
SAP S/4 Hana projects seem set to repeat security missteps

Management consultancy Turnkey’s managing director, Richard Hunt, cautions SAP customers not to repeat errors of the past by making security an expensive afterthought

SAP customers who are bracing themselves to move from ERP Central Component (ECC) to the supplier’s more modern S/4 Hana enterprise resource planning (ERP) system should take care not to repeat past mistakes of failing to make their new systems secure from the start.

This is the gist of an SAP security report from Turnkey Consulting, which specialises in the security and governance of SAP implementations. So far, so unsurprising, but the firm’s managing director and founder, Richard Hunt – also a Computer Weekly Security Think Tank contributor – has understated but expert advice to offer to SAP user organisations.

Hunt’s firm is a management consultancy that focuses on delivering, either directly or with others, SAP Security and SAP Governance, Risk and Compliance (GRC) systems. It has offices in the UK, the US, Germany, Switzerland, Malaysia, Singapore and Australia.

He says systems integrators (SIs) are often guilty of failing to implement SAP ERP systems securely upfront, which means companies end up having to carry out costly remediation projects, patching up security flaws that have been uncovered either by audits, or worse, hacks.

“With SIs,” he says, “there’s a lot of focus on getting the functional part right.”

This means the overriding priority is to get the system implemented, with the question of who has access to which parts of that system left as an afterthought.

“And security doesn’t always have an ROI [return on investment] – it’s intangible until you have a breach.”

Managing access risks

One basic hygiene principle in implementing an ERP is to ensure segregation of duties, whereby at least two individuals are responsible for the separate parts of any task. However, the Turnkey report, which surveyed just over 100 SAP customers at managerial level or above from the UK, Europe, Asia and the US, says that “often, organisations don’t have the right tools in place (such as risk analysis tools which utilise an SoD [segregation of duties] matrix) to shine a light on underlying access risks”, and that “given the granular and complicated authorisation concept used in SAP, identifying issues without such tools can be nigh on impossible”.

While this sounds technical, it can have severe consequences if not done properly, says Hunt.

“You can’t have the same person responsible for running payroll also able to change details of employees’ bank accounts. These duties need to be segregated to remove opportunities for fraud,” he says. “This happens more than you would think. It’s not the sort of thing companies tend to shout about. If, say, someone with sudden gambling debts is presented with the opportunity to commit fraud, they may be more tempted to do that.”


More than two-thirds (68.8%) of SAP users, according to the report, believe their organisations have put insufficient focus on IT security during previous SAP implementations, and 53.4% indicate that it is “very common” for SAP security flaws to be uncovered during the audit process. 

The research also revealed that most respondents were not fully equipped to manage risk. A fifth (20.8%) felt most businesses did not have the skills and tools to effectively secure their SAP applications and environment, with 64.3% saying they only had some skills and tools.

Nine out of ten (93.2%) people thought it was likely that an SAP audit would flag access management issues. Privileged or emergency access was also a major concern, with 86.4% believing it was “common” or “very common” to have audit findings specifically related to it.

“The findings of this survey mirror our day-to-day experiences – SAP security is often an afterthought on SAP deployments, with the result that not enough time and resource is allocated to the essential security activities that need to take place throughout the project,” says Hunt.

“However, it is encouraging to see that boardroom awareness is growing as the general business environment becomes increasingly focused on compliance, data protection and cyber security. This understanding will drive organisations to take the critical step of designing security into implementations from day one.”

Big changes ahead

Turnkey said, in a statement alongside the report, it undertook the research to “determine organisations’ preparedness as the SAP landscape undergoes a time of transition and the adoption of S/4 Hana approaches” and that “SAP ERP offers extensive user benefits in terms of increased interconnectivity and mobility, but risks leaving SAP applications and infrastructure open to exploitation”.

Hunt says his own and his firm’s experience suggests that organisation-spanning information security teams in companies tend not to have enough involvement in SAP projects and, moreover, project-specific SAP security professionals tend to have limited scope – essentially, determining who has access to what.

“Things fall between the cracks. CISOs [chief information security officers] are stepping up to take more accountability, but SAP teams aren’t responsible for securing the applications in their entirety, while IT security teams aren’t always involved in SAP projects,” he says, pointing out that it is a structural failure of governance, though the picture is changing.

“SAP applications come out of the box mainly insecure. But they have all the things you need to secure them, lots of bolt-ons for specific things, like fraud. The issue is that these all require thought, effort and resources to get the security right. So, while there is an equivalent of Microsoft’s Patch Tuesday, a lot of companies don’t have a robust strategy for managing that.”

This would all matter less if SAP had not reinvented its ERP. But it has. The leap from ECC 6 to S/4 Hana – though it might prove beneficial in the long run – is a big one.

“The big deal is that it’s a shift in an SAP platform that hasn’t been made for some time,” says Hunt. “Hana is a new data platform that means increased speed, but is still a new database. And then there is the ability to use the cloud-based element and take advantage of the web-based interface of SAP Fiori – again that is a lot of change.”

Mass migration to S/4 Hana

But are ECC 6 customers on the move in large numbers? Hunt says his sense is that they are. “We’ve seen an increase in the past two to three years. My sense is there are around five times more projects over the past year than in the previous one. Every customer has some kind of S/4 Hana plan – the challenge will be that everyone will want to access the same [third party implementation] resources at the same time,” he says.

As for the Covid-19 public health crisis, he says: “Everything that was up and running before the crisis is still going. Some customers have kicked pending projects down the road to the end of the year, others are spreading them out. We haven’t seen cancellations, but I wouldn’t rule that out.”

The firm’s report says: “A key final step in the security element of S/4 Hana migration is to consider the impact of SAP Fiori – SAP’s new primary user interface. Due to the architecture of the new technology, security of the user interface itself must now be taken into account when designing back-end roles. Many systems integrators do not tackle this challenge effectively and default to recommending the implementation of the SAP standard business roles, which are rarely sufficient.”

It also states: “With only 170 standard roles in the new system, compared to around 4,000 roles in ECC 6, S/4 Hana’s standard roles are not sufficiently segregated to minimise risk.”

Expanding on these points, Hunt describes Fiori as a new concept that needs to be got right. “A lot of customers are falling into the trap of using the standard roles, but they don’t necessarily have the right level of segregation of duties – these need to be tailored for each business,” he says.
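To make the two points above concrete, here is an added example written for this article; it is not Turnkey’s tooling, SAP’s GRC software or anything from the report. It models a small S/4-style landscape in plain Python: back-end roles that start transaction codes, Fiori catalog roles that expose app tiles, a mapping of business functions to the transactions that perform them, and an SoD matrix of function pairs that one person must not hold together (including the payroll and bank-details pair Hunt describes). The user, role, catalog and app names are constructed; the transaction codes and their mapping to business functions are assumptions for illustration and would in practice be taken from an organisation’s own SoD ruleset. For each user it answers two questions: which conflicting function pairs can they execute, and do their Fiori tiles line up with their back-end authorisations.

```python
"""Toy SoD-matrix and Fiori/back-end alignment check over constructed data.

Illustrative example only. Role, catalog, app and user names are made up;
the transaction codes and their mapping to business functions are assumptions
for the example, not a real SoD ruleset.
"""
from itertools import combinations

# Business function -> back-end transaction codes that perform it (assumed).
FUNCTION_TCODES = {
    "run_payroll":           {"PC00_M08_CALC"},
    "maintain_bank_details": {"PA30"},
    "create_vendor":         {"FK01"},
    "post_vendor_invoice":   {"FB60"},
    "pay_vendor":            {"F110"},
}
TCODE_FUNCTION = {t: f for f, ts in FUNCTION_TCODES.items() for t in ts}

# SoD matrix: unordered pairs of functions no single user may hold together.
SOD_MATRIX = {
    frozenset({"run_payroll", "maintain_bank_details"}),  # Hunt's example
    frozenset({"create_vendor", "pay_vendor"}),
    frozenset({"post_vendor_invoice", "pay_vendor"}),
}

# Back-end (PFCG-style) roles -> transaction codes they allow a user to start.
BACKEND_ROLES = {
    "STD_HR_ADMIN":   {"PC00_M08_CALC", "PA30"},  # broad "standard" bundle
    "HR_PAYROLL_RUN": {"PC00_M08_CALC"},          # tailored split of the ...
    "HR_MASTER_DATA": {"PA30"},                   # ... same access
    "AP_CLERK":       {"FK01", "FB60"},
    "AP_PAYMENTS":    {"F110"},
}

# Fiori app tile -> the back-end transaction the app ultimately needs.
FIORI_APPS = {
    "ManagePayrollRun": "PC00_M08_CALC",
    "MaintainEmployee": "PA30",
    "CreateSupplier":   "FK01",
    "PostSupplierInv":  "FB60",
}
# Front-end catalog roles -> the tiles they expose on the launchpad.
FIORI_CATALOGS = {
    "CAT_HR_ALL":     {"ManagePayrollRun", "MaintainEmployee"},
    "CAT_HR_PAYROLL": {"ManagePayrollRun"},
    "CAT_AP":         {"CreateSupplier", "PostSupplierInv"},
}

# Constructed user assignments.
USERS = {
    "alice": {"backend": {"STD_HR_ADMIN"},            "fiori": {"CAT_HR_ALL"}},
    "bob":   {"backend": {"HR_PAYROLL_RUN"},          "fiori": {"CAT_HR_PAYROLL"}},
    "carol": {"backend": {"AP_CLERK", "AP_PAYMENTS"}, "fiori": {"CAT_AP"}},
    "dave":  {"backend": {"HR_MASTER_DATA"},          "fiori": {"CAT_HR_ALL"}},
}


def backend_tcodes(user):
    """All transaction codes the user's back-end roles let them start."""
    return set().union(*(BACKEND_ROLES[r] for r in USERS[user]["backend"]))


def fiori_apps(user):
    """All tiles the user's Fiori catalogs put on their launchpad."""
    return set().union(*(FIORI_CATALOGS[c] for c in USERS[user]["fiori"]))


def sod_violations(user):
    """Conflicting function pairs one user can execute.

    Evaluated on back-end transactions, not tiles: a transaction granted by
    a PFCG role is executable (e.g. via SAP GUI) whether or not a tile exists.
    """
    funcs = {TCODE_FUNCTION[t] for t in backend_tcodes(user) if t in TCODE_FUNCTION}
    return sorted(tuple(sorted(p)) for p in combinations(funcs, 2)
                  if frozenset(p) in SOD_MATRIX)


def fiori_alignment(user):
    """Tiles with no matching back-end auth, and back-end auth no tile exposes.

    The former breaks the app at runtime; the latter is access the user holds
    but nobody sees on the launchpad, so it is easy to miss in a UI-only review.
    """
    tcodes = backend_tcodes(user)
    apps = fiori_apps(user)
    exposed = {FIORI_APPS[a] for a in apps}
    return {
        "broken_tiles": sorted(a for a in apps if FIORI_APPS[a] not in tcodes),
        "backend_without_tile": sorted(tcodes - exposed),
    }


def report():
    """Per-user findings for the whole constructed landscape."""
    return {u: {"sod": sod_violations(u), "fiori": fiori_alignment(u)} for u in USERS}


if __name__ == "__main__":
    for user, findings in report().items():
        print(user, findings)
```

Two things the output illustrates. First, alice holds the single broad role and trips the payroll/bank-details rule, while bob, on the tailored split, does not; that is the difference between accepting a standard bundle and designing roles around the SoD matrix. Second, carol’s payment run (F110) is reachable from her back-end role but has no tile, and dave has a payroll tile with no back-end authorisation behind it, which is the front-end/back-end mismatch the report warns about. A real analysis would evaluate authorisation objects and field values, not just transaction codes, but the structure of the check is the same.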
