Using CSA’s Implementation Guide for SAP to securely migrate and operate ERP applications in the cloud.
Blog Article Published: 10/09/2020
By Juan Perez-Etchegoyen, chair of the Enterprise Resource Planning working group, and CTO of Onapsis.
With the growing adoption of cloud models for Enterprise Resource Planning (ERP) applications, organizations need to raise the level of attention and control applied to the most critical assets in the organization. To address this need, CSA released the second part of our Critical Controls Implementation for SAP, a document with the implementation details for all of the top 20 critical controls, focused on specific ERP technologies. This document, authored by CSA’s Enterprise Resource Planning (ERP) Working Group, takes a more technical, granular approach and is designed to help organizations securely migrate to and operate ERP applications in the cloud.
Helps companies streamline digital transformation & cloud migration.
The release of the document comes at a crucial time: with the onset of the pandemic, organizations have started to accelerate digital transformation and cloud migration projects so that more users and employees can work from remote locations through a digital experience. Additionally, given the increase in threat activity and risk affecting ERP applications (as discussed in RECON (CVE-2020-6287) and its impact on Cloud Applications), this document covers the controls that can prepare an organization for the growing threat landscape around ERP applications. It is our hope that this set of guidelines serves as a springboard for SAP administrators in their journey to implementing and securing their ERP solutions.
The controls implementation and the checklists apply to SAP NetWeaver© ABAP© in all its versions and provide a detailed description of each control's implementation. The checklists give general steps as well as some direction on how to carry out the implementation of the controls. Combined with the previously released Top 20 Critical Controls document, it explains who would typically be responsible in an IaaS or SaaS scenario.
Controls covered by this guide.
This document is an implementation of the Top 20 Critical Controls for Cloud Enterprise Resource Planning (ERP) Customers (released in June 2019), which took a more general approach. This version combines all of the guidance into a single, comprehensive document. SAP administrators now have a more detailed examination of controls implementation, as well as a set of checklists, for all of the following 20 controls.
- APP01 - Secure Landscape
- APP02 - Baseline Secure Configurations
- APP03 - Security Vulnerabilities
- INT01 - Secure Integrations and API
- DAT01 - Continuous Monitoring
- DAT02 - Data Separation
- DAT03 - Data Encryption
- BUS01 - Inventory of Business Assets, Data and Processes
- BUS02 - Business Process Controls
- BUS03 - Continuous Compliance
- USR01 - Secure Authentication
- USR02 - User Accounts Management
- USR03 - Role-based Access Control
- USR04 - Emergency Access
- USR05 - Segregation of Duties
- USR06 - Secure User Provisioning/Deprovisioning
- USR07 - ERP Accounts Security
- APP04 - Secure Communications
- APP05 - Change Management Controls
- APP06 - Secure Extensions
Learn more by downloading the full implementation guide.
You can access the full implementation guide for free here.
Contribute to future research initiatives from CSA.
The Enterprise Resource Planning Working Group seeks to develop best practices that enable organizations running their business on large ERP implementations, such as SAP or Oracle applications, to securely migrate to and operate in cloud environments. Individuals interested in becoming involved in future ERP Working Group research and initiatives are invited to join the group here.