
Security Compliance for SAP RISE Solutions

Key Takeaways

⇨ SAP RISE systems follow standard builds with default security settings.

⇨ CES automates security assessments for RISE solutions, providing detailed reports.

⇨ CES enables easy access to compliance results and scheduling reports for proactive security management.

S/4HANA and other ABAP systems provisioned by SAP for RISE customers are based on standard system builds. The builds include default settings to apply security by default based on hardening requirements and best practices. The settings are outlined in SAP Note 3250501 – Information on Mandatory Security Parameters & Hardening Requirements for ABAP systems in SAP Enterprise Cloud Services (ECS).

The requirements include recommended settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must abide by to comply with SAP security standards for RISE solutions.

The Cybersecurity Extension for SAP (CES) performs automated gap assessments to ensure RISE solutions comply with SAP security requirements. The assessments are performed using Compliance Reporting, accessed from the CES launchpad. SAP RISE should be selected from the framework selection screen.

Once the framework is selected, a target system can be chosen from the available systems in the SAP RISE landscape and the ‘Execute’ option can be clicked. The results are then summarized for each requirement, with an overall compliance score calculated for the system. Each requirement can be expanded to show its detailed findings. Further information for each finding can be accessed by clicking on the > icon, enabling the creation of an action plan to manage the remediation of compliance issues.

Report filters can be used to focus on specific requirements or results, for example by suppressing compliant areas to isolate compliance failures. Shortcuts can be created and published to the Fiori launchpad for fast access to compliance results. These shortcuts can also be published as custom tiles to existing or new work groups.

Compliance reports can be scheduled to run at regular intervals, with automatic distribution in PDF or CSV format to recipients via email during each run. The Cybersecurity Extension for SAP is an SAP-certified add-on for SAP Solution Manager and SAP Focused Run. An add-on version for other SAP NetWeaver AS ABAP systems such as SAP GRC is expected in Q4 of this year.
