Kathryn Rennard, Global Topic Owner – Security in SAP Enterprise Support Value Maps, interviews Victoria Carroll from the SAP Data Science, Automation & Technology team.
Victoria, you are one of the SAP experts that deliver the Security Optimization Service EGI. Can you first explain what an “EGI” is?
An Expert-Guided Implementation (EGI) is a delivery methodology from SAP that balances and blends virtual classroom training with practical hands-on experience. An expert, such as myself, delivers these sessions and is available for questions and guidance throughout, making the empowerment experience effective and meaningful.
How is an EGI different from standard training offered by SAP?
An EGI is a multi-day workshop with each day beginning with a 1-2 hour virtual Empowerment session where the instructor explains and shows the activities that need to be done. Each afternoon, the participants execute the demonstrated steps within their own project environment, putting the theory immediately into practice. Throughout the EGI, the participants have direct access to the trainer as an Expert-on-Demand to support them remotely as necessary. It is this combination that makes the EGI so special.
The content builds day-upon-day so that by the end of the training, the participant has successfully completed the class objective with a verified setup in their own environment, has developed a solid understanding of the material, and is comfortable and confident to repeat the activities as and when required.
What is the SAP Security Optimization Service?
The SAP Security Optimization Service (SOS) is a deep dive security analysis of an SAP system in a customer’s landscape.
Depending on the SAP Solution, there can be up to 300 different checks in the SOS that reflect SAP best practices and recommendations. The focus of the service is on both internal and external system security:
- To improve the internal security, system settings, customizing settings, and many critical authorizations are checked.
- External security is improved by checking the accessibility of the system and the authentication methods used.
The outputted SOS report identifies potential gaps with various security risk severities and (importantly) includes recommendations to reduce, mitigate or counter the vulnerabilities.
What is the value of the SAP Security Optimization Service?
Security touches everything from the design of a new system, its implementation, and then the ongoing maintenance and operational activities. The SOS is an excellent starting point for technical basis administrators and security and compliance teams to review that security is in line with SAP best practices.
Analysis is the key to this value and the heart of the service. Visibility offers the insight to take appropriate measures to:
- Decrease the risk of a system intrusion
- Ensure the confidentiality of business data
- Ensure the authenticity of users
- Substantially reduce the risk of costly downtime (perhaps due to wrong user interaction if the user is over-privileged)
How often should an SOS be performed?
SAP suggests executing an SOS annually for all applicable productive systems at a minimum, and core systems more frequently. Other scenarios include:
- After maintenance activities, such as an upgrade
- As part of an implementation project or GoLive
- In preparation for an internal or external security audit
If SAP can deliver an SOS for a customer, why is the EGI necessary?
Although SAP experts can deliver an SAP Security Optimization Service for you, it must be scheduled with a minimum 4-week advance request, with additional days for completion, delivery, and review. To make this information readily accessible, SAP created the capability for customers to analyze their own systems using their SAP Solution Manager system in a simple guided self-service form.
This 4-day Expert-Guided Implementation guides you through the steps to configure the session as a self-service for use on demand using your in-house resources. Furthermore, it can be customized to your specific needs and context; in other words, you can exclude well-known power users with extensive access that are risk-approved for use within your organization. Ultimately, this allows customers to analyze ABAP technology, Java technology and SAP HANA systems as needed… with immediate results and recommendations!
SAP Enterprise Support and PSLE customers can use the full functional scope of SAP Solution Manager which includes this functionality as standard (i.e. there are no additional license costs).
What do you cover in this EGI?
During the EGI, we cover the necessary pre-requisites to ensure a smooth experience. The pre-requisites differ based on the SAP system being analyzed, and each of the scenarios is reviewed.
We cover how to properly use the optional questionnaire to sharpen the focus on the real risks (the unknowns) whilst removing known exemptions. Attendees are guided on how to define additional customized sets of authorization checks to be included in all future SOS self-service report executions. This means that customers can get the SAP Solution Manager to do even more to support the corporate requirements.
We then explore how to define an action plan so that the findings of the Security Optimization Service are included in the continual security improvement process – since the whole purpose of the SOS is to drive positive change that closes gaps and enhances the security of the respective system, and the landscape as a whole. Trying to fix everything is not practical, so a strategic approach is covered.
The EGI includes a discussion around other valuable tools that assist customers, such as the SAP EarlyWatch Alert Workspace, and utilizing System Recommendations as part of a workable SAP patch management strategy.
So, this EGI really equips the participants with an effective toolbox!
Who should attend this EGI?
This Security Optimization Service EGI is relevant to multiple teams; we recommend, at a minimum, including:
- Technical basis administrators for configuration
- SAP security and authorization administrators
Other key stakeholders include:
- Project manager for implementations, upgrades, maintenance activities
- Audit or Governance Risk and Compliance team members
For multiple participants from the same customer, it is best if attendance is coordinated for the same session delivery date to remove any complications in the implementation or configuration of the service. Access to the ‘SAP Learning Hub, edition for SAP Enterprise Support’ is included in SAP Enterprise Support and SAP Enterprise Support, Cloud Edition, as well as in SAP Product Support for Large Enterprises, see Program Entitlement.
So, how can customers register for this EGI?
The Expert-Guided Implementation (EGI) is powered by SAP Enterprise Support Academy and registration (*) is via the SAP Learning Hub. Simply search the learning content for “Security Optimization Service” or “SOS” to find the schedule of events in your region.
*Note: Before you can access the link above, a one-time registration in SAP Learning Hub, edition for SAP Enterprise Support, is required. A detailed step-by-step guide to registration can be found here.
Last words of advice?
I hope to see you soon at one of our upcoming EGIs!
If you would like to explore more about SAP Security, please explore our content on the SAP Enterprise Support Security Value Map and the Security landing page of the SAP Support Portal https://support.sap.com/sos for the SAP Security Optimization Services Portfolio including our Media Library. There are great resources there so these links are worthwhile bookmarking.
Victoria has a passion for making the lives of Security Teams and Basis Administrators easier through the efficient use of centralized Application Lifecycle Management platforms. As a Business Process Consultant, she is involved in service deliveries and service development, and this includes working with customers to get the most from SAP tools and functionalities. With cybersecurity foremost in the minds of most customers, she sets out one of the core SAP offerings that is simple and powerful!
Related blog posts/services:
- New Security Optimization Service Continuous Quality Check for SAP Business Technology Platform (CQC SOS for BTP) | SAP Blogs
- Deep dive into Security with the enhanced self-service Security Optimization Service (SOS) | SAP Blogs
- Get more from our reimagined SAP Enterprise Support value map for Security | SAP Blogs
- Monthly Security Patch Day Webinar