Information security is an expensive item that not everyone can afford, but the lack of well-functioning security costs the company even more.
- Ensuring security in SAP, SAP Professional Journal Russia, September – October No. 5 (76), pp. 149–150. © 2019, Irina Laevskaya, SAP Security Consultant at axl & trax.
System security is a sign of a company's information maturity. While a company is growing and developing, its shareholders think little about security. “The main thing is to make it work ASAP,” commands the director, and the development team draws up its plan of attack. As soon as the business is launched and the processes are running, the company focuses on whatever shows instant results and returns: a new market, a new sales line, a new process.
And that's great: companies need to grow, and it is even better when they grow fast.
The other side of the story is that during the growth phase some processes were propped up with “crutches”: there was not always enough time to think through the complete architecture, assess the risks and draw up a competent plan. The fact that security was not thought about at the start of the implementation does not mean that it should not be thought about at all. Better late than too late.
The first chapter of the SAP Security Guide (SAP SG) opens with a very serious problem: defining the role of the SAP system administrator. In particular, it stresses that the administrator must be aware of his or her area of responsibility and involvement, and that the business, in turn, should listen to the system administrator and his or her security recommendations.
These are two sides of the same coin: nobody listens to the administrator at meetings and at the project kick-off during the planning stage, so the administrator does not propose unscheduled updates to close security gaps and stops taking the initiative. The business is not notified of vulnerabilities, so the business does not know that they exist.
To a certain extent, the above-mentioned problem is the result of a lack of resources. Often administrators do not have time to think about new vulnerabilities discovered in the SAP system - they need to finish their current work. And the business is primarily engaged in business. But the main reason for such situations is a strict hierarchy, where security administrators and IT managers are regarded as performers, not partners. Security is a continuous process; it needs to be grown in a company and nurtured through corporate culture, tools, training and learning.
One should also understand that in modern companies the administration of an information system is usually handled not by a single system administrator but by a whole team of specialists. Team members are either interchangeable or share responsibilities; in any case, the roles and responsibilities of the head of such a department are described in SAP SG under the general definition of a security administrator - a kind of IT magician guarding the SAP system day and night.
SAP SG lists the main types of threats that security administrators face. To some, these threats will seem obvious, even outdated. Nevertheless, their age does not diminish their relevance. Just as 30 years ago, fraud, theft, data leakage and the human factor still apply today. The attack methods and tools have changed, but the threats remain the same. Perhaps, from the point of view of enterprises in the Russian Federation, the least attention is paid to the threat of fraud - this threat comes from internal users, who are usually extended a large credit of trust. Psychologically, everything inside the enterprise seems to be behind a stone wall. But according to statistics, almost 69% of all data leaks were triggered by either negligence or intentional fraud by internal employees.
It is not at all difficult to organize a system where everything works - in the end, you can give everyone SAP_ALL, and the business processes will be up and running in no time. The other side is that these processes can also stop at the very moment someone, through ignorance or malicious intent, destroys the entire system. Organizing a secure system is therefore more difficult.
The first chapter of SAP SG frequently refers to SoD - Segregation of Duties - as an access control principle. The same phrase is increasingly found in the descriptions of roles and responsibilities in the IT departments of large Russian companies - not merely as a desirable skill, but as knowledge necessary for doing the job well.
Segregation of Duties is the practice of organizing access so that users do not combine too many rights in one profile. For example, the employee who maintains customer master data should not also be responsible for sales: with this combination, the user can create a customer and “sell” something to it, and the fraud will not be detected immediately because both actions fall within the user's daily responsibilities.
In practice, the system administrator cannot handle the SoD task alone, simply because the administrator's job is to ensure the technical functioning of the system. SoD is mostly a task for the business: 60% of the time is spent on clarifying requirements, 40% on implementation. Only together with the business, i.e. with the people responsible for the processes, can administrators set up the separation of duties, the permissible combinations of rights, the procedure for transferring access from one person to another, and the control and analysis.
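The customer-master-versus-sales conflict described above, and the preventive check that belongs in the procedure for granting or transferring access, can be expressed as a small SoD rule engine. The following is an added example, not code from the article or from SAP: the user ids, role names and assignments are constructed sample data, and the transaction codes (XD01/XD02 customer master, VA01/VA02 sales order, XK01/XK02 vendor master, F110 payment run) are standard SAP transactions used here only to illustrate a conflicting combination. A real ruleset would come from the business, as the article says, and would check authorization objects rather than transaction codes alone.

```python
"""Detective and preventive Segregation-of-Duties (SoD) checks over SAP role
assignments. Added example with constructed data (not from the article)."""

from itertools import product

# Which transactions each role grants (constructed sample; the Z_ names are
# invented, the transaction codes are standard SAP ones).
ROLE_TRANSACTIONS = {
    "Z_CUSTOMER_MASTER": {"XD01", "XD02"},  # create / change customer master
    "Z_SALES_ORDER": {"VA01", "VA02"},      # create / change sales order
    "Z_VENDOR_MASTER": {"XK01", "XK02"},    # create / change vendor master
    "Z_PAYMENT_RUN": {"F110"},              # automatic payment run
    "Z_DISPLAY_ONLY": {"XD03", "VA03"},     # display customer / sales order
}

# SoD ruleset: two transaction groups one person must not hold together.
# The business owns this list; the administrator only enforces it.
SOD_RULES = [
    ("customer-master vs sales", {"XD01", "XD02"}, {"VA01", "VA02"}),
    ("vendor-master vs payment", {"XK01", "XK02"}, {"F110"}),
]

# Current assignments (constructed sample).
USER_ROLES = {
    "ivanova": ["Z_CUSTOMER_MASTER", "Z_DISPLAY_ONLY"],
    "petrov": ["Z_SALES_ORDER"],
    "sidorov": ["Z_VENDOR_MASTER", "Z_PAYMENT_RUN"],  # violates the second rule
}


def transactions_for(roles, role_transactions=ROLE_TRANSACTIONS):
    """Union of all transactions granted by a list of roles."""
    granted = set()
    for role in roles:
        granted |= role_transactions.get(role, set())
    return granted


def conflicts_in(transactions, rules=SOD_RULES):
    """Return (rule, left_tx, right_tx) for every conflicting pair present."""
    found = []
    for name, left, right in rules:
        held_left = sorted(left & transactions)
        held_right = sorted(right & transactions)
        for l_tx, r_tx in product(held_left, held_right):
            found.append((name, l_tx, r_tx))
    return found


def audit(user_roles=USER_ROLES):
    """Detective check: map each user to the SoD conflicts in their current access."""
    return {user: conflicts_in(transactions_for(roles))
            for user, roles in user_roles.items()}


def assignment_conflicts(user, new_role, user_roles=USER_ROLES):
    """Preventive check, run before a role is granted or transferred: only the
    conflicts that the new role would introduce on top of existing access."""
    current = user_roles.get(user, [])
    before = conflicts_in(transactions_for(current))
    after = conflicts_in(transactions_for(current + [new_role]))
    return [c for c in after if c not in before]


if __name__ == "__main__":
    for user, found in audit().items():
        status = "OK" if not found else f"{len(found)} conflict(s): {found}"
        print(f"{user:10s} {status}")
    # Transferring petrov's sales role to ivanova would create a new conflict.
    print("ivanova + Z_SALES_ORDER:",
          assignment_conflicts("ivanova", "Z_SALES_ORDER"))
```

`audit()` is the periodic review over all users; `assignment_conflicts()` is the gate that a role request or access transfer passes through before anything is changed, which is where SoD actually prevents the fraud scenario rather than merely reporting it afterwards.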
The process of building an access architecture is not simple, but it is not as complicated as it seems. With proper settings and transparent naming of roles and accesses, subsequent additions and audits will go quickly and “painlessly”.