Following on from our recent introduction to our SAP Security and Authorisations (S&A) team, we have carried out a Q&A with Senior SAP Application Management Services (AMS) consultant Will Dunkerley and SAP AMS consultant Laurel Christer to get some more in-depth insights on best practices in S&A and understand its vital role in ensuring seamless operations for SAP users.
What makes S&A such an important area of SAP?
WD: It’s not just important; it’s fundamental to a functioning SAP implementation. Security underpins every functional and technical element of an SAP system. Without effective security, there’s a constant risk to your data, finances, intellectual property, reputation and system availability.
LC: There are also legal responsibilities depending on location such as GDPR for those operating in Europe or Sarbanes-Oxley for many in the US. There are also some industry-specific regulatory frameworks such as HIPAA in healthcare where a breach from inadequate security could lead to a significant financial penalty for your organisation.
What kind of S&A-related work have you been doing at The Config Team?
WD: The S&A team gets involved in all elements from project work to general security support. We provide authorisations to support delivery projects, including software implementations for solutions such as PreBilt™. We also do lots of work around SAP S/4HANA migrations and public and private cloud.
LC: We also work with SU25 upgrades, technical user security and general role management and support. We often begin a relationship with a customer through an EarlyWatch Alert (EWA) report review or other vulnerability assessment and develop our relationship from there.
What do you think S&A’s importance is to The Config Team’s projects?
LC: Any development providing new or updated functionality in SAP includes an authorisations deliverable. This ensures the development functions correctly and that both end users and technical users are appropriately authorised, maintaining Segregation of Duties (SoD) and audit compliance. While some customers can handle this themselves, we can take on this workload to ensure the solution is fully functional and secure. Because we deliver authorisations in a best-practice format, this also makes future management easier for the customer.
WD: It’s important for the S&A team to get involved early on in project work so we can build and shape the requirements from the get-go and help ensure a smooth go-live. Although at The Config Team we’re rightfully known as the SAP supply chain experts, our authorisation work spans all functional modules, especially more recently as our S&A team has grown. Lots of our customers are talking to us about SAP S/4HANA migration, private and public cloud and global template projects. With that comes an even greater need for S&A expertise to make sure the solutions delivered are secure and future-proof.
What have been some highlights for you in your career in SAP S&A?
WD: We’ve delivered projects for some very large global organisations with a vast in-house SAP resource, but I get just as much satisfaction from helping those businesses with smaller internal SAP teams secure their systems. It’s nearly always a work in progress, but every step we take improves their security. I always enjoy passing knowledge on to customers and seeing them develop their own security skills and awareness. It’s particularly satisfying when we close vulnerabilities that the customer wasn’t even aware of, so they couldn’t possibly mitigate or remediate them. Those “unknown unknowns” used to keep me awake at night as a security manager, so it’s great to help others resolve them and give them peace of mind.
LC: I always find it really satisfying to meet a customer and fix what may be a big issue to them, but to me is an interesting challenge. One of the things I love about how The Config Team operates is that best practice is a core fundamental rather than a marketing buzzword. It’s great to help fix issues and educate customers on how to do things correctly, ultimately improving their overall level of security and knowledge.
Are there any common challenges or pain points you frequently come across in your customer work?
WD: Yes, the biggest issue we tend to see with customers is that their authorisation concept is badly maintained and as a result it deteriorates from day one, resulting in security vulnerabilities and significantly increased management costs. Because we specialise in best practice authorisations management, we design, build and maintain authorisations that are robust, sustainable and scalable as the business grows or streamlines. When a customer’s role admins don’t follow the same approach, they can do more harm than good.
LC: Agreed, one example of this is with RFC or batch users, who over time can become massively over-authorised and open to abuse. Often the customer isn’t even aware of this risk (for those reading, this may be worth checking out!). A best practice authorisation approach will control this risk and make future management of such technical users easier and less risky.
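One way to start "checking out" the technical-user risk described above, as an added example that is not part of the original interview or The Config Team's tooling: it reviews a constructed user-master extract (user ID, SAP user type A/B/C, assigned profiles) and flags system or communication users holding the SAP_ALL or SAP_NEW profiles, plus service-style accounts that are still dialog users. The column names, the `RFC_` naming convention and the sample rows are assumptions made for the example.

```python
import csv
from io import StringIO

# Constructed sample extract (not real customer data). USTYP follows the SAP
# user master convention: A = dialog, B = system (batch/RFC), C = communication.
SAMPLE_EXTRACT = """\
BNAME,USTYP,PROFILES
RFC_MES,B,SAP_ALL;SAP_NEW
BATCH_BILLING,B,Z_BATCH_BILLING;Z_DISPLAY_ONLY
RFC_EDI,C,Z_RFC_EDI;SAP_ALL
JSMITH,A,Z_SD_CLERK
RFC_LEGACY,A,Z_RFC_LEGACY
"""

# Profiles that should never sit on a technical user in a production system.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}
TECHNICAL_TYPES = {"B", "C"}
SERVICE_PREFIXES = ("RFC_", "BATCH_")  # assumed naming convention, adjust per customer

def parse_extract(text):
    """Parse the CSV extract into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))

def review_technical_users(rows):
    """Return one finding dict per risky user, in extract order."""
    findings = []
    for row in rows:
        profiles = {p.strip() for p in row["PROFILES"].split(";") if p.strip()}
        critical = sorted(profiles & CRITICAL_PROFILES)
        if row["USTYP"] in TECHNICAL_TYPES and critical:
            findings.append({"user": row["BNAME"],
                             "issue": "critical profile on technical user",
                             "profiles": critical})
        elif row["USTYP"] == "A" and row["BNAME"].startswith(SERVICE_PREFIXES):
            # A dialog-type service account can log on interactively; it should be type B or C.
            findings.append({"user": row["BNAME"],
                             "issue": "service-style account is dialog type",
                             "profiles": []})
    return findings

if __name__ == "__main__":
    for f in review_technical_users(parse_extract(SAMPLE_EXTRACT)):
        print(f"{f['user']}: {f['issue']} {f['profiles'] or ''}".rstrip())
```

Run against a real extract (for example from SUIM or a USR02/UST04 download), the same loop gives a first list of technical users to bring under a best-practice role design.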
What role do you see S&A playing in SAP’s future, and what are you excited about?
WD: S&A will always be an integral part of SAP’s future because the security of your data is paramount. As security tools such as SAP GRC provide more assistance and automation of general audit and compliance, the risk tends to shift more towards complex security vulnerabilities, and this provides us with a lot of interesting and varied work. As SAP encourages customers towards S/4HANA solutions in either private or public cloud, this is an area we are very much looking forward to working on with more new customers.
LC: At the same time our core work revolves around support services and ad hoc S&A project work, which is always varied and interesting regardless of the platform, so we are also looking forward to more of the same!
What would be one piece of advice you’d give to someone who is reading this but doesn’t know where to start?
LC: As I mentioned earlier, our relationships with customers often start with a vulnerability assessment like an EWA report review. I would recommend you start off by simply looking at your own EWA report. It comes as standard, is easy to download and provides critical insights into lots of areas like potential security vulnerabilities, outdated components, missing HotNews notes and critical authorisations.
WD: If you need help interpreting the report, have any uncertainties, or simply want a second opinion on a specific aspect, I suggest reaching out to S&A experts (like us!) to begin the roadmapping process. It’s never too late to enhance your security, but it’s essential you start somewhere, and this is an excellent starting point.
To organise an EWA report review or discuss how our technical AMS experts can help with any of your support or project requirements, get in touch today.
