Ensuring the Security and Quality of Custom SAP Applications

How safe is your business?

In order to better serve specific business requirements, SAP standard solutions are often enhanced with custom applications. In many industries, the proportion of proprietary developments in SAP systems averages more than twenty-five percent, provided either by internal IT specialists or third-party companies.

Whether SAP applications are at the heart of your business or it is your business to develop SAP add-on applications, you need to both ensure that business critical processes and sensitive data remain safe, and reduce the risk of security breaches or data loss whilst meeting compliance rules and standards.

Download the brochure: Ensuring the Security and Quality of Custom SAP Applications

Download the entire whitepaper or contact us for more information:

SAP Security – Why Segregation of Duties is not Enough

Segregation of duties (SoD), as a security principle, is designed primarily to prevent fraud and errors. This objective is achieved by distributing the tasks and associated privileges for a specific business process among multiple users. A common example of this principle is requiring two signatures to validate a cheque.

For several years, the Auditing and IT Security industries have considered the deployment of SoD controls to be enough to enforce the security of SAP systems. As a result, when many professionals use the term “SAP Security” today, they are only discussing the processes of creating and managing the SAP roles and profiles that are assigned to an organization’s users to restrict their activities over the business information.

While these kinds of controls are of absolute importance to the overall security of the SAP landscape, there are many other threats that are overlooked and involve much higher levels of risk: the security vulnerabilities in the technological components that make up SAP platforms (business runtime).

Examples of these components include: SAP Web Application Servers, SAP J2EE Engines, SAP Enterprise Portals, SAP XI/PI, SAP BI, SAP ITS, SAP Web Dispatchers, SAProuters, RFC interfaces and other technical services such as the SAP Gateways and SAP Message Servers.

According to a study conducted by the CERT Coordination Center at Carnegie Mellon University, 99% of intrusions result from two factors: exploitation of known vulnerabilities (for which there are patches or corrective countermeasures) and configuration errors.

While SAP rapidly reacts to newly discovered security weaknesses through patches and provides security guidelines to configure systems securely, many organizations still have a hard time keeping all of their business-critical platforms protected against these threats.


Onapsis Success Story: Siemens

The Challenge
As part of its information security strategy, Siemens continuously performs security assessments and penetration tests of its IT assets. As a Senior Information Security Expert at the Computer Emergency Response Team (CERT) at Siemens, Robert Ingruber was aware that the organization’s numerous SAP systems, which contain the organization’s most sensitive data, were not fully tested and assessed. While the operating systems and databases running the SAP platform were being evaluated with the rest of the IT infrastructure, the SAP application itself was mostly addressed at the top business-logic layer.


GulfMark Offshore: EPI-USE Labs success story

Tackling an SAP HCM Upgrade
Recently GulfMark upgraded their largest region to their Global HCM framework. The project was very high impact and extremely complex, affecting Payroll and Crew scheduling and necessitating an entire payroll transformation. The challenge was how to engage a team that was risk averse and complete the project on time.

Other considerations included the impact of the project on the entire HCM business community. Change Control and an aggressive timeframe were handled without any failure affecting day-to-day business. After examining a number of options, GulfMark found the EPI-USE Labs’ solutions would provide the functionality and completeness they needed. For the copying of HCM data they used Object Sync™ for HR from the Data Sync Manager product suite, and for the parallel testing phase they used Variance Monitor™.
The main obstacle was the amount of time and planning it took to refresh non-production instances. Several weeks of planning and many days of execution were needed prior to the project to refresh the systems. (“It used to be a very tedious process” said Sandeep Pulavarty, the SAP Development Manager.)

All development scenarios were created manually, which naturally took many hours to complete for each scenario. This affected the ability to troubleshoot production problems.


Security Compliance Suite

We would like to introduce to you a new GRC Suite that may be of interest to you:

The Security Compliance Suite is an SAP-centric application used to manage system compliance, provision temporary authorization for system support, and manage permanent authorization change requests. The solution includes a best-practice SoD rule set. It can be initially configured in your system for evaluation purposes in less than 90 minutes.


OpenSQL Editor

We have teamed up with Hovitaga, a software development company founded in 2009 and located in Budapest, Hungary. Hovitaga focuses on the development of add-ons for SAP systems. Its mission is to develop innovative software products for SAP customers to improve productivity, optimize business processes and support decision making.

This blog will feature Hovitaga’s products, which can be purchased at a special discount just for our readers. Mention Home4SAP.com should you contact them directly.


FDA Compliance and Single Sign-On Co-Existence

Non-compliance with the FDA Regulations can lead to fines and cost millions of dollars, making the risk of ignoring these issues high.

The SAP ERP business applications include standard functionality that allows organizations to be FDA 21 compliant; this functionality requires a user to re-authenticate when they are signing and approving electronic records. To support the FDA requirements, the SAP System contains standard support for electronic or digital signatures, which enables a user to sign and approve digital documents, but it makes the assumption that the user identifies themselves with an SAP user ID and password. The signature ensures that the person signing a digital document is uniquely identified and that the signatory’s name is documented along with the signed document, date and time.

Hovitaga Notification System

There is plenty of information at a company that loses its value drastically as time goes on. This means that it’s possible to save a lot of money if this information is sent to the respective people. This is why it’s critical for an ERP system to notify employees about critical business and IT operational events as soon as possible. It is also important that the decision makers work with up-to-date data, so receiving key business data on mobile devices can help in making good business decisions.

Hovitaga Data Visualizer

Every customer who uses SAP relies on reports. Whether standard ones shipped by SAP or ones developed specifically for the customer, they are crucial elements of the whole IT solution. Every business process comes down to SAP reports in the end.

Business users use reports throughout their daily jobs, and decision makers rely on monthly, quarterly and yearly reports. A very common tool besides R/3 reports is SAP Query. It offers the possibility to build reports without ABAP coding, but in the end data is still displayed as a simple list. Almost all reports have a simple list as an output as well, with very basic features. The user interface of SAP Business Warehouse is still based on Microsoft Excel and it does not offer the latest visualization possibilities.

Data Sync Manager

Data Sync Manager is a proven and popular product comprised of four main components:

Client Sync: Create reduced SAP clients with full functionality by selecting subsets of data, with the ability to maintain document flows and scramble the data. Reduced SAP clients save a substantial amount of data storage and faster system refreshes eliminate costly system downtime.

Object Sync: Copy object data on demand, ensuring valid, up-to-date data for production support, accurate testing and effective training. Scrambling ensures security, while templates control access but empower users.

System Builder: Make a complete copy of all repository objects and client-independent data in Production, to create a new non-production system with Client 000 (contains basic client-dependent customisation for new clients), and optionally, Client 001 (customisation copy of Client 000) and Client 066 (used by SAP for support).

Data Secure: Provides in-place masking of sensitive data, to ensure that SAP clients or data are secured. It has been optimized for large data volumes, and can perform parallel processing. It can work on its own, or hand-in-hand with Client Sync.
