Thousands of security-relevant settings in a common SAP system do not make it easy to implement a comprehensive security check. Although the DSAG test guide and other standards explain what should be checked, they do not show how this can be done, and certainly not what the ideal approach is. Therefore, in this webinar we will show you how you can effectively and efficiently control the security status of your SAP ERP and S/4HANA systems and what advantages a tool-based check offers you. Topics of focus: • Challenges with the implementation of security guidelines • Overview of relevant regulations • Project methodology for a security management process • Advantages of tool-supported checks with the SAST SUITE • Best practice tips ------------------------------------------------------------------------------------------------------------- Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de

1. Konvertierung
Ihrer ERP-Rollen
auf SAP S/4HANA
Der SAST Role Conversion Service
Best Practice
Guidelines Security
How to check your SAP systems
for security.

2. WELCOME!
Introducing your host today:
TIM KRÄNZKE
CSO SAST SOLUTIONS
Tel: +49 40 88173-2735
Email: tim.kraenzke@akquinet.com
Web: sast-solutions.com
- 2 -
RALF KEMPF
CTO SAST SOLUTIONS
Tel: +49 40 88173-251
Email: ralf.kempf@akquinet.com
Web: sast-solutions.com

3.  Missing or unclear security status of SAP systems.
 Insufficient information about risk causes for decision-makers/security managers.
 Intransparent presentation of all risk and their mitigation.
 Customers have many ideas - some even have tools - but no overarching integration.
 Many (> 100 systems) must be monitored continuously.
 Customers need internationally experienced partners with comprehensive know-how.
Why customers have entrusted T-Systems with hardening and
monitoring their SAP systems?
- 6 -
The challenge
SAST SUITE analyzes and visualizes the status of all SAP systems with one push of a
button and enables the provision of a managed security solutions.
✓

4. Testing and know-how is necessary at all levels.
Make or buy?
- 7 -

5. Relevant set of rules
 DSAG auditing guide for SAP ERP 6.0
 SAP security baseline template (OSS Note 2253549)
 Best practice guide role management HANA DB (March 2019)
 Best practice guidelines for development
 Best practice implementation SAP GRC
 SAP security guides for various products and databases
 Subject and industry-specific regulations or requirements (e.g. critical infrastructures)
On which basis should people work?
- 8 -
Company-specific security regulations must always be developed with regard
to organization, technology and willingness to take risk.
The use of auditing tools can reduce this effort, but not eliminate it.

6. Security Management Process
- 9 -
Guideline
SIEM
Guideline
Config/Auth
Guideline
Incident
Learn and Improve
Prevent Detect Respond Recover

7. Project Methodology
- 10 -
Definition of the SAP policy and the set of rules
Implementation of a monitoring tool
Security hardening on all SAP systems
Activate real-time monitoring
Launch of management reports and transparency
Policy compliance

8. Monitoring of vulnerabilities AND threats in real time:
Vulnerability and authorization scans
SIEM threat detection (SYSLOG or file)
Cyclical
Real time
Configuration of SAP landscape
User and authorizations
Process and change management
Analysis of logs and behavior
- 11 -

9.  Total scope: 200 ABAP (incl. Java-Dual-Stack) and
76 Java systems.
 Non-ERP incl. BW, SRM, CRM, etc.
 Dashboard and real-time monitoring on all
80 production systems.
 Technical authorizations were cleaned up in
60 ABAP production systems.
 Technical system parameters and gateways were
cleaned up in all 276 systems.
 RFC connections, profile adjustments (SAP_ALL)
were cleaned up in all 200 ABAP systems.
 Changes in the system followed the system
landscape (development - quality - production)
with stakeholder testing to avoid any impact
on the business.
Scope and Timeline: analysis, hardening and monitoring.
- 12 -
87
119
144
226
260 270 276
0
50
100
150
200
250
300
2015 Q4 Feb. Mar. April May Jun. July August Sep.
SystemNumber
Baseline
Actual

10. Procedure of safeguarding (Hardening):
- 13 -

11. Policy-based security and vulnerability scans.
- 14 -

12. Policy-based security and vulnerability scans.
- 15 -

13. SAP Managed Service: Security Monitoring
- 16 -
SOC
TEAM

14. Policy-based security and vulnerability scans.
- 17 -

15. Reliable service levels
Coordinated response times depending on the severity of events
Immediate information on highly critical policy deviations and events
Support times according to your needs
Regular reports on
 security status and audits performed
 all incidents and audits occurred
Our Managed Services for you
Full transparency :
- 18 -
+
+
+
+
+

16. Target: Increase the added value for the customer.
✓ Fixed priced
Useful reporting on technical
compliance
Best practice templates
Reliable server operation
Rapid deployment
Proof of concept possible
✓
✓
✓
✓
✓

17. Amount
FTE
SAP dialog user: 2,5 00
SAP systems: 3
Amount
FTE
SAP dialog user: 10,000
SAP systems: 10
Staff: Procurement and training 20.000 € 20.000 €
Staff: 1st Level Monitoring 0,3 30.000 € 1,0 100.000 €
Staff: 2nd Level Monitoring 0,3 30.000 € 1,0 100.000 €
Staff: Team Management / Service Contact 0,1 10.000 € 0,3 30.000 €
Staff: Software / Rule Maintenance 0,1 10.000 € 0,1 10.000 €
Software: SIEM SAP 7.500 € 7.500 €
Software: Maintenance 7.500 € 7.500 €
Annual costs „make it yourself“ 115.000 € 275.000 €
Annual costs „SAST Managed Services“ (all-in) 45.000 € 80.000 €
SAP Security & Compliance: make or buy?
An exemplary cost comparison*
- 20 -
* FTE costs p.a.: ~ 100.000 €
Software costs SIEM SAP p.a., depreciation on 5 years : ~ 37.500 €
Maintenance costs p.a.: ~ 7.500 € (Maintenance 20%)
Basic version (real-time monitoring without further functions)
Cost reduction of up to 70% !

18. Best Practice Guidelines Security
Take Home Messages:
SAST SUITE contains comprehensive checks according to the DSAG audit guidelines,
BSI recommendations and SAP security guides - automated and across all levels.
The standard software already contains more than 4,000 checks and security notes.
All checks and evaluations can be customized.
You receive clear recommendations for the elimination of your vulnerabilities.
Significant increase of your SAP security by reducing risk.
Optional:
Strengthening your resources by our experts, who will relieve you in the shortest
possible time and deliver first results within a few days - including real-time monitoring.
- 21 -
✓
✓
✓
✓
✓
✓

19. DO YOU HAVE ANY QUESTIONS?
WE ANSWER. FOR SURE.
© Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright.
All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the prior
written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions.
The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information.
TIM KRÄNZKE
CSO SAST SOLUTIONS
Phone: +49 40 88173-2735
Email: tim.kraenzke@akquinet.com
Web: sast-solutions.com