Classical SAP Security Audit

  • Additional software must be installed on the SAP server or a Linux server (an ABAP program that you can’t uninstall afterwards)
  • Time must be reserved, and is wasted, on access provisioning. In most cases the vendor can’t provide a role with the minimal required access
  • All data security rests on a signed NDA. How do you control all the processes on the contractor’s side? They prefer to hire students, you know. How do you control their actions in the system? Can they download sensitive data?
  • If the performers launch different types of exploits against a real production SAP system, it could cause the system to crash

Contactless security assessment with Offline Security

  • Quick start. No user creation and access provisioning
  • Full control over the data that leaves the company. All sensitive data is anonymized
  • Contactless approach. No damage/harm is possible in principle
  • Minimal cost. Local employees are responsible for data collection
  • Possible option: temporarily deploy an Offline Security server in the corporate network if needed (Windows/Linux)

What might the whole process look like?

  • Fill out the survey form
  • Download the manuals on how to collect the required information (tables)
  • Run the Offline Security Client scripts to anonymize all sensitive data (usernames, roles, system names, hostnames, …). This means no GDPR violation and no data breaches. There is no way to use the anonymized information against an anonymous company (without users, SIDs, …)
  • Check all transmitted information in advance (if needed)
  • Transfer all information to the server
  • Get the report and do the inverse transformation (in the report you will see the original names)
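
The anonymize, check, transfer and inverse-transformation steps above can be sketched as follows. This is an added example, not the Offline Security Client's own code; the column names, the token format and the HMAC-based replacement are assumptions, and the rows are constructed sample data.

```python
import hashlib
import hmac
import re
import secrets

# Assumed column names for the kinds of data the page lists as sensitive.
SENSITIVE = {"user": "U", "role": "R", "sid": "S", "host": "H"}
TOKEN_RE = re.compile(r"\b[URSH]_[0-9a-f]{12}\b")


class Pseudonymizer:
    """Keyed, reversible replacement; key and mapping stay on-premises."""
    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.reverse = {}  # token -> original value, never transferred

    def token(self, kind, value):
        mac = hmac.new(self.key, f"{kind}:{value}".encode(), hashlib.sha256)
        tok = f"{SENSITIVE[kind]}_{mac.hexdigest()[:12]}"
        # A truncated MAC can collide; fail rather than merge two identities.
        if self.reverse.setdefault(tok, value) != value:
            raise ValueError(f"token collision for {kind}")
        return tok

    def anonymize(self, rows):
        # Same input always yields the same token, so joins still work.
        return [{c: self.token(c, v) if c in SENSITIVE else v
                 for c, v in row.items()} for row in rows]

    def leaked(self, rows):
        """Pre-transfer check: originals still visible in anonymized rows."""
        blob = "\n".join(str(v) for r in rows for v in r.values())
        return sorted(v for v in set(self.reverse.values()) if v in blob)

    def restore(self, report_text):
        """Inverse transformation applied to the returned report."""
        return TOKEN_RE.sub(lambda m: self.reverse.get(m.group(), m.group()),
                            report_text)


# Constructed sample export (not real data); "note" is a free-text column.
ROWS = [
    {"user": "JSMITH", "role": "Z_FI_ADMIN", "sid": "PRD", "host": "sapprd01", "note": ""},
    {"user": "JSMITH", "role": "Z_BASIS", "sid": "PRD", "host": "sapprd01", "note": "copy of JSMITH"},
]

if __name__ == "__main__":
    p = Pseudonymizer()
    out = p.anonymize(ROWS)
    print(out, p.leaked(out), sep="\n")
```

In the sample, `leaked()` flags the username that survives in the free-text `note` column, which is the kind of finding the check before transfer exists to catch.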