{"version":"1.0","provider_name":"Sify Technologies","provider_url":"http:\/\/www.sifytechnologies.com\/us","author_name":"Naveenkumar Chellamuthu","author_url":"http:\/\/www.sifytechnologies.com\/us\/author\/naveenkumar-chellamuthu\/","title":"SAP Security \u2013 A Holistic View - Sify Technologies","type":"rich","width":600,"height":338,"thumbnail_url":"http:\/\/www.sifytechnologies.com\/us\/wp-content\/uploads\/2022\/06\/SAP-Blog-Web-Banner-01.jpg","thumbnail_width":1350,"thumbnail_height":500,"description":"With 90%+ of Fortune-500 organizations running SAP to manage their mission-critical business processes, and considering the much greater risk of a cyber-security breach in today\u2019s volatile and tech-savvy geo-socio-political world, the security of your SAP systems deserves far more serious consideration than ever before. 
Incidents such as hacked websites, successful Denial-of-Service attacks and stolen user data (passwords, bank account numbers and other sensitive data) are on the rise. Taking a holistic view, this article captures possible ways and remediations to plug the gaps in the various layers, right from the operating system level to the network level, the application level and the Cloud, and everything in between. The related SAP products\/solutions and best practices are also addressed in the context of security. 1. Protect your IT environment. Internet Transaction Server (ITS) Security: To make an SAP system application available for safe access from a web browser, a middleware component called Internet Transaction Server (ITS) is used. The ITS architecture has many built-in security features. Network Basics (SAP Router, Firewalls and Network Ports): The basic security tools that SAP uses are firewalls, network ports and SAP Router. SAP Web Dispatcher and SAP Router are examples of application-level gateways that can be used for filtering SAP network traffic. Web-AS (Application Server) Security: SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client. SSL authenticates the communication partners (server & client) and negotiates the parameters of the encrypted connection. 2. Operating System Security hardening for HANA: SAP pays high attention to security. At least as important as the security of the HANA database is the security of the underlying operating system. Many attacks target the operating system rather than the database directly. Once an attacker has gained access and sufficient privileges, they can continue to attack the running database application. 
Customized operating system security hardening for HANA includes: security hardening settings for HANA; the SUSE\/RHEL firewall for HANA; and minimal OS package selection (the fewer OS packages a HANA system has installed, the fewer possible security holes it has). For any server hardening, the following procedure is used: benchmark templates used for hardening; hardening parameters considered; steps followed for hardening; post-hardening test by the DB\/application team. The above procedure should help SAP customers secure their servers (mostly on HP UNIX, SUSE Linux, RHEL or Wintel) from threats, known\/unknown attacks and vulnerabilities. It also adds one more layer of security at the host level. 3. SAP Application (Transaction-level security): SAP security has always been a fine balancing act between protecting SAP data and applications from unauthorized use and access and, at the same time, allowing users to run the transactions they\u2019re supposed to. A lot of thought needs to go into designing the SAP authorization matrix, taking into account the principle of segregation of duties (SoD). The Business Transaction Analysis (transaction code STAD) delivers workload statistics across business transactions (that is, a user\u2019s transaction that starts when a transaction is called (\/n\u2026) and ends with an update call or when the user leaves the transaction) and jobs. STAD data can be used to monitor, analyse and audit transaction usage and to maintain security against unauthorized transaction access. 4. SAP GRC: SAP GRC (Governance, Risk & Compliance), a key offering from SAP, has the following sub-modules: Access Control: the SAP GRC Access Control application enables the reduction of access risk across the enterprise by helping prevent unauthorized access across SAP applications and achieving real-time visibility into access risk. 
Process Control: SAP GRC Process Control is an application used to meet production business process and information technology (IT) control monitoring requirements, as well as to serve as an integrated, end-to-end internal control compliance management solution. Risk Management: an enterprise-wide risk management framework with key risk indicators and automated risk alerts from business applications. 5. SAP Audit \u2013 AIS (Audit Information System): AIS, or Audit Information System, is an in-built auditing tool in SAP that you can use to analyse the security aspects of your SAP system in detail. AIS is designed for business audits and systems audits. It presents its information in the Audit Info Structure. Besides this, there can be a license audit by SAP and\/or by your company\u2019s auditing firm (such as Deloitte\/PwC). Basic Audit: here the SAP auditors collaborate closely with a given license compliance manager, who is responsible for ensuring that the audit activities correspond with SAP\u2019s procedures and directives. The number of basic audits undertaken is subject to SAP\u2019s yearly planning, and it is worth noting that not all customers are audited annually. The auditors perform the tasks below (though they will vary a bit from organization to organization and from auditor to auditor): analysis of the system landscape to make sure that all relevant systems (production and development) are measured; technical verification of the USMM log files (correctness of the client, price list selection, user types, dialog users vs. technical users, background jobs, installed components, etc.); technical verification of the LAW (users\u2019 combination and their count, etc.); analysis of engine measurement and verification of the SAP Notes; additional verification of expired users, multiple logons, late logons, workbench development activities, etc.; verification of Self Declaration Products, HANA measurement and BusinessObjects. 
SAP Enhanced Audit: an enhanced audit is performed remotely and\/or onsite and is addressed to selected customers. Besides the tasks undertaken in the Basic Audit, it additionally covers: checking interactions between SAP and non-SAP systems; data flow direction; and details of how data is transferred between systems\/users (EDI, IDoc, etc.). 6. Security in SAP S\/4HANA and SAP BW\/4HANA: SAP S\/4HANA and SAP BW\/4HANA use the same security model as traditional ABAP applications. All the components\/security solutions explained earlier are fully applicable to S\/4HANA as well as BW\/4HANA. However, there are increased security challenges posed by their component SAP Fiori, which brings in mobility. Increased mobility means that data can be transferred over a 4G signal, which is not as secure and is easier to hack into. If a device falls into the wrong hands due to theft or loss, that person could then gain unlawful access to your system. Its remediation is elaborated next. 7. Security in Fiori: When an SAP Fiori app is launched, the request is sent from the client to the ABAP front-end server by the SAP Fiori Launchpad via the Web Dispatcher. The ABAP front-end server authenticates the user when this request is received, using the authentication and single sign-on (SSO) mechanisms provided by SAP NetWeaver. Securing the SAP Fiori system ensures that the information and processes support your business needs and are secured against any unauthorized access to critical information. The biggest threat for an SAP mobile app is the risk of an employee losing important customer data. The good thing about mobile SAP is that most mobile devices are enabled with remote wipe capabilities. And many of the CRM-related functions that organizations are looking to use on mobile phones are cloud-based, which means the confidential data does not reside on the device itself. 
SAP Afaria, one of the most popular mobile SAP security solutions, is used by many large organizations to enhance security in Fiori. It helps to connect mobile devices such as smartphones and tablet computers. Afaria can automate electronic file distribution, file and directory management, notifications, and system registry management tasks. Critical security tasks include regularly backing up data, installing patches and security updates, enforcing security policies and monitoring security violations or threats. 8. SAP Analytics Cloud (SAC): SAP Analytics Cloud (or SAP Cloud for Analytics) is a software as a service (SaaS) business intelligence (BI) platform designed by SAP. Analytics Cloud is made specifically with the intent of providing all analytics capabilities to all users in one product. Built natively on SAP HANA Cloud Platform (HCP), SAP Analytics Cloud allows data analysts and business decision makers to visualize, plan and make predictions, all from one secure, cloud-based environment. With all the data sources and analytics functions in one product, Analytics Cloud users can work more efficiently. It is seamlessly integrated with Microsoft Office. SAP Analytics Cloud uses the same security model as traditional ABAP applications: the concepts of roles, users, teams, permissions and auditing activities are available to manage security. 9. Identity Management: SAP Identity Management is part of a comprehensive SAP security suite and covers the entire identity lifecycle, with automation capabilities based on business processes. It takes a holistic approach towards managing identities & permissions. It ensures that the right users have the right access to [\u2026]"}