SAP Security Pillar

SAP Security

By definition as a software vendor, SAP solutions may contain sensitive business and personal information which must be safeguarded from improper access and stored in conjunction with a number of privacy and security laws.

 

SAP takes security seriously and has developed a robust set of best practices and applications to ensure that data is secure and only accessible by those that should be accessing it. Further, SAP provides a handful of front-facing features for end users to utilize when performing their daily tasks and transactions.

 

Table of Contents

  1. General Security Concepts
  2. Security within SAP Solutions
  3. SAP's Security Solutions
    1. SAP Cloud Identity Access Governance
    2. SAP Code Vulnerability Analyzer
    3. SAP Data Custodian
    4. SAP Dynamic Authorization Management by NextLabs
    5. SAP EarlyWatch
    6. SAP Enterprise Digital Rights Management by NextLabs
    7. SAP Enterprise Threat Detection
    8. SAP Fortify by Micro Focus
    9. SAP Governance, Risk, and Compliance
    10. SAP Identity Management
    11. SAP Information Lifecycle Management
    12. SAP MaxAttention & SAP ActiveAttention
    13. SAP Trust Center
    14. SAP Watch List Screening
  4. Compliance
  5. Other Key SAP Security Terms
  6. Additional Resources
    1. Blog Posts
    2. Books by SAP PRESS
    3. Videos

 

General Security Concepts

SAP utilizes the following security concepts throughout its suites of products: segregation of duties, access control, cryptography, user management, data locking, multiple authorization roles, logging, user authentication, development testing such as ABAP debugging, field masking, UI logging, SSO, SSL, and SAML.

 

SAP Easy Access

 

SAP also encourages complex password requirements and provides vulnerability and penetration testing, multiple encryption types, and monitoring. Additionally, SAP offers a whole host of security options for individual databases such as Oracle, Microsoft SQL, and SAP HANA.

 

SAP releases regular security patches to its solutions, on the second Tuesday of every month, to fix any new vulnerabilities unearthed.

(Back to ToC.)

Security within SAP Solutions

SAP provides numerous business applications based on different architectures: NetWeaver AS ABAP and Java, BusinessObjects, SAP HANA, and cloud-based applications such as SAP SuccessFactors or SAP Ariba.

 

The first line of defense for each of these solutions are the system backends, where admins can implement security, define roles, create access requirements, and configure the concepts listed above. Additional security functionality exists within the solutions themselves as each has its own considerations. For example, cloud-based applications have different security needs than on-premise solutions.

(Back to ToC.)

SAP’s Security Solutions

Beyond basic system administration and solution-specific security, however, SAP offers multiple security-related products to be used in tandem with the existing functionality. Here are the key SAP security solutions.

 

SAP Cloud Identity Access Governance

SAP Cloud Identity Access Governance is a cloud-based tool for admins to use in simplifying governance processes. Functionality includes continuous access analysis, user assignment optimization, preconfigured audit reporting, and more.

 

SAP Code Vulnerability Analyzer

Also known as SAP NetWeaver AS Code Vulnerability Analysis (CVA), the SAP Code Vulnerability Analyzer is an ABAP add-on that analyzes source code and secures it from potential attacks before delivering applications to end users.

 

SAP Data Custodian

SAP Data Custodian is a solution for public cloud users to consult when looking for security information on their specific cloud, providing greater transparency and increased trust for those involved in the public cloud.

 

SAP Dynamic Authorization Management by NextLabs

This application is a joint venture between SAP and NextLabs, a data security software firm. SAP Dynamic Authorization Management provides secure collaboration tools so stakeholders across the business network can work together, regardless of whether they’re employed by the same company.

 

SAP EarlyWatch

SAP EarlyWatch is a diagnostic tool that provides solution status, health, performance, growth, and security checks. Admins can set up automated SAP EarlyWatch Alert reports to see what needs attention. Additionally, these reports will call out critical SAP Notes and configurations that have yet to be implemented in a system. SAP EarlyWatch is available to any customer with an SAP Solution Manager system.

 

SAP EarlyWatch

 

SAP Enterprise Digital Rights Management by NextLabs

Another collaborative project with NextLabs, SAP Enterprise Digital Rights Management focuses on file protection including encryption, access rights management, and more.

 

SAP Enterprise Threat Detection

SAP Enterprise Threat Detection is a tool that leverages SAP HANA to process large amounts of security events in real time, such as a cyber attack. It offers insight on how to neutralize attackers and find anomalies or damage in the system landscape following an intrusion.

 

SAP Fortify by Micro Focus

SAP Fortify is an application quality management and security vulnerability testing tool that helps admins both plan security infrastructure and keep existing functionality in top shape. SAP Fortify provides businesses with a central security center, static code analyzer, and automation capability to identify and fix issues as they become known.

 

SAP Governance, Risk, and Compliance

SAP Governance, Risk, and Compliance (SAP GRC) is a suite of solutions focused on managing multiple aspects of a business. Security components include process and access control for authorizations, audit management tools, and business integrity screening to detect fraud and screen potential business partners.

 

SAP Identity Management

SAP Identity Management is a tool used to cover the entire identity lifecycle of a person. With this tool, admins can ensure that the people accessing data in a system are who they say they are. Similar to the SAP GRC Access Control functionality, SAP Identity Management provides password self-service capabilities to users and helps in role provisioning.

 

SAP Information Lifecycle Management

SAP Information Lifecycle Management (SAP ILM) is a tool that allows the blocking and deletion of data from an SAP system. This is especially important in instances where data privacy laws such as the General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA) require businesses to delete customer data upon request.

 

With SAP ILM, admins can create defined lifecycles for data; for example, how long to keep data (retention) and where to keep it prior to archival (residence). It also allows deletion exceptions for data used in legal proceedings, permanent data destruction, and secure data storage.

 

SAP MaxAttention & SAP ActiveAttention

SAP also offers several proactive security-related services under its MaxAttention and ActiveAttention support plans:

    • Reviewing the technical architecture of SAP security products and solutions
    • Defining unique security and compliance road maps
    • Identifying critical gaps and optimizing potential in security areas

SAP Trust Center

Because a majority of security concepts for cloud solutions, such as physical security, hardware, software platform, some applications, and more are the responsibility of SAP and not the customer, SAP has set up a public website that provides content on the ways SAP is securing their cloud products. It is called the SAP Trust Center and while not an SAP solution per se, should be mentioned in relation to SAP security.

 

SAP Cloud Trust Center

SAP Watch List Screening

SAP Watch List Screening helps vendors vet potential business partners to ensure they are not on watch lists published by governments and international organizations like the United Nations.

(Back to ToC.)

Compliance

With all these tools at its disposal, SAP is confident it is compliant toward multiple financial and security-related privacy laws, including but not limited to:

    • California Consumer Protection Act (CCPA)
    • Children’s Online Privacy Protection Rule (COPPA)
    • Data residency rules in China and Russia
    • EU Privacy Bill of Rights
    • EU Privacy Shield Framework
    • General Data Protection Regulation (GDPR)
    • General Data Protection Act (GDPA, also referred to as LGPD)
    • Health Insurance Portability and Accountability Act (HIPAA)
    • Personal Information Protection and Electronic Documents Act (PIPEDA)
    • The Privacy Act of Australia
    • Sarbanes Oxley Act (SOX)

(Back to ToC.)

Other Key SAP Security Terms

In addition to the information laid out above, there are a handful of important SAP security terms you should also know:

    • Kernel: A set of executables files and shared libraries that make up an SAP NetWeaver AS ABAP system.
    • Layers of assurance: Four SAP security principles that govern cloud security. They are contractual agreement, independent validation, security standards management, and secure architecture.
    • SAP Global Trade Services: A logistics solution focused on international trade with security consideration in regards to national security rules.
    • SAP HANA Cockpit: A monitoring, configuration, and performance tool used to set up and maintain security within SAP HANA.
    • SAP Identity Analytics: An application that identifies unused, actively used, and orphaned roles within a system.
    • SAP Master Data Governance: A data governance solution that defines how to manage data, who gets access, etc.
    • SAP S/4HANA Asset Management: A line of business dedicated to the lifecycle of physical assets, which may include security infrastructure.
    • SAP Solution Manager: An application lifecycle management platform used across all SAP solutions, including system monitoring and access control functionality.
    • Secure software development lifecycle (Secure SDL): A development methodology that SAP uses to develop secure software.

(Back to ToC.)

 

Additional Resources

Want to learn more about SAP security? Additional information can be found in the blog posts and books listed below.

Blog Posts

Books by SAP PRESS

Videos

What Next?

Learn more SAP from our official Learning Center.SAP PRESS Learning Center

And to continue learning even more about SAP security, sign up for our weekly blog recap here: