Preamble
Every company must secure its IT landscape, and each does its utmost with the resources available to implement what is necessary. However, when implementing comprehensive security measures, those responsible encounter obstacles that consume so many resources that the work is often not completed or even begun. SAP addresses this problem head-on with the “Secure by Default” concept (SbD), which guarantees a minimum level of security that can be implemented as efficiently as possible with the resources available.
What does “Secure by Default” mean?
SAP has now taken the initiative to set clear recommendations for configurations. When updates or migrations involve the SL Toolset (Software Logistics Toolset) or SUM (Software Update Manager), the recommended settings are applied automatically and stay active unless the user deactivates them (see SAP Note 2926224). SbD sets a new, more secure standard by providing concrete guidance instead of leaving the decisions to the user.
Which systems use the “Secure by Default” concept?
SbD is used in all SAP S/4HANA and SAP BW/4HANA systems. Anyone moving to S/4HANA will be affected by this. The following graphic shows the different scenarios in which the concept is and is not applied.
How can I check which configurations will be changed?
Before migrating to S/4HANA, you must first determine which configurations will be converted using SbD and whether they can be retained. The automatic setting of parameters can have significant consequences, so it is essential to perform a compatibility check before migrating the data.
SAP provides an Excel overview of all configurations that are automatically set by SbD. This list is available as an attachment to SAP Note 2926224. You must manually check your system settings against it to determine whether they are at the same level of security or a lower one.
For instance, the SACF configuration (Switchable Authorization Check Framework) is now enabled by default. SACF allows you to activate additional authorization checks in specific scenarios. Without SACF scenarios, additional functional authorization checks will not be enforced.
What happens if I do not perform a compatibility check?
A compatibility check is essential to avoid unexpected complications during the new system’s initial setup. Without it, the availability and functionality of applications will be significantly impacted.
To avoid potential migration issues like this, it is essential to perform a comprehensive compatibility check in advance.
How can smarterSec help?
The smarterSec Security Platform (SSP) automates processes and controls for your SAP systems. The SSP provides a comprehensive audit catalog that immediately identifies compatibility issues during S/4HANA migration. This approach prevents potential problems and saves valuable time and costs.
Is my SAP landscape sufficiently secured by “Secure by Default”?
The name “Secure by Default” creates the false impression that this concept is guaranteed to be secure as part of the standard. In fact, there are still many open points, which is why SAP recommends taking much more extensive measures.
The following aspects, among others, must be checked:
- Insecure standard users
- Custom code security
- Assignment of critical authorizations, roles and profiles
Protecting your SAP landscape is important, and SbD is a crucial step in doing so. It’s essential to take action now when it comes to SAP security and not wait until the transition to S/4HANA. The most efficient way to secure your SAP systems is through automated tools.
What does the smarterSec Security Platform offer?
SAP systems must be monitored continuously and automatically using comprehensive vulnerability analyses to ensure they are adequately secured. The smarterSec Security Platform (SSP) does this for you. It monitors all security and compliance-relevant settings and events in your SAP system landscape.
The integrated best practices cover the security and compliance of ABAP and HANA-based SAP systems and thus ensure platform-independent, comprehensive protection.