This blog is part of our Nordic blog series, “Why cybersecurity and privacy matter in S/4HANA projects”. Explore other blog posts from this series here:
Part 1 - Setting the scene
Part 2 - Know your data
Part 3 - Ownership & governance
Part 4 - Access management & available tools
Part 5 - Security hardening, monitoring & available tools
____
SAP is a versatile and effective “business out of the box” solution that provides a variety of API possibilities, seamless workflows and interoperability with nearly all other systems, supporting business operations and helping drive profitability. As organisations tap into the full potential of SAP, the need for robust security measures becomes increasingly important. While SAP cannot guarantee that its products are “secure out of the box”, the same versatility that makes it an outstanding business tool also means it is prone to vulnerabilities. Each customisation aspect, hardening, logging, privacy and vulnerability mitigation for SAP landscapes requires specific and extensive knowledge.
Investing in cybersecurity at the outset of extensive SAP projects is critical in preventing potential negative consequences. Security measures that fall short may have negative consequences that include significant financial losses, emergency security operations leading to system shutdowns, regulatory penalties, reputational harm and unanticipated expenses as a result of emergency IT support and resource allocation.
Navigating SAP security necessitates an unceasing awareness of evolving privacy needs, compliance requirements and dynamic threats. Over the years, security considerations have not consistently held a central position in projects; they have often been missing from business plans, and they have occasionally not even been recognised as an essential requirement. This has led to a gradual accumulation of security gaps, complicating mitigation over time. As organisations contemplate the transition to S/4HANA, Deloitte emphasises how crucial it is to prioritise security. Doing so not only strengthens your SAP system from the outset, but also allows you to enjoy the advantages of improved security measures. This proactive approach not only saves substantial additional costs but also helps to mitigate risks and ensure a smooth transition to S/4HANA. You may now set up a secure SAP environment and put your security strategy in place right from the start.
The backbone of SAP’s operational capabilities rests in its technical foundation, termed SAP Basis, that ensures the seamless functioning of SAP applications. However, when it comes to security, the responsibility does not fall on the shoulders of SAP Basis alone. In reality, the process entails a collaborative effort by various teams — including the platform, database, network, business, developers, key users and the cybersecurity teams. Moreover, the organisation’s privacy and compliance team plays a crucial role in SAP security, ensuring alignment between the organisation’s use of SAP and relevant privacy regulations and compliance standards.
The range of items on the security hardening list for S/4HANA is huge, but to name a few, they include the following:
Furthermore, user roles and authorisations play a crucial role in safeguarding sensitive data and ensuring the integrity of the SAP environment — critical aspects that directly impact regulatory compliance and data governance.
Prioritising security concerns from the outset should be a “no brainer”. When your organisation is planning for a Greenfield or Brownfield implementation, you can proactively establish your security parameters during the planning phase without impacting the business processes of the productive environments. Plan ahead for necessary adaptations and enhanced security measures.
Ensure your organisation’s security teams are onboarded to your SAP projects and consistently informed. Avoid skipping over any security matters and maintain a firm approach to them throughout your SAP landscapes — or any crown jewel — and start off your S/4HANA journey with a fresh and secure platform.
We suggest keeping it simple and structured, and recommend the following approach:
Our team is available to assist and advise you on securing your SAP landscapes so that your SAP platform is operating securely.
___
Authors:
Christian Wischnack
Jouni works as a partner in Operational Risk services at Deloitte Finland. His special expertise is leveraging modern technology and analytics in risk management and internal controls. He has long experience in IT risk management and in leading audits of IT controls and IT security as part of external and internal audits.
Anh is part of the technology-enabled GRC team focusing on business-driven transformations from an Internal Controls and Compliance perspective. He has extensive experience designing and optimizing Risk Management processes and frameworks, including managing business impact and change management. Anh is specialized in technology-enabled optimization incorporating innovation in transformation projects, turning risks into competitive advantage.
Erling is a partner in Risk Advisory and helps our clients manage technology risk and cybersecurity.
Peter Östlund is a Partner within Risk Advisory. He is responsible for our IT Risk and Assurance services. He has many years of experience working with IT and Cyber Risks, Information security, IT audit and third-party assurance reports. Peter holds a master's degree in Computer Science and a bachelor's degree in Business Administration from Uppsala University, Sweden.