Foundational SAP Security
Key Takeaways
⇨ Securing SAP landscapes involves protecting individual SAP systems and services as well as the network they run on and the integration points between them
⇨ The most effective security involves starting early and building an integrated foundation of services that communicate and provide information in a central location
It is more important than ever to ensure that SAP systems are secure. The number of attacks against systems continues to increase, and recent SAPinsider research on cloud security trends revealed that 61% of respondents were aware of one of their cloud providers having been subject to an attack. While ransomware and malware attacks are some of the most discussed in the media, other forms of cyber attack or credentials compromise may represent a higher risk factor. With SAP systems being central to an organization’s ongoing operation, protections must be put in place to ensure systems are secure. But there are many challenges that organizations face, including detecting potential threats, patching, securing custom code, and protecting data.
Identifying SAP Security Challenges
To better understand these challenges, SAPinsider sat down with Matthias Czwikla and Julian Petersohn of Fortinet. Czwikla is the Head of Global SAP Sales, and Petersohn is the Global SAP Cloud Architect. Both have years of experience with the SAP ecosystem, and Petersohn has been specializing in SAP security for the last five years. One of the biggest challenges Czwikla and Petersohn see for SAP customers is just how vulnerable SAP systems really are and that there are some critical attack vectors that are often forgotten.
“An example of this vulnerability is the SAProuter,” says Petersohn. “This is often a forgotten component within an SAP landscape, but nearly every company has an SAProuter. The first area of vulnerability is that there is often a discussion around who is responsible for the SAProuter. Since it’s exposed to the internet and allows communication between internal and external systems, the network team would normally handle security. But since it’s an SAP application, the SAP team often ends up being responsible. This can cause confusion over who needs to maintain and patch the system. A recent study showed that over 9.000 SAProuters were reachable globally, and all of these routers provided their host name within an error string. Around 300 also allowed access to the connection table, which indicates a misconfiguration and might allow access via the SAProuter to the SAP systems running behind it.”
Another example that Czwikla and Petersohn provided was a recent vulnerability discovered within the login process. The challenge was that the vulnerability was within Log4j, which is a third-party library that SAP leverages, not a core SAP component. This meant that SAP had to distribute the patch and advise customers to apply it. But one of the biggest challenges faced by SAP customers is that of regularly implementing patches and updates. Organizations sometimes must wait weeks for a patching window, and only 54% of those responding to the research discussed earlier said that they were addressing necessary patches on a regular schedule. While this is positive, 22% said that they don’t address necessary patches regularly. This can be very concerning when serious security vulnerabilities are exposed.
The last major gap for many organizations is security misconceptions when moving to the cloud. Depending on the cloud environment, it can be the customer’s responsibility to ensure security controls are in place, not that of the cloud provider. It is very important that organizations take the time to ensure that security is in place for any cloud deployments and that they thoroughly understand who is responsible for security in their specific scenario.
Adding Layers of Protection
“There needs to be a security layer before the SAP system in order to better prevent attacks,” says Petersohn. “This can ensure that something that cannot be secured by an authorization check or ACL file can be protected against even if a patch has not been proved.”
Czwikla agrees. “Putting in place SAP intrusion detection can not only help keep systems protected, but it increases uptime because it’s possible to provide a virtual patch against certain SAP vulnerabilities. It’s also possible to inspect the contents in SAP network packets and identify what is actually in them.”
In addition to implementing a security layer that protects systems running within the network, it is just as important to protect against attacks coming from the internet or via the HTTP protocol, which is used by SAP Fiori. Much of the communication that occurs between SAP systems is system-to-system communication via APIs that are defined and propagated by SAP. Regulating who can address these APIs at the network layer means that this protection doesn’t have to happen within the SAP system, because that can be difficult to maintain and administer.
Another feature that should be considered is vulnerability scanning. This allows an organization to scan their SAP systems against the most common SAP threat vectors that have been identified. The same scanning tools should also be able to look at operating systems in the same way and identify threats coming from the operating system that are SAP focused.
An additional challenge for many customers is the move to the cloud. While this is often done in conjunction with the move to SAP S/4HANA, it expands the attack surface for organizations as there is increased communication between cloud-based systems and those still running on-premise. Having insight into network traffic and making that traffic visible allows organizations to ensure that they are most effectively protecting one of the biggest vulnerabilities with SAP landscapes.
Implementing an SAP Security Foundation
“Communications and networking are really the foundation and where I would recommend customers start when they want to implement SAP security for the landscape,” says Czwikla. But he also believes security should go beyond that. Security should react to security incidents that are recognized within the SAP system. For example, if a user tries to access a report more than four or five times that may create a security alert in the SAP system. That can trigger a response in a tool that can perform actions around the infrastructure. Start with network security to create a barrier around your SAP systems so that you’re protecting them from threats coming from the outside as well as reacting to potential threats that happen within the systems themselves.
“When an organization implements security they are looking to protect their brand and their revenue,” Czwikla stated. “They don’t want to be on page one of the New York Times seeing that their data has been breached. But above that it’s to protect their data, systems, and infrastructure. But since we live in an interconnected world it’s not just about protecting your own data but the data that populates your network.” But any security foundation should also help reduce the time between when a security incident is detected, and when it is remediated.
Your security foundation should also add security to SAP components that do not provide built-in security functionality. Ideally it should be a mesh of tools that communicate and exchange data and threat information so that manual intervention is not necessary and all the threat information is stored in a central location where it can be evaluated and distributed.
Czwikla also emphasizes that security is best discussed early in the process. He has seen the cost of implementing security rise with the progress of an implementation project. No matter what the project is, he encourages organizations to consider security as early as possible in any project.
Another part of the security foundation is ensuring the collaboration of the network security team, security team, and SAP Basis teams. This is something that Czwikla has seen more organizations encouraging in an effort to prevent historical challenges where operating system, database, storage, and SAP teams often failed to collaborate. Having teams work more closely together can be a significant advantage when reacting to a potential security attack.
What Does This Mean for SAPinsiders?
The biggest factor impacting SAP security today is the need to protect access to sensitive and confidential data in SAP systems. Whether an organization has been running SAP systems for years or is embarking on a new project such as a transition to SAP S/4HANA, placing security at the center of your plans is crucial. What are some steps that can be taken to help start the process of securing SAP systems?
- Thoroughly explore your SAP environment to understand what is in place and what needs to be protected. Traditional SAP security has focused on access and process control—ensuring that the right people have access to the right data and processes. But there are many parts of the SAP environment which are crucial but can be neglected from a security standpoint. Data flow and integration points can often be a gap in security plans as there is confusion over which team is responsible for managing security on those points. Third-party services leveraged by SAP can also be neglected. The better an organization understands its landscape, the more effectively it can be secured.
- Implement patching plans and ensure that they are followed. Keeping up with patches and updates can be a challenge for SAP customers today. Not only are patches being issued on a regular basis, they are provided by SAP, partner software vendors, operating system vendors, and infrastructure providers. Knowing which patches are the most critical to apply and finding time to apply them can be challenging, especially when minimizing downtime is one of the most important tasks for SAP teams. It is vital that every organization have a patching plan in place, have scheduled patch windows, and stay on top of the most critical patches and updates if they want their SAP systems to be secure.
- Encourage collaboration between SAP, IT, and security teams. Beyond the lack of cybersecurity resources, one of the biggest challenges facing organizations around security is a lack of collaboration. SAP teams have traditionally managed the security of SAP environments, but this has not always been in cooperation with security teams that are taking a more holistic approach to managing security across the enterprise. Encouraging collaboration between SAP, IT, and security teams can help build a foundation for more effective cooperation should it become necessary to react to a security threat and help enhance the security of your landscape.
About Fortinet
Fortinet provides enterprise-class security for SAP applications whether they are deployed on-premises or in the cloud. Fortinet solutions tightly integrate with SAP landscapes to provide a zero-trust approach to SAP security. Fortinet’s SAP reference architectures and SAP’s specific threat feeds offer a tried and tested security solution. Security teams can easily evaluate their SAP configuration and security posture against best practices and protect against the latest threats targeting each industry sector. With integrated multi-layered protection, visibility, and analytics offered by Fortinet and SAP, organizations gain confidence knowing that their SAP environment is secure.