SAP Cybersecurity for CISO

This book is intended for every CISO or security manager who wants to be sure in the security of his or her “crown jewels” namely Enterprise Business applications and ERP systems. If you did not hear about SAP or its cybersecurity aspects, this book is also for you. Interest in SAP security is skyrocketing and the main factor driving this concernment is a plethora of cyberattacks. As SAP systems enable all the critical business processes from procurement, payment and transport to human resources management, product management and financial planning, all data stored in SAP systems can be used in espionage, sabotage or fraud. As an example, breaches revealed in the SAP system of USIS, a government contractor, are resulted in the company’s bankruptcy. Analysts from Gartner, IDC, 451 Research, KuppingerCole and Quocirca agreed on the significance of ERP security tests and lack of this functionality in traditional tools. Indeed, Gartner added Business Application Security to the Hype Cycle of Application Security in 2017 since an innovative niche, and top consulting companies have already included ERP security services in the portfolio. Are you prepared for changes and do you have qualified expertise and stable processes to address ERP security market? This book incorporates 10 years of SAP cybersecurity history. It starts with the history of SAP cybersecurity and answers to questions why and how SAP cybersecurity differs from IT security. Then the most critical risks for organizations are described. You will be able to catch the details of all SAP systems such as ABAP or HANA and their vulnerabilities supported by the real-life examples of attacks on SAP systems. Finally, the book provides guidelines on establishing processes to secure SAP systems from different angles including secure development, SoD, vulnerability management, threat detection, and anomaly user behavior. The end of this book contains an Appendix with SAP Cybersecurity Framework, a guide to SAP security that implements Gartner’s approach to adaptive security architecture in ERP security realm describing four categories of SAP protection predictive, preventive, detective and responsive. The Framework articulates 20 critical areas of actions, describes the desired outcomes and provides a three-step approach to succeed in each area of ERP security. The Framework is a perfect step-by-step guide on operationalizing SAP cybersecurity.