The NO MONKEY Security Delta for SAP

Understand why security starts with PEOPLE and how a holistic approach can help your organization secure your SAP systems.

14 - 04 - 2021

A delta in computing is the difference between two things or values. When it comes to SAP security, this delta exists on two levels. The first level arises from the three lines of defense: operations, security, and audit. The second level comes from an organization's three main assets: people, process, and technology. Finding solutions or services that close the gaps in this field of action of the NO MONKEY Security Delta can be a daunting task. The difficulty is not a shortage of companies offering solutions to protect SAP systems; it is finding a holistic approach that addresses both levels.

To take a deeper look at what a holistic approach to security means, we begin with a common scenario. Organizations usually focus their effort on acquiring a large amount of technology to protect their valuable assets. Processes are implemented or updated only when an audit comes knocking. Finally, to address people security, they run the good ol’ security awareness training and campaigns to achieve compliance. While not an awful approach, we continuously see it fail.

To understand why this approach fails, the following sections inspect the issues that arise and briefly introduce the ways in which NO MONKEY ADVISORY addresses them across both levels.

People

“They are up to no good!”


While awareness and phishing campaigns are necessary, we regularly underestimate, or ignore altogether, our employees' skills, knowledge, and will (or lack of them) to protect valuable assets and to let security drive business requirements and goals. Employees run the processes of operating, maintaining, deploying, and implementing those technologies; where the skills and expertise to handle a technology are lacking, risks manifest and turn into issues or threats. Identifying these skill and knowledge gaps gives organizations several options for addressing them: moving resources (people) to areas where they are competent, delivering the training required to enhance their skills, or hiring qualified people.

Another common issue we have identified in protecting SAP systems is the communication and interaction gap between the three lines of defense (operations, security, and audit). You have surely heard the phrase “security is everyone’s responsibility” countless times, but take a moment to think about the different responsibilities of each line of defense: are they defined, and do the people in each of these areas have a clear understanding of them? Coming back to that phrase, responsibility and communication gaps between the three lines of defense need to be identified and addressed.

How can we help?

The services defined in the NO MONKEY Security Delta that address people security across the three lines of defense are designed to resolve the issues presented above. The goals these services address include:

  • Finding responsibility and skill gaps within your teams.
  • Identifying opportunities within your teams that may support areas with little to no responsibility.
  • Identifying communication gaps between the three lines of defense.
  • Conducting table-top exercises to find additional threats and vulnerabilities across the three lines of defense.
  • Identifying behavioral gaps against different subjects, areas, and situations of the organization.


Processes

“Nice to have, strenuous to maintain, and auditors love them.”


Processes are a vital part of an organization’s success in driving business goals and requirements. When creating or adopting processes around protecting assets in SAP solutions, companies regularly fail to link them with the rest of their processes, or are unaware of how to do so. Several factors cause these issues to surface. First, there is little information available on SAP security processes. Second, organizations lack a maturity model or baseline, and a way to include their use of SAP in security governance areas such as risk management, change management, and configuration management. Finally, one of the primary reasons that processes are an afterthought in SAP security is that external and internal auditors are mostly unaware of, and unskilled in, this area.

How can we help?

The services defined in the NO MONKEY Security Delta that address processes across the three lines of defense are designed to resolve the issues presented above. The goals these services address include:

  • Identifying an organization's maturity level in protecting the SAP environment based on known standards and methodologies.
  • Implementing missing security controls that are critical to the organization.
  • Identifying solutions, vendors, and applications that aid the organization in increasing their SAP security posture.
  • Reviewing and evaluating the existing Software Development Life Cycle (SDLC) process to identify gaps and potential risks.


Technology

“Our go-to punching bag to resolve all our problems.”


Technology for securing an SAP environment is abundant. Choosing the right tool for your organization can be difficult for several reasons: whether your employees have the knowledge to operate it, whether the tool can fulfil the organization's security requirements, and, not least, whether a budget exists. The pain points that prevent a successful implementation of tools meant to secure SAP environments or to detect and prevent threats to them are numerous. A few to consider:

  • The communication channels used within and between the technologies are not secure.
  • The resources and processes needed to operate the technology are not in place, so it cannot achieve the organization’s security objective.
  • The tools are not configured or used appropriately to identify and prevent threats.
  • The vendor and technology are not flexible enough to keep up with the changing threat landscape and the organization's IT operating model.
  • The technology vendor does not provide diligent support.
  • No baseline exists for securing the technology itself.

How can we help?

The services defined in the NO MONKEY Security Delta that address technology across the three lines of defense are designed to resolve the issues presented above. The goals these services address include:

  • Conducting a vulnerability assessment against the SAP systems to identify evident vulnerabilities and threats.
  • Reviewing the network security measures in place to protect your SAP environment.
  • Conducting a penetration test to identify exploitable vulnerabilities affecting the organization's SAP environment.
  • Identifying insecure protocols in use across the network.
  • Identifying vulnerabilities in the organization's network design, policies, and assets that may affect the SAP environment.
  • Identifying flaws and weaknesses in ABAP-based third-party or custom applications and interfaces.


The NO MONKEY Security Delta is designed to balance security needs and requirements between the first level (the three lines of defense) and the second level (the three main assets of an organization) through the services offered by NO MONKEY ADVISORY; further information on the different services is available from NO MONKEY ADVISORY. The holistic approach mentioned earlier begins with understanding what is in your arena of assets that help secure SAP systems, and this always needs to start with the organization's vital asset, PEOPLE.

Start by asking yourself the questions below; if you need help answering them, contact us.

  • Do you have people that understand SAP operational risk and are capable of translating these risks to the security team?
  • Does your security team understand SAP security?
  • Can your people verify the controls in place that maintain a maturity level in securing SAP?
  • Is your internal or external audit addressing SAP security controls?
  • Are you capable of identifying SAP threats and addressing them in a timely manner?
  • Is your technology helping you identify or detect SAP vulnerabilities or threats?

What do you think?

We're happy to get in touch with you and learn about your view. Feel free to send us a message.


About the Author

Waseem Ajrab, Head of SAP Security Advisory, NO MONKEY
  • Security professional with over seven years of experience
  • Involved in several areas of cybersecurity, such as red team activities, blue team activities, audit, and compliance
  • Certified CISSP, OSCP, ISO 27001 Lead Auditor, CEH, Cisco CCNA
