Why we need a NextGen of SAP Security
It all depends on the combination
Anyone who wants to adequately detect attacks on SAP systems today and defend against them at an early stage - in other words, increase their resilience - must consider application and network security at the same time. Only then can next-generation SAP security be created. SAP is no longer a monolithic block. User-centric devices and IoT devices interact with SAP and third-party applications, which sometimes run in the cloud, sometimes on-premises.
SAP refers to such interwoven hybrid ERP landscapes when it talks about the "intelligent enterprise." So things are getting more complex, and that doesn't make things any easier for security managers. As a result, the IT landscape becomes opaque, and the risk of a security gap being overlooked, or even existing for a long time, increases. To the same extent, the risk of a successful attack also increases. The number of potential entry points has simply become much larger.
Security managers need an open and scalable security architecture that keeps pace with the growing attack surface and provides a high level of protection against internal and external attacks. Security for hybrid IT landscapes must be based on a multi-layered structure, built like layers of an onion. The individual components in it work together intelligently, absorbing as well as compensating for attacks and evaluating all the information needed to assess an incident. Ideally, these functions would all be available in one platform. Until now, lines of defense have tended to exist in isolation and have not been interconnected. Today, you can't get very far with this traditional security approach. In the next generation, intelligent components integrate and share information to assess incidents. An intelligent firewall detects and blocks attacks on SAP by examining data packets and intercepting dangerous payloads in TCP/IP traffic.
Virtual patching of SAP security vulnerabilities can take place at the infrastructure level. In this case, an attempt to exploit an already published SAP vulnerability is detected by a NextGen firewall and redirected or blocked before the attacker reaches the valuable SAP system. This approach is particularly recommended when highly critical SAP security advisories (SNotes) cannot be implemented in a timely manner because systems are too complex for rapid patching or the testing effort would be too high in the short term.
In any case, companies must always assume that every application (and therefore every SAP system) contains serious security vulnerabilities that cannot be closed because no patch is available - the infamous zero days. The more comprehensive the understanding of what is considered an SAP attack surface (not just the ERP alone), the lower the risk of zero days being exploited - and the higher the resilience. A core feature of NextGen SAP Security is therefore the growing role of network security within holistic SAP protection. All components for securing SAP systems work together intelligently and automatically. Cyber attacks on SAP systems can be detected at a higher level and defended against if necessary. If this is not possible, the subsequent security layers are at least informed about an incident so that the next line of defense is forewarned and can act effectively. Cybersecurity is a team sport - not only on the side of the attackers, but especially within the lines of defense.
Classic authorization concepts no longer offer sufficient protection in hybrid landscapes and can therefore only be regarded as one part of SAP security. There is more to it than that: hardening and monitoring of configuration slots, regular security updates, checking customer developments for problematic code, checking the transport system, and seamless security monitoring.