SAP is so vital to daily operations that it has grown into something that is separate from normal data centre operations.
The Importance of SAP
From their early history developing payroll and accounting mainframe programs to the behemoth that they are today, it is not an exaggeration to say that organisations are built on SAP. With offerings like the NetWeaver solution stack to the HANA data platform, SAP is the foundation to entire business processes. If something were to go wrong with SAP, entire businesses would come to a halt. SAP is so important, in fact, that it has grown into something that is separate from normal data centre operations. SAP Competency Centres exist in many businesses as an integrated delivery centre for SAP services to the business.
SAP has so many specific requirements that nearly all products that touch SAP must be certified by SAP. These Competency Centres are data centres within the data centre. Even though the hardware platform that you have supporting SAP might be SAP-specific there is the possibly that it is a different standard to the ‘outside’ infrastructure, or non SAP applications used within an organisation.
Separate but not Completely Separated
Everything from certified hardware, databases, tools, extensions from other vendors that feed into SAP exists in its own world, speaking its own language. In this world everything is as integrated as possible, for a seamless experience. For businesses underpinned by SAP, they must take meticulous care of their SAP environment or risk everything. In certain very large manufacturing businesses, the manual for steeling SAP from failures and vulnerability runs to several hundred pages.
While SAP is its own world, it is not a world that has no outside connection. As soon as something leaves the SAP platform, SAP does not manage it. A single SAP instance can have a huge number of interfaces and connections. So while the SAP system itself may be hardened, if the connected systems that can access the data held on SAP are not as secure, then there is an issue. And that issue is around access to the SAP system.
If a connecting system is compromised and in turn allows ‘approved’ access to highly critical roles like SAP_ALL role, then game is over. Access to roles must be managed and secured beyond SAP’s governance, risk, and compliance capabilities.
How wrong could things go?
Access to the right SAP system in a given business could lead to theft of new product information or new technology developments, deletion of orders or alteration of transactions. The effects could include a drop in future revenue to the production line grinding to a halt because steering wheels have been ordered in the tens, not the thousands and there are not enough to go around. Material damage, in other words—not to mention the risk of incurring GDPR-related penalties.
To guard against this, it’s necessary to look beyond SAP to the wider business, where threats are more likely to emanate from. All privileged access to SAP and the associated infrastructure—operating system and database in particular—must be secured, by monitoring SAP privileged user activity and managing, protecting and controlling the use of SAP privileged accounts, thus helping to prevent against privileged access-related risk and credential compromise.