
Security Compliance for SAP RISE / Cloud ERP
Guidance for complying with security hardening requirements for SAP RISE / SAP Cloud ERP
Are you an SAP RISE / SAP Cloud ERP customer or System Integrator for SAP customers? Are you considering RISE with SAP/ Cloud ERP for your transformation journey? Are you aware that SAP customers are required to comply with strict security standards as part of their SAP contracts? Failure to do so may impact support from SAP and lead to legal risks.
This article provides practical guidance for understanding the security requirements for SAP customers. It will discuss how you can use the Cybersecurity Extension for SAP (CES) to ensure quick, effortless and cost-effective compliance with the requirements. CES is an SAP-certified addon that automates compliance management for SAP RISE/ Cloud ERP security requirements.
Your Security Obligations for SAP RISE/ Cloud ERP Solutions
Solutions such as S/4HANA Cloud provisioned and supported by SAP as part of the RISE with SAP / Cloud ERP business transformation offering adhere to the principle of Secure by Default. This means the solutions are delivered to customers with specific settings that are embedded into system builds to comply with security standards defined by SAP.
Customers can modify settings in SAP solutions after delivery. This can occur during implementation and migration projects, and also during the run or operational phase for transformations. The changes can expose systems to security risks. To address customer changes that may undermine Secure by Default settings, and to provide general guidance, SAP defines security requirements for customers in note 3250501 – Information on Mandatory Security Parameters & Hardening Requirements for ABAP Systems in SAP Enterprise Cloud Services (ECS). SAP regularly updates the note with new requirements, so customers need to monitor it for updates.
The requirements are mandatory: SAP customers must comply with them. Failure to comply may impact the terms and conditions for support as part of RISE with SAP / SAP Cloud ERP. It may also impact liabilities in the event of security incidents and breaches.
The requirements cover the following areas for RISE systems:
Since SAP customers are accountable for managing the configuration of the ABAP stack in their systems, the requirements are intended to align customer responsibilities to SAP’s cloud security framework for protecting RISE/ Cloud ERP systems from cyber threats.
Overall, there are more than 130 requirements for systems such as S/4HANA Cloud. The requirements must be met for each SAP System ID (SID) in every environment within RISE system landscapes. Based on the evidence of numerous compliance scans performed by Layer Seven Security, 100% of RISE systems are non-compliant with one or more requirements. The average compliance level is just 77%.
Auditing compliance across multiple systems in each landscape is a complex and resource-intensive process. Auditing also needs to be continuous since changes can reverse security hardening and lead to configuration drift. Benchmarks for compliance also need to be regularly updated in line with changes in SAP requirements.
The Cybersecurity Extension for SAP addresses these challenges by automating compliance audits for SAP RISE / Cloud ERP systems. The SAP-certified addon performs daily automated scans to identify compliance gaps in solutions such as S/4HANA. Interactive dashboards enable users to monitor compliance and drill down to findings. The addon also enables users to maintain and track remediation plans for compliance gaps. Detailed reports are available in formats such as PDF, CSV and Excel, with options for scheduling and automatic email distribution. The benchmarks in the addon are regularly updated for changes in SAP RISE security requirements.
The Cybersecurity Extension for SAP requires approximately 6 hours of effort from SAP Basis and Security teams to install and configure, supported by our Solution Engineers. The software is installed in SAP systems using the SAP Add-On Installation Tool SAINT.
Once installed, the Cybersecurity Extension for SAP scans the target systems for compliance gaps. The results are available immediately and can be analyzed using applications accessed from the SAP Fiori launchpad. The solution also supports monitoring for other security frameworks such as NIST, GDPR, SOX and PCI-DSS, as well as SAP frameworks such as the SAP Security Baseline and the SAP Security Guide for S/4HANA.
The Cybersecurity Extension for SAP enables organizations to meet security obligations in SAP RISE / SAP Cloud ERP as part of a shared model of responsibility with SAP.
In addition to compliance management, the Cybersecurity Extension for SAP supports:
The Cybersecurity Extension for SAP ensures your SAP RISE/ Cloud ERP systems are compliant, protected and equipped for audits and certifications. Flexible licensing options let you choose between 30–90-day terms for one-time assessments or 12–36-month plans for sustained monitoring. From targeted security assessments to continuous monitoring, contact Layer Seven Security to discuss how you can leverage the Cybersecurity Extension for SAP to comply with SAP security requirements for RISE/ Cloud ERP solutions and protect your mission-critical SAP systems from cyber threats.