SAP Security Risks, Challenges and How to Address Them
As organisations increasingly rely on SAP for their day-to-day business processes, the stakes for potential security breaches have never been higher. From unauthorised access to sensitive data to the threat of cyber-espionage, the risks associated with SAP systems are growing more complex to navigate.
This article highlights several SAP security challenges that every organisation should be aware of. Understanding the risks associated with these challenges as well as how to address or mitigate them is essential to protect the organisation from data breach or fraudulent activity.
SAP Security risks to be mindful of
Inappropriate SAP access assigned to users
The technical and complex nature of SAP security (authorisations) can result in the creation of inappropriate SAP roles assigned to users. This exposure can lead to Segregation of Duties (SoD) risks and fraud, incurring financial and reputational costs. Audit findings are likely to increase significantly, and compliance tasks, such as User Access Reviews, become more challenging and less efficient for reviewers.
How to address this challenge
Many organisations adhere to the ‘zero-trust’ or ‘least privilege’ principle, assigning SAP access with only the necessary permissions for job functions. Any additional access needs validation and approval by relevant stakeholders. For organisations facing inappropriate SAP user access, a process of identifying and removing such access is necessary. However, clean-up projects can be challenging, risking accidental removal of required SAP access resulting in business disruption and user frustration.
A crucial component to mitigating this risk is to ensure that the organisation has an access control (GRC) solution. An access control solution allows the organisation to analyse the SAP users and roles against a set of rules (access risks), highlighting those that are risk-bearing. All SAP access change requests can then pass through a ‘What-If’ simulation to make the organisation aware of any potential role assignment that introduces new access risks in the SAP environment.
Leveraging an access control solution like Soterion’s Access Risk Manager helps comprehend SAP access risk exposure and assists in access risk management activities.
Irrelevant rule sets to the organisation
An access risk rule set comprises a set of conditions that, if fulfilled, could pose a threat to an organisation. For instance, within a Segregation of Duties rule set, a rule might involve the capability to both ‘Create/Maintain a Purchase Order’ and ‘Release a Purchase Order’. This particular combination of permissions could potentially allow an SAP user to engage in fraudulent activities.
Most access control solutions come equipped with pre-defined ‘out-of-the-box’ rule sets, which are designed to suit a wide array of organisations across various industries. However, the recommended practice involves customising these default rule sets to align more closely with the specific needs of the organisation. Failure to customise the rule set can lead to monitoring risks that are not relevant to the organisation, or possibly completely omitting some risks that are unique to the organisation.
In the context of SAP, access risk rule sets typically encompass various categories of risks, including Segregation of Duties (SoD), Critical Transactions, and Data Privacy.
How to address this challenge
Begin with the access control solution’s standard rule set and embark on customising it to suit your organisation better. Review all access risks for relevancy and risk level, removing irrelevant ones from the default rule set. Simultaneously, assess custom functionality (Transaction Codes/Fiori apps) for potential inclusion in the rule set. Where possible, follow a ‘less is more’ principle. Prioritise the effective management of fewer relevant risks over ineffective management of numerous risks in the rule set.
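The rule-set analysis and ‘What-If’ simulation described above, as an added illustration (not Soterion’s product code): a small Python model in which business functions map to transaction codes, SoD rules fire when a user holds every function in the rule, and a simulated role assignment reports only the risks it would introduce. The roles, users and rule ids are constructed for the example; the mapping of well-known SAP transaction codes (ME21N, ME29N, MIRO, XK01, SU01, PA20) to business functions is an assumption made here, and a real rule set would be far larger.

```python
"""Toy SAP access-risk analysis: rule set, user analysis, 'What-If' simulation
and rule-set tailoring. Added example, not Soterion's product code. Roles,
users and the transaction-code-to-function mapping are constructed."""
from dataclasses import dataclass

LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    category: str          # "SoD", "Critical Transaction" or "Data Privacy"
    risk_level: str        # "Low", "Medium" or "High"
    functions: frozenset   # the rule fires when ALL of these functions are held
    description: str


# Business function -> transaction codes that grant it (assumed mapping)
FUNCTIONS = {
    "CREATE_PO": frozenset({"ME21N", "ME22N"}),
    "RELEASE_PO": frozenset({"ME29N", "ME28"}),
    "MAINTAIN_VENDOR": frozenset({"XK01", "XK02"}),
    "POST_INVOICE": frozenset({"MIRO"}),
    "USER_ADMIN": frozenset({"SU01"}),
    "VIEW_HR_MASTER": frozenset({"PA20"}),
}

# Constructed 'out-of-the-box' rule set
DEFAULT_RULES = [
    Rule("P001", "SoD", "High", frozenset({"CREATE_PO", "RELEASE_PO"}),
         "Create/maintain a purchase order and release it"),
    Rule("P002", "SoD", "High", frozenset({"MAINTAIN_VENDOR", "POST_INVOICE"}),
         "Maintain vendor master data and post vendor invoices"),
    Rule("B001", "Critical Transaction", "High", frozenset({"USER_ADMIN"}),
         "User administration"),
    Rule("H001", "Data Privacy", "Medium", frozenset({"VIEW_HR_MASTER"}),
         "Display HR master data"),
]

# Constructed roles (role -> transaction codes) and users (user -> roles)
ROLES = {
    "Z_PURCHASER": {"ME21N", "ME22N"},
    "Z_PO_APPROVER": {"ME29N"},
    "Z_AP_CLERK": {"MIRO"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_BASIS": {"SU01"},
}
USERS = {
    "ALICE": {"Z_PURCHASER"},
    "BOB": {"Z_AP_CLERK", "Z_VENDOR_MASTER"},
    "CAROL": {"Z_BASIS"},
}


def effective_tcodes(roles, role_catalog=ROLES):
    """Union of the transaction codes granted by a set of roles."""
    tcodes = set()
    for role in roles:
        tcodes |= role_catalog[role]
    return tcodes


def held_functions(tcodes, functions=FUNCTIONS):
    """Business functions a user can perform given their transaction codes."""
    return {f for f, codes in functions.items() if codes & tcodes}


def analyse_user(user, rules=DEFAULT_RULES, users=USERS, role_catalog=ROLES,
                 functions=FUNCTIONS):
    """Ids of the rules violated by the user's current role assignments."""
    funcs = held_functions(effective_tcodes(users[user], role_catalog), functions)
    return sorted(r.rule_id for r in rules if r.functions <= funcs)


def what_if(user, new_role, rules=DEFAULT_RULES, users=USERS, role_catalog=ROLES):
    """Simulate assigning new_role and return only the risks the change adds."""
    before = set(analyse_user(user, rules, users, role_catalog))
    simulated = {**users, user: users[user] | {new_role}}
    after = set(analyse_user(user, rules, simulated, role_catalog))
    return sorted(after - before)


def tailor_ruleset(rules, drop_ids=(), min_level="Low"):
    """Drop irrelevant rules and keep only risks at or above min_level."""
    return [r for r in rules
            if r.rule_id not in drop_ids
            and LEVEL_ORDER[r.risk_level] >= LEVEL_ORDER[min_level]]


def with_custom_tcode(functions, function, tcode):
    """Map a custom (Z*) transaction onto an existing function without mutating the input."""
    updated = dict(functions)
    updated[function] = functions[function] | {tcode}
    return updated


if __name__ == "__main__":
    for u in USERS:
        print(u, analyse_user(u))
    print("ALICE + Z_PO_APPROVER ->", what_if("ALICE", "Z_PO_APPROVER"))
    print([r.rule_id for r in tailor_ruleset(DEFAULT_RULES, drop_ids={"H001"})])
```

Alice holds only the create-PO function, so no rule fires today, but the simulation shows that adding Z_PO_APPROVER would introduce P001; Bob already violates P002, so a simulated Z_BASIS assignment reports only the new critical-transaction finding B001. Tailoring the rule set by id and minimum risk level is the ‘less is more’ step, and mapping a custom transaction onto an existing function is how custom developments are brought under the same rules.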
Lack of S/4HANA security expertise
Increased complexity associated with Fiori components such as Catalogs, Spaces, and Pages has unfortunately heightened the challenges in ensuring adequate security measures. This heightened complexity poses the risk of implementing subpar security solutions, potentially leaving the organisation vulnerable to fraud. Moreover, inferior security measures may lead to increased business disruptions by limiting end-users’ ability to perform their job functions due to authorisation issues.
Less experienced S/4HANA security personnel may suggest relying on SAP’s standard business roles. However, these roles often do not align well with the diverse business processes of different organisations. Consequently, users may need multiple standard business roles to cover their functions, resulting in the assignment of wide and inappropriate roles to SAP users.
How to address this challenge
As expertise in S/4HANA grows through experience gained from multiple projects, the broader market becomes more informed about the ‘best practices’ (role methodologies) specific to S/4HANA. Yet, many organisations face tight deadlines for their S/4HANA upgrades and lack the luxury of time for their resources to accumulate necessary experience.
One potential solution to this pressing challenge is to consider outsourcing or engaging a managed service provider specialising in SAP security and risk management. Consulting firms focusing on SAP security and risk typically boast seasoned senior professionals well-versed in technical role building, risk management, controls, and audit. Often, organisations require this expertise intermittently. Therefore, leveraging a managed service provider for these specialised skills negates the necessity of maintaining such resources in-house on a full-time basis.
Lack of business buy-in
Establishing ownership of SAP access risk processes poses a significant challenge. Access risk directly impacts business operations. However, owing to the intricate and technical aspects of SAP security, including functions like SAP role build, role assignments, and GRC administration, there tends to be reluctance from the business side to engage in access risk management activities. Business users frequently express their lack of understanding regarding the expected tasks or find the activities and reports overly technical. Consequently, this leads to an underutilisation of the GRC solution, with IT running some ad hoc activities or merely using it as a backend system with minimal participation from the business users.
How to address this challenge
Create a comprehensive Policies and Procedures document outlining specific use cases, standard operating procedures, and their respective owners. Educate the business users on the access risks relevant to their area of responsibility. Discuss and debate each Segregation of Duties risk and how an SAP user could defraud the organisation with the conflicting access.
Business ownership and buy-in for access risk management activities are greatly improved once the business users understand what the SoD risk means and how fraud can be performed with that combination of permissions.
Effectively manage your SAP security with Soterion
Given the escalating risks to organisations’ SAP environments, implementing effective access control is now more vital than ever. This endeavour, however, can present significant challenges.
At Soterion, we provide an extensive range of GRC solutions tailored to businesses. Our GRC solutions specifically target the SAP security risks highlighted. Through the utilisation of our services and products, your organisation’s security team can notably bolster their capacity to recognise and counteract SAP security risks.
At Soterion, we offer a comprehensive suite of GRC solutions. Our business-centric GRC solutions enhance business buy-in and accountability, ensuring a more risk-aware organisation.
Contact [email protected] to book a demo or if you would like more information on our products.