SAP Security: Between Wish and Reality

Recently, the German-speaking SAP User Group e.V. (DSAG) again surveyed a select group of members, including companies from Switzerland, on the subject of SAP security. The survey was divided into a general and a subject-specific part and yielded, among other things, this finding: security by default, security by design and security management tools are urgently needed, and SAP must make a decisive contribution to this.


According to the DSAG trend analysis, the willingness to invest additionally in the security of SAP systems has fallen by 13 percent to 42 percent compared to the previous year. In addition, the view prevails across all company sizes that cloud solutions require different security strategies and concepts than conventional solutions. This is a topic on which 91 percent of large companies and 88 percent of small companies agree. "We also demand security by design and security by default for the cloud environment. The DSAG Cloud Security working group is addressing this issue," comments Dr. Alexander Ziesemer, spokesman for the DSAG Security & Vulnerability Management working group.

Security Dashboard required

Only 11 percent (previous year: 15 percent) use a security dashboard to gain an overview of their security-specific settings; 76 percent do not use one (previous year: 72 percent). A proper dashboard is the central prerequisite for developing and implementing the better security concepts that are imperative. "We already communicated the requirement for a standard for a comprehensive SAP security dashboard to SAP last year. Unfortunately, there has not yet been a solution for this," summarizes Dr. Alexander Ziesemer.

There is also a gap of several percentage points between wish and reality in terms of satisfaction with SAP's support for system security. Only 4 percent of respondents gave this a grade of 1 (grade 6 in Switzerland) and 18 percent a grade of 2 (grade 5 in Switzerland). A grade of 3 (grade 4 in Switzerland) was awarded by 49 percent. These values have deteriorated compared to 2018. "This is a clear indication that even better support is needed from SAP in the form of regular up-to-date white papers, recommendations for action, and security guides," says Dr. Alexander Ziesemer, explaining the result.

According to the survey, these are used for the company's internal SAP security guidelines (72 percent), as guidance during operations (64 percent) and as an argumentation aid vis-à-vis management and business departments (48 percent).

Security by default required

In the technical part of the survey, one of the topics was the demand for security by default. In other words, security components in new releases and services should be delivered already activated as standard. While 78 percent of respondents said this in 2018, 84 percent expect this "service" from SAP one year later. "The close cooperation with SAP shows that more security by default is also possible for the future. Significant progress has already been made in specific areas such as encryption, logging and monitoring," says Dr. Alexander Ziesemer.

Security in the on-premise area remains important

Large companies (45 percent) and midsize companies (41 percent) see integrating SAP cloud products into an appropriate security concept as a very big challenge. Only 35 percent of small companies share this impression. Interestingly, however, the topic of the cloud did not make it into the top three of the most important areas for action. As last year, security by default is in first place, followed by SAP security policies. Patch management took third place, displacing SAP security awareness. "For companies, security issues around on-premise will continue to be a focus alongside cloud security. Because not all that glitters is cloud," summarizes Dr. Alexander Ziesemer.

Conclusion of the survey

The central finding of the trend survey is that more security by design and by default is still an important requirement. Better security concepts, especially in the cloud environment, are absolutely essential, but are still difficult to implement without a proper dashboard. In other words, more standards and even better support from SAP are needed in the area of SAP security. DSAG is already working with SAP on this topic.

However, Dr. Alexander Ziesemer also derives specific recommendations for action for user companies from the results: "Gain transparency about the security and landscape of your SAP systems for planning further activities. Start with security basics such as interfaces, encryption and settings." The key, he said, is to bring IT security awareness to all levels, from employees to executives to managers. In addition, he said, it is important to regularly update SAP security policies due to the high pace of innovation. Furthermore, new SAP systems should be installed with the essential current security settings (security by default). Outsourced systems, e.g. in the cloud, should not be forgotten either; they also need to be securely connected to the corporate network.

Source: www.dsag-ev.ch
