security Archives - InsideSAP Asia
https://insidesap.asia/tag/security/
The independent resource for SAP professionals in Asia
Mon, 04 Nov 2019 10:38:45 +0000

Understanding the Differences Between SAP ECC and SAP S/4HANA
https://insidesap.asia/understanding-the-differences-between-sap-ecc-and-sap-s-4hana/
Sun, 03 Nov 2019 22:45:46 +0000

The post Understanding the Differences Between SAP ECC and SAP S/4HANA appeared first on InsideSAP Asia.

SAP S/4 HANA removes the common obstacles associated with legacy ERP applications, such as batch latency, complex landscapes and manually driven processes. It has been designed to operate exclusively on SAP’s proprietary HANA in-memory database and therefore is intended to significantly improve overall system performance. 

This huge architectural change has meant that the application can be redesigned to simplify processing steps. For example, the SAP ECC Finance module relied on many different tables to separate headers, line item details and supporting master data attributes, which made for a very complex data model. 

With SAP S/4 HANA, the database is able to cope with greater data volumes and complexity within single tables or views, so the tables and structures are simplified. This should make reporting easier and, as such, increase the transparency of information. It also simplifies the landscape options, as there is the opportunity to consolidate the system landscape.

Now there is no need for separate SAP Advanced Planning and Optimisation (APO) or Business Warehouse systems, as you have the HANA database. Also, by mandating SAP HANA as the database, you’ll further reduce the complexity of your deployment options, while presenting a cost saving opportunity through the removal of separately licensed third-party databases. 

Despite this code base change, there are familiar aspects to SAP S/4 HANA. The table structure is flatter, but the majority of the standard SAP ECC tables still exist. From the user interface perspective, there is still an ABAP user interface, which looks and behaves in a very similar manner to SAP ECC. However, this is intended for use by administrators only. For end users, the intention is to use the SAP Fiori user interface. 

With S/4 HANA, SAP has also recognised that customers are expecting more agile deployment approaches, so it also offers different implementation scenarios to align more with a cloud deployment model. As such, SAP S/4 HANA is available as a traditional on-premise solution, but there is also a version available as a public cloud option. There is also a managed cloud option to provide the middle ground.

SAP S/4 HANA has been designed with simplicity in mind, although that is generally intended for the end-users, rather than implementers, systems integrators or administrators. From a security perspective, you can expect significant involvement in an SAP S/4 HANA implementation, as there are some fundamental changes to the way in which these simple processes are delivered to users.

Download the rest of this guide to gain a practical understanding of the new security considerations that come with implementing SAP S/4 HANA – helping you side-step the mistakes of the previous ERP implementations.

This article is sponsored by Turnkey Consulting

Cloud computing still top emerging business risk: Gartner
https://insidesap.asia/cloud-computing-still-top-emerging-business-risk-gartner/
Mon, 20 Aug 2018 12:32:56 +0000

Cloud computing is a key concern for executives in risk, audit, finance and compliance, according to the latest survey by Gartner, with a number of new risks such as cybersecurity disclosure and General Data Protection Regulation (GDPR) compliance making cloud solutions susceptible to unexpected security threats.

The quarterly ‘Emerging Risks Report’ identified cloud computing as the top concern for the second consecutive quarter.

Social engineering and GDPR compliance were cited as most likely to cause the greatest enterprise damage if not adequately addressed by risk management leaders, according to Gartner.

“Executives are right to expand cloud services as part of their digital business initiatives, but they need to ensure their cloud security strategy keeps up with this growth,” said Matthew Shinkman, practice leader, Gartner. “Leaders should start by clearly identifying their most at-risk areas, which remain obscure to many large organisation leaders.”

Gartner expects cloud computing to be a US$300 billion business by 2021, as companies increasingly adopt cloud services to realise their desired digital business outcomes. But companies continue to struggle with security – despite record spending on information security in the last two years, organisations have lost an estimated US$400 billion to cyber theft and fraud worldwide. To respond to an increasing number of cybersecurity events and data breaches, organisations elevate IT security to the board level.

“Executives should promote risk awareness throughout the organisation,” Shinkman said. “A strong risk culture helps employees make the right decisions and mitigates poor outcomes.”

Onapsis adds SAP system “lock down” functionality
https://insidesap.asia/7143-2/
Thu, 17 May 2018 11:03:23 +0000

Cybersecurity and compliance leader, Onapsis, has extended the Onapsis Security Platform (OSP) to include the Enforce and Protect module to “lock down” SAP systems, preventing them from drifting into an insecure or non-compliant state and enabling InfoSec and SAP teams to protect their systems and enforce compliance.

“Keeping SAP business-critical applications protected and compliant can be a constant struggle for security, compliance and BASIS teams alike,” said Ashish Larivee, chief product officer, Onapsis. “This means that even securely-configured systems often unknowingly drift back into an insecure or non-compliant state.”

Based on feedback from hundreds of global SAP customers, Onapsis developed Enforce and Protect to overcome the threat of configuration drift, which can leave organisations vulnerable to both attack and regulatory penalties.

Onapsis researchers discovered that, because SAP system misconfiguration fixes have long been documented in security notes, attackers may be able to gain access to valuable business data or take control of the system.

Configuration drift can be caused by emergency fixes and problem resolutions, or by deploying new functionality. In fact, major business projects such as digital transformation can be the source of configuration drift. Onapsis cites incorrectly assigning high-privilege access or turning off critical audit logs and RFC connection configurations as examples of common problems leading to configuration drift.

“This new capability will prevent such risks and help protect SAP systems that contain the crown jewels for many businesses,” said Larivee.

Enforce and Protect, available in June, will enable OSP customers to:

  • automatically stop critical system changes
  • receive an alert if an update could make the system insecure or non-compliant
  • approve out-of-band configuration changes
  • record and log changes for audits and investigations
  • maintain secure configuration settings, and
  • ensure configurations adhere to corporate policies.

Onapsis upgrades platform capability for GDPR requirements
https://insidesap.asia/onapsis-upgrades-platform-capability-gdpr-requirements/
Fri, 08 Dec 2017 04:24:49 +0000

Enterprise cybersecurity and compliance specialist Onapsis has added new automated product functionality to its Onapsis Security Platform to cater for GDPR compliance mandates, which will come into effect from May 2018.

The General Data Protection Regulation (GDPR) is an EU regulation which concerns the protection of EU data subjects’ personal and sensitive information. Recent research conducted by the UK and Ireland SAP User Group shows 86 per cent of SAP users do not fully understand how GDPR will affect their SAP landscapes and how to reach compliance.

Onapsis’ new functionality will allow customers to quickly evaluate if their SAP systems are meeting the requirements of this mandate to protect EU data subjects’ information.

“In speaking to our customers, we know that GDPR is a complicated mandate and many organisations are struggling to determine if or how their SAP landscapes are relevant. With this in mind, Onapsis’s newly released audit policy within the Onapsis Security Platform automatically evaluates any SAP system through the lens of the data protection requirements of the GDPR. This includes both data at rest, data in transit and the assessment of data access or authorisations,” said Alex Horan, director of product management, Onapsis.

By using this policy, enterprises can identify SAP systems that do not have adequate protection of the data and processes, and receive detailed guidance on how to address these security gaps.

New cloud security technologies mature: Gartner
https://insidesap.asia/6825-2/
Fri, 15 Sep 2017 01:05:18 +0000

Gartner has released its Hype Cycle for Cloud Security 2017 to help IT security professionals separate technologies that are ready for adoption now from the hype of those that may take many years to be ready for mainstream use.

Rapid growth in cloud adoption has made this year’s Hype Cycle of particular interest as organisations struggle to understand security issues in the cloud. It’s a double-edged sword, according to Jay Heiser, research vice president, Gartner.

“Security continues to be the most commonly cited reason for avoiding the use of public cloud. Yet paradoxically, the organisations already using the public cloud consider security to be one of the primary benefits,” said Heiser.

The Hype Cycle charts technologies along a maturity curve travelling through five stages of expectation from innovation and the peak of inflated expectations, through the lows of disillusionment to the slope of enlightenment and finally to the plateau of productivity.

In the innovation stage this year, and expected to mature within two to five years, are cloud infrastructure security posture assessment, container security, and security rating services. Also at this stage, but expected to take 5-10 years to mature, are immutable infrastructure, cloud data backup, digital security and OpenID Connect.

Technologies at the peak of inflated expectations this year include data loss protection for mobile devices, key management-as-a-service, and software defined perimeter. Gartner expects all of these technologies to take at least five years to hit the plateau of productivity.

In the trough of disillusionment stage this year are disaster recovery as a service (DRaaS) and private cloud computing, both of which Gartner predicts will achieve mainstream adoption in the next two years.

The slope of enlightenment is the stage at which new technologies are beginning to be adopted in an increasingly diverse range of organisations. This year data loss protection (DLP) and infrastructure as a service (IaaS) are both on the slope and expected by Gartner to mature within two years.

Gartner found four technologies to have reached the plateau of productivity: tokenisation, high assurance hypervisors, application security as a service, and identity-proofing services. Only the latter remains at the plateau stage from last year’s Hype Cycle, with the three others new to the stage this year.

“The Hype Cycle can help cyber-security professionals identify the most important new mechanisms to help their organisations make controlled, compliant and economical use of the public cloud,” said Heiser.

Global cybercrime increases nearly 100 per cent since 2015
https://insidesap.asia/global-cybercrime-increases-nearly-100-per-cent-since-2015/
Fri, 25 Aug 2017 05:08:11 +0000

Cybercrime has reached its highest-ever levels, with 144 million attacks detected over the last 90 days, and a 45 per cent increase in cybercrime in the Asia Pacific region year-on-year, according to the ThreatMetrix Cybercrime Report for Q2.

According to the report, cybercriminals are increasingly targeting emerging digital business models, such as ridesharing apps and media streaming organisations.

A major driver in the increase in cybercrime is the rise of new account origination fraud, which has risen 30 per cent since Q1. Stolen data obtained through security breaches is being used to apply for new loans or create banking and eCommerce accounts, as well as to perform large-scale identity credential testing and attacks on less traditional industries. Media companies have been more affected by this trend, with a 527 per cent increase in new account origination attacks.

“Highly organised criminal gangs have set their sights on disruptive, mobile-heavy industries like media streaming and ridesharing. As new business models take the digital economy by storm, innovative methods of monetising stolen credentials found on the dark web are emerging,” said Vanita Pandey, vice president of product marketing and strategy, ThreatMetrix. “With ridesharing apps, for instance, fraudsters are taking trips using stolen credit cards or propagating two-party fraud by using a fake driver account and ‘accepting customers’ using stolen credentials.”

This quarter’s report also saw Japan join the list of top five attack destinations for the first time.

The ThreatMetrix Q2 2017 Cybercrime Report can be downloaded here.

SECUDE secures Indian defence data
https://insidesap.asia/secude-secures-indian-defence-data/
Fri, 11 Aug 2017 03:44:02 +0000

SAP partner and SAP data security specialist SECUDE has implemented its HALOCORE solution at the Research Centre Imarat (RCI), a laboratory for the Defence Research and Development Laboratory (DRDO), located in Hyderabad, Telangana.

RCI researches and develops missile systems, guided weapons and advanced avionics for the Indian armed forces, and uses SAP as its core ERP system. With confidential information residing inside this system, any unmonitored leak, data breach or theft could potentially cause huge disruption to operations and compromise India’s national security.

“We are in a very serious domain – technology for national security. Naturally, we take extreme precaution to protect our data inside and outside our premises. SECUDE convinced us of the robustness of its SAP data security solution, HALOCORE, after a string of discussions, demonstrations and a pilot project to gauge its performance within our operational environment. With SECUDE’s HALOCORE, we are now doubly reassured of the security of our data despite multifarious threats,” says Gautam Mahapatra, director, technology and systems, RCI.

HALOCORE’s four modules – Monitor, Block, Protect and Data Stream Intelligence – are currently being utilised at RCI, with audit functionality providing RCI visibility into all data extracted from the enterprise, and the ‘Block’ module being used to provide an additional layer of security to the company’s purchase order transactions.

In the coming months, the solution will be extended across all other materials and finance processes in RCI. As a chosen data security solution for the SAP landscape, HALOCORE forms an integral part of DRDO’s plans to expand its SAP-based enterprise solution to their other labs.

New book on SAP HANA security released
https://insidesap.asia/new-book-sap-hana-security-released/
Fri, 04 Aug 2017 03:50:48 +0000

SAP Press has released a new book, SAP HANA Security Guide, covering privileges, roles, user provisioning, authentication and auditing in relation to the SAP HANA database and application development platform.

The book is authored by Jonathan Haun, director in the business intelligence group at global consulting firm and SAP Gold Partner Protiviti. He has previously co-authored two other books.

The guide uses practical examples, case studies and detailed instructions to help readers develop a complete security model. It explains how organisations can protect and defend against breaches, includes details of security options such as authentication and encryption, and shows readers how to secure database objects, provision and maintain user accounts, and develop and assign roles.

The book also offers in-depth reviews of authentication, certificate management, auditing, security tracing and other recommended steps for organisations to help protect their SAP HANA data systems.

“Keeping data secure is an important focus for any business that maintains a database,” said Shaheen Dil, a Protiviti managing director and global leader of its Data Management and Advanced Analytics practice. “I consider Jonathan’s new book to be required reading for anyone who supports solutions based on SAP HANA within their landscape.”

A full-time consultant, Haun has over 15 years of IT experience in the field of business intelligence and database administration across a variety of industries. He holds several certifications including: BOCP-BusinessObjects Enterprise; BOCP-Crystal Reports; SCAA-SAP HANA 1.0; SCTA-SAP HANA 1.0 and SCTS-SAP HANA 1.0 Installation.

SAP HANA Security Guide is available now from SAP Press.

TREX loophole closed in latest patch
https://insidesap.asia/trex-loophole-closed-latest-patch/
Mon, 24 Apr 2017 04:56:56 +0000

A security glitch in TREX, a NetWeaver search engine deployed in over a dozen SAP products including SAP HANA, has been closed in a recent patch.

The vulnerability, which according to security research firm ERPScan is one of the most widespread and severe SAP server-side issues so far, was originally discovered in SAP HANA in 2015, with a fix released in SAP Security Note 2234226 shortly thereafter.

However, further testing by ERPScan’s head of SAP Threat Intelligence, Mathieu Geli, later revealed that the vulnerability could still be exploited. Because TREXNet, an internal communication protocol used by TREX, did not provide an authentication procedure, the door was still open to attacks on numerous SAP applications via the insecure protocol.

“I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit has been easily adapted. SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control on the server even with a patched TREX,” Geli said.

The vulnerability, which allows an attacker to forge a special request to the TREXNet ports to read OS files or create files, has now been patched via SAP Security Note 2419592.

On the issue, an SAP spokesperson said, “SAP collaborates frequently with research companies such as ERPScan to ensure a responsible disclosure of vulnerabilities. The vulnerabilities in question have been fixed by SAP and the patches have been made available for download. For details please visit the SAP Product Security Response page. Our recommendation to all our customers is to implement SAP security patches as soon as they are available – typically on the second Tuesday of every month. Timely security patching of SAP systems is the best policy to protect SAP infrastructure from attacks.”

SAP GUI vulnerability “most dangerous” since 2011: ERPScan
https://insidesap.asia/sap-gui-vulnerability-most-dangerous-since-2011-erpscan/
Fri, 24 Mar 2017 03:20:25 +0000

Researchers from security firm ERPScan have disclosed a vulnerability in the SAP GUI application, which the firm has described as perhaps the most dangerous SAP issue since 2011, as it affects not only every SAP customer but also every user.

The vulnerability allows an attacker to make all endpoints with compromised SAP GUI clients automatically install malware that locks their computers when an SAP user logs in to the system. When the user next logs into the SAP GUI application, the malicious software will run and prevent them from logging on to SAP Server.

“There are two factors that worsen the situation. Firstly, in this case, patching process is especially laborious and time-consuming, as the vulnerability affects client side, so an SAP administrator has to apply the patch on every endpoint with SAP GUI in a company and a typical enterprise has thousands of them,” said Vahagn Vardanyan, senior security researcher, ERPScan.

The vulnerability was patched by SAP with a fix as part of its March Security Note 2407616.

An SAP spokesperson confirmed that an SAP GUI vulnerability was fixed in the March Patch Day, with further details available via this blog post.

“It has a priority of High, based on CVSS rating of 8.0 (but not Very High). We have no information or evidence of this vulnerability being exploited at a customer but advise all customers to patch their infrastructure immediately. Customers are required to apply the SAP GUI patch released on their landscape using their standard client software distribution and update tools (which they would have in place for end-user software licensed from other vendors as well),” the spokesperson said.
