In this Spotlight Q&A, Onapsis CEO Mariano Nunez responded to a few of my questions about securing SAP systems, mobile applications, and cloud services.
"I think the big change hits when customers stop thinking of SAP security as roles and profiles or segregation of duties controls. That’s indeed important, but securing the systems from cyber-attacks requires different knowledge and controls."
-- Mariano Nunez, CEO Onapsis
Onapsis, a Boston-based ERP cyber security company, plans to release a new update for its X1 security suite, which provides automated security assessments of SAP systems. The new feature enables customers to audit for security vulnerabilities affecting their mobile-accessible SAP environments, providing them with prioritized mitigation plans that help them mitigate existing risks.
What mobile security area do you think is the one most overlooked by organizations today?
When talking about mobile security, most organizations are today focused on bring your own device (BYOD) or mobile device management (MDM). They focus on securing the devices and their applications. However, several of them fail to realize that if they have an SAP mobile application installed on their iPhones, that application is actually connecting back to an Internet-facing SAP system running inside their networks.
Therefore, even if the devices are completely secured, cyber-attackers can target the back-end SAP systems directly, launching tools and exploits directly from their fully equipped attack systems. It is very common to find SAP back-end systems that are exposing many more services than just the mobile applications that were supposed to be exposed, providing malicious hackers with a wider attack surface.
In order to go mobile securely, organizations need to be sure to lock down not only their devices but also the SAP systems that are accessed by them.
Do you think providers of cloud-based services are better prepared for securing access to their applications from mobile devices than a company relying on on-premises applications?
Many providers of cloud-services have designed their applications from scratch with mobility in mind, so several of them have secure architectures by design and robust security processes in place. SAP Afaria is a great example of this. Some of the on-premises applications were not originally designed to be exposed to untrusted networks such as the Internet, so this can introduce additional challenges when trying to secure them.
However, one key aspect to consider when deciding whether to go cloud or not is how mature the company itself is regarding information risk management, as well as the trust and control it has over the cloud provider. If the company has a strong information security practice and the right technologies, it can secure its applications as well as (or even better than) cloud-based providers. Furthermore, in this scenario, the company can be sure that it has full control over its platforms and the controls it implements, which may not be so easy to enforce when this is managed by a third party. On the other hand, for small and medium-sized businesses and companies without such strong security practices, a cloud provider may do a better job at protecting the applications.
Have you consulted with any clients that were not adequately securing their back-end systems for SAP on non-SAP systems? If so, what recommendations did you make for them besides keeping their patches up-to-date?
Certainly. We have worked over the last six years with global Fortune 100 customers and governmental entities, many of which feature some of the largest and most complex SAP implementations on the globe.
Based on our practical experience performing SAP penetration tests and customers using our products, we see that, unfortunately, many SAP systems are currently exposed to high-risk technical vulnerabilities that could lead to espionage, sabotage, and financial fraud attacks. SAP has done a great job in streamlining the release of security patches and SAP Notes. However, the problem is that customers are not applying them promptly. Furthermore, security patches only protect against certain vulnerabilities; others, such as standard users with default passwords, can only be solved through continuous monitoring of the platform – and that’s the customer’s responsibility as well.
Several organizations are not capable of doing this today (due to a knowledge gap or missing the right processes and tools). That’s why so many SAP systems are currently exposed to high-risk vulnerabilities.
Applying security patches is critical, and SAP has done great work with the SAP Security Patch Day program, setting the pace for customers that should be now applying the critical patches monthly.
It is important to note, however, that applying patches is only a piece of a holistic SAP security program. Important aspects to keep in mind are securing the systems at the network layer (through internal firewalls and intrusion detection/protection systems), verifying the configuration of all the security-relevant instance profile parameters, understanding whether there are dangerous RFC [remote function call] connections from non-production to production systems, and making sure that users do not have default passwords or dangerous authorizations, among others.
I think the big change hits when customers stop thinking of SAP security as roles and profiles or segregation of duties controls. That’s indeed important, but securing the systems from cyber-attacks requires different knowledge and controls.
If an organization cannot afford to invest in a third-party security solution such as X1 to secure its mobile-accessible SAP systems, could it manually keep its environment and its back-end systems secure, or has this become an overwhelming challenge for security administrators to tackle alone?
In a small organization, with a few SAP instances, I believe they might be able to manually secure and monitor their SAP platforms. However, in large organizations with dozens or hundreds of SAP instances, this becomes overwhelming.
Reviewing manually one SAP system alone can take a few days. To achieve holistic security, all the SAP landscapes and systems (including non-production environments) must be secured and continuously monitored. So in large environments, doing this manually is simply not feasible.
These are the cases where automation is a perfect fit – being able to continuously and effortlessly assess the entire SAP platform enables security administrators to focus their efforts on value-add activities, significantly maximizing the efficiency of the SAP Basis and security teams.
Mariano Nunez is CEO of Onapsis, an ERP cyber security company based in Boston, Massachusetts.

Gary Byrne
Gary is the managing editor of Financials Expert and SCM Expert. Before joining WIS in March 2011, Gary was an editor at Elsevier. In this role he managed the development of manuscripts for Elsevier’s imprint responsible for books on computer security. Gary also has held positions as a copy editor at Aberdeen Group, a Boston-based IT market research company, and as an editor at Internet.com, a publisher of content for the IT community. He also gleaned experience working as a copy editor for International Data Corp., a Framingham, MA-based IT market research company. He earned a bachelor of science degree in journalism from Suffolk University in Boston. He enjoys traveling, sailing as a passenger onboard schooners, and helping his wife, Valerie, with gardening during summer weekends. He’s a fan of all the Boston sports teams and once stood behind Robert Parish in a line at BayBank. He felt small and didn’t ask for an autograph. You can follow him on Twitter at @FI_SCM_Expert. His online footsteps can also be found in the SAP Experts group on LinkedIn.
You may contact the author at gary.byrne@wispubs.com.