SAP Security and the Risk to the Value Chain

There is a lot of discussion in risk management circles on how risks within the value chain can often be ignored. Paul Proctor, Vice President of Research at Gartner, recently presented a webcast titled “Digital Business and the CIO’s Relationship with Risk.” He indicates:

“If businesses start to address risks within the value chain, they will become more competitive, grow faster and add value to the business decision makers.”

Take a moment and think about how SAP supports an organization’s value chain. Organizations use SAP to track and manage, in real-time, sales, production, finance accounting and human resources in an enterprise.

Specific examples include:
Finance: General Ledger (GL), Account Payable (AP), Account Receivable (AR) and Asset Accounting.
Controlling: Includes Cost Center Accounting, Profit Center Accounting (PCA) Product Costing, Profitability Analysis and Internal Order (IO).
Sales and Distribution: Customer master data, sales, plants, sales organizations and sales conditions.
Human Resource: Resource hiring, salary, employee benefits etc. It is highly integrated with finance and controlling (FICO) modules.
Project Systems: Budgeting, planning, forecasting.


Other key systems such as email, web front end apps, and Microsoft applications also support the value chain and are of focus for many traditional perimeter and archaic security technologies. However, though these systems are important, are they as critical to the value chain as SAP?

I’ve found that many organizations assume that a combination of reactive security measures (i.e. perimeter-based, static controls and siloed management systems) is enough to “cover all their SAP Bases” (no pun intended). To ensure that risks within the value chain are properly addressed, security and SAP teams must work together and take an adaptive approach to securing their business-critical applications.

This approach includes:
◾Transforming compliance initiatives to include SAP systems in audits.
◾Deploying an effective approach for implementing efficient, automated and integrated ways to measure, monitor and review the state of compliance on SAP applications.
◾Performing risk analytics with an established risk model that identifies, assesses and tracks emerging risks to key data and processes running on SAP.
◾Ensuring the organization includes business context in the risk analytics information to ensure preparation for major events that can impact reputation.

One risk calculation for determining the impact of risks to SAP applications should include the probability of a compromise to SAP applications and expected impact of loss when compromised. In fact, on CISO of a fortune 500 company recently stated, “If our company’s SAP System is breached, it will cost us $22M per minute”. Knowing that there is that much on the line makes it imperative for an organization to have an adaptive security approach in place. To do so, organizations need to have ensured visibility into all SAP assets, the vulnerabilities that are prevalent on the systems, and any already compromised SAP assets. Additionally, it is crucial to prioritize the fixes based on business context and ultimately impact. Finally, organization must put in place proactive and behavioral based controls that continuously monitor key business-critical applications.

Leading organizations have embraced the fact that their SAP infrastructure is not secure and have already begun taking a different approach to SAP security. Being proactive, and identifying gaps in existing security plans before an attack takes place is now critical for success.

Over the course of the last month, Adrian has published an ongoing blog series titled “Building an Enterprise Application Security Program.” This is a great series with use cases and recommendations for best practices around how to build an effective security program for your SAP landscape. During the live webcast, Adrian will expand on the issues presented in his blog, and will discuss security challenges that are likely facing your organization.

For more information on SAP security recommendations visit the Onapsis Blog at: