SAP S/4 HANA transition cannot be avoided, but it can be managed well

What can the new version do?

S/4 HANA is SAP's next-generation platform. It can already be seen that its implementation will bring technological changes at least as important as the change from R/2 to R/3. At that time, nearly 30 years ago, SAP switched from mainframe systems to a client/server architecture. The new platform enables real-time data analysis and forecasting with a simplified data structure.

Get ready for change!

Although there are still a few years to go until 2027, those with foresight should start developing their S/4 HANA implementation strategy now. The transition to S/4 will impact every segment of your business, so strategic planning requires significant resources and organization. The remaining preparation time does not seem so long in light of this. Process efficiency, information security and legal compliance should be among the most important pillars of this strategy.

But let’s look at the bright side! The S/4 HANA transition gives companies the opportunity to start with a clean slate in terms of process, information security and compliance with a new generation SAP platform

- says Zoltán Szöllősi, Director of
IT risk management services at Deloitte.

Ways of S/4 HANA implementation

S/4 HANA can be implemented in a number of ways, depending on the system maturity and how long the company has been using the system. There are basically 3 implementation scenarios:
 

1. Greenfield S/4 HANA implementation: this approach is suitable for companies that have not used SAP systems before or want to completely replace their existing ECC (which is the most modern version of the R/3 platform) systems.

2. Brownfield S/4 HANA implementation: companies that wish to upgrade their SAP ECC system to S/4 HANA fall into this category. For these companies, a technical migration of their current systems seems to be the most sensible strategy, as many of the design decisions have already been made and the process, security and compliance configuration has been set up in the ECC system. The focus here is to ensure and test that this configuration and the existing controls work well in the S/4 HANA environment.

3. Bluefield S/4 HANA implementation: the third category includes companies that are already using SAP ECC, but see the migration from ECC to S/4 as an opportunity to start afresh. These companies see the time as right to rethink their business processes and plan to upgrade the functionality of their current systems, in addition to the technical migration.

Challenges and risks

What are the SAP security and authorization challenges that all companies face when implementing S/4 HANA, regardless of the implementation scenario chosen? Let's look at the four risks that are considered the most important!

1. Business process re-engineering will lead to changes in SAP roles: the move from SAP ECC to S/4 offers an opportunity to re-engineer business processes, which most companies will probably take advantage of to a greater or lesser extent. However, it will also require a restructuring of the SAP roles involved.

2. Critical Segregation of Duties (SoD) risks may be present in S/4 HANA roles. These risks are almost impossible to identify and remedy without the right SoD tools. If there is no adequate tool to identify and detect these risks, the SAP system will be vulnerable to conflict of interest at the SAP application level, where a significant portion of the data assets are stored.

3. Inappropriate design of the Fiori configuration. The Fiori interface is the new face of S4 HANA, providing access to traditional and next-generation SAP applications with a new, modern look and feel. As the Fiori interface is often used outside the corporate firewall on mobile devices, the potential for public attack increased.

4. Security of the HANA databases. Ensuring proper security of the database has also become a direct task of the SAP S/4 HANA project, which in previous versions was the responsibility of dedicated teams of database vendors. The design of the S/4 HANA database security should fit into the overall S/4 HANA security strategy.

Learn from past mistakes

In summary, we need to learn from the mistakes of previous SAP implementations, where security and authorization issues were only clarified at the end of the project and ended up resulting in costly security patches.

- said György Kálmán, SAP security expert at Deloitte.

Business process design and security, as well as legal compliance should be a priority from the design phase. It makes sense to engage experienced experts with the right skills and technical tools to develop a comprehensive S/4 HANA strategy and successfully implement S/4 HANA.