Director of Strategic Alliances at ERP Maestro. Ryan is an industry veteran and former IBM Security consultant.
Three Cybersecurity Best Practices for SAP You Should Know About
When people talk about cybersecurity, the focus is commonly limited to external concerns such as firewall configuration, network segmentation, cloud security, and so on. Today, however, the conversation cannot end there; it needs to extend deeper, to an organization’s internal applications.
Below are several cybersecurity best practices that take internal cyber defense into account. This is not an exhaustive list, because threat actors and their tactics evolve daily. The focus is on three critical best practices that are industry- and application-agnostic, with an emphasis on SAP applications.
1. Routine health checks of SAP ERP applications – Why? Outdated systems are not secure systems!
I can’t emphasize this point enough: SAP Security Notes are as important today as ever, especially as more organizations consciously expose ERP systems to the outside world. Security patching is a practice every organization must adopt. SAP Security Patch Day takes place on the second Tuesday of each month, when SAP publishes an updated list of Security Notes in the SAP Community Wiki. SAP uses the Common Vulnerability Scoring System (CVSS) to help customers understand the severity of each vulnerability and to support prioritization. Below is an example process workflow that organizations can adopt to review SAP Security Notes effectively.
The following are three key process steps during a review:
- Check which Security Notes are relevant for the various systems in your landscape
- Perform an analysis of the criticality and potential impact of each in-scope Security Note
- Decide the timing: which Security Notes to apply immediately and which to defer to a later window
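The three review steps above, carried out as an added Python example that is not part of the original post: step 1 matches each note's affected component releases against a landscape inventory, step 2 rates the note using the CVSS v3 qualitative bands, and step 3 applies an assumed triage policy (immediate for High/Critical, for a publicly exploited note, or for a Medium note on an internet-facing system; otherwise deferred). Note IDs, scores, releases and system names are constructed sample data, not real SAP Security Notes.

```python
from dataclasses import dataclass

# CVSS v3 qualitative severity bands (SAP calls the top band "HotNews").
def cvss_severity(score: float) -> str:
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"

@dataclass(frozen=True)
class SecurityNote:
    note_id: str          # constructed placeholder, not a real SAP note number
    component: str        # software component the note corrects
    affected: tuple       # releases that need the correction
    cvss: float
    exploit_public: bool = False

@dataclass(frozen=True)
class SapSystem:
    sid: str
    components: dict      # component -> installed release
    internet_facing: bool = False

def relevant_systems(note, landscape):
    """Step 1: systems running an affected release of the note's component."""
    return [s.sid for s in landscape if s.components.get(note.component) in note.affected]

def triage(notes, landscape, immediate_from=7.0):
    """Steps 2 and 3: rate each in-scope note and decide when to apply it."""
    plan = {}
    for note in notes:
        systems = relevant_systems(note, landscape)
        if not systems:          # no affected release installed: out of scope
            continue
        exposed = any(s.internet_facing for s in landscape if s.sid in systems)
        # Assumed policy: apply now for High/Critical, for any note with a public
        # exploit, or for a Medium note on an internet-facing system; else defer.
        now = note.cvss >= immediate_from or note.exploit_public or (exposed and note.cvss >= 4.0)
        plan[note.note_id] = {"severity": cvss_severity(note.cvss), "systems": systems,
                              "action": "immediate" if now else "next maintenance window"}
    return plan
# Constructed sample landscape and notes (fictitious IDs, scores and releases).
LANDSCAPE = [SapSystem("PRD", {"SAP_BASIS": "750", "SAP_ABA": "750"}, internet_facing=True),
             SapSystem("DEV", {"SAP_BASIS": "740", "SAP_ABA": "740"})]
NOTES = [SecurityNote("NOTE-A", "SAP_BASIS", ("740", "750"), 9.8),
         SecurityNote("NOTE-B", "SAP_ABA", ("740",), 5.3),
         SecurityNote("NOTE-C", "SAP_ABA", ("750",), 6.5),
         SecurityNote("NOTE-D", "SAP_BASIS", ("731",), 7.5)]
```

Running `triage(NOTES, LANDSCAPE)` drops NOTE-D (no system on release 731), schedules NOTE-A and NOTE-C immediately, and defers NOTE-B to the next maintenance window.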
2. Build with security in mind – Why? Security needs to be in the initial conversation, not an afterthought.
Gone are the days of security as the black sheep in the room – security is now at the beginning of the conversation. This is true for new implementations and ongoing support procedures alike. Make sure to devote the right resources (time, money, tools, and people) to your organization’s development and change management processes. Security is a critical cog in these processes: it is how new risks are identified and tested for when controls are implemented in any application. By embedding security in the design process, organizations greatly reduce their costs by avoiding rework, regulatory fines, and reputational damage in the event that insecure applications are promoted to a production environment.
For SAP environments, a wide array of tools can support proactive tactics, such as application code scanners, penetration-testing and vulnerability-scanning tools, and GRC tools, to name a few. Equally important to improving an organization’s risk posture, however, is an effective Software Development Lifecycle (SDLC) that properly incorporates people, processes, and technology.
3. Automate GRC activities – Why? Reduce human error and optimize processes with GRC tools that provide completeness and accuracy.
Without such a guarantee of accuracy, internal and external auditors will be at a loss when performing reviews, which ultimately increases the cost and time spent on manual audits. According to a May 2018 Americas’ SAP Users’ Group (ASUG) survey of executives and IT, security and audit professionals, GRC challenges such as user provisioning, user access reviews, and segregation of duties (SoD) analysis decrease as automation increases.
As organizations develop and update cybersecurity strategies, GRC access control is of the utmost importance for protecting SAP environments. A GRC access control tool should have the functionality to assist with the strategies described in our infographic, Reducing Insider Risks in Six Easy Steps. To fully optimize an organization’s security efforts, an integrated, end-to-end automated GRC tool is critical to gauging the pulse of an organization’s risk and level of compliance. Over time, management should see risks decrease; otherwise, it’s time to revamp the strategy.
In conclusion, internal threats are an important aspect of every organization’s cybersecurity strategy. The best practices above are merely the tip of the iceberg when it comes to fully securing an organization in a compliant, effective manner.
For solid advice on creating a holistic cybersecurity strategy to guard against both internal and external threats, view the on-demand webinar: Protecting Your Assets in SAP – A Holistic Approach.