Recommendations

In order to get the most out of Protect4S VM, we recommend the following:

Managed Service Providers (MSP)

For MSP's we provide a demo-license to demonstrate the Protect4S VM solution to prospects. It is advised to have a separate Protect4S system for demo purposes that is separated from productive Protect4S VM installations to scan customer systems. This is to prevent mixing of sensitive data with demo scenarios.

We support the use of a single Protect4S system for multiple customer's systems, provided:

  • This system has been hardened (e.g. network separation)

  • Is kept up-to-date with the SAP Security notes

  • Access to it is strictly regulated

  • The customers are separated per system or per client.

Multi client support

If you are an MSP and want to use a single Protect4S system for multiple customers, then it is necessary to separate these customers per client to separate the data for these customers. For every customer it is required to:

  • Create a new client using a customizing-only (profile UCUS) copy from client 000 with transaction SCCL.

In the new client:

No support for strict data separation in Protect4S system with single client and multiple customers

We do not support data separation in a Protect4S system that has a single client for multiple different SAP customer systems.

This is because some Protect4S VM functionality would be merged and different SAP customers could see details of each other's SAP systems and security related information. Both the Connection map and Management overview would show the SAP systems of all customers, for example. If you want to use one Protect4S system for multiple customers where data of these customers is separated, then it is necessary to create a separate client per customer.

Server groups

  • Protect4S VM has no specific hardware requirements because its memory and CPU consumption is very low. But when running a project containing more than 10 scans, it is advised to monitor the use of system resources and make use of the server group settings in order to control the number of active work processes.

See Appendix E, "Using a Server group".

  • In order to fully utilize the Protect4S VM notification functionality, we recommend to configure the sending of emails from the Protect4S system. See the Quick Guide to SMTP Configuration in SAP Help for additional information.

  • When using the Mitigation of SAP Notes functionality it might be considered to set the parameter rdisp/max_alt_modes to a value higher than the default value of "6" to not run into issues when running multiple mitigation runs at the same time.

Protect4S central system

For best insight and visibility over the complete landscape (e.g. the connection map) it is advised to connect as much systems in the landscape as possible to one central Protect4S VM installation. (provided there are no hard boundaries like network separation, security restrictions, etc).

Also it is advised to install the Protect4S solution on a Productive system rather than a Development system for productive use. This to avoid connections from low security zones (Development, Sandboxes, etc) to high security zones (Production for example).

Last updated