One of the main problems of SAP security is the complexity of the system. Time management is critical, especially because the documentation is inconsistent: sometimes scarce, sometimes copious. The complexity is further amplified because newly found SAP vulnerabilities are generally rectified by installing additional options that come with their own sets of parameters. This alters the relations between settings and creates lengthy manuals that specialists have to interpret when they need to rectify a system. On top of that, an average SAP system is 50% customizable, which creates even more problems on top of typical configurations. With a standard system configuration that spans over 7000 security-related options, an array of advanced configurations, critical access rights for various objects such as transactions, tables and RFC procedures, and a hundred other web interfaces for system access, it is a heavy workload to bear.
With the enormous line-up of configuration jobs and the dozens of servers required for a typical infrastructure, ensuring security can take a long time. Even once the initial hiccups are taken care of, additional source code security risks remain, and customized programs developed by third-party developers need to be shielded from, and checked for, backdoors and errors.
Lastly, there is Segregation of Duties and access control, since SAP departments spend time analyzing risks related to access control.