Considering that the SAP baseline template was first published over 10 years ago, and that SAP Security is still often perceived as "Roles and Authorization" or associated with the SAP GRC product, we need to take this a step further. When we talk about SAP Security we need to think about its multifaceted nature. Many people use Cybersecurity or IT-Security as a buzzword, and unfortunately these terms are shaped more by marketing and community usage than by precise technical definition. I dare say that the imprecise wording and abbreviations we use in our daily business are one of the bigger communication issues we have in security. It leads to misunderstandings, wrong expectations and, in the end, to a lot of frustration and unnecessary effort. So, what are we talking about?
Terms, frameworks and meanings
You have probably heard this before, and not only from me: a Security Incident is not always the same thing. Depending on the framework we are using, the meaning of a term can change instantly. We just need to compare the definitions in ITIL, NIST and ISO 27001. One term, three different definitions:
ISO/IEC 27000:2018: information security incident
Single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
Source: not freely accessible
NIST.FIPS.200: Incident
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Source: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf
Axelos ITIL Service Operation: Incident
An unplanned interruption to an IT service or reduction in the quality of an IT service. Failure of a configuration item that has not yet affected service is also an incident – for example, failure of one disk from a mirror set.
Source: https://www.bu.edu/tech/files/2018/10/ITIL%C2%AE-glossary-and-abbreviations.pdf
ISO and NIST are quite alike, whereas the ITIL definition focuses more on service management: for ITIL, a failed disk in a mirror set is already an incident even though nothing has been compromised, while for ISO and NIST the trigger is a threat to confidentiality, integrity or availability.
Different teams, different contexts
Different stakeholders may have varying expectations, especially if we do not use consistent terminology, and since the scope of SAP Security is very broad it is natural that we need to deal with many different teams. Understanding their backgrounds and goals is essential.
The origins of SAP Security frequently lie within the SAP Basis team, whose primary responsibility is maintaining system stability and proper operations; security is therefore often viewed from a service perspective. Furthermore, SAP Security may be regarded as a secondary concern because there is little time for it in the daily business. This dynamic often leaves team members with limited opportunity to develop expertise in information security or to adopt the necessary perspectives. Moreover, implementing security controls typically requires additional effort and specialized knowledge on top of routine operations.
Conversely, IT Security staff may lack knowledge of SAP itself, or of Information Security frameworks and Risk Management. Each team tends to focus on its own issues, creating silos that need to be bridged. Assuming that we all know what we are talking about will cause issues in the collaboration.
SAP Security, IT Security or Information Security
Let's revisit the vague language in our field and discuss the distinctions between the different kinds of security. In general, the overarching layer or foundation of SAP Security is, in my opinion, always the set of Information Security core principles: confidentiality, integrity and availability. And if we are talking about information, we are not only talking about digital information. Information can also live on paper, in verbal communication or in the knowledge of employees.
In the multifaceted nature of SAP Security, we have a lot of information stored in SAP systems: pay slips, recipes, invoices, sales orders, employee information and much more. All of these assets can cause serious problems if they fall into the wrong hands. Furthermore, an SAP system is information technology which, in many cases, is connected to cyberspace.
Oh, wait a minute. Now it gets interesting: when we talk about cyberspace, we need to take a closer look at cybersecurity. Unfortunately, there are hardly any authoritative definitions of cybersecurity, and even the sources that are available do not always fit together 100%. Let me showcase this with the following examples:
NISTIR 8170 with reference to CNSSI 4009 (March 2020)
Cybersecurity is the ability to protect or defend the use of cyberspace from cyber attacks.
Source: https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8170-upd.pdf
US Committee on National Security Systems CNSSI No. 4009 (April 6, 2015)
Cybersecurity is prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Source: https://rmf.org/wp-content/uploads/2017/10/CNSSI-4009.pdf
In the first example, NISTIR 8170, cybersecurity is the protection of the use of cyberspace against cyber attacks, where cyberspace is defined (with reference to the Cybersecurity Policy) as the interdependent network of information technology infrastructures.
The second example, CNSSI 4009, cites the same sources but enumerates what is protected (computers, communication systems and services, and the information they contain) and extends the CIA triad with authentication and nonrepudiation. It also includes restoration, not only prevention and protection. Does this indicate that Cybersecurity and IT-Security are equivalent? And what would that mean for air-gapped environments, which are not connected to cyberspace at all but still need to be protected? I would say there is still room for interpretation...
The Multifaceted Nature of SAP Security
All things considered, there is an overlap between Information Security, IT-Security, Cybersecurity and physical security, and I see SAP Security, or application security in general, positioned somewhere in the middle (see the following illustration).

Some areas will overlap more than others. Nevertheless, companies should assess all security facets and adjust their perspectives in order to communicate clearly across teams and prevent misunderstandings.
Align on the perspective you take, or define your own glossary, to ensure that everyone is clear about the meaning of each term. But keep in mind that not all frameworks match each other; you will probably need to make some compromises or draw some delimitations.
Stay tuned for the next article about the complexity of SAP security.