1 Introduction

SAP security and GRC (Governance, Risk & Compliance) are getting more and more important for many of today’s organizations. While traditional systems like HR (Human Resources), ERP (Enterprise Resource Planning), CRM (Customer Relationship Management), SCM (Supply Chain Management) or BW (Business Warehouse) are at the core of fundamental business processes, the move towards SAP HANA, Big Data and cloud solutions introduces another, either parallel or integrated, pillar of technology.

Ensuring an adequate level of security and compliance for the continuously changing SAP infrastructure system landscape is of utmost importance. Achieving compliance to legal and regulatory requirements is one essential business driver. Beyond that, more and more organizations understand that providing an adequate level of security is a key requirement for protecting the organization’s intellectual property and for safeguarding essential business data, e.g. highly sensitive customer information.

Forward thinking organizations integrate strong security into all of their processes and systems which surely is a unique selling proposition for security-savvy partners and customers. An adequate corporate security strategy (typically defined in an appropriate policy framework) covers a wide range of aspects from Audit and Fraud Management to IAM and Risk and Process Management.

Conventional SAP Security focuses on Access Governance, i.e. the management and control of authorizations, users, roles and profiles. This includes role modelling capabilities and the design and implementation of life cycle and workflow processes, including request approval and recertification. A typical next step is the control of business-oriented processes such as applying SoD (Segregation of Duties) rules or maintaining compliance with the principle of least privilege access.

Being highly important criteria, these business aspects must not be the only focus when it comes to SAP security. SAP systems are sophisticated and complex software infrastructures, that have to be secured on every relevant level. Starting at the system level this requires a hardened and well-tested operating system basis. On the network level inappropriate access to the system has to be prevented. All SAP components and all additional third-party components have to be kept up-to-date by applying mature software update management. Comprehensive information (e.g. Security Notes) about required patches and the vulnerabilities of outdated software versions is available. The application of well-defined best-practices for the configuration of individual components and the overall SAP infrastructure is a constant challenge. Detecting and preventing information leakage are probably one of the most important aspects when it comes to protecting essential data assets. When looking at the constantly changing threat landscape involving internal and external threat actors, the real-time detection or prevention of anomalies and undesirable behavior by implementing sophisticated analytics technologies becomes more and more important. Ideally this is complemented by initiating targeted notifications or applying adequate, automated responses.

The market for GRC solutions for SAP systems is rapidly evolving. Akquinet AG, a Hamburg-based German vendor, provides services and solutions in the area of standard software like SAP or Microsoft Dynamics. One main area of expertise is providing software and services for SAP Security and GRC - the SAST SOLUTIONS. Leveraging the experiences and expertise resulting from a substantial number of successful SAP GRC and SAP security projects, AKQUINET continuously improves and extends their own, independent product suite for GRC, access control, and security for SAP environments.