What Are Companies Currently Concerned About When It Comes to SAP Security?
To get a realistic picture of the current threat situation, we asked our SAP security experts Daniel and Nils. They provide insights from their daily consulting practice and report that SAP security is often treated as an isolated special topic in everyday business life, turning the SAP system into a black box.
The lack of communication between SAP departments and central IT security is particularly challenging. There is often a veritable wall between the departments, meaning that risks remain undetected for a long time. Information security officers also often feel uncertain when dealing with SAP systems.
“The biggest problem is that those responsible do not look at risks together and SAP security is often viewed in isolation. Risks from SAP should be assessed in the same way as in the rest of the IT area.”
What Risks Are Often Underestimated in SAP Systems?
Many companies assume that their SAP systems are secure, but internal threats in particular are underestimated. Unlike traditional external IT attacks, internal perpetrators play a central role in the SAP context. A particularly common mistake is the generous granting of permissions: Employees are given extensive rights (keyword: SAP_ALL), often out of convenience or ignorance. “We cannot emphasize this enough: excessive permissions are one of the biggest weaknesses,” our experts conclude. The risk is not always malicious; sometimes processes are simply completed in the shortest possible way, with far-reaching consequences in the audit.
Another serious problem is patch management. Security updates are often installed too late or not at all.
“Unpatched SAP systems are a gold mine for attackers. After each patch is released, a race begins, and those who are too late open the door to attackers and risk serious security incidents.”
In addition to patch management and authorization management, logging within the SAP system is a frequently overlooked aspect. Many companies set the relevant parameters incorrectly or do not activate the audit log at all. However, it is now essential to be able to trace what has happened in the system, and this is only possible with proper logging and effective alerting. Once again, this highlights the fact that SAP must not be a black box.
The Three Biggest Risks in SAP Systems at a Glance
How Will SAP Security Develop in the Coming Years?
The basics remain the same: patching and clean authorization management are still the foundation. However, the technical landscape is changing rapidly. Hybrid architectures, cloud services, and multi-vendor environments are significantly increasing complexity. Whereas in the past, all systems were located in a single data center, today they are distributed and networked. This makes it even more important to view SAP not in isolation, but as part of the overall IT infrastructure. Otherwise, the proverbial house of cards threatens to collapse.
What Does SAP Security Mean to You Personally?
Security is primarily understood as a matter of trust. “Security means that I can trust my system and my company tomorrow, just as I do today.” Anyone who invests in SAP security is ultimately investing in the future viability of their business.
Our Top Tips for Enhanced SAP Security
At least 8 to 15% of your IT budget should be allocated to security. For critical infrastructures, financial service providers, or data-intensive business models, the budget is often significantly higher. "Security is always a cost factor, but never a profit factor. Nevertheless, it is an investment in your own trustworthiness and the future viability of your company." A proven budget split is 80% for prevention (e.g., awareness, system hardening, monitoring) and 20% for response (backups, emergency management, recovery).
Consistently Patch and Check Authorizations
These basics should be a regular part of your agenda: keep your systems up to date and regularly review your authorization management for compliance. "We cannot emphasize this enough: patching and authorization management are absolutely essential."
Many attacks or incidents go unnoticed because logs are missing or incorrectly configured. The bare minimum is being able to trace what has happened, and that is only possible with proper alerting and logging. This is the only way to take targeted action when needed.
How Does in4MD Service Support Companies with SAP Security?
Our consulting process starts with an individual analysis: Together with the client, we assess their current situation and identify what is truly needed. Only after this step do we carry out a detailed pre-audit to uncover vulnerabilities and areas requiring action. Whether triggered by a security incident, an audit, or existing services, our approach is always methodical and tailored to the client’s specific needs.
We take a holistic view of SAP Security and support companies across all areas of security. Our range of services includes:
- SAP Security Consulting: Comprehensive analysis and assessment of your SAP security posture.
- Monitoring & Managed Security Services: Continuous monitoring of your systems to ensure maximum transparency and rapid response.
- Patch Management: Development and implementation of efficient patch processes to quickly address security vulnerabilities.
- Authorization Management: Optimization and control of permissions to avoid over-privileging and minimize risks.
- SAP Security Workshop & Roadmap: Together, we build a customized SAP Security roadmap for your company.
With this holistic approach, we ensure that all security-relevant aspects are considered – from strategy through to operational implementation.
Conclusion: SAP Security Is a Matter of Trust
SAP security does not take care of itself. Companies cannot simply assume that their systems are secure by default; instead, they must take proactive measures and continuously make adjustments. Patching, authorization management, and logging remain the most important actions, and we cannot stress this enough. Those who master these basics and review them regularly lay the foundation for a secure SAP landscape in the long term. Only in this way can SAP transform from a risk factor into a trustworthy part of your IT security strategy.

