We understand the importance of security when it comes to your SAP system(s) within your organization. As cyber attacks continue to become more successful, it is essential to have a process in place.
Below are several frequently asked questions regarding security to provide some insight on our approach and how Avantra can help you navigate through this journey.
1. How is Avantra deployed?
This is largely up to you, or your service provider. We are fully multi-tenant and deploy anywhere. Most commonly, customers deploy Avantra within their network, either in a Virtual Machine environment or on a Hyperscaler.
2. What does this mean about data security?
Your Avantra data is your data, fully owned by you and managed by you. We don’t have access to it.
3. What about in a multi-tenant environment?
Avantra was designed from the beginning to be a multi-tenant solution, and many of our service provider customers have a single Avantra system that manages many customers. There are network gateways that restrict the flow of traffic, and tenant isolation within the Avantra software itself; this means service providers can grant team members partial access for specific customers.
4. Does Avantra collect usage data?
Yes, we collect limited activation data around the number of systems used and some metrics regarding which features are used, to help us improve the product. We never collect personally identifying data, or any business data from your SAP systems. We’re very transparent about what data is being sent and customers can inspect the exact content directly in Avantra itself.
5. What is your approach to cybersecurity?
Security is of the utmost importance to us, as it is to our customers, so we take a rigorous approach to cybersecurity. We scan our libraries daily for known security vulnerabilities and assess each finding based on its severity. For less severe issues, we update the library in a newer version of Avantra; for more severe ones, we immediately cut a new release and notify customers.
6. Do you have security certification?
Yes, we are ISO 27001 certified and have implemented a secure development process, a process of continual security improvement. We have an annual external audit, six-monthly internal audits and quarterly meetings to review progress, as well as daily actions as needed. We identify longer-range ways to improve Avantra and include them in our annual Avantra major release.
Our Information Security Policy as well as our ISO 27001 Certificate are available upon request.
We are also certified by SAP for both S/4HANA and RISE with SAP, and have taken advice from SAP on securing our SAP transport to only allow specific functions and data to be accessed by Avantra.
7. Does Avantra have super user access to SAP?
No, our agent-based approach to SAP means that we take an allow-list approach to SAP functions and data. We also use a polymorphic approach to SAP transport management. This means we have just one transport for all SAP monitoring, and one for automation, which reduces the overhead on security teams.
8. What about penetration testing?
We complete an annual penetration test as part of our ISO 27001 certification, and any issues found are mitigated and periodically reviewed according to their severity.
Several of our Fortune 50 customers also do their own annual penetration tests and code reviews, which we take input from and add into our risk management process.
9. Do you have a bug bounty program?
Absolutely, the details are available here. Please note that the bug bounty program applies to the Avantra software itself and is thus restricted to customers.
10. Can I have more details for my security review?
Definitely, please read our security whitepaper.
11. Can I do my own security review?
We encourage you to read our security whitepaper first, but if you find the need to do a security review after that, then please contact us and we will help you get started. The Avantra Server and Agent are based on Java, and we also have a significant amount of SAP ABAP code, which you can review.
We take security very seriously and greatly appreciate the customers who take the time and resources to provide feedback. If you have security feedback for us or security questions you’d like to see on our FAQ, please let us know.