Implementing SAP Security Baseline v2.6 with Onapsis

With the sheer amount of technology in use within an enterprise, it can be a challenge for even seasoned cyber security professionals to be aware of all of it, let alone understand how best to secure it in line with the enterprise’s requirements.
Mature providers of critical business applications understand the challenges faced by infosec teams within an organization and provide guidance to help them understand what is required to run their technology in a secure way.
SAP is no different, having released and maintained the SAP Security Baseline, now on version 2.6 (details of this version in SAP KB Article #2253549). This baseline serves as a standardized framework defining minimum security configurations, parameters, and user access rights required to protect business-critical SAP systems from vulnerabilities and threats.
Per SAP, the baseline requirements “…must be fulfilled by all SAP systems regardless of any risk assessments. They are general best practices and apply to all systems, regardless of their security level.”
Sources of the Baseline
SAP produces new versions of the baseline based on two key sources:
- Recommendations: Insights from SAP security services, such as the security chapter of the EarlyWatch Alert (Note 863362) or the SAP Security Optimization Service.
- Documentation: Product-specific Security Guides on help.sap.com, Security Whitepapers, and SAP Security Notes.
SAP recommends the baseline be extended within each enterprise by organizational requirements, such as their overall Security Policy, IT Security Policy, or other security requirements for the differing levels of criticality for SAP systems.
The Onapsis Solution
Regardless of any extensions to the published baseline, ensuring you stay compliant with the latest version is critical. Onapsis Assess makes this easy. We provide a shipped policy, maintained by Onapsis, that covers 100% of the in-scope Control Points, broken down as follows:
- 69 Critical
- 92 Standard
- 53 Extended
Note: Only 27 control points in the published baseline are for technology currently not supported by the Onapsis Platform.
Automated Updates & Remediation
In the same month that SAP released the latest version of its Security Baseline (v2.6), Onapsis published an update to our shipped Security Baseline policy, ensuring our customers could automatically transition to scanning their systems against the latest SAP guidance with no operational changes on their part.
And, as with every result from the Onapsis Platform, if Onapsis Assess determines that one or more SAP systems are not meeting or exceeding SAP’s recommendations, clear guidance is given on the steps needed to bring the SAP system to an appropriately secure configuration.
Conclusion
The continued publication by SAP of evolving security guidance and the rapid deployment by Onapsis of updated content, delivered via automatic updates, are another reminder of why Onapsis Assess is the most effective and efficient way to monitor your critical business applications for deviations from your accepted security posture, all with no manual action required.
