Critical Security Considerations
For many organizations, SAP infrastructure is the beating heart of the business, hosting business-critical data and operations. Organizations need improved availability so all necessary teams can connect to business processes, and as a result they prioritize moving enterprise workloads to more flexible platforms. This requirement has increased the complexity of SAP environments, which makes it even more difficult for organizations to secure their systems. Security teams must strike a delicate balance: protecting that data from outside threats and malicious actors while also ensuring that SAP environments have the right availability and access for members of the organization.
Common security issues like cyberattacks can affect not just the SAP system, but also other connected systems. Issues like limited visibility and unpatched systems increase the likelihood of cyberattacks, as well as other system failures. When dealing with an interconnected SAP landscape, one issue can cause problems throughout the entire landscape. It is vital that organizations not only consider how to reduce the risk of cyberattacks but also ensure that their overall platform is secure.
Of course, all organizations want to be as secure as possible. But the reality is many are not sure how they should go about securing their platforms. SAPinsider spoke with Grant Bennett, Global Vice President of SAP Sales at SUSE, to highlight five key considerations all organizations should make when designing their SAP infrastructure security strategy.
Secure, Reliable SAP Operating System
All security experts focusing on SAP will undoubtedly focus on the SAP landscape, but it is also critical that the SAP infrastructure is underpinned by a reliable operating system. Organizations should prioritize an OS with features that complement and enhance everything that SAP can do.
“Organizations should ensure that their infrastructure includes a robust and secure operating system that leverages automation with management tools that have best practices baked into the code of the operating system by default. They should seamlessly integrate with SAP security tools and high-level security tools that you could have in your orientation, and that is prepared for other environments like edge containers,” said Bennett.
SAP offers endorsements for certain preferred operating systems on their website so users can find an OS that has proven to be reliable and easy to use in the context of SAP. Using an operating system that does not have built-in best practices can leave gaps in a security matrix.
Key Security Certifications
One of the best ways to determine which operating system to use is to ensure that it has the highest levels of security and cryptographic certification. Some key certifications to look out for include:
- FIPS 140-2
- Common Criteria EAL4+
- Defense Information Systems Agency (DISA)
Certifications provide organizations with a list of processes to follow, providing security teams with a template for setting up their systems and reaching a required threshold of security. Companies should also ensure that they meet certification requirements for any industry-specific regulations and best practices that may apply.
Integration with SAP Platform Security Features
SAP offers its own security solutions, like SAP HANA Firewall and SAP Antivirus. But these are only useful if they are properly integrated with a user’s OS. To help enforce best practices, many SAP users rely on SUSE Trento to monitor the full SAP stack, validate systems, and propose fixes when users fail to adhere to those best practices.
One of the most common security mistakes that organizations make is thinking that safeguarding the SAP landscape is just the responsibility of the security team. In reality, all team members in all parts of the organization must make security a priority.
“Security must be transversal. It must be pervasive throughout the organization, for all processes, and all systems that you have,” said Bennett.
Vulnerability and Patch Management Tools
Operating systems sometimes cannot be patched because they are not configured to provide the right patching ability, which compromises security.
“Users need the right management tools to know which vulnerabilities they have, which patches they need, and the status of the security of their environment,” said Bennett.
After installing SAP, organizations sometimes forget that they need a vulnerability management tool and a patch repository because they are only thinking about day one. But long-term considerations are critical, and teams must consider which processes they are going to have in place for their entire security journey.
Security across the Entire SAP Landscape
Security implementations should cover the entire IT infrastructure. This includes containerized and edge environments, OS, applications, and more. To minimize risk, organizations should ensure that their SAP environment is homogenous.
“Some customers choose to have the HANA database in one operating system and the application service in another. It is very important to keep the homogeny of the full SAP environment because it's the only way to be able to have full visibility. This reduces risk because you have the same life cycles and throughout the SAP environment,” said Bennett.
Cloud Implications
SAP users should take note that the cloud is not necessarily secured by default. Cloud security requires its own specific configurations and guides. Moving to the cloud for the first time is an involved process, and it takes time to connect, regardless of what type of cloud environment a user is connecting to.
“Organizations need to understand how to integrate so they can face this challenge. This is the most important requirement; to understand that cloud security does not happen by default. Every environment is different. Users need health checks to make sure the environment has been set up to meet the requirements of their business processes,” said Bennett.
Secure SAP Platform
SAP infrastructure and its associated extensions are business critical. Cyberattacks, downtime, and other operational risks can cost companies more than just the money it takes to fix the problem; lost sales, lost customers, and reputational damage are risks that businesses simply cannot afford to take.
SUSE offers solutions to automate manual tasks that can lead to errors, misconfigurations, and other vulnerabilities. It offers a secure SAP platform, regardless of where you run SAP, because organizations need a consistent level of security and reliability. You can visit SUSE at Sapphire to learn more about securing your SAP environment at www.suse.com/secure-sap