Posted: 10 Sep. 2024, 3 min reading time

Safeguarding SAP S/4HANA today to avert expenses tomorrow

Cybersecurity and Privacy Matter in S/4HANA Projects

This blog is part of our Nordic blog series, “Why cybersecurity and privacy matter in S/4HANA projects”. Explore other blog posts from this series here:
Part 1 - Setting the scene
Part 2 - Know your data
Part 3 - Ownership & governance
Part 4 - Access management & available tools
Part 5 - Security hardening, monitoring & available tools
____

SAP is a versatile and effective “business out of the box” solution that provides a variety of API possibilities, seamless workflows and interoperability with nearly all other systems, supporting business operations and helping drive profitability. As organisations tap into the full potential of SAP, the need for robust security measures becomes increasingly important. While SAP cannot guarantee that its products are “secure out of the box”, the same versatility that makes it an outstanding business tool also means it is prone to vulnerabilities. Every aspect of customisation, hardening, logging, privacy and vulnerability mitigation in SAP landscapes requires specific and extensive knowledge.

Investing in cybersecurity at the outset of extensive SAP projects is critical in preventing potential negative consequences. Security measures that fall short may have negative consequences that include significant financial losses, emergency security operations leading to system shutdowns, regulatory penalties, reputational harm and unanticipated expenses as a result of emergency IT support and resource allocation.

Understanding and implementing SAP security measures

Navigating SAP security necessitates an unceasing awareness of evolving privacy needs, compliance requirements and dynamic threats. Over the years, security considerations have not consistently held a central position in projects; they have often been missing from business plans and have occasionally not even been recognised as an essential requirement. This has led to a gradual accumulation of security gaps, complicating mitigation over time. As organisations contemplate the transition to S/4HANA, Deloitte emphasises how crucial it is to prioritise security. Doing so not only strengthens your SAP system from the outset, but also allows you to enjoy the advantages of improved security measures. This proactive approach not only saves substantial additional costs but also helps to mitigate risks and ensure a smooth transition to S/4HANA. You may now set up a secure SAP environment and put your security strategy in place right from the start.

The backbone of SAP’s operational capabilities rests in its technical foundation, termed SAP Basis, that ensures the seamless functioning of SAP applications. However, when it comes to security, the responsibility does not fall on the shoulders of SAP Basis alone. In reality, the process entails a collaborative effort by various teams — including the platform, database, network, business, developers, key users and the cybersecurity teams. Moreover, the organisation’s privacy and compliance team plays a crucial role in SAP security, ensuring alignment between the organisation’s use of SAP and relevant privacy regulations and compliance standards.

The list of security hardening items for S/4HANA is long, but to name a few, it includes the following:

  • Message servers
  • Gateways
  • Portals
  • Internet communication manager (ICM)
  • Remote function calls (RFCs)
  • Security audit logs (SALs)
  • Unified connectivity (UCON)
  • Secure network communication (SNC – Encryption)
  • Database audit trails
  • Read access logging (RAL)
  • Code reviews
  • User interfaces (SAP Gui / Web Gui / NWBC / Fiori / Cockpit / HANA Studio / Secure Client)
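As an added illustration that is not part of the post, the following Python checker reads SAP instance-profile parameters and flags weak settings for several of the listed items (message server, gateway, security audit log, SNC, UCON). The parameter names are SAP profile parameters; the sample profile and the expected baseline values are assumptions and must be verified against the SAP security notes that apply to your release.

```python
# Constructed sample instance profile (DEFAULT.PFL style "name = value" lines).
SAMPLE_PROFILE = """\
# message server: no ms/acl_info file, external monitoring left open
ms/monitor = 1
gw/acl_mode = 0
rsau/enable = 0
snc/enable = 1
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 0
"""

# Assumed hardened baseline (not from the post): (parameter, expected, area);
# expected=None means the parameter must be set to a non-empty value.
BASELINE = [
    ("ms/acl_info", None, "Message server"),       # ACL for app-server logon
    ("ms/monitor", "0", "Message server"),         # no external monitoring
    ("gw/acl_mode", "1", "Gateway"),               # restrictive defaults
    ("gw/sec_info", None, "Gateway"),              # external program ACL
    ("gw/reg_info", None, "Gateway"),              # registered server ACL
    ("rsau/enable", "1", "Security audit log"),    # SAL switched on
    ("snc/enable", "1", "SNC"),                    # SNC available
    ("snc/accept_insecure_gui", "0", "SNC"),       # reject unencrypted GUI
    ("snc/accept_insecure_rfc", "0", "SNC"),       # reject unencrypted RFC
    ("ucon/rfc/active", "1", "UCON"),              # UCON RFC checks active
]

def parse_profile(text):
    """Return {parameter: value} from profile text; comments and blanks skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")   # split on the first '=' only
        if sep:
            params[name.strip()] = value.strip()
    return params

def check_hardening(params):
    """Return (area, parameter, actual, expected) for every setting off baseline."""
    findings = []
    for name, expected, area in BASELINE:
        actual = params.get(name, "")
        if expected is None and not actual:
            findings.append((area, name, "<not set>", "<set>"))
        elif expected is not None and actual != expected:
            findings.append((area, name, actual or "<not set>", expected))
    return findings
```

Running `check_hardening(parse_profile(SAMPLE_PROFILE))` on the constructed profile returns eight findings, one per weak or missing parameter; a profile that matches the baseline returns an empty list.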

Furthermore, user roles and authorisations play a crucial role in safeguarding sensitive data and ensuring the integrity of the SAP environment — critical aspects that directly impact regulatory compliance and data governance.

Utilise this unique opportunity and secure your SAP right from the start

Prioritising security concerns from the outset should be a “no brainer”. When your organisation is planning a Greenfield or Brownfield implementation, you can proactively establish your security parameters already during the planning phase, without impacting the business processes of the productive environments. Plan ahead for necessary adaptations and enhanced security measures.

Ensure your organisation’s security teams are onboarded to your SAP projects and consistently informed. Avoid skipping over any security matters and maintain a firm approach to them throughout your SAP landscapes — or any crown jewel — and start off your S/4HANA journey with a fresh and secure platform.

We suggest keeping it simple and structured, and recommend the following approach:

  • Assess your landscapes. Even in the event of significant challenges, have the courage to thoroughly examine the situation and, above all, maintain honesty in your assessment. When confronted with challenges, address them promptly rather than as a “post-mortem” exercise. We suggest considering the Security Maturity Model approach as it is not a one-time audit-style assessment and instead offers a comprehensive overview of both mature areas and potential areas of improvement.
  • Prioritise actions. Which challenges can you address that could have the most impact? What implementations are the easiest? What actions can be directly integrated during the landscape set-up? Regardless of your prioritisation strategy, the most important objective is to initiate and sustain progress.
  • Implement your plan. Upon finalising your plan, start implementing it. Establish a network with robust security measures, ensure the platform remains up-to-date and regularly patched, plan ahead for future releases and upgrades, and devise a comprehensive strategy for fail-over and resilience. Most importantly, formulate a continuous process with which to keep security measures within the SAP sphere and foster the maturation of security protocols.
  • Ask for help. If you have any questions, want to assess your landscapes, want to know how to improve a certain area of security in your SAP landscapes, face challenges in identifying or mitigating risks, want to expand your tooling or simply want a “second opinion”, please do not hesitate to reach out to professionals.

Our team is available to assist and advise you on securing your SAP landscapes so that your SAP platform is operating securely.

___
Authors:

Christian Wischnack

Get in touch with our team

Reach out to your local S/4HANA & cybersecurity contact:

Finland & Denmark

Jouni Viljanen

Operational Risk Leader

Jouni leads the Operational Risk Management services at Deloitte Finland. His particular expertise lies in leveraging technology and analytics in organisations' risk management and internal control. He also has long experience in IT risk management and in auditing IT control environments and information security as part of internal and external audits. Jouni is working as partner in Operational Risk services at Deloitte Finland. His special expertise is to leverage modern technology and analytics in Risk Management and Internal Controls. He has long experience in risk management and leading the audits of IT controls and IT security as a part of external and internal audits.

Anh Nguyen

Partner

Anh is part of the technology-enabled GRC team, focusing on business-driven transformations from an Internal Controls and Compliance perspective. He has extensive experience designing and optimizing Risk Management processes and frameworks, including managing business impact and change management. Anh specialises in technology-enabled optimisation that incorporates innovation in transformation projects, turning risks into competitive advantage.

Norway & Sweden

Erling Pettersen Hessvik

Partner

Erling is a partner in Risk Advisory and helps our clients manage technology risk and cybersecurity.

Peter Ostlund

Partner

Peter Östlund is a Partner within Risk Advisory. He is responsible for our IT Risk and Assurance services. He has many years of experience working with IT and cyber risks, information security, IT audit and third-party assurance reports. Peter holds a master's degree in Computer Science and a bachelor's degree in Business Administration from Uppsala University, Sweden.