SAP Security – Why Segregation of Duties is not Enough

Segregation of duties (SoD), as a security principle, is designed primarily to prevent fraud and errors. It achieves this by splitting the tasks, and the privileges attached to them, for a specific business process among several users, so that no single person can complete a sensitive process alone. A common example of this principle is requiring two signatures to validate a cheque.

For several years, the auditing and IT security industries have treated the deployment of SoD controls as sufficient to enforce the security of SAP systems. As a result, when many professionals use the term "SAP Security" today, they mean only the process of creating and managing the SAP roles and profiles that are assigned to an organization's users to restrict what they can do with business information.

While this kind of control is essential to the overall security of an SAP landscape, it overlooks a class of threats that carries a much higher level of risk: security vulnerabilities in the technical components that make up the SAP platform itself (the business runtime). An attacker who compromises that layer does not need a business user's role at all; SoD controls, which operate on top of it, never come into play.

Examples of these components include: SAP Web Application Servers, SAP J2EE Engines, SAP Enterprise Portals, SAP XI/PI, SAP BI, SAP ITS, SAP Web Dispatchers, SAProuters, RFC interfaces and other technical services such as the SAP Gateways and SAP Message Servers.

According to a study conducted by the CERT Coordination Center at Carnegie Mellon University, 99% of intrusions result from two factors: exploitation of known vulnerabilities (for which patches or corrective countermeasures already exist) and configuration errors.

While SAP reacts quickly to newly discovered security weaknesses with patches and publishes security guidelines for configuring systems securely, many organizations still struggle to keep all of their business-critical platforms protected against these threats: patches are applied late or not at all, and the profile parameters that govern the Gateway, Message Server, password policy and RFC authorization checks are left at weak or default values.
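As an added example of the second factor, configuration errors in the technical layer, the script below parses an SAP instance profile (the plain "parameter = value" file read by the kernel at start-up) and reports every parameter that misses a small hardening baseline. This is illustrative code written for this article, not Onapsis or SAP code; the profile text is constructed, and the baseline values are assumptions chosen to show the weak setting beside the expected one. The parameter names are real SAP profile parameters, but the correct value for your release must be taken from SAP's own security guides and notes.

```python
"""Audit an SAP instance profile against a small hardening baseline.

Added example, not code from the original page or from Onapsis/SAP.
The profile below is constructed; the baseline is illustrative and
is NOT a substitute for SAP's security guides for your kernel release.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample profile: real parameter names, made-up instance.
# Several values are deliberately weak so the audit has something to find.
SAMPLE_PROFILE = """\
# Instance profile PRD_DVEBMGS00_sapprd (constructed example)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
DIR_DATA = /usr/sap/PRD/DVEBMGS00/data
gw/sec_info = $(DIR_DATA)$(DIR_SEP)secinfo
gw/reg_info = $(DIR_DATA)$(DIR_SEP)reginfo
gw/acl_mode = 0
gw/monitor = 2
login/min_password_lng = 6
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 1
rdisp/gui_auto_logout = 0
auth/rfc_authority_check = 1
"""

# "name = value"; names may contain '/', '_' and '.', values are trimmed.
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text: str) -> dict[str, str]:
    """Parse profile lines into a dict; '#' lines and blanks are skipped.
    A later assignment overrides an earlier one, as in the real files."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


@dataclass(frozen=True)
class Rule:
    name: str                      # profile parameter
    ok: Callable[[str], bool]      # predicate on the raw string value
    expect: str                    # human-readable expectation


def _int(v: str) -> Optional[int]:
    """Profile values are strings; non-numeric values never satisfy a numeric rule."""
    try:
        return int(v)
    except ValueError:
        return None


# Illustrative baseline (assumption: align with SAP's guides for your release).
BASELINE = [
    Rule("gw/acl_mode", lambda v: _int(v) == 1,
         "1 (missing secinfo/reginfo fall back to restrictive defaults)"),
    Rule("gw/monitor", lambda v: _int(v) in (0, 1),
         "0 or 1 (no remote gateway monitoring)"),
    Rule("gw/reg_no_conn_info", lambda v: _int(v) == 255,
         "255 (all registered-program security checks enabled)"),
    Rule("login/min_password_lng", lambda v: (_int(v) or 0) >= 8,
         ">= 8"),
    Rule("login/password_expiration_time", lambda v: 0 < (_int(v) or 0) <= 90,
         "1..90 days (0 = passwords never expire)"),
    Rule("login/no_automatic_user_sapstar", lambda v: _int(v) == 1,
         "1 (no hard-coded SAP* fallback login)"),
    Rule("rdisp/gui_auto_logout", lambda v: (_int(v) or 0) > 0,
         "> 0 seconds (0 = idle GUI sessions never time out)"),
    Rule("auth/rfc_authority_check", lambda v: (_int(v) or 0) >= 1,
         ">= 1 (S_RFC authorization checked on RFC calls)"),
]


def audit_profile(text: str) -> list[tuple[str, str, str]]:
    """Return (parameter, actual, expected) for every baseline miss.
    An absent parameter is reported as 'NOT SET': the kernel default then
    applies, and that default may well be the weak value."""
    params = parse_profile(text)
    findings = []
    for rule in BASELINE:
        actual = params.get(rule.name)
        if actual is None or not rule.ok(actual):
            findings.append((rule.name, "NOT SET" if actual is None else actual, rule.expect))
    return findings


if __name__ == "__main__":
    for name, actual, expect in audit_profile(SAMPLE_PROFILE):
        print(f"{name:36s} actual={actual:8s} expected {expect}")
```

Run against the constructed profile, the audit reports six misses (the Gateway ACL mode, remote gateway monitoring, the unset registration checks, password length, password expiry and GUI auto-logout); the two parameters that are set correctly produce no output. The point a practitioner should take from it is the "NOT SET" case: a parameter that nobody ever wrote into the profile is still a configuration decision, made by the kernel default, and a review that only looks at explicit lines will miss it.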

Download the entire whitepaper or contact us for more information: