SAP Security Maturity: A Crash Course

Author: Ivan Mans
Date published: 9 May 2024
Read time: 6 minutes

The Systems, Applications, and Products (SAP) platform is a suite of software applications used by 99 of the Fortune 100 companies and nearly 270 million cloud-based users worldwide.1 Organizations typically run their SAP Enterprise Resource Planning (ERP) systems alongside SAP Supplier Relationship Management (SRM) and SAP Human Capital Management (HCM) environments. These integrated solutions improve decision making through centralized data storage, analytics, and reporting systems that give enterprises new insights for better business processes.

Often, the SAP platform grows so large that organizations lose track of its complexity, because sprawl creates more attack vectors and opens the door to bad actors. Insecure network sprawl puts additional pressure on IT professionals to identify vulnerabilities. Network vulnerability identification is a small part of hardening the SAP platform, and most individuals who enter this realm discover it is an ongoing process, not a destination.

Every journey toward SAP security should begin with IT staff identifying control weaknesses by bringing all stakeholders on board: security, audit, and compliance teams alike. This process often makes enterprises realize that many areas of their business are undocumented and unorganized. Such a realization can trigger a series of spot checks and raise awareness of where the first SAP security responsibilities begin. As the SAP maturity journey moves into the phase of putting processes and policies in place and defining and implementing various standards, it is critical to define these new responsibilities clearly.

After responsibilities are defined, the organization reaches a proactive state in which activities are automated and implementations are fully monitored. Having reached these levels, they can move into the security information and event management (SIEM) integration phase, wherein extended security controls, risk management integration, artificial intelligence (AI) support, and continuous improvements are made. However, an SAP security journey cannot succeed without first establishing a well-defined SAP baseline.

Defining the SAP Baseline

The SAP security baseline can be thought of as a blueprint of the optimal future state that will help achieve secure operations and configurations. The blueprint resembles an inverted pyramid where the broad base is the top level, representing the combination of external and internal requirements and third-party recommendations, which is critical to providing valuable insights.

Vendor recommendations are key. They yield expert insight based on extensive experience with organizations' SAP environments. However, while these external guidelines are invaluable, the heart of the baseline often reflects the enterprise's culture, inherent values, and unique approaches to challenges.

The SAP security strategy is at the inverted pyramid's core; it consists of the guiding principles (e.g., strategy, people, process, technology) that shape the vendor recommendations and the enterprise culture. The human factor cannot be underestimated. The attitudes of employees and vendors toward an effective SAP security model can be an asset or an obstacle. Motivated and conscientious individuals streamline the implementation of security controls, while apathetic individuals tend to make the task arduous.

Finally, at the tip of the inverted pyramid is the Concepts level. SAP security concepts can be broken down into access control, data security, and application security. These concepts play a key role in building the SAP security baseline and are the foundation for all other considerations. It is worth noting that the SAP Operations Map is a valuable tool to help establish the baseline. This tool is divided into 5 layers, segmented into 16 blocks.2 When used in combination with the inverted pyramid levels, it helps guide users in developing a holistic SAP security baseline.

Audit Observations

The inverted pyramid baseline helps guide organizations through a logical process of assembling the information required for secure SAP operations. However, this structured security information also plays another important role in helping to streamline platform audits. Remember, auditors are not the enemy. They are a valuable collaboration resource. Organizations must document every action related to processes, configurations, changes, or access logs to prepare for an audit. This documentation gives auditors clarity and serves as a key reference point during events such as security breaches or audits.

When an auditor reviews an SAP system, their top 10 observations generally are:

  1. Insecure RFC—Remote Function Call (RFC) destinations contain stored credentials. RFC users have privileged authorizations (e.g., SAP_ALL) that can be leveraged for lateral movement in the SAP landscape.
  2. Patch management—Long-standing, well-known, high-severity SAP Security Notes are not taken into account, manual corrections are not made, and a patch strategy is not implemented.
  3. Critical authorizations—Critical profiles are assigned to dialog and system users. Necessary access rules are missing from the rule book, and custom code does not include authorization checks.
  4. Change management—Critical objects and tables are transported and changed directly in production or test phases. Program differences are identified between production and nonproduction.
  5. User IDs—Security-critical activities cannot be traced back to a named user, and standard users/authorizations are copied to custom users (e.g., …).
  6. Passwords—Old password algorithms are used, access to password hashes is not protected, and security policies are overridden.
  7. Transformation—Security is not embedded and the security baseline is not updated (e.g., with S/4HANA and BTP requirements).
  8. Gateway—No restrictions are set in the Sec_info and Reg_info files to prevent unauthorized external program starts and external connections.
  9. Logging—Critical activities are not logged, log files are incomplete, and audit log filters are in place.
  10. Governance—The target operating model is nonexistent, the baseline must be adhered to, and a proper management view is required for decision making.
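Two of the observations above (1, stored RFC credentials for users holding SAP_ALL, and 8, unrestricted gateway Sec_info/Reg_info rules) can be checked mechanically before the auditor arrives. The following Python script is an added example, not code from the article or from SecurityBridge: it parses the gateway ACL file format (VERSION=2 permit/deny rules with KEY=VALUE tokens) and flags permit rules that are wildcarded on every restricting key, then cross-checks a list of RFC destinations against the profiles assigned to their target users. All input data (the two ACL files, the destination list, and the profile assignments) is constructed inline, and the destination record layout is this example's own, not an SAP export format.

```python
"""Added example: baseline checks for two common SAP audit findings.

- Gateway ACLs (reg_info / sec_info): permit rules with '*' on every
  restricting key allow any host (and, for sec_info, any user) to start or
  register external programs. Rules are evaluated first-match, so one such
  rule near the top makes later deny rules irrelevant.
- RFC destinations: a destination that stores a logon for a user holding a
  critical profile (SAP_ALL, SAP_NEW) lets anyone who can use the
  destination act with that user's authority.
All sample data below is constructed for this example.
"""

# Constructed gateway ACL files (same syntax as the real files: a
# '#VERSION=2' header, then P(ermit)/D(eny) rules with KEY=VALUE tokens).
REG_INFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=rfcexec HOST=app01.example.internal ACCESS=internal CANCEL=internal
D TP=*
"""

SEC_INFO = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=sapxpg USER=batchadm HOST=app01.example.internal USER-HOST=app01.example.internal
D TP=*
"""

WILDCARD = "*"


def parse_acl(text):
    """Parse reg_info/sec_info text into a list of rule dicts, in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and the version header
            continue
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        rules.append({"line": lineno, "action": action, "fields": fields})
    return rules


def permissive_rules(rules, keys):
    """Permit rules where every key in `keys` is '*' or absent.

    Treating an absent key as unrestricted is a deliberately conservative
    assumption of this example, so that a rule is never silently accepted."""
    return [r for r in rules
            if r["action"] == "P"
            and all(r["fields"].get(k, WILDCARD) == WILDCARD for k in keys)]


def audit_gateway(reg_text, sec_text):
    """Return (file, line, fields) for each unrestricted permit rule."""
    findings = []
    checks = (("reg_info", reg_text, ("TP", "HOST")),
              ("sec_info", sec_text, ("TP", "USER", "HOST")))
    for name, text, keys in checks:
        for r in permissive_rules(parse_acl(text), keys):
            findings.append((name, r["line"], r["fields"]))
    return findings


# Constructed RFC destination records (field names are this example's own).
RFC_DESTINATIONS = [
    {"name": "PRD_TO_HR", "target_user": "RFC_HCM", "stored_password": True},
    {"name": "PRD_TO_SRM", "target_user": "RFC_SRM", "stored_password": True},
    {"name": "PRD_TO_BW", "target_user": None, "stored_password": False},
]
# Constructed profile assignments for the destinations' target users.
USER_PROFILES = {"RFC_HCM": {"SAP_ALL", "SAP_NEW"}, "RFC_SRM": {"Z_RFC_SRM_MIN"}}
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}


def risky_rfc_destinations(destinations, profiles, critical=CRITICAL_PROFILES):
    """Destinations that store a logon for a user holding a critical profile."""
    out = []
    for d in destinations:
        if not d["stored_password"]:
            continue
        held = profiles.get(d["target_user"], set()) & critical
        if held:
            out.append((d["name"], d["target_user"], sorted(held)))
    return out


if __name__ == "__main__":
    for name, line, fields in audit_gateway(REG_INFO, SEC_INFO):
        print(f"[gateway] {name} line {line}: unrestricted permit rule {fields}")
    for dest, user, profs in risky_rfc_destinations(RFC_DESTINATIONS, USER_PROFILES):
        print(f"[rfc] {dest}: stored logon for {user} holding {', '.join(profs)}")
```

Run on the constructed data, the script reports the first permit rule of each ACL file and the PRD_TO_HR destination; PRD_TO_SRM is not reported because its user holds only a custom minimal profile. In a real landscape the ACL files come from the gateway's configured locations and the destination and profile data from the system, but the checks themselves stay the same.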

Conclusion

Securing any SAP environment requires meticulous attention and expertise at every phase. Many enterprises must understand that they have security gaps, especially in documentation and organization, and ignoring these issues only makes them worse. The good news is that well-defined templates exist to help organizations establish SAP security processes that lead to success. Clear communication across all departments is the foundation of that success.

In addition, recognizing and addressing potential vulnerabilities is crucial, as showcased by the audit observations. The detailed insights that audits provide underscore the need for constant vigilance and adaptation. By heeding these observations and incorporating the lessons learned, organizations can strengthen their defenses, ensuring that their SAP environments are compliant and resilient against evolving threats.

Ivan Mans

Is an experienced SAP technology consultant who has worked in the SAP space since 1997. In 2012, he co-founded SecurityBridge. In his current role as chief technology officer (CTO), he is a motivated driver who inspires people and pushes technology, contributing to the continuous innovation of the SecurityBridge Platform. In recent years, Mans has been a regular speaker at SAP events where he evangelizes about SAP security.

1 SAP, "The History of SAP"
2 SecurityBridge, "SAP Security Operations Map," 22 November 2021