SAP Security: What are the flanks to protect?

Last updated: October 5, 2023

Recently, according to reports from cybersecurity companies such as Check Point and Kaspersky, cyber-attack attempts in Chile have increased significantly (see article in El Mostrador). Among those affected by this type of attack are important organizations such as Sernac, the Joint Chiefs of Staff of the National Defense, BancoEstado, the Administrative Corporation of the Judiciary and, recently, Mercado Público. In the latter case, the Chilecompras web platform had been down for about ten days (see Interferencia’s note).

SAP systems are generally business-critical and therefore attractive targets for ransomware-type attacks; in addition, they usually handle very valuable data. Potential threats include not only external cyber-attacks, but also attempts at fraud or information leaks, which usually come from within companies or institutions. In this context, SAP promotes in its Trust Center different actions that address not only security, but also data privacy, compliance and transparency.

Given the increase in threats, it is now necessary to protect the operational continuity of SAP systems and the data residing in them with multiple additional security measures, to cover all exposed flanks – the attack surface – and mitigate the risks that cannot be eliminated with all these layers of protection.

Traditional SAP security

Until now, the security of SAP systems was mainly concentrated in three areas:

  • Infrastructure security, which includes datacenter, servers, storage, etc.
  • Communications security, mainly VPNs and firewalls.
  • SAP access security, through credentials and authorizations, with the traditional system of roles and profiles.

Given the new nature of attacks, these traditional security measures are not sufficient to safeguard SAP systems and their data. In this year’s SAP Insider “Cybersecurity Threats to SAP Systems” survey, respondents were asked to rank the top cybersecurity threats to their SAP systems from highest to lowest. Ransomware (data hijacking) attacks, unpatched systems and credential compromise were ranked as the most important threats to systems, as they were last year. The continued growth of cloud migration, integration, data augmentation, virtualization, mobile device access and the Internet of Things (IoT) has made securing these connections a critical element of cybersecurity. Vulnerabilities due to unsecured systems and connections can be a direct channel to SAP for ransomware, malware (malicious software) and other attacks.

The new security requirements for SAP

If we look at the different layers that make up the security of an SAP system (see figure), we can see the following:

  • 1) Communications security is traditionally entrusted to a scheme of private links and firewalls, or to the use of VPNs. Although these solutions provide a basic level of security, they are not sufficient, and other measures (application firewalls, proxies, etc.) are required to reach an acceptable level of coverage. The current trend is to move towards a Zero Trust security model, as shown by Gartner in its report Zero Trust Architecture and Solutions, where it predicts that by 2023, 60% of organizations will use the Zero Trust security model instead of VPNs (see Zero Trust Security: what it is and why it is important).
  • 2) The security of the infrastructure should be well covered by the hosting provider, whether in a traditional datacenter or in a public cloud. In the case of a public cloud, the responsibility is shared between the cloud itself and the client or the cloud hosting provider. Here it is very important to have the expertise of a specialized provider, ideally certified by the cloud itself (see article Our cybersecurity solutions in SAP’s cloud operation).
  • 3) Security within SAP applications themselves should cover at least the following:
    • SAP security notes, and their ongoing implementation, ideally as part of a larger vulnerability management process.
    • Access security, secure credentials, key protection, etc.
    • SAP roles and profiles, including proper request and authorization process, and ongoing risk analysis and mitigation.
    • Custom Code (Z) security, based on best practices, analysis, and auditing.
    • Threat detection, in the form of suspicious activity within the SAP application.

The new advanced security solutions for SAP

The current threat environment has prompted the emergence of various tools to provide additional security for SAP system environments. However, these do not constitute a solution on their own. Technical knowledge of the associated security concepts is required in addition to the tool itself. It also requires ongoing, structured processes for monitoring, detection, notification, and response to security incidents.

For this reason, comprehensive solutions to the different vulnerabilities, in the form of services delivered by a specialized provider, are more effective. Among these solutions we can highlight the following:

  • Zero Trust Access Service, which includes the implementation of the secure communications solution, and the ongoing support and operation of the solution.
  • SAP Security Notes Service, a permanent service that gathers information on SAP security notes, analyzes their applicability, and plans and implements the notes.
  • SAP Threat Detection Service, a permanent service for monitoring and detection of suspicious activity in SAP, including manual and automatic structured responses for the most critical cases.
  • SAP Function Segregation of Duties Service, including the initial analysis of associated risks, their remediation or mitigation, and a permanent service for managing access change requirements, and the analysis and mitigation of associated risks.
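
The role risk analysis and the review of access change requests mentioned above can be sketched as follows. This is an added example, not code from Novis or SAP: the role names, users and the two segregation-of-duties rules are constructed for illustration, and a production rule set would be far larger.

```python
# Constructed sample data: which SAP transaction codes each role grants.
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},   # create / change vendor
    "Z_AP_PAYMENTS": {"F110"},               # automatic payment run
    "Z_MM_BUYER": {"ME21N"},                 # create purchase order
    "Z_MM_GOODS_RECEIPT": {"MIGO"},          # post goods movement
}
# Illustrative SoD rules (assumed, not from the article): one user must not
# hold a transaction from both sides of a rule.
SOD_RULES = {
    "Maintain vendor + run payments": ({"FK01", "FK02"}, {"F110"}),
    "Create PO + post goods receipt": ({"ME21N"}, {"MIGO"}),
}
USER_ROLES = {
    "ALICE": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},
    "BOB": {"Z_MM_BUYER"},
}

def sod_conflicts(roles):
    """Return {rule: (side_a_hits, side_b_hits)} for every rule the role set violates."""
    unknown = set(roles) - set(ROLE_TCODES)
    if unknown:
        raise KeyError(f"unknown role(s): {sorted(unknown)}")
    held = set().union(*(ROLE_TCODES[r] for r in roles))
    conflicts = {}
    for rule, (side_a, side_b) in SOD_RULES.items():
        hits_a, hits_b = held & side_a, held & side_b
        if hits_a and hits_b:
            conflicts[rule] = (sorted(hits_a), sorted(hits_b))
    return conflicts

def audit_all_users():
    """Initial analysis: every user whose current roles already conflict."""
    report = {user: sod_conflicts(roles) for user, roles in USER_ROLES.items()}
    return {user: found for user, found in report.items() if found}

def review_change_request(user, requested_role):
    """Ongoing analysis: only the conflicts the requested role would newly add."""
    current = USER_ROLES.get(user, set())
    before = sod_conflicts(current)
    after = sod_conflicts(current | {requested_role})
    return {rule: hit for rule, hit in after.items() if rule not in before}

if __name__ == "__main__":
    print(audit_all_users())
    print(review_change_request("BOB", "Z_MM_GOODS_RECEIPT"))
```

A request that introduces no new conflict returns an empty result and can proceed; a non-empty result is what goes to remediation or to a documented mitigating control.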

At Novis we offer services and new advanced security options for SAP systems, which we will cover in more detail in later installments. For more information about our services, we invite you to contact us.

Feedback/discussion with the author: Glen Canessa.