How to Protect BW?
1) Check the core: SAP Components – Basis.
Many of the potential exploits that are possible on other SAP NetWeaver ABAP systems are possible also for BW/4HANA, even though it is no longer considered part of the SAP NetWeaver family of products. For example, SAP Patch Tuesday is still relevant for BW/4HANA system administrators in the same way that it is still relevant for S/4HANA system administrators.
Use an SAP security scanning and monitoring solution for BW/4HANA. These solutions can perform a vast amount of specific compliance checks and monitor for potential exploit actions on systems that are built on the SAP ABAP stack, and that still includes BW/4HANA.
2) Tailor SAP cybersecurity specifically for BW-related vulnerabilities.
An SAP security solution can help you make your BW/4HANA system more cyber-resilient. Your BW system has some unique qualities that distinguish it from other SAP systems. Did you know:
- There are SAP Security Notes that are specific to BW components.
- There are SAP Authorization Objects that only exist in BW.
- There are SAP Transaction Codes (aka T-codes) that only exist in BW.
3) Check for Missing SAP Security Notes that are specific to BW/4HANA.
Utilize SAP security solution patch management capabilities on BW/4HANA to make sure that all the SAP Security Notes that are specific to BW components are checked and confirmed to be installed.
4) Check for Sensitive Access via Authorization Objects that are unique to BW/4HANA.
Authorization Objects that are unique to BW are mostly grouped into a naming convention that starts with S_RS_.
Your SAP cybersecurity solution must be able to work with these Authorization Objects in the scanning and monitoring options. An SAP security solution can support these options for BW’s unique Authorization Objects.
Here are some key Authorization Objects that are unique to BW, sourced from SAP HELP:
Monitor When Critical Transaction Codes Are Executed in BW/4HANA
When you choose an SAP security solution for threat detection, you will be able to detect the execution of critical transactions and programs. For example, you will have the ability to include the BW-specific Transaction Codes RSU01, RSECADMIN, RSECAUTH, and RSECPROT in your list of critical transactions. These BW-specific transaction codes are sensitive because they enable the tailored administration of authorization for your BW reporting technical objects such as InfoObjects and InfoProviders.
Concluding Thoughts
- Do not neglect BW/4HANA systems in your SAP Cybersecurity Scoping and Planning discussions.
- BW/4HANA contains sensitive company data, sourced directly from S/4HANA.
- BW/4HANA will be around for a long time to come.
- Include a Solution Architect to help you with this important mission.
- BW/4HANA still needs efficient management of the SAP Security Notes monthly cycle of updates. The solution architecture should include patch management.
- BW/4HANA has unique technical objects not found in other SAP environments. The solution architecture should include vulnerability management and threat detection capabilities.