SAP Security Assessment

Secnic Consultancy Services (SCS) is a security partner advising SAP users on security issues. Our most outstanding professional services include: SAP architecture design within a secure environment, Security configuration and parametrization in SAP, Security audits, Compliance (SOX, PCI and ISO 27001), and Penetration Testing.

SCS has been working on and advising in SAP security since 2014, on UNIX, Windows and AS/400 platforms. Since 2014 it has been intensely active in detecting vulnerabilities and has made significant contributions towards their resolution.

Following is a description of SAP system security related services rendered by SCS:

Design of SAP architecture within a secure environment

The object of this service is to design or re-design the architecture of SAP with the highest security level possible.

This service is focused on defining security in the network topology of SAP components (SAP Application Servers, Database Servers, Administrators and End Users).

It covers the development of a secure network scheme and the security measures to be adopted: firewalls, DMZs, encryption, application firewalls, operating system security, database security and SAP security, among others.

SAP Internal security configuration and parametrization

This service provides Organizations with the advice they need to specify the internal security level they expect for their SAP applications.

Among others, various aspects taken into consideration are:

  • Security of the implemented SAP version and modules.
  • Hot Packages (Support Packages) installed.
  • Definition and distribution of clients.
  • Password parameters.
  • Ability to alter systems and clients.
  • Default users' passwords.
  • Users with unlimited transaction access.
  • Existence of blocked transactions.
  • Access to sensitive transactions.
  • Modification of system parameters and profiles.
  • Workbench Organizer configuration.
  • Transport system access.
  • Table editing.
  • Users' access level to software.
  • Existence of transport order logs.
  • Use of SAP*, SAPCPIC, EarlyWatch.
  • Use of SAP_ALL, SAP_NEW profiles.
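Several of the items above (password parameters, default users' passwords, SAP_ALL/SAP_NEW assignments) can be reviewed offline from an exported snapshot. The script below is an added example written for this page, not SCS's tooling: it assumes the reviewer has already exported the relevant login/* profile parameters (as shown by transaction RZ11 or report RSPARAM) and the user-to-profile assignments into the plain Python structures shown, all sample values are constructed, and the baseline thresholds are this example's assumptions rather than vendor mandates.

```python
"""Offline review of selected SAP configuration items from a constructed export."""

# login/* profile parameters checked, with the comparison kind and the baseline value
# (baseline values are assumptions for this example).
PARAMETER_BASELINE = {
    "login/min_password_lng": ("min", 8),                     # minimum password length
    "login/fails_to_user_lock": ("max", 5),                   # failed logons before lock
    "login/password_expiration_time": ("between", (1, 90)),  # days; 0 means never expires
    "login/no_automatic_user_sapstar": ("eq", 1),             # 1 = no hard-coded SAP* fallback logon
}

# Accounts delivered by SAP with well-known initial passwords.
DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH"}

# Profiles that grant (near) unlimited authorization and should not be held in production.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}


def _meets(kind, expected, value):
    """Compare a parameter value against its baseline according to the comparison kind."""
    if kind == "min":
        return value >= expected
    if kind == "max":
        return value <= expected
    if kind == "between":
        low, high = expected
        return low <= value <= high
    return value == expected  # "eq"


def check_parameters(params):
    """Return one finding dict per parameter that is missing or outside the baseline."""
    findings = []
    for name, (kind, expected) in PARAMETER_BASELINE.items():
        value = params.get(name)
        # A missing parameter means the kernel default applies, which is also reported.
        if value is None or not _meets(kind, expected, value):
            findings.append({"check": "parameter", "name": name, "value": value, "expected": expected})
    return findings


def check_users(users):
    """Flag unlocked default accounts still on their initial password and any user
    holding SAP_ALL or SAP_NEW. Each user is a dict with name, client, profiles,
    default_password and locked (the shape of the constructed export)."""
    findings = []
    for u in users:
        if u["name"] in DEFAULT_ACCOUNTS and u["default_password"] and not u["locked"]:
            findings.append({"check": "default_password", "user": u["name"], "client": u["client"]})
        for profile in sorted(CRITICAL_PROFILES & set(u["profiles"])):
            findings.append({"check": "critical_profile", "user": u["name"],
                             "client": u["client"], "profile": profile})
    return findings


def assess(params, users):
    """Combine both checks into a single report."""
    findings = check_parameters(params) + check_users(users)
    return {"findings": findings, "count": len(findings)}


# Constructed snapshot of a weakly configured system (not real data).
SAMPLE_PARAMS = {
    "login/min_password_lng": 6,
    "login/fails_to_user_lock": 5,
    "login/password_expiration_time": 0,
    "login/no_automatic_user_sapstar": 0,
}

SAMPLE_USERS = [
    {"name": "SAP*", "client": "000", "profiles": ["SAP_ALL"], "default_password": True, "locked": False},
    {"name": "DDIC", "client": "100", "profiles": ["SAP_ALL"], "default_password": False, "locked": False},
    {"name": "EARLYWATCH", "client": "066", "profiles": ["Z_MONITORING"], "default_password": True, "locked": True},
    {"name": "SAPCPIC", "client": "100", "profiles": ["SAP_NEW"], "default_password": True, "locked": False},
    {"name": "JSMITH", "client": "100", "profiles": ["Z_FINANCE_CLERK"], "default_password": False, "locked": False},
]

if __name__ == "__main__":
    report = assess(SAMPLE_PARAMS, SAMPLE_USERS)
    for finding in report["findings"]:
        print(finding)
    print(f"{report['count']} findings")
```

On the constructed snapshot the script reports three parameter findings (short minimum length, passwords that never expire, and the automatic SAP* logon left enabled), two unlocked default accounts on their initial password, and three SAP_ALL/SAP_NEW assignments. The locked EARLYWATCH account is deliberately not reported, since locking is an accepted interim control; the parameter check treats an absent parameter as a finding because the kernel default then applies silently.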

SCS shall apply all the security measures necessary to achieve the highest security level.

SAP Infrastructure assurance

This service is aimed at reaching the highest security level possible along the entire infrastructure supported by SAP: Operating System, Database, SAP Application, Interfaces and user access.

SCS will assist in the implementation of the security measures needed to reach the highest security level.

To ensure the security level of the operating system we work on: security configurations; audit logs; users, access passwords and profiles; permissions on critical directories; installed patches; and the security of enabled services, among others.

For database security, we work on security patches, database auditing, permissions on database directories and files, analysis of the database owner, default passwords and specific database security parameters, among others.

For SAP Application assurance, we work on each of the aspects listed under SAP Internal security configuration and parametrization above.

Existing interfaces with external systems that send data to or receive data from SAP are secured (strong encryption, authentication, etc.).

We work on secure access for both SAP users and administrators.

The outcome of this service will be the operation of SAP with the highest security level possible.

Security compliance audits (SOX, PCI and ISO 27001)

These are aimed at assessing and determining the current, actual security level of the SAP infrastructure, applying security auditing techniques. To complement the audits, a gap analysis against regulations such as SOX, PCI and ISO 27001 can be conducted.

The audit consists of:

  • Security review of the operating system, database and SAP application.
  • Security analysis of SAP parametrization.
  • Security analysis of connectivity to external systems.
  • Analysis of defined users and profiles.

As an outcome, companies that use SAP will have objective information about their own security level.

The gap analysis allows you to assess your level of compliance with the relevant international regulations.

Revision and assurance of Web Services (Enterprise Portal/ICM/ITS/BC/Applications)

As SAP evolves, tools such as ITS and Business Connector make its systems reachable from outside, with a corresponding increase in risk.

SCS experts assess the actual security level of the tools implemented for external access to SAP through the Web and establish the existing vulnerabilities. They then propose and implement alternatives to address them, raising the security level as far as possible.

Our work covers the assessment of the network topology and the analysis of the current operating system and web server security. The security level of the implemented tools (ITS, Business Connector, etc.) and their interconnection with the internal SAP system are assessed as well.

This service results in the Organization having secure use of its remote functionality.

Analysis, design and implementation of secure interfaces

Interfaces that send and receive information are part of a system's security.

The object of this service is to provide secure interfaces among the various systems that operate with SAP.

SCS can develop a secure interface model that takes into account data encryption, authentication between the parties involved, the interface's internal security and its secure programming, among others.

The secure model developed is applied to the existing interfaces.

SAP Penetration Testing

This is aimed at obtaining an objective external assessment of the actual security level of the SAP infrastructure.

To carry out this test, SCS experts connect from the external network without any prior information and attempt to access the systems supporting the SAP infrastructure (base operating systems, databases, application servers, etc.).

This methodology allows us to determine the actual security level and rapidly detect security risks so that they can be addressed.
