user access problems, and ensuring that processes and policies are adhered to.
IT/IS (information security). This role (which can also fall under the aegis of Information Security) deals with the protection of online data and systems. This team handles the security of files, networks and endpoints, the installation and maintenance of firewalls, and the monitoring of activity, among many other tasks.
Where Is the SAP Cybersecurity Gap?
One would think that between these three roles, SAP cybersecurity would be well and truly covered. Unfortunately, that isn’t always the case. As our friends at Onapsis have identified, SAP security teams tend to believe they have security covered through their processes, segregation of duties and access controls.
So, that leaves the IT/IS team to cover SAP cybersecurity, right?
Well, as it turns out, it’s not quite that simple.
While IS/IT professionals are experts at keeping operating system files and networks safe, SAP is a discrete system with its own structure and its own risks. Protecting it adequately therefore requires a separate layer of expertise.
And unfortunately, that expertise is hard to find. There is already a worldwide cybersecurity skills shortage. Time-crunched IT/IS teams are scrambling just to keep up with threats targeting standard servers and applications, and they are rarely able to devote the considerable time and resources needed to gain any meaningful expertise in SAP cybersecurity.
The problem is exacerbated by the fact that some tasks don’t lend themselves to a cut-and-dried delegation of duties. For example, consider keeping SAP updated with patches. Some patches are cybersecurity-related, but many are not: Whose job should it be to stay on top of these updates and patches?
Bridging the SAP Security/SAP Cybersecurity Gap
The question is: Where is the gap in your organization? To figure this out, it’s important to take the time to sit down and figure out the many roles and responsibilities that go into keeping your SAP system and applications secure from internal and external threats.
From there, have an honest look at the resources you have available. Does your existing team have the time and the expertise to manage all aspects of SAP security and SAP cybersecurity? If so, great! By clearly delineating duties and reporting, you can ensure that all gaps in responsibility are eliminated.
But what if your existing team can’t do it all? This is a common situation – after all, as we mentioned, SAP cybersecurity expertise is not particularly easy to come by. At this point, it’s wise to consider external solutions or teams that will cover any skill or bandwidth shortages.
By being fully aware of what’s needed to keep your SAP system completely secure, and by also being aware of what your team can and should be doing, you can much more easily identify any gaps, bridge them as efficiently and effectively as possible, and move forward with the confidence that your SAP system will remain safe from all threats.