Securing SAP

SAP/ERP systems can provide considerable benefits for medium and large organisations but they can also introduce significant risk to the security of critical data and resources.
But what surprises me is that this risk is frequently not acknowledged or managed effectively when SAP/ERP systems are deployed.
Central to ERP is the commitment of all business function resources and information to a central ‘resource planning’ platform. Centralising information is essential for sharing data across the organisation but, should any malicious user gain access, the threat to the business is much greater.
What is surprising is that information security is not a central consideration as part of a standard SAP/ERP deployment. Instead, it tends to be treated as an after-thought. The result is that network security is inflexible or ineffective leaving corporate data and assets vulnerable to attack. Holes in the network perimeter via ‘backdoor’ access routes are not closed off, internal security risks are overlooked, usernames and passwords are passed un-encrypted. Where attempts are made to provide security, users face inflexible procedures that make SAP applications difficult to use and the user less productive.
The costs to business as a result of unauthorised access to corporate information are well documented and include not only direct costs but also a drop in share price and loss of customer loyalty. For organisations implementing and running SAP/ERP, information security should be recognised as a strategic issue.
By managing user access needs for the SAP/ERP system as a whole, including at the deployment stage, the relevant security issues can be fully addressed whilst also helping users make full use of the ERP environment. “Unified Access” is an information security model that aligns very closely with the SAP/ERP model, allowing security and user access policies for the whole system to be managed through a centralised access control platform.

(Thanks Malcom for the info)