SAP Cybersecurity in an Age of Uncertainty

by Jhansi R Bandaru, PMP-Certified IT SAP Security/Compliance Lead

According to Risk Based Security’s 2019 MidYear QuickView Data Breach Report, the first six months of 2019 saw more than 3,800 publicly disclosed cyber attacks exposing more than 4 billion compromised records, with 3.2 billion of those records exposed by just eight breaches. Making matters worse, an overwhelming percentage of the compromised personal or strategic data was considered highly sensitive, yet was stored on unsecured routers and gateways — an oversight that offered cyber attackers ready access and scores of opportunities to steal and misuse data. Just to provide scope and context, think about this: Some 700 message servers that hold highly sensitive data are currently open to the internet in the US, according to the Department of Homeland Security’s National Cyber Security Division.

With SAP systems containing very sensitive and confidential data, there is a critical need for organizations to perform a regular audit of these systems to check their security and data integrity and to identify system vulnerabilities before potential attackers do. Knowing the weaknesses and gaps in a system is the first step in empowering management to deal with those vulnerabilities in a proactive, concise, and effective way.

Developing Effective Access Management Practices

As the number and impact of security breaches continue to climb, management at a growing number of companies has significantly increased its focus on compliance, information security, and IT risk management, with a particular emphasis on governing what data and processes users can access inside an SAP landscape. Access control is a key part of any security system, requiring many processes to manage, monitor, and sustain, and there are a number of best practices to successfully manage the access to sensitive data in a SAP environment:

• • Segregation of duties ― that is, protecting the system against intrusion by users who have low-level clearance by granting only limited access to specific levels of data — is a key element of controlling access to sensitive data. For example, some employees may have access to critical functionality, such as passwords that open the door to virtually every information file in the system, while others are granted authorized access only to certain specified data.

• • Utilizing password management applications is highly recommended as they allow end users to reset passwords on their own, making it easier to manage passwords and synchronize them with other systems.

• • Single sign-on (SSO) functionality serves as a form of authentication that enables users to use a single set of credentials for each system when they want to access different applications or platforms within a certain organization. By allowing them to use this single set, SSO simplifies the process of authentication and allows the monitoring of accounts and user logins.

• • Provisioning — that is, the monitoring of user and customer access rights — ensures enterprise resource security and provides identity management features such as digital identity creation, termination, and validation to clients, employees, and other stakeholders. It allows them to access resources either through the cloud or when present on site, guaranteeing that users have permission to use applications and network resources.

• Creating role-based groups within a network is another effective access management practice as it determines exactly what access privileges users should have based on their job and establishes a vetting process that sets access standards and parameters.

To support these access management best practices, additional SAP security measures ― including authentication methods, database security, and network and external communication security ― must be implemented so that approved users have not only permission, but just enough means to gain access to the information they need to retrieve or edit. This ensures that data in a distributed environment is protected from both intentional piracy and unintentional damage that can compromise otherwise secure data.

Managing SAP Security Patches

SAP security is essentially a complex set of different areas with different responsibilities that can be constituted in accordance with platform types — such as ABAP, Java, and SAP HANA, for example — and can be separated into discrete, workable parts. For example, SAP security can be divided by application and business layers, or it can be organized at the platform and customization level, or it can be grouped by approach, such as detection and response or organizational and technical. A critical aspect across all of these areas is the application of security patches.

To remain optimally effective, SAP solutions, like any other IT application, need to be patched and updated regularly. Implementing security patches is not a one-time occurrence, but rather a continuous process that should take place on a monthly basis or at predefined intervals. However, for a variety of reasons, these patches aren’t always implemented, which raises the risk of cyberattack. For example, companies often mistakenly resist the need to patch, preferring to avoid the bother of disrupting existing processes such as customer relationship management or payment systems.

SAP releases security patches on the second Tuesday of every month, and it is imperative for any SAP customer to align with the security recommendations from SAP. As a first step, the recommended security patches released for the month can be analyzed at https://service.sap.com/securitynotes. In addition, supplementary information as well as testing scenarios on the released patches can be accessed at https://service.sap.com/securitypatchday.

Mitigating Vulnerabilities

Many developers consider SAP systems secure and robust because they have built-in authorization features. While this is true to some degree, faulty installations and misconfigurations can cause issues that can be addressed and treated using up-to-date, solution-specific software.

It is critical to eliminate any vulnerable attack surfaces as numerous Internet of Things (IoT), networks, and storage tools are connected to SAP systems. As such, they can present tempting targets for potential hackers, who are aware that when SAP solutions are in place, the data being protected is of especially high value.

While many firms rely on SAP software, some have outdated employee security policies that can lead to lax password and sloppy network security. This oversight can be a fundamental indicator of an overall poor cybersecurity strategy that devalues effective, long-term data security for the sake of immediate convenience.

In the long run, the most effective approach IT and security teams can take is to monitor operations in a continuous fashion, regularly conducting unscheduled system checks that can, as a best practice, readily identify system vulnerabilities and implement corrective measures.