
SAP RISE: Don't fire your security team just yet.



I sat through a recent SAP-run webinar on SAP RISE security. If I didn't know better, I'd have left believing that with RISE, SAP does it all. The systems are secure, and there is nothing further to do.

Unfortunately, this is most definitely not the case.

There were at least three crucial security components where the customer's significant responsibilities were left out.

1. SAP security notes application

2. SAP security risk analysis and risk remediation

3. SAP security monitoring

So, let's look at these and see what the presenters could have included to better inform SAP customers looking into SAP RISE.

You can check this by referring to SAP's "RISE with SAP S/4HANA Cloud, private edition and SAP ERP, tailored option Roles and Responsibilities" document.

SAP RISE security notes application

Applying SAP security notes is one of the most important regular security activities an SAP team can perform.

Therefore, one would expect SAP's RISE standard services to take care of the Security Notes application, and you could rest easy.

However, the SAP RISE service provider isn't responsible for non-critical notes application, any associated manual activities, non-ABAP stack notes application or testing.

You must arrange for these activities to be taken care of outside a standard RISE services agreement.

SAP RISE security risk analysis and risk remediation

Understanding the vulnerability status of your SAP system and remediating identified risks is another critical security measure one would expect an SAP RISE implementation to take care of.

However, SAP RISE doesn't include risk analysis and risk remediation as standard SAP RISE services.

SAP RISE services don't analyse and identify SAP system security risks, remediate identified risks, or provide any RFC security support.

These are activities you must take care of yourself or make other arrangements for.

SAP RISE security monitoring

To ensure a secure SAP RISE infrastructure, one would expect SAP RISE to include a monitoring service. It doesn't.

Standard SAP RISE services don't include security monitoring, reporting on security KPIs, or remediation of identified risks.

Once again, you must arrange for monitoring services either with your internal team, or by other means.

Filling in the gaps

To fill in the gaps, you have several options:

· Purchase a relevant Cloud Application Services package,

· Raise Service Requests for your SAP RISE services provider to do the additional work,

· Complete the work internally, or

· Contract an AMS provider to do the work on your behalf.

Therefore, you must understand what the scope of services includes, the variable nature of the services, and how you can be assured the work is done.

Two birds with one stone

Given that overall security remains your responsibility, what oversight do you need to assure yourself, your executive, and the Board that your systems are secure?

Manual effort won't be good enough; there is too much to watch, and no one person can be across everything.

There is a solution that can be your eyes and ears and kill two birds with one stone.

That is the smarterSec SAP security platform.

This platform automatically analyses your SAP system for known vulnerabilities and provides ongoing monitoring.

It fills the gap your SAP RISE service provider leaves by omitting risk analysis and monitoring, and provides ongoing assurance that the security tasks of your SAP RISE provider, AMS partner, or internal team are up to date.

About us

Leg Up Software is an expert in SAP IT operational and infrastructure software automation solutions, including those that support SAP security activities.

We know the SAP operations and infrastructure automation solutions landscape and have already done the legwork identifying the best available solutions.

We have excellent relationships with many software vendors, including those providing automated SAP vulnerability analysis mentioned here, and can negotiate an evaluation process that best suits your circumstances and budget.

Why not set up a time to start the conversation by putting something in our calendar?


Author: Rick Porter

With over two decades of working within the SAP ecosystem, Rick has met and worked with SAP IT professionals from broad backgrounds and experiences. Rick knows the stresses and strains experienced by those managing SAP systems and enjoys bringing these insights and reflections into conversations.