The Most Common Security Challenges with SAP Implementations


As SAP technology evolves to enhance and simplify the user experience, the issue of SAP security is conversely more challenging than ever.

While increased mobility and interconnectivity deliver clear productivity benefits, such advances also leave SAP infrastructure increasingly open – representing significant risk in an era that sees online threats at an all time high.

It’s not just the threat landscape that’s growing in ferocity, either. The potential costs of system downtime or data loss also continue to rise in tandem.

New regulations such as the GDPR are making their presence felt, with British Airways recently suffering the heaviest fine yet under the new data law; £183m the cost for losing more than half a million customers’ data to hackers.

In Australia, organisations are now subjected to more stringent data protection too –  with the introduction mandatory reporting of data violations under the recent Notifiable Data Breach scheme, which came into effect in 2018.

Clearly, there’s a significant price to pay for organisations failing to meet the SAP security challenge – and it’s a challenge further complicated by the looming countdown to 2025.

With SAP ECC set to run out of support, more and more businesses are preparing their migration to S/4HANA, a platform that brings a brand new set of security considerations due to the increased complexity of its underlying architecture.

And, considering S/4 implementations are typically carried out alongside other new SAP cloud technologies (Success Factors for HR and Ariba for procurement, for example), security often has to be managed across yet more layers still.

It all adds up to a set of cyber risks and security considerations more wide-ranging in nature than ever, but organisations are united by some common security challenges.

These common issues, familiar to virtually all SAP implementations, were the subject of Turnkey’s roundtable discussion when the global leadership team got together in Sydney, Australia, this year. 

Key Questions: Managing Today's SAP risks

You can view that discussion (the first in a series of seven videos) here – or read on for a summary of the key challenges identified by our leadership team:

Challenge 1 – Security by design

Businesses implementing SAP often have their focus firmly set on realising the operational benefits, and fail to identify security as one of the project’s key elements. Failure to identify risks and build security into the foundations of the project can have damaging consequences for the business going forward.

Challenge 2 – Integration with IT

Efficient, effective implementation of SAP means solid integration with your wider IT landscape. Organisations must therefore consider security across multiple points of connection with other systems, and look at the overall identity and access management life cycle.

Challenge 3 – The functionality focus

Systems Integrators are typically focused on the delivery of functionality, with set milestones to hit along the project timeline. This can lead to corners being cut, and security being overlooked – with SIs reluctant to carry out the extra layers of testing that may slow down delivery.

Challenge 4 – Retrospective changes

Where SAP security is overlooked in the initial stages of implementation, the most likely upshot is a raft of costly retrospective changes. Often, these fixes have to be made in a live SAP environment – only increasing the risks of downtime.

Challenge 5 – Authorisation only

All too often, an organisation’s consideration of SAP security extends only to authorisations and roles. More resilient protection of SAP infrastructure is required, such as Privileged Access Management at database and operating system level, and ‘hardening’ the SAP environment from external threats.

Challenge 6 – Late and limited testing

While testing is one of the most crucial aspects of SAP security, it’s rarely afforded enough time. When testing is carried out, it’s almost always rushed, or left to the very last minute. Many projects specifically suffer from limited negative testing, which is vital for role design to ensure it’s meeting the criteria for the business.

Challenge 7 – Change management

As well as managing the SAP implementation, there’s a key requirement to manage the business change. Change management principles should always be built into the project early on, ensuring appropriate communication with users and the provision of appropriate training.

All of these challenges, plus a wide range of other fundamental SAP issues, are explored in more detail in Turnkey’s 7-part roundtable video series.

Among the many topics discussed are the fresh security challenges of S/4 HANA, the art of working with Systems Integrators, and how businesses can drive more value from GRC investment.

Watch the series now at

Share this post

submit to reddit

Leave a Reply

scroll to top