
SAP Security Hidden Risk: Is SAP Solution Manager a Trojan Horse into Your S/4HANA System?

Deadlines are looming: SAP will provide mainstream maintenance for SAP ERP Central Component (SAP ECC) and the SAP NetWeaver 7.5 platform (or lower) only until the end of 2027. That deadline drives a wave of S/4HANA migrations, and those projects run through SAP Solution Manager, which makes it an attractive place for a malicious actor to strike. Solution Manager connects to almost every other SAP system in the landscape, so a cybercriminal who controls it can reach, and extract data from, the systems it manages.

Indeed, the S/4HANA and ECC systems are essential and deserve attention, but the cybersecurity relationship between S/4HANA and SAP Solution Manager should be examined as well. In many landscapes, Solution Manager handles the upgrades, transports, daily operations, and monitoring of S/4HANA. If Solution Manager is compromised, every system connected to it is exposed to lateral movement: an attacker moves from Solution Manager into the other SAP systems it is connected to.

You have undoubtedly spent time and resources protecting your primary ECC and S/4HANA systems. Solution Manager is connected to them and is part of the same landscape, so this link in the chain must be secured just like all the others: both ends of every interface must be hardened, because an interface is only as secure as its weakest endpoint.

Breaches can occur anywhere. Suppose one happens in Solution Manager and results in lateral movement into other SAP systems. Whether or not you secured the S/4HANA system itself will be of no concern to the public when they learn that your company's information system, and your customers' data, has been breached.

Don’t allow your SAP Solution Manager to become a trojan horse that delivers threat actors directly into your S/4HANA system. This article is in two parts: the first introduces the facets that make up Solution Manager, and the second explains how to protect it.

What is SAP Solution Manager?

SAP Solution Manager is a centralized management platform that orchestrates and optimizes the operation of the other SAP systems in the enterprise. It can be thought of as the home of many separate management functions. In addition to implementation support, monitoring, and administration, Solution Manager is known for its Change Request Management (ChaRM) solution for transport management.

Many “modules” or tools comprise the SAP Solution Manager suite of capabilities. Here are the Solution Manager applications from SAP Help:

  • Business Process Operations—Your Basis team and business process owners might use this application to examine job runtimes and document backlogs. They can also monitor performance, optimization, automation, and even data consistency, all with an eye toward the associated or impacted business process.
  • Custom Code Management – Your ABAP development team might use this capability to manage the entire lifecycle of custom code. This includes usage logging via Usage and Procedure Logging (UPL) or its successor, the ABAP Call Monitor (SCMON): usage data is collected on the managed systems, extracted, relayed to Solution Manager, and stored there centrally.
  • Change Control Management—Your Dev and Basis teams might be utilizing this application for any of these capabilities: Change and Transport System (CTS), Transport Execution Analysis (TEA), Change Diagnostics, Central Change Transport System (cCTS), Quality Gate Management (QGM), Change Request Management, and Release Management.
  • Requirements Management—This capability can be used as a stand-alone management application or integrated with SAP Project Planning and Management (PPM).
  • Data Volume Management – Your SAP Basis team and SAP architects might use this application to supplement your company’s overall data lifecycle management. Your company might also have a data governance team (or even a Chief Data Officer) that relies on it. This application looks at the data volume of your managed systems with an eye toward monitoring, analysis, sizing, forecasting, compression, archiving, allocation, and usage.
  • IT Service Management (ITSM)—You might run your internal SAP “ticketing system” out of your Solution Manager system. If enabled, it can also be integrated directly with SAP Support for your company’s vendor support tickets, and with other SAP or third-party help desk ticketing systems.
  • Test Suite – Solution Manager might be used to administer and operate testing in your QA environments. Your SAP Test Lead will know if this is the case.
  • SAP Engagement and Service Delivery – Utilized if your company engages with SAP Services.
  • Project Management – Integrates with SAP Best Practice packages.
  • Process Management – Connects solution documentation with project management and requirement management.
  • Landscape Management—Your Basis team uses this capability to gather data from the existing SAP system landscape directory (SLD) and agent data from the technical systems. This data is then collected into the Landscape Management Database (LMDB).  
  • Application Operations – Comprises multiple sets of tools across the following categories:
    – System and Application Monitoring
    – Root Cause Analysis and Exception Management
    – Technical Analytics and Dashboards
    – Technical Administration

As the list above shows, the Solution Manager suite of capabilities is extensive, and every facet must be adequately secured against bad actors. Because it sits between so many other systems, Solution Manager deserves the same cybersecurity attention as ECC and S/4HANA. Now that you understand what Solution Manager is and does, part two will explain how to protect it.

Barry Snow
Technical Account Manager at SecurityBridge

Barry Snow is the Technical Account Manager at SecurityBridge, where he leverages over a decade of experience in SAP cybersecurity and technical account management. Before joining SecurityBridge, Barry served as a Technical Account Manager at Onapsis, providing strategic guidance and customer advocacy in SAP cybersecurity, including managing customer renewals, expansions, and license oversight. He has a rich background in implementing and optimizing cybersecurity solutions, having worked as a Professional Services Implementation Engineer, where he advised on threat remediation, incident monitoring, and SIEM integration. Barry also consulted for IBM and RHEA Group as an Implementation Project Manager, overseeing the rollout of the Onapsis Platform, ensuring customer success through comprehensive implementation and customer retention strategies. Barry’s expertise spans SAP vulnerability management, patch management, and cybersecurity best practices, making him a trusted advisor for organizations looking to enhance their SAP security posture.
