Secure handling of digital business processes in SAP systems matters just as much to small and midsize enterprises (SMEs) as to large corporations. SMEs should approach security as comprehensively as possible. For SAP systems this covers not only roles and authorizations but every component of the IT infrastructure. Because SAP solutions increasingly communicate over HTTP, back-end databases are in effect exposed to documents arriving from outside, and users reach their companies' IT systems via the Internet.
Extending the protection of live systems
“SAP software landscapes have changed for good in recent years. While new SAP technologies, such as SAP NetWeaver, open up a wide range of possibilities for Internet-based business management, they increase the risk of unauthorized access to data and applications at the same time,” explains Eric Rotzoll, security expert for SAP applications at the SAP service provider itelligence in Bielefeld. “This poses new challenges in terms of the security of SAP systems,” he adds. All areas of an SAP application, including the base technology, data transfer and exchange, system access, and authorizations, therefore need appropriate scrutiny.
The topic is becoming more critical as SAP NetWeaver technologies such as SAP Enterprise Portal (SAP EP) and SAP Business Intelligence (SAP BI) are integrated into mySAP All-in-One industry-specific solutions, and the same applies to small companies that use SAP Business One. The link to a parent company or, for suppliers, to an OEM is provided by SAP Exchange Infrastructure (SAP XI). Companies also need to extend the protection of their live systems, since in the worst case the SAP environment itself can be compromised by computer viruses.
SAP has responded by extending its “SAP Certified Integration” certification to cover interfaces for virus scanners. The first certified vendor of virus detection software is H+BEDV Datentechnik in Tettnang with its “AntiVir” product range. SAP administrators can use the certified AntiVir adapter to specify which documents and program files are scanned on import into, or export from, the SAP environment. According to SAP, there are now more than 50 certified security software interfaces for SAP solutions, covering digital signatures, encryption, signed and encrypted document storage and transfer (Secure Store and Forward), directory services, external authentication, risk management, secure network communication, system analysis, and user administration.
Using SAP security features
SAP applications themselves also ship with comprehensive security features. Beyond the traditional role and authorization concept, these include authentication based on Single Sign-On, tokens, certificates, or a Public Key Infrastructure (PKI). Interfaces are protected by encryption, for example Secure Network Communications (SNC) for SAP's own DIAG and RFC protocols, or Secure Sockets Layer / Transport Layer Security (SSL/TLS) for HTTP. Secure Store & Forward (SSF) lets data in the SAP environment be digitally signed and encrypted, so that documents in a workflow remain confidential and attributable to a specific user. SAP also provides a cryptographic library for reliable partner authentication and encryption of communication. An automated security check, the Security Optimization Service (SOS), analyzes security-relevant weaknesses such as user roles and authorization settings in the SAP environment and summarizes them in a report, so that administrators can find and eliminate vulnerabilities more quickly. In every case, SAP systems need to be at the latest patch level, configured according to the SAP security guides, and all communication must be encrypted.
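The paragraph above lists the controls but not how an administrator verifies that they are actually switched on. The following script is an added example, not SAP's Security Optimization Service or any other SAP code: it parses SAP-style instance profile text (`name = value` lines, `#` comment lines) and flags parameters that fall outside a baseline. The parameter names (`snc/enable`, `snc/accept_insecure_gui`, `snc/accept_insecure_rfc`, `login/min_password_lng`, `login/fails_to_user_lock`, `login/password_expiration_time`, `icm/server_port_N`) are real SAP profile parameters; the threshold values in `BASELINE` and both sample profiles are assumptions constructed for this example, not SAP's official guideline values.

```python
"""Constructed example: a minimal profile audit in the spirit of an automated
security check. It reads SAP-style instance profile text and reports
parameters whose values fall outside a baseline. The parameter names are real
SAP profile parameters; the thresholds in BASELINE and the sample profiles are
assumptions made for this example, not SAP's official guideline values."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample profile, deliberately weak: SNC off, insecure logons
# accepted, short passwords, no expiry, and a plain-HTTP ICM listener.
WEAK_PROFILE = """\
# Instance profile (constructed sample)
SAPSYSTEMNAME = DEV
INSTANCE_NAME = D00
snc/enable = 0
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
login/min_password_lng = 4
login/fails_to_user_lock = 12
login/password_expiration_time = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

# Same profile after hardening (also constructed).
HARDENED_PROFILE = """\
SAPSYSTEMNAME = DEV
INSTANCE_NAME = D00
snc/enable = 1
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
login/min_password_lng = 12
login/fails_to_user_lock = 5
login/password_expiration_time = 90
icm/server_port_0 = PROT=HTTPS,PORT=44300
"""


@dataclass
class Finding:
    parameter: str
    actual: Optional[str]   # None when the parameter is not set at all
    expected: str
    reason: str


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines. A later definition overrides an earlier
    one, matching how the profile is read top to bottom."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def _int_ok(pred: Callable[[int], bool]) -> Callable[[str], bool]:
    """Wrap a numeric predicate so a non-numeric value counts as a failure."""
    def check(value: str) -> bool:
        try:
            return pred(int(value))
        except ValueError:
            return False
    return check


# (parameter, check, expected value, why it matters). Thresholds are
# assumptions for this example, not SAP's guideline values.
BASELINE: list[tuple[str, Callable[[str], bool], str, str]] = [
    ("snc/enable", lambda v: v == "1", "1",
     "SNC disabled: DIAG and RFC traffic is unencrypted"),
    ("snc/accept_insecure_gui", lambda v: v == "0", "0",
     "SAP GUI logons without SNC are still accepted"),
    ("snc/accept_insecure_rfc", lambda v: v == "0", "0",
     "RFC connections without SNC are still accepted"),
    ("login/min_password_lng", _int_ok(lambda n: n >= 8), ">= 8",
     "minimum password length too short"),
    ("login/fails_to_user_lock", _int_ok(lambda n: n <= 5), "<= 5",
     "too many failed logons allowed before the user is locked"),
    ("login/password_expiration_time", _int_ok(lambda n: 0 < n <= 90), "1..90",
     "passwords never expire or expire too late"),
]

_ICM_PORT = re.compile(r"^icm/server_port_\d+$")


def audit(profile_text: str) -> list[Finding]:
    """Return one Finding per parameter that deviates from the baseline."""
    params = parse_profile(profile_text)
    findings: list[Finding] = []
    for name, check, expected, reason in BASELINE:
        actual = params.get(name)
        if actual is None:
            findings.append(Finding(name, None, expected,
                                    "not set; verify the kernel default applies"))
        elif not check(actual):
            findings.append(Finding(name, actual, expected, reason))
    # Every ICM listener should be HTTPS; PROT=HTTP means clear-text HTTP.
    for name, value in params.items():
        if _ICM_PORT.match(name):
            opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
            if opts.get("PROT", "").upper() == "HTTP":
                findings.append(Finding(name, value, "PROT=HTTPS",
                                        "plain HTTP listener; traffic is unencrypted"))
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_PROFILE):
        print(f"{f.parameter}: got {f.actual!r}, expected {f.expected} ({f.reason})")
```

Run as a script, the audit of `WEAK_PROFILE` lists seven deviations, while `HARDENED_PROFILE` produces none. A real check would read the profile from `/sapmnt/<SID>/profile/` and compare against the current SAP security guide rather than the constructed thresholds used here.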
“SAP systems do in fact contain a wide range of security functions,” summarizes Rotzoll. “The problem is that many companies that use SAP don’t take full advantage of the available security functions.” This is confirmed by a survey of some 40 SAP-using companies in Switzerland conducted by the Information Security Society Switzerland (ISSS). The study's author, Jörg Altmeier, managing director of the IT consultancy wikima4, rates the overall security level of SAP systems in Switzerland as high but identifies a series of shortcomings. Half of the companies felt there were far too many authentication mechanisms, and the systems' standard security management tools were under-used. The study also found that SAP users lack security awareness and consequently handle sensitive data carelessly, particularly when exporting SAP data for further processing in Office applications or printing it. Even the best security functions and initiatives are useless if nobody uses them.
Increasing security of information in SMEs
SAP is aware of its responsibility in the area of security, which is why the corporation is supporting the “Deutschland sicher im Netz” (Germany safely online) initiative. SAP intends to use its commitment to the initiative to educate and support especially SMEs in increasing the security of their business applications. This includes aspects such as secure software development and teaching secure programming and IT security in university IT courses.
Because small firms in particular often lack the resources to put every security aspect comprehensively into practice, SAP will publish a supplementary set of security guidelines that gives a quick overview of the relevant aspects of IT security, with the aim of raising users' security awareness and anchoring it in corporate culture. The guidelines are expected in the first half of 2005. In addition, SAP will offer its customers a free automated security-check tool later this year, which will examine key infrastructure components of the SAP environment for vulnerabilities and security risks.
Security makes business more profitable
To keep their systems secure in the long term, SAP users also need to audit compliance with the relevant standards regularly and document it through a certification. Existing vulnerabilities are then identified and remedied before they become expensive, and audited companies are better protected against claims for damages than unaudited ones. In Germany, this duty follows from corporate law and the “Gesetz zur Kontrolle und Transparenz im Unternehmensbereich” (German Act on Control and Transparency in Business, KonTraG). If an SME has established a company-wide risk management strategy that includes IT, this can also improve its credit rating under Basel II. “If SMEs recognize IT security as a means of making business processes more efficient and as a result more profitable, then they have already come a long way,” summarizes Rotzoll.
There is therefore no way around comprehensive security concepts. IT security covers more than technology; it also extends to organization and people. On the organizational side, clearly defined roles, processes, and rules keep business processes running without gaps. On the technical side, “only those services that are actually needed should be made available,” states Rotzoll. The biggest weakness, however, remains the third pillar, the human element, which is why Rotzoll predicts that there will “never be 100% security.”