SAP Security Automation

SAP security: does plausible deniability cut the mustard?


Plausible deniability

We recently offered a large organisation a complimentary SAP vulnerability risk assessment. The risk assessment software would assess key areas of potential vulnerability within their SAP systems and report the results. Although the team saw the value of the assessment, they didn’t take us up on the offer.

The reason?

The team was certain the assessment would reveal areas of vulnerability, and they simply didn’t have the resources to do anything about them. So, rather than know and do nothing, they preferred not to know at all, perhaps to preserve ‘plausible deniability’ in the event of an issue.

Not the best response, but I get it.

SAP teams don’t have the resources. I hear it over and over again. When asked why a team doesn’t apply all the SAP security patches, the answer is always the same: “We don’t have the resources.”

But is this good enough, given the current security climate?

Lessons from Medibank

The Australian Information Commissioner (AIC) is taking Medibank to the Federal Court, alleging contravention of the Privacy Act.

These allegations are based partly on Medibank’s size, resources, the volume of the personal information held, and its failure to take adequate steps sufficient to its circumstances to protect it.

What does this mean?

Well, in layman’s terms, Medibank is big enough and has adequate resources to take the required steps to protect the personal information it holds, and it is alleged it did not.

This raises a question.

What if a company has the means to ensure adequate resources but does not, and this lack of resources is shown to be one of the reasons behind a security breach?

For example, what would happen if a company didn’t have the resources to apply a particular security patch, and the unpatched vulnerability allowed the access that resulted in the breach?

Would the AIC consider that the company, based on its size, resources and the data it held, also needed to take adequate steps sufficient to its circumstances to protect that data? If the AIC took that view, then many SAP-using organisations may be contravening the Privacy Act.

Few, if any, have the resources to implement every SAP security patch when it is released or to monitor user authorisations across the organisation—the two areas that keep SAP security teams awake at night.

You can read the AIC filing here: Australian Information Commissioner v Medibank Private Limited concise statement.

Automation can help

Despite the above, SAP teams won’t be getting more resources soon. How can they minimise SAP system risks with the least effort?

With automation.

Automation can’t do the work, but it can ensure teams know what work needs to be done to minimise risk.

Automated SAP vulnerability analysis software, such as that provided by smarterSec, has both the vulnerability knowledge and the scope of access needed to identify SAP vulnerabilities in every corner of the infrastructure and bring them to the surface in one place.

By highlighting known, unknown, and newly identified vulnerabilities, from configuration and connections through to ABAP custom code, such software lets SAP IT management be as sure as possible about the security state of their SAP infrastructure.

Plans can be made based on internal requirements and risk profiles to mitigate identified vulnerabilities to an acceptable level over time.

Ongoing monitoring then helps keep the systems secure, flagging newly introduced vulnerabilities, or previous remediation that has since been overwritten, for immediate action.

About us

Leg Up Software is an expert in SAP IT operational and infrastructure software automation solutions, including those that support SAP security.

We know the SAP operations and infrastructure automation solutions landscape and have already done the legwork identifying the best available solutions.

We have excellent relationships with many software vendors, including those providing automated SAP vulnerability analysis mentioned here, and can negotiate an evaluation process that best suits your circumstances and budget.

Why not set up a time to start the conversation by putting something in our calendar?

Rick Porter

With over two decades of working within the SAP ecosystem, Rick has met and worked with SAP IT professionals from broad backgrounds and experiences. Rick knows the stresses and strains experienced by those managing SAP systems and enjoys bringing these insights and reflections into conversations.