
Post on 22-Mar-2020


Efficient SAP Patch Management – the key to system stability and security

kpmg.com

SAP® Patch Management


The challenge of maintaining stability and security in a changing landscape

SAP landscapes are not only complex, they are constantly evolving. This causes challenges for SAP customers, including an increase in the number of SAP patches, performance issues, security vulnerabilities and potential misconfigurations.

How can your support team members address these challenges while keeping up with their daily tasks, let alone new projects? At KPMG LLP (KPMG), we say the answer lies in effective patch and configuration management processes that fully leverage your existing technology solutions. This approach utilizes investments already made in technology while minimizing risk to the organization and driving value to the bottom line.


© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A.


Overview

Patch management is critical to supporting the stability and security of your SAP systems. Recently, the volume of SAP patches has increased substantially, and companies are struggling to identify, assess, and implement these patches on a timely basis. Some organizations are finding the task so daunting they’ve given up installing the patches altogether—a perilous decision to say the least.

Failing to keep up with patches increases the risk of unexpected system downtime and performance degradation, and can leave your organization exposed to cyberattack. To mitigate these risks, every organization running SAP needs a comprehensive, dependable, and cost-effective patch management process.

KPMG assists organizations in implementing technology-enabled patch-management processes that can minimize the following risks:

• Unplanned system downtime

• System performance issues and degradation over time

• Unpatched system vulnerabilities

• Losses from data theft and confidential data exposure

• Indirect losses through sabotage

• Uncertainty about which patches to implement


Expanding SAP system landscapes, increasing numbers of components, and the growing complexities have resulted in a substantial increase in the patches released by SAP. Customers are struggling to keep up with the frequency and the volume of patches.

SAP customers lack a strong Patch Management strategy and the necessary governance to oversee the deployment of patches. Without a strategy and governance process, achieving the desired patch level is an uphill task.

Testing of patches poses another challenge. Migrating the patches without repeatable regression and impact testing processes can lead to unexpected system behavior which can be costly or difficult to recover from.

KPMG’S APPROACH

Maintain an up-to-date inventory of current patches and information pertinent to each release.

Identify and implement only the patches that are relevant to the systems in the landscape.

Help prioritize patch installations based on the criticality from a security perspective.

Provide real-time information about installed service packs and patches on each SAP component in the landscape.

Reduce the amount of resources needed for patch management.

Eliminate the need for expensive third-party solutions.

Challenges

Challenges that SAP customers face:

• Keeping pace with the frequent release of updates and patches

• Administrators unaware of existing vulnerabilities and relevant patches

• Unavailability of resources

• Absence of a robust patch and configuration management strategy

• Assessing the large volume of patches based on their criticality and applicability

• Unfamiliarity with the risks of unpatched systems

• Absence of cost-effective patch management processes


KPMG Framework

Diagram labels: Solution Manager; SAP Security; Governance; System Recommendation; System Config Management; Operation Management.

Diagram items:

• Vulnerability Management

• Security Patching

• Configuration Validation

• Certificate Management

• System Performance

• Technical Monitoring

• Integration Monitoring

• RCA

• Patch Identification

• Patch Evaluation

• SOS

• BPCA

• Parameter Changes

• Change Validation

• Transport Mgmt.

• SAP Gateway

• Policies and Procedures

• Reporting and Monitoring

• Risk Management Framework

• Roles and Responsibilities

• Landscape Management Strategy

KEY POINTS

• Solution Manager is at the core of KPMG’s approach to managing patches, plugging process gaps, and addressing vulnerabilities.

• Utilizes a methodology to help resolve the underlying issues in SAP environments and provides a sustainable and cost-effective solution.

• Helps optimize the utilization of SAP Solution Manager capabilities eliminating the need for expensive third-party software solutions.

• Focuses on enabling and centralizing a real-time monitoring solution for business processes, interfaces, technical landscape, and system performance with automatic notifications.

• Helps optimize core processes, IT infrastructure, and governance driving operational excellence and standardization of systems.

KPMG has developed a framework that can be leveraged to address challenges companies face with patch management and aid in optimizing core support processes while helping to ensure standardization of systems. At the core of this framework is the optimization of SAP’s Solution Manager capabilities and implementation of efficient processes to drive operational excellence. Through applying KPMG’s framework and methodology, we can position support organizations to streamline the process for evaluating and applying patches as they are released, efficiently monitor systems for potential problems, and reduce the potential for serious misconfigurations in the supported SAP environments.

SOS – Security Optimization Service; BPCA – Business Process Change Analyzer; RCA – Root Cause Analysis


KPMG Methodology

Diagram labels: Tech Enablement; Identification; Evaluation; Realization/Testing; Migration; Change Management; iterative process between testing and migration.

Diagram items:

• Streamlined Patch Identification

• Minimal Staff Requirements

• Periodic report generation

• Optimizing existing tech solution

• Process Enablement

• Landscape Management Strategy

• Implementation Plan

• Effective Test Plan

• Robust impact assessment

• Risk-based Prioritization and Planning

• Effective Teams Coordination

• Technology enabled processes

• Post Import Validation

KPMG’s approach provides a fresh perspective to help optimize SAP patch management. Our methodology is comprised of simple yet highly effective processes for patch management. Our knowledge helps organizations streamline the cumbersome processes of identification, evaluation, selection, and deployment of SAP patches.

Our methodology focuses on optimizing the people, process, and technology used in patch management.

This includes:

• Holistic and real-time patch management and implementation strategy

• Effective and timely evaluation of released patches

• Automated selection of applicable patches

• Efficient deployment of patches

• Automated system performance monitoring

• Eliminating the need for third-party software

• Developing a cost-effective, sustainable, and scalable solution to fit your needs

• Limiting implementation costs, while helping to maximize return on investment


Leveraging Solution Manager Capabilities

Diagram labels: SAP Patch and Landscape Management; System Recommendation and Patch Identification; Secure Operation Service; Configuration Validation; Early Watch Alert.

Diagram items:

• Performance Indicators

• Landscape Information

• Data Quality

• Application Profiling

• Security

• Assess Security Risks

• System Readiness

• Consistency Checks

• System Reference Checks

• Trend Analysis

• Target System Maintenance

• Reporting

• Patch Identification

• Patch Evaluation

• Patch Realization and Deployment

• UPL, BPCA Implementation

• Security Risk Assessment

KPMG’s approach enables SAP Patch Management in an integrated system landscape and prepares the environment for implementing key Solution Manager capabilities such as:

• Technical Monitoring for SAP solution landscape

• BPM to enable the proactive and process-oriented alerts for core business processes

• CDMC for custom code development management

• CCLM for custom code life cycle management

• ChaRM for change request management

• Third-party integration leveraging certified integration options

• E2E Root Cause analysis for end-to-end diagnostics

• Service Desk for ITSM capabilities

• Solution Documentation to enable document repository with work flow

KPMG’s methodology for Patch Management sets clients up for using additional capabilities of their Solution Manager platform. In addition to patch management, KPMG helps clients utilize other Solution Manager tools such as EWA, SOS, and Configuration Validation to further automate and help optimize support-related tasks.

EWA – Early Watch Alert; BPM – Business Process Monitoring; CCLM – Custom Code Lifecycle Management; CDMC – Custom Development Management Cockpit; E2E – End to End (Root Cause Analysis); ChaRM – Change Request Management; ITSM – Information Technology Service Management; UPL – Usage and Procedure Logging


KPMG Roadmap

Patch Identification and Analysis

Enable efficient processes to keep systems patched and up-to-date.

• Analyze, identify, and map patch components to respective SAP functions.

• Document all SAP services and landscape details.

• Leverage industry leading practices to determine the systems and sequence for patch application.

• Perform impact analysis and downtime requirements.

• Provide a plan for the patch application timeline and make recommendations.

Solution Manager Configuration Optimization

Strategically optimize Solution Manager configuration and enable additional functionality to automate existing support processes.

• Review and validate Solution Manager configuration.

• Identify configuration gaps compared to leading business practices and make recommendations.

• Leverage KPMG methodologies to prepare impact analysis, including the risk of not plugging the configuration gaps.

• Prepare and present work plan on proposed use of configuration to generate work plan.


Early Watch Management

Provide real-time alerting and monitoring processes to proactively address system issues minimizing impact to customers.

• Identify and map performance indicators for respective SAP systems.

• Enable alerts that give advance notice of needed database and file system adjustments.

• Provide a process to identify system changes ahead of time, so system managers can plan the needed downtime, resourcing, etc.

• Benchmark the performance parameters and develop a plan to test performance periodically.

SAP Landscape Monitoring

Monitor your system for dangerous configurations and security violations to maintain the desired security posture.

• Identify possible security vulnerabilities and suggest solutions.

• Provide process for periodic system consistency checks of all key transaction and reporting systems.

• Develop road map to monitor the key systems.

• Provide industry leading solution to monitor SAP systems using Solution Manager delivered content.


Contact us

KPMG’s SAP Governance, Risk and Compliance professionals combine deep SAP security and controls knowledge to help organizations protect their SAP environment.

To learn more, contact one of the following KPMG professionals:

Tony Torchia National Practice Leader GRC Technology 212-954-3540 [email protected]

J. Kent Cowsert National Practice Leader SAP GRC 214-840-2702 [email protected]

Todd Babione Managing Director SAP GRC 614-249-1957 [email protected]

About KPMG

KPMG LLP, the audit, tax and advisory firm (www.kpmg.com/us), is the U.S. member firm of KPMG International Cooperative (“KPMG International”). KPMG International’s member firms have 155,000 professionals, including more than 8,600 partners, in 155 countries.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.

The information contained herein is of general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, and logo are registered trademarks or trademarks of KPMG International.