How to Protect SAP Systems Effectively
According to the DSAG Investment Report 2024, IT security is clearly the most important overarching IT topic for existing SAP customers: 88 percent rate it as being of medium or high relevance (see chart). This is a good thing. There is a growing awareness that SAP landscapes are at risk not only from external threats, but also from within.
For example, a newly hired employee might want to know how much his colleagues earn. To view salary lists, he would need either SAP_ALL authorization or access rights to the relevant transactions and read rights for tables in SAP HCM. He has none of these, but his role does include debugging authorization, which allows him to make changes in both the SAP development and SAP production systems. This is precisely where a security gap opens up: while debugging, he manipulates the production system in such a way that the authorization check is bypassed and he can access salary data without authorization. In such a case, even properly maintained authorizations do not offer sufficient protection.
This is still a comparatively harmless scenario. What if an attacker uses social engineering to obtain the credentials of a former administrator whose account and authorizations have not yet been deleted? Then even a company's most valuable information, such as its production and development data, is no longer secure, not even if the security team has done its homework and properly implemented and configured traditional security solutions such as antivirus software, ransomware protection and firewalls.
The key question is therefore: what can and should existing SAP customers do to close the gaps in SAP security?
Trust, but check whom
As the saying goes, trust can be dangerous. Translated into IT terms, this means that the right starting point for raising the security level of SAP landscapes is the zero-trust approach. If the attacker is assumed to be already in the system, you cannot trust anyone or anything and must verify everyone and everything. This applies even if users and devices access SAP via a trusted network such as the company LAN, and even if they have been verified before.
In order to develop an effective security concept based on the zero-trust approach, existing SAP customers should follow several principles:
- Authenticity: Secure authentication should be enforced always and everywhere.
- Confidentiality: All communication should be secured.
- Least privilege access: Authorizations should only be granted to the extent that users need them to be able to do exactly what they are supposed to do, but no more.
- Safety: Unknown devices and users are denied access to the company network as a matter of principle.
- Responsibility: It must be clear and verifiable at all times who makes changes to the settings and which ones; all of this must be logged accordingly.
- Currency: The entire IT stack, from hardware and the operating system to databases and SAP applications, must always be kept up to date; accordingly, SAP customers should regularly evaluate and install security updates as soon as they are announced.
- Suspicion: Zero trust means permanent mistrust, which is why user rights and their roles, transactions, services, etc. are checked regularly.
- Consistency: The security level must remain at least as high with every change, which is why security measures are a mandatory component of every change to the SAP landscape.
- Risk aversion: Risks are recorded and evaluated not just once but continuously, as are the errors that inevitably occur, so that the organization can learn from them and contain them with suitable countermeasures.
- Resilience: The IT landscape should be able to compensate for partial failures, for example by segmenting the network and securing each segment with its own policies and measures, or by regularly practicing the recovery of services.
These principles form the basis of any effective zero-trust architecture that existing SAP customers can implement with the help of suitable tools and processes, as well as partners.
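The "Suspicion" and "Least privilege" principles above, and the two scenarios at the start of the article (debugging authorization in production, a former administrator's account that was never removed), come down to one recurring check: reviewing exported user authorizations for critical grants. The script below is an added example written for this article; it is not code from the article's author or from SAP. It assumes a flat export of authorization field values per user (the constructed sample roughly mirrors what SUIM or the USR* tables deliver). S_DEVELOP, its fields OBJTYPE and ACTVT, the value DEBUG, the activities 02 (change) and 03 (display), and the profile SAP_ALL are real SAP names; the system IDs, users, roles and dates are constructed.

```python
"""Offline review of SAP user authorizations for critical grants.

Added example for this article; not code from its author or from SAP.
Real SAP names: S_DEVELOP, OBJTYPE, ACTVT, DEBUG, activities 02/03, SAP_ALL.
Constructed: system IDs, users, roles, dates, and the export format itself.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class AuthValue:
    sid: str      # system ID the row was exported from
    user: str
    role: str     # role that carries the authorization
    obj: str      # authorization object, e.g. S_DEVELOP
    fld: str      # field of that object, e.g. OBJTYPE or ACTVT
    value: str    # single value; "*" is SAP's full wildcard (ranges not modelled)


@dataclass(frozen=True)
class UserMaster:
    sid: str
    user: str
    profiles: Tuple[str, ...] = ()     # directly assigned profiles, e.g. SAP_ALL
    last_logon: Optional[date] = None


PROD_SIDS = {"PRD"}     # assumption: which system IDs are production systems
DORMANT_DAYS = 90       # assumption: inactivity limit for privileged accounts


def _has(values, wanted):
    """Field check honouring the full wildcard '*'."""
    return wanted in values or "*" in values


def review(auth_values, user_masters, today):
    """Return sorted (severity, sid, user, finding) tuples."""
    # Group field values per (sid, user, role, object). Simplification: one
    # instance of an object per role; real roles may carry several.
    grouped = defaultdict(lambda: defaultdict(set))
    for v in auth_values:
        grouped[(v.sid, v.user, v.role, v.obj)][v.fld].add(v.value)

    findings = set()
    for (sid, user, role, obj), fields in grouped.items():
        if obj != "S_DEVELOP" or sid not in PROD_SIDS:
            continue
        if not _has(fields.get("OBJTYPE", set()), "DEBUG"):
            continue
        actvt = fields.get("ACTVT", set())
        if _has(actvt, "02"):
            findings.add(("HIGH", sid, user, f"role {role}: debugging with changes "
                          "in production (S_DEVELOP OBJTYPE=DEBUG ACTVT=02) can bypass "
                          "authorization checks"))
        elif _has(actvt, "03"):
            findings.add(("MEDIUM", sid, user, f"role {role}: display debugging in "
                          "production shows program data in memory"))

    for um in user_masters:
        if "SAP_ALL" in um.profiles:
            findings.add(("HIGH", um.sid, um.user, "profile SAP_ALL assigned directly"))

    # Dormant privileged accounts: the former administrator of the article.
    privileged = {(s, u) for sev, s, u, _ in findings if sev == "HIGH"}
    for um in user_masters:
        if (um.sid, um.user) in privileged and (
                um.last_logon is None or (today - um.last_logon).days > DORMANT_DAYS):
            findings.add(("HIGH", um.sid, um.user, "privileged account with no logon "
                          f"for more than {DORMANT_DAYS} days: lock or delete"))
    return sorted(findings)


# Constructed sample export; not data from any real system.
SAMPLE_AUTHS = [
    AuthValue("PRD", "NEWHIRE", "Z_DEV_SUPPORT", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    AuthValue("PRD", "NEWHIRE", "Z_DEV_SUPPORT", "S_DEVELOP", "ACTVT", "02"),
    AuthValue("DEV", "NEWHIRE", "Z_DEV_SUPPORT", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    AuthValue("DEV", "NEWHIRE", "Z_DEV_SUPPORT", "S_DEVELOP", "ACTVT", "02"),
    AuthValue("PRD", "ANALYST", "Z_BASIS_DISPLAY", "S_DEVELOP", "OBJTYPE", "DEBUG"),
    AuthValue("PRD", "ANALYST", "Z_BASIS_DISPLAY", "S_DEVELOP", "ACTVT", "03"),
    AuthValue("PRD", "CLERK", "Z_HR_DISPLAY", "S_TCODE", "TCD", "PA20"),
]
SAMPLE_USERS = [
    UserMaster("PRD", "NEWHIRE", last_logon=date(2024, 5, 30)),
    UserMaster("PRD", "ANALYST", last_logon=date(2024, 5, 28)),
    UserMaster("PRD", "OLDADMIN", profiles=("SAP_ALL",), last_logon=date(2023, 11, 2)),
    UserMaster("PRD", "CLERK", last_logon=date(2024, 5, 31)),
    UserMaster("DEV", "NEWHIRE", last_logon=date(2024, 5, 30)),
]
TODAY = date(2024, 6, 1)   # constructed review date

if __name__ == "__main__":
    for finding in review(SAMPLE_AUTHS, SAMPLE_USERS, TODAY):
        print(" | ".join(finding))
```

Against the sample, the review flags the new hire's change-debugging role in PRD (but not the same role in DEV), the analyst's display debugging as medium, and the old administrator twice: once for the directly assigned SAP_ALL profile and once as a dormant privileged account. Real exports also contain value ranges and several instances of the same object per role, which the grouping here deliberately simplifies.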
Making the most of SAP tools
As a general rule, existing SAP customers should consistently use the security tools provided by SAP and exploit their full potential. The SAP Identity Management (IdM) solution can be used to manage all SAP user identities and their authorizations centrally and in an audit-proof manner.
A rule- and role-based approval workflow controls the creation of user accounts and their authorizations. Throughout the entire user lifecycle, it is ensured that identities can only use the systems and functions that they actually need. However, comprehensive access should only be granted in an emergency and under no circumstances for longer than necessary. In addition, it is advisable to set up and manage centralized access to SAP using SAP Single Sign-On (SSO), which improves user authentication. At the same time, SAP SSO ensures end-to-end encrypted communication between clients and SAP resources, while SAP NetWeaver can make data transfer and communication between SAP systems and other network components tap-proof.
In addition to authorizations and authentication, the settings and parameters of the SAP systems and the database are considered potential weak points. Whether such weak points actually exist can be checked using Configuration Validation and the Security Baseline Template in the widely used SAP Solution Manager (SolMan), which also offers the option of importing the monthly SAP Security Notes and patches.
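To make the idea of configuration validation concrete, here is an added example (not the article's own material and not SolMan's Configuration Validation) that compares a dump of profile parameters against a small baseline. The parameter names are real SAP profile parameters; the target values are illustrative assumptions for this example, not the official SAP Security Baseline Template, and the parameter dump is constructed. Note the edge case for rdisp/gui_auto_logout, where a value of 0 switches the timeout off and must not pass a naive "at most N seconds" comparison.

```python
"""Compare SAP profile parameters with a security baseline.

Added example for this article; not code from its author, from SAP or from
Solution Manager. Parameter names are real; target values are assumptions
for illustration, and the dump below is constructed.
"""
import re

# Baseline: human-readable expectation and a predicate on the integer value.
# Predicates are used instead of plain "<=" so that special values such as
# 0 (= feature disabled) can be rejected.
BASELINE = {
    "login/min_password_lng": ("at least 8", lambda v: v >= 8),
    "login/fails_to_user_lock": ("between 1 and 5", lambda v: 1 <= v <= 5),
    "login/password_expiration_time": ("between 1 and 90 days", lambda v: 1 <= v <= 90),
    "login/no_automatic_user_sapstar": ("exactly 1", lambda v: v == 1),
    "rdisp/gui_auto_logout": ("between 1 and 3600 seconds; 0 disables the timeout",
                              lambda v: 1 <= v <= 3600),
    "auth/rfc_authority_check": ("1 or higher", lambda v: v >= 1),
}

# Accepts "name = value" as well as "name value"; a bare name does not match.
_LINE = re.compile(r"^\s*([\w/]+)\s*(?:=\s*|\s+)(\S+)\s*$")


def parse_dump(text):
    """Parse a text dump of profile parameters into {name: raw value}."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def validate(params, baseline=BASELINE):
    """Return (parameter, raw value or None, explanation) for each deviation."""
    deviations = []
    for name, (expected, ok) in baseline.items():
        raw = params.get(name)
        if raw is None:
            # An unset parameter falls back to the kernel default, which may
            # not be what the baseline requires; report it for verification.
            deviations.append((name, None, f"not set, kernel default applies; expected {expected}"))
            continue
        try:
            value = int(raw)
        except ValueError:
            deviations.append((name, raw, f"not numeric; expected {expected}"))
            continue
        if not ok(value):
            deviations.append((name, raw, f"expected {expected}"))
    return deviations


# Constructed dump in the style of a parameter listing; not from a real system.
SAMPLE_DUMP = """
# constructed sample, system PRD
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_expiration_time = 90
login/no_automatic_user_sapstar 1
rdisp/gui_auto_logout = 0
"""

if __name__ == "__main__":
    for name, raw, why in validate(parse_dump(SAMPLE_DUMP)):
        print(f"{name}: actual={raw!r}; {why}")
```

Against the constructed dump, four of the six parameters deviate: the password length and lock threshold are too lax, the GUI auto-logout is disabled, and the RFC authority check is not set at all. In practice the baseline would be the customer's own hardened version of the Security Baseline Template, and the same comparison would run after every change, in keeping with the "Consistency" principle above.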
On a technical level, network ports and the clients through which end users access SAP applications, whether from the desktop in the office, from the home office or on the move via tablet or smartphone, are popular targets for attacks. In addition to regular and necessary user training, intrusion detection and prevention systems (IDS/IPS) can help to detect and ward off attempted attacks. And, of course, the security team must monitor the information on such attempts and initiate measures to permanently prevent them.
SAP tools thus provide a solid foundation for the security of SAP systems, but they reach their limits in the face of individual business requirements and increasingly sophisticated cyber threats.
Unfortunately, SolMan can only partially overcome these limitations with its monitoring functions; after all, it was never intended as a security solution. Furthermore, it does not offer live monitoring and limits monitoring to the SAP applications; it does not keep an eye on the infrastructure, interfaces and data flows from and to peripheral systems.
Take control
The ideal solution would therefore be a monitoring solution that covers everything from infrastructure and network to SAP Basis, applications and databases. A solution that reads and provides all security-relevant information - including from third-party security solutions - independently detects security-relevant incidents in the manner of incident management, triggers alarms above defined threshold values and immediately initiates security measures such as withdrawing authorizations, interrupting access or terminating transactions. A solution that issues the necessary authorizations in the event of a disaster, and only then, and withdraws them again promptly once the problem has been resolved. And all of this, of course, automatically and around the clock.
Risk assessment, identity management, authorization management in the event of a disaster, single sign-on, comprehensive monitoring, patch and incident management and finally the whole bouquet of security products from firewalls to malware and ransomware protection to intrusion detection and prevention and more - the list of central security components is long. In order to manage and apply them from a central location, it is advisable to set up a Security Operations Center (SOC) that works around the clock and in which all security-relevant information flows together via a central monitoring solution.
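The core mechanism of the monitoring solution described above, thresholds on a stream of security events that trigger an alarm and an automated response, can be shown in a few dozen lines. The following is an added example for this article, not the article's own material and not any vendor's product. The event stream is constructed, the event names are generic labels rather than SAP Security Audit Log codes, and the response hooks only record what they would do (lock a user, notify the SOC, terminate a session and revoke an authorization) instead of calling into a real system.

```python
"""Threshold alerting over security events with automated response hooks.

Added example for this article; not code from its author or any vendor.
Events, rules, thresholds and the response actions are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    sid: str
    user: str
    kind: str          # generic labels: LOGON_FAILED, AUTH_CHECK_FAILED, DEBUG_CHANGE


@dataclass(frozen=True)
class Rule:
    kind: str
    threshold: int     # alert when this many events fall inside the window
    window: timedelta
    action: str        # name of the response hook to run
    prod_only: bool = False


PROD_SIDS = {"PRD"}   # assumption: which system IDs are production systems

# Constructed rule set: brute-force logons, authorization probing, and any
# debugging with changes in production (threshold 1 = alert immediately).
RULES = [
    Rule("LOGON_FAILED", 5, timedelta(minutes=10), "lock_user"),
    Rule("AUTH_CHECK_FAILED", 20, timedelta(minutes=5), "notify_soc"),
    Rule("DEBUG_CHANGE", 1, timedelta(0), "terminate_and_revoke", prod_only=True),
]


class Monitor:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.windows = defaultdict(deque)   # (rule index, sid, user) -> timestamps
        self.alerts = []                    # (ts, sid, user, kind, count)
        self.actions = []                   # what the response hooks would have done

    def _respond(self, action, ev):
        # Stand-in for calling the SAP system / SOC tooling.
        self.actions.append((action, ev.sid, ev.user))

    def ingest(self, ev):
        for i, rule in enumerate(self.rules):
            if ev.kind != rule.kind or (rule.prod_only and ev.sid not in PROD_SIDS):
                continue
            q = self.windows[(i, ev.sid, ev.user)]
            q.append(ev.ts)
            while q and ev.ts - q[0] > rule.window:    # drop events outside the window
                q.popleft()
            if len(q) >= rule.threshold:
                self.alerts.append((ev.ts, ev.sid, ev.user, rule.kind, len(q)))
                self._respond(rule.action, ev)
                q.clear()                               # one burst yields one alert
        return self


def run(events, rules=RULES):
    """Feed events in time order and return the monitor with alerts and actions."""
    m = Monitor(rules)
    for ev in sorted(events, key=lambda e: e.ts):
        m.ingest(ev)
    return m


# Constructed sample stream; not real log data.
T0 = datetime(2024, 6, 1, 8, 0)
SAMPLE_EVENTS = (
    [Event(T0 + timedelta(minutes=k), "PRD", "NEWHIRE", "LOGON_FAILED") for k in range(6)]
    + [Event(T0 + timedelta(minutes=10 + k), "PRD", "CLERK", "LOGON_FAILED") for k in range(2)]
    + [Event(T0 + timedelta(minutes=15 + k), "PRD", "ANALYST", "AUTH_CHECK_FAILED") for k in range(3)]
    + [Event(T0 + timedelta(minutes=20), "DEV", "NEWHIRE", "DEBUG_CHANGE"),
       Event(T0 + timedelta(minutes=30), "PRD", "NEWHIRE", "DEBUG_CHANGE")]
)

if __name__ == "__main__":
    mon = run(SAMPLE_EVENTS)
    for alert in mon.alerts:
        print("ALERT", *alert)
    for action in mon.actions:
        print("ACTION", *action)
```

On the sample stream the monitor raises exactly two alerts: the fifth failed logon of NEWHIRE within ten minutes (the sixth starts a new window and stays silent), and the change-debugging event in PRD, which fires immediately while the identical event in DEV is ignored by the production-only rule. Two failed logons and three authorization failures stay below their thresholds, which is the point of thresholds: the SOC sees bursts, not every single event.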
This solution and control center should provide the same level of protection regardless of the specific deployment location of the SAP landscape, whether in the company's own data center, in the public cloud of SAP and hyperscalers or with a hosting partner.
No fear of managed services
Existing SAP customers should not shy away from using managed services if they need additional resources. A suitable partner should have in-depth SAP and security expertise and must also be able to demonstrate many years of practical experience. In addition, the service offering should be modular and seamlessly complement the customer's existing skills and resources, rather than replacing them in whole or in part. Open dialogue between the two sides creates the prerequisites for outsourcing tasks and for managing the required quality of the purchased services via agreements.
But perhaps the most important thing when choosing a service partner is their attitude towards security and compliance. Only if both sides share the same understanding and assume that the attacker is always already in the system can existing SAP customers achieve the goal of cyber resilience with the help of their partner - against all enemies, foreign and domestic.
The enemy is always already in the system
Why protection against external threats is not enough: In 2023, more than 2000 security vulnerabilities in software products were reported per month - 24 percent more than in the previous year - and 84 percent of all fraudulent emails were aimed at capturing access data. No less than 15 percent of the known vulnerabilities were classified as critical, and generative AI makes it increasingly difficult to distinguish fraudulent emails from legitimate ones. These are the key findings of the BSI report on security in Germany from November last year. Security vulnerabilities are not just the result of errors in the software code; they are often a consequence of the software architecture. In addition, modern systems and applications built for a networked world exist in all IT landscapes alongside legacy environments that date back to a time when they were isolated and external attacks were unthinkable. Mainframes, which live an almost eternal life at banks and telecommunications providers, are one example. But even with common business software, different generations exist side by side and cannot help but trust each other, for example by accepting certificates without checking them. Both internal and external attackers benefit from this, particularly through lateral movement, and thus penetrate from non-critical parts of the environment to the most sensitive areas.
Remain capable of action
In view of this situation, it would be wrong to focus solely on threat defense. It is just as important to remain capable of acting in the event of a successful attack. Cyber resilience is therefore the order of the day, as the BSI rightly writes. What does this mean for existing SAP customers? They should start from the premise that "the enemy is already in the system", coming from within in around a third of cases and from outside in two thirds. Resilience does not start with securing SAP applications but with the infrastructure, extends to interfaces and data flows from and to peripheral systems, and manages the unavoidable compromise between practicability and the highest possible level of security. In addition, it enables existing SAP customers to take full responsibility for security and compliance at all times, even in the event of a threat, both in their own data center and in the public cloud. This requires complete transparency and seamless monitoring at all levels, as well as close collaboration and communication between the SAP and security teams. Unfortunately, this is often precisely what is lacking.
How risks to SAP security arise
Growing lack of transparency: In most companies, SAP landscapes are the result of years of expansions, changes and in-house developments. Companies have been bought and sold, business units merged and newly established, plants and branches closed and new ones opened. And each time, IT had to map the organizational changes and the wishes of the specialist departments in SAP, the third-party systems and the infrastructure - in addition to daily operations such as installing updates and patches, managing authorizations, maintaining the infrastructure and interfaces, maintaining security solutions, etc.
Historically grown SAP and IT landscapes are enormously complex, and employees are scarce. Staff turnover in IT and the specialist departments does the rest. Authorizations are maintained only incompletely; not all changes, systems and settings are documented; there is too little time for the necessary further training and exchange of information; and colleagues who leave the company take their knowledge with them to their new employer or into retirement. This applies not only to the SAP Basis teams, but also to the security teams, who likewise struggle to keep pace with the changing state of technology and to continuously acquire the necessary skills. Furthermore, in many cases they are responsible not only for IT security, but also for compliance.
... encounters staff shortages
What's more, SAP security teams often use a motley assortment of individual tools that are not integrated with one another and are sometimes even operated manually. This is not very efficient and carries the risk that security vulnerabilities are only discovered after a considerable delay. Cyber criminals exploit this mercilessly to compromise and paralyze SAP software at both the infrastructure and application level or to steal business-critical data.
In other words, the lack of transparency, knowledge and personnel regularly leads to at least partial ignorance of the areas of the IT and SAP landscape that are particularly worthy of protection and, as a result, to an excessive focus on external threats and, conversely, to a systematic underestimation of internal risks.