In practice, we often see SAP security projects that only offer a partial solution. Only rarely do such projects involve an end-to-end examination of all layers – from operating system to databases and applications, as well as concepts and policies. At the same time, an all-encompassing approach to security is essential for projects involving the implementation of or migration to SAP S/4HANA, because the database, user interface, gateway, applications, and authorizations have all grown closer together. As a result, access to important data has become both more complex and more difficult to monitor – especially due to media discontinuity and access options at different layers. This means your framework authorization concept has to combine all these topics prior to implementation and define an end-to-end security strategy. Ideally, all the security expertise needed for a comprehensive solution like this will come from a single source. This will guarantee perfect interplay between design and management, as well as monitoring, administration, and auditing. And you will also cover all the security areas, in the sense of a comprehensive SIEM system. In this webinar, we will show you why SAST SOLUTIONS, with our highly specialized SAP experts in combination with our SAST SUITE solution, have just what you are looking for. Topics of focus: • The challenges of successful SAP S/4HANA security projects • How to make sure your SAP S/4HANA implementation or migration is a success • Benefits of support by SAST SUITE tools • Best practice tips ------------------------------------------------------------------------------------------------------------- Für Informationen auf Deutsch, sprechen Sie uns gerne an: sast@akquinet.de

1. End-to-end SAP S/4HANA
security projects are
child’s play – if you have
the right tools.

2. WELCOME!
Introducing your host today:
AXEL DALDORF
Senior PreSales Consultant SAST SUITE
Tel: +49 40 88173-4438
Email: axel.daldorf@akquinet.com
Web: sast-solutions.com
ROOZBEH NOORI-AMOLI
Deputy Head SAST CONSULTING
Tel: +49 40 88173-2719
Email: roozbeh.noori-amoli@akquinet.com
Web: sast-solutions.com
- 2 -

3. Agenda
What does security mean from a holistic perspective?
What factors need to be considered?
The SAP Security Pyramid
Frequent security gaps at the various levels
Take Homes Messages

4. What does security mean from a holistic perspective?
Ensuring confidentiality, integrity and availability
Holistic security
Information Security
IT Security
SAP Security?
Task and responsibility of the management
▪ Example of process control: ISMS
▪ Example of process method: PDCA cycle
System of principles, conception, responsibility,
processes, procedures and resources
Comprehensive strategy of technical and
organizational-process aspects
▪ Integration of solutions such as SIEM and SOC
▪ Creating visibility and awareness
- 4 -

5. What factors need to be considered?
Often the factors are interlinked as follows
Company
Laws and
Contracts
Information-
safety
Dangers
Cybercrime
IT Security Act
Norms and standards
Risk Management
Privacy
Awareness
Disasters
Certification
Holistic concept
Existence
BCM
Tools
Prevention Specifications
Reaction
Mindset
People
- 5 -

6. The SAP Security pyramid
With holistic security, all levels must be considered.
Hacker attacks
Espionage
Manipulation
Misuse of rights
Data theft
✓
✓
✓
✓
✓
- 6 -

7. The SAP Security pyramid
A holistic security view should consider the following aspects:
Management
 Mindset
 Security governance
 Processes and concepts
Business
 Business process protection
 Protection of sensitive business data
 Access regulations
Basis
 System and application configuration
 System availability & data integrity
 Presentation layer (UI, encryption)
Technology
 Database & operating system security
 Network security
 More platform security topics
- 7 -

8. Lack of awareness for IT security
 "It's always been that way - and we don't need that now."
Action: Creation/support of a central control instance such as ISB/ITSB, CISO or IT security coordinator.
Mindset of the employees
 Security processes are not demanded, promoted and lived.
Action: Regular training and workshops.
Lack of control processes
 The necessary resources for a holistic view and treatment of information security are lacking.
Action: Definition of a holistic security policy. Implementation of an ISMS. Introduction of a central
security monitoring concept.
Common security gaps at management level
- 8 -

9. Assignment of critical authorizations
 Unhesitating assignment of critical authorizations → main thing is that employees are fit for work.
 Non-observance of the minimum principle for roles and authorization assignment.
 Example: Base roles are assigned to non-base employees.
Action: Establish a recertification process, create job roles.
No concepts
 Authorization concepts not available or only rudimentary.
 There is no separation of framework authorization concepts and subject authorization concepts.
Action: Creation of appropriate authorization concepts and regular updating and acceptance of the
documents.
Dealing with SoD conflicts
 SoD conflicts must be deliberately accepted due to resource deficiencies.
Action: Mitigation of unresolvable SoD conflicts to keep them under control.
Common security gaps at the business level
- 9 -

10. Missing or insufficient encryption
 SAP systems are not secured with SNC.
 Encryption is not enabled at all levels.
Action: Implement SNC with appropriate encryption tools such as SAP CryptoLib, Kerberos or SSL.
Important log files are not generated and not checked
 Gateway logging and security audit log is disabled or insufficiently configured.
Action: Enable and configure logging and evaluate the data.
Interfaces are not secured
 RFC interfaces are not encrypted and can be used by dialog users.
 Gateway ACL files are not present or provide access for all programs and users.
Action: Create guidelines for configuring secure RFC connections and ACL files and implement them.
Common security gaps at SAP Basis level
- 10 -

11. Security guides not implemented / missing patches
 Essential hardening measures for the operating system and database have not been implemented.
 Security notes and patches have not been applied.
Action: Introduction of patch and update processes.
Lack of network protection
 SAP systems are often not separated on the network side.
Action: Segmentation of SAP systems according to priority and criticality.
Lack of monitoring
 Safety-relevant system events are not logged and monitored.
Action: Activation of operating system and database logs and their regular evaluation with regard to
security-relevant incidents.
Common security gaps at the technical level
- 11 -

12. Security Gaps in the Migration SAP ERP -> S/4HANA
SAP ERP
6.0 EhP7
AnyDB
(Oracle, SQL
Server, DB2)
SAP ERP
AnyDB
(Oracle, SQL
Server, DB2)
SAP ERP
6.0 EhP7
SAP HANA
on Linux
SAP
S/4HANA
SAP HANA
on Linux
EhP System
Copy
S/4HANA
Conversion
Initial status + EhP7 Suite on HANA S/4HANA
1. Security Gaps: Application server
▪ Parameter
▪ Revision
▪ Security patches
▪ …
2. Security Gaps: Operating system
▪ Authentication Settings
▪ Network settings
▪ Service and file permissions
▪ Protocols and reporting
▪ …
3. Security Gaps: Database
▪ Authentication Settings
▪ HANA authorizations
▪ Audit settings
▪ Security patches
▪ …
4. Security Gaps: S/4HANA authorizations
▪ Critical permissions
▪ Function separation conflicts
- 12 -

13. Definition of risks: Unclear which risks have which relevance/criticality for my company.
Risk identification: Lack of transparency about possible vulnerabilities in systems and processes.
Risk Handling: Lack of strategy and processes to deal with risks.
 Establishment of a SIEM solution for continuous monitoring of the system landscape.
 Definition and regular updating of a holistic security policy.
 Establish global SAP security dashboards to visualize current security status.
 Monitoring of existing user authorizations as well as the assignment processes.
 Monitoring of critical transactions, applications and log files.
 Intelligent analysis of user behavior and alerting on suspicious events.
 Management and monitoring of highly privileged users (Firefighter).
 Mitigation strategy for existing risks.
Security Monitoring - holistic!
- 13 -

14.  A holistic security solution is usefully supported by a suitable tool.
 A tool is to be used uniformly to monitor the various levels and security areas.
 Assured interaction of all components from a single source:
 holistic conception
 Management processes
 Monitoring
 Administration
 Auditing
 In addition, the various security areas should be managed by an overarching
SIEM should be used to manage the various security areas.
Support tools
- 14 -

15. Create awareness for security in management and among employees.
Take everyone with you and strengthen the mindset in the company.
Holistic SAP S/4HANA security projects
Take Home Messages
Concepts. Act according to plan and create suitable security concepts and
implement them in a structured manner at all levels.
+
More than permissions. Keep an eye on threats at all levels.
Get Clean - Stay Clean. Check and secure your SAP systems according to
specifications, recommendations and best practices - ideally with tool support.
Actuality. Always keep your operating system and database up to date and apply
patches and security advisories regularly and promptly.
+
+
+
+
- 15 -

16. DO YOU HAVE ANY QUESTIONS?
WE ANSWER. FOR SURE.
© Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright.
All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the prior
written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions.
The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information.
ROOZBEH NOORI-AMOLI
Deputy Head SAST CONSULTING
Tel: +49 40 88173-109
Email: mail@sast-solutions.de
Web: sast-solutions.com