How Configuration Drift Can Put Your SAP S/4HANA System at Risk
An SAP IT security team can spend months identifying and sorting out SAP S/4HANA security risks. Patches are implemented. User access and security settings are tightened. Mandatory ABAP settings are in place, and all the compliance boxes are checked.
This is important. Secure by Default settings, user role and authorisations settings, security patching, basis settings, and a host of other security settings and configuration are vital to ensuring a secure S/4HANA environment.
But then, over time, small changes start to creep in. A setting here, an authorisation there, and before you know it, exposures are everywhere. Your current state no longer matches the hardened state you signed off on.
It’s drifted.
What Is Configuration Drift?
Configuration drift happens when the actual settings of your systems no longer match the baseline, or intended, configuration.
Let’s take a current, practical example.
SAP recently published SAP Note 320501 listing a mandatory set of security parameters. It lists 81 SAP system profile parameters and 17 other settings for ABAP systems in SAP ECS.
Around 20 of these are secure-by-default settings; the rest must be set manually. Suppose your SAP security team sets out to ensure each of these is in place and reports back that it is all done.
This is when configuration drift begins.
Over time, manual changes, software updates or emergency fixes undo some of these settings. Initially, maybe just one or two are no longer compliant, but that can easily grow to 5 or 10, or more.
In the best case, your systems are merely non-compliant. In the worst case, an attacker finds one of those openings first and your systems are compromised. Even small deviations can have big consequences.
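The check described above, and the continuous "tell me the moment something changes" point made later under managing drift, come down to two comparisons: actual profile parameters against a baseline, and one snapshot against the previous one. The following is an added example, not code from the original article and not smarterSec's product; the parameter names are genuine SAP ABAP profile parameters, but every value and the sample profile text are constructed for illustration and are not the mandatory values from any SAP Note. It also assumes a simple `name = value` profile-file layout in which a later line overrides an earlier one and `#` starts a comment.

```python
"""Baseline-versus-actual comparison for SAP ABAP profile parameters.

Added example (not the article's or smarterSec's code). Parameter names are
real SAP profile parameters; all values and the sample profiles below are
constructed and are not claimed to be any SAP Note's mandatory values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines in profile-file style (DEFAULT.PFL / instance
    profile). Assumptions: '#' to end of line is a comment, blank lines are
    ignored, and a later occurrence of a parameter overrides an earlier one."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def _same(expected: str, actual: str) -> bool:
    """Lenient value comparison: switches such as ON/on are equivalent, so
    compare case-insensitively and ignore surrounding whitespace. Different
    numbers are never treated as equal."""
    return expected.strip().casefold() == actual.strip().casefold()


@dataclass
class DriftReport:
    compliant: list[str] = field(default_factory=list)
    drifted: dict[str, tuple[str, str]] = field(default_factory=dict)  # name -> (expected, actual)
    missing: list[str] = field(default_factory=list)  # not set at all: kernel default applies

    @property
    def is_compliant(self) -> bool:
        return not self.drifted and not self.missing


def check_against_baseline(baseline: dict[str, str], actual: dict[str, str]) -> DriftReport:
    """Classify every baseline parameter as compliant, drifted or missing."""
    report = DriftReport()
    for name, expected in sorted(baseline.items()):
        if name not in actual:
            report.missing.append(name)
        elif _same(expected, actual[name]):
            report.compliant.append(name)
        else:
            report.drifted[name] = (expected, actual[name])
    return report


def changes_since(previous: dict[str, str], current: dict[str, str]) -> dict[str, tuple[str | None, str | None]]:
    """Diff two snapshots so a change is raised when it happens, not at the
    next audit. None means the parameter was absent in that snapshot."""
    changes: dict[str, tuple[str | None, str | None]] = {}
    for name in previous.keys() | current.keys():
        before, after = previous.get(name), current.get(name)
        if before is None or after is None or not _same(before, after):
            changes[name] = (before, after)
    return changes


# Constructed baseline: illustrative values only, not a Note's mandatory ones.
BASELINE = {
    "login/min_password_lng": "12",
    "login/password_expiration_time": "90",
    "login/fails_to_user_lock": "5",
    "login/no_automatic_user_sapstar": "1",
    "rdisp/gui_auto_logout": "1800",
    "snc/enable": "1",
    "system/secure_communication": "ON",
}

# Constructed day-0 snapshot taken right after hardening was signed off.
SNAPSHOT_DAY0 = """
# instance profile excerpt (constructed)
login/min_password_lng = 12
login/password_expiration_time = 90
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
rdisp/gui_auto_logout = 1800
snc/enable = 1
system/secure_communication = on
"""

# Constructed day-90 snapshot: an emergency fix relaxed the lockout threshold,
# an update dropped the auto-logout line, and a late override shortened the
# minimum password length.
SNAPSHOT_DAY90 = """
login/min_password_lng = 12
login/password_expiration_time = 90
login/fails_to_user_lock = 99      # "temporary" change during go-live
login/no_automatic_user_sapstar = 1
snc/enable = 1
system/secure_communication = ON
login/min_password_lng = 6
"""

if __name__ == "__main__":
    day0, day90 = parse_profile(SNAPSHOT_DAY0), parse_profile(SNAPSHOT_DAY90)
    report = check_against_baseline(BASELINE, day90)
    for name, (exp, act) in report.drifted.items():
        print(f"DRIFTED  {name}: expected {exp}, found {act}")
    for name in report.missing:
        print(f"MISSING  {name}: not set, kernel default applies")
    for name, (before, after) in sorted(changes_since(day0, day90).items()):
        print(f"CHANGED  {name}: {before!r} -> {after!r}")
```

Run against the day-0 snapshot the report is fully compliant; against the day-90 snapshot it flags two drifted parameters, one missing parameter, and three changes since the last known-good state. Treating a missing parameter as a finding rather than silently accepting the kernel default is deliberate: an update that drops a line is exactly the kind of drift that audits by hand tend to miss.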
Why configuration drift matters
There are many good reasons why configuration drift matters and should be a concern to every SAP IT and SAP Security Team. It may seem like a small issue, but over time, it can create serious security and operational risks.
For example:
Increased vulnerability
One of the biggest problems with configuration drift is that it opens the door to security vulnerabilities. When security settings change without being tracked or reviewed, systems can become exposed to threats.
Compliance issues
Another problem with configuration drift is that it pushes systems out of compliance. This can lead to failed audits, fines, or even legal trouble if data is compromised.
Data and network security
If SAP application settings drift from their secure state, they can act like an open window in your network. Attackers look for these weak spots. Similarly, if access controls drift and someone outside the finance team gains access to payroll data, that’s a data breach waiting to happen.
How configuration drift happens
Drifting is usually unnoticeable. It happens gradually. But sooner or later, when you look up, you’re in a different place.
A user authorisation is widened for a short-term need and never narrowed again. A Basis administrator changes a profile parameter to troubleshoot a problem and forgets to set it back. Or a setting applied as part of a security patch is overwritten by a later update.
SAP systems are complex. They have layers of settings: user access, authentication, cloud connections, APIs, user roles, ABAP settings, Basis settings, and so on. The list is long.
A lot of people are involved. Internal people of various experience levels. Out-sourced MSPs or AMS partners. People from different areas within the team.
When there is a lot that can change and a lot of people are involved, invariably configuration drift will occur.
Managing configuration drift
In keeping SAP environments secure, consistency is key; however, it is almost impossible to maintain a consistent environment by hand. Deviations are difficult to detect, and most SAP security teams have enough on their plate keeping up with security patches. There is little time to conduct regular security audits.
This is where automation steps in and solutions such as smarterSec do the work.
For example, smarterSec knows each of the settings listed in the SAP Note cited above and whether each is set to its mandatory value.
So, initially, smarterSec can tell you whether you are compliant, and once you are, it will immediately let you know if something changes.
Drift is arrested. Systems remain compliant. Security settings are maintained.
About Leg Up Software
Leg Up Software is an expert in SAP IT operational and infrastructure software automation solutions.
We know the SAP operations and infrastructure automation solutions landscape and have already done the legwork identifying the best available solutions.
We have excellent relationships with many software vendors, including smarterSec mentioned here, and can negotiate an evaluation process that best suits your circumstances and budget.
Why not set up a time to start the conversation by putting something on our calendar?