IT2media Protects Its Systems With SAP Partner SecurityBridge
A large, diverse SAP landscape with ECC, S/4, BW, HR and gateways, used by the company's own parent company (Sellwerk Group), various telephone directory publishers and media companies throughout Germany, sounds difficult to administer, and yet for years it was only done by one person: Björn Hatzelmann, Team Leader SAP Basis Core at IT2media, a medium-sized IT-SAP system house headquartered in Nuremberg.
TakeASP supports SAP users in all matters relating to SAP Basis and SAP security and is also a partner of SecurityBridge for the implementation and operation of the security solution in the SME sector. Björn Hatzelmann's problem is shared by many medium-sized companies that use SAP or provide SAP systems for other companies, such as a system house. The workload is increasing and increasing, and specialists are hard to come by. Although the administration of the systems is running, IT2media has so far relied solely on the SAP on-board resources for security issues. The monthly SAP patch day was a must, and all new security notes were downloaded regularly. "With a very large landscape, however, it is no longer possible to guarantee this for all systems at all times," explains administrator Hatzelmann.
SAP components on the web
The fact is that the threat situation for SAP users has increased. Although there has not yet been an attack on IT2media's ERP landscape itself, some SAP components are on the Internet, and the ESS, for example, can be accessed from outside. Although two-factor authentication is used here, Björn Hatzelmann is convinced that there is no software that cannot be bypassed. The S/4 Hana system is also connected to the outside world via a cloud connector.
To avoid being exposed to growing threats, the company wanted to protect itself proactively. TakeASP therefore recommended putting security issues in the hands of the SecurityBridge platform in future. Björn Hatzelmann took his first look at the product at the DSAG Congress 2023 and was immediately hooked: "The breadth of functions is amazing, the GUI is extremely appealing and you can find your way around straight away." A prototype was set up in November of the same year, which led to the purchase of the software shortly afterwards.
Threat at module level
The prototype helped the SAP service provider to explain to its customers why the individual modules are needed. When it comes to security measures, the first comment is always: Do we really need this? What does it cost? In view of the growing threat situation, however, most people quickly realize that it is better to spend one euro too much now and not need it than to have to pay for the immense damage caused by an attack later on.
An SAP security platform is a major purchase for any medium-sized company. It is therefore helpful if you can start with individual modules step by step, as is the case with SecurityBridge. IT2media started with Patch Management and the Security Compliance Monitor: on the one hand for the SAP gateway to the Internet to ensure that the latest information is always observed, and on the other for the ECC system - an expiring product that has been modified by thousands of Z developments in recent years. Björn Hatzelmann: "There would be little point in carrying out a code vulnerability analysis here; no one would be able to fix everything by 2027."
Basic hardening through patch management therefore seemed more practical, without the full all-round attack. Instead, IT2media is doing this with the complete SecurityBridge suite for its new S/4 system. This is already being used by a first major customer from the publishing industry; other companies (and later also the parent company) that are still working on the ECC system will be gradually transferred to S/4 Hana via their own clients. The aim is to control what is programmed in the system right from the start. The Interface Traffic Monitor from SecurityBridge is used to closely monitor RFC connections and check which users may have too many authorizations.
With Patch Management, it is no longer necessary to gather all the information in detail from SAP help pages. Instead, the administrator is presented with the patch notes in a tile. They can see immediately where there is an acute need for action and what needs to be done. An incredible time-saver, as Björn Hatzelmann reports. TakeASP supports him in operating the SecurityBridge platform, for example when setting up the Identity Protection Self Service or building up expertise via submenu items and setting options for the solution below the tile interface.