Cybersecurity Extension for SAP, Version 5.2: Support for SAP BTP, Critical Access and SOD for SAP ECC, and More
The new release of the Cybersecurity Extension for SAP is scheduled for general availability in October and includes several important enhancements.
Version 5.2 includes 40+ alerts for security-related incidents in SAP BTP. These include application changes, remote logins, role changes, role grants to users, and cloud transports. The alerts monitor events logged in the BTP central audit log. Events in the log are replicated to the Cybersecurity Extension for SAP to support forensic analysis. Log records include details such as the log event ID, description, timestamp, terminal ID, and application details for each event. Like the existing alerts for ABAP, HANA, and Java system types, as well as databases, operating systems, and SAProuter and Web Dispatcher installations, BTP alerts can be integrated with SIEM solutions for centralized monitoring.
Earlier releases provided coverage for business-level critical access and segregation of duties in SAP S/4HANA. The new release extends the coverage to SAP ECC. Despite the scheduled end of mainstream maintenance for SAP ECC in 2027, many SAP customers have yet to migrate to S/4HANA, and ECC will therefore be a mainstay within the SAP landscapes of many organizations for several more years. Version 5.2 of the Cybersecurity Extension for SAP includes 350+ functional checks for access to sensitive ECC transactions and conflicting combinations of transactions. The checks cover processes such as Finance, HR and Payroll, Materials Management, Order to Cash, and Procure to Pay in ECC. Users can add custom checks for transactions and combinations not included in the standard ruleset, including custom transactions. The coverage includes all of the relevant access risk IDs monitored by SAP GRC for ECC. Users and user groups can be excluded from specific checks to tune the coverage and prevent false positives. Usage rights are included in the standard license for the Cybersecurity Extension for SAP.
The new release also includes checks and alerts for the deactivation of SAP UI Masking & UI Data Protection Masking solutions. The solutions protect access to sensitive data in SAP user interfaces by masking or clearing fields. The contents of the fields containing sensitive data are only revealed to users with the required roles or attributes.
Finally, version 5.2 includes alerts for the execution of new ICF services with known security vulnerabilities. The services are not yet widely known or included in the scope of vulnerable ICF services that should be deactivated based on SAP recommendations in frameworks such as the SAP Security Baseline. There are also additional checks for the Secure Storage in the File System (SSFS), new sensitive transaction codes, dangerous function modules and external programs, and dynamic changes for specific security-related profile parameters.