Coherent security strategy vital

By Julie Hodgson, Managing Consultant, Platform and Technologies on
Having specialised in SAP security for the last 10 years, I thought we had it pretty much ‘in the bag’. The Profile Generator has been around for years and is stable and reliable. We have a couple of options for maintaining users, Identity Management and Central User Administration (CUA), or can leverage other third-party identity management solutions. We have GRC Access Control to provide a good governance framework and monitoring tools across the SAP system environment. All was right with the world.

So what’s changed?

Just about everything else. We have cloud-based solutions such as SuccessFactors and Ariba with their own security solutions. They are robust, reliable and easy to maintain, reducing the need for specialist security consultants. We now have HANA with great solutions such as Simple Finance. The Business Suite is moving to the next SAP iteration – S/4. Much of the security requirement will remain in the application layer; however, HANA provides the flexibility for native developments and real-time analytics running directly on the database. That opens up a whole new level of risk. Developments need to be planned and executed with security and data restriction requirements in mind, to ensure they reflect the level of risk tolerated elsewhere in the IT landscape.

What of UX – User Experience? It’s frequently mentioned that the Fiori Launchpad and NetWeaver Business Client are “role-based”. What does that mean, and how does your existing security design align with this role-based paradigm? Implementing an improved UX adds complexity to the SAP role design and requires care to ensure the user interface you choose renders access to both the front-end applications and back-end authorisation objects. With the flexibility of Fiori and UI5, SAP can be available on mobile devices anywhere, anytime, adding yet another level of complexity to your security solution.

I mentioned Cloud solutions at the beginning of this blog but we also need to consider the implications of moving systems to either a managed or private Cloud, or introducing a hybrid model with some systems remaining on premise. Partnering with trusted service providers and understanding the implications are of the utmost importance to provide peace of mind to your stakeholders that your systems and data will not be compromised.

So where does this leave the role of your traditional SAP security consultant?

On one hand, the changes in the SAP landscape have reduced the necessity for complicated security solutions and reduced the maintenance overhead. On the other hand, managing the requirements for improved UX and ensuring access rights are consistent across an increasingly diverse landscape are of the utmost importance and have effectively increased the security solution complexity. User experience; multiple solutions, systems and interfaces; and access from multiple device types and locations all require a coherent security strategy. Multiple disciplines are involved in securing data, processes and infrastructure. It’s more important than ever to have a good system of governance in place and, conversely, it’s more important than ever to provide an agile response to the shifting sands of business requirements, user experience priorities and innovation. Your security solution needs to become agile and easy to maintain. Simplifying and standardising your role design may be the first step required to prepare for improved UX, HANA or migration to Cloud.

How is your SAP security solution looking now? Does it need a Healthcheck?

Oxygen, a DXC Technologies Company, can help. We offer a five-day SAP Security Healthcheck tailored to your requirements. We will review your current systems, identify any quick wins, identify gaps and areas for improvement, and define a short- and long-term strategy to enable you to more easily adapt to changes as they occur.