Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach. Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of. Attackers with the appropriate skills could be able to exploit specific SAP vulnerabilities to take full control of the SAP system and expose the critical information and processes of the company.
Among new SAP users and non-technical experts, there are multiple myths when it comes to SAP, like “SAP is a commercial product that delivers security by default.” The reality is that even after implementing the standard functionalities of an SAP solution, it is not secured by default.
Traditionally, companies were predominantly focused on the roles and profiles assigned to different users in the SAP system as the main control to improve the security in the SAP systems. However, this focus has been expanded beyond merely access control, and there are plenty of elements that need security factored in:
- Access management: In the SAP solutions, there are multiple ways to provide high privileges to users and to perform critical actions on the business processes, such as changing already created invoices, modifying existing purchase orders or trying to change the system configuration
- Custom code: According to best practices, it is better to build security in your code during the design process than waiting to have a breach.
- Configuration: An SAP system has hundreds of different parameters that influence the configuration of the system and therefore its security. As such, most customers have included security as a key part in their SAP implementation projects.
- Interface/integration with other systems: Interconnecting systems can be a dangerous activity if the security of both systems is not adequate and the connector is not configured properly.
IBM Security has defined a security framework featuring 13 layers that focus on the critical elements of the SAP stack. This framework uses a top-down approach, going from regulatory and compliance to the most technical details related to cybersecurity.
Figure 1: The 13 layers of SAP Security
Some years ago, the main activities on an SAP security project were focused on defining the appropriate roles and authorizations according to the Segregation of Duties matrix established by the customer or the best practices. However, those activities have been expanded to include the security of the DevOps and in the interfaces, consideration of encryption (at rest or in motion), performance vulnerability assessments, penetration testing and more.
A good starting point is to identify all the security aspects that could impact the SAP systems that are either running in a cloud environment or will be moved to a cloud environment. This activity evaluates the security considering the aforementioned 13 layers framework and combining the utilization of different assets to speed up the analysis.
These are some examples of the questions that will be answered during this analysis:
- Are the integrations between the SAP ERP system and other internal and external systems secure?
- Is the company monitoring the vulnerabilities in the SAP landscape? If so, is the company appropriately managing the vulnerabilities identified?
- Is the company correctly assigning the users’ roles in the SAP landscape?
- Is the configuration of the application layers of those SAP systems secure enough?
The final deliverable should be a detailed report including the security weaknesses and an action plan to mitigate the found risks.
This type of project is used to justify the security value behind the transformation program defined by the company and is utilized as a first step to start the security transformation in the SAP environment. After this activity, IBM offers different solutions to accelerate the security transformation and to manage the applications in a secure manner.
The key difference that sets IBM apart is that we analyze the client security posture from two different perspectives; we consider compliance and cybersecurity with the main objective of identifying all the weak flanks that could compromise the customer’s business.
Is your IT strategy considering the security of its SAP solutions? Is your company performing frequent reviews to assure that the SAP solutions have not been attacked or suffered a breach? How is your company managing the vulnerabilities identified in the internal or external audits? Learn how to best secure your SAP environments and get in touch with an expert to help you through your SAP security transformation today by accessing here.
Senior Managing Security Consultant