The global and independent platform for the SAP community.

Why we need a NextGen of SAP Security

Defending against cyberattacks on SAP systems means more than just protecting the ERP system alone. The threat potential of networked companies and hybrid SAP landscapes requires a holistic approach.
Christoph Nagy, SecurityBridge
21 December 2022
it security header
avatar
This text has been automatically translated from German to English.

It all depends on the combination

Anyone who wants to adequately detect attacks on SAP systems today and defend against them at an early stage - in other words, increase their resilience - must consider application and network security at the same time. Only then can next-generation SAP security be created. SAP is no longer a monolithic block. User-centric devices and IoT devices interact with SAP and third-party applications, which sometimes run in the cloud, sometimes on-premises. 

SAP refers to such interwoven hybrid ERP landscapes when it talks about the "intelligent enterprise. So things are getting more complex, and that doesn't make things any easier for security managers. As a result, the IT landscape becomes opaque and the risk of a security gap being overlooked (even existing for a long time) increases. To the same extent, the risk of a successful attack also increases. The number of potential entry points has simply become much larger.

Security managers need an open and scalable security architecture that keeps pace with the growing attack surface and provides a high level of protection against internal and external attacks. Security for hybrid IT landscapes must be based on a multi-layered structure, built like layers of an onion. The individual components in it work together intelligently, absorbing as well as compensating for attacks and evaluating all the information needed to assess an incident. Ideally, these functions would all be available in one platform. Until now, lines of defense have tended to exist in isolation and have not been interconnected. Today, you can't get very far with this traditional security approach. In the next generation, intelligent components integrate and share information to assess incidents. An intelligent firewall detects and blocks attacks on SAP by examining data packets and intercepting dangerous payloads in TCP/IP traffic.

Virtual patching of SAP security vulnerabilities can take place at the infrastructure level; in this case, the attempted attack of an already published SAP vulnerability is detected by a NextGen firewall and redirected or blocked even before the attacker reaches the valuable SAP system. This approach is particularly recommended when highly critical SAP security advisories (SNotes) cannot be implemented in a timely manner because systems are too complex for rapid patching or the testing effort would be too high in the short term.

In any case, companies must always assume that every application (and therefore every SAP system) contains serious security vulnerabilities that cannot be closed because no patch is available - the infamous zero days. The more comprehensive the understanding of what is considered an SAP attack surface (not just the ERP alone), the lower the risk of zero days being exploited - and the higher the resilience. A core feature of NextGen SAP Security is therefore the growing role of network security within a holistic SAP protection. All components for securing SAP systems work together intelligently and automatically. Cyber attacks on SAP systems can be detected at a higher level and defended against if necessary. If this is not possible, the following security layers are at least informed about an incident so that the next line of defense is forewarned and can act effectively. Cybersecurity is a team sport - not only on the side of the attackers, but especially within the lines of defense.

Classic authorization concepts no longer offer sufficient protection in hybrid landscapes and can therefore only be regarded as part of SAP security. There is more to it than that: hardening and monitoring of configuration slots, regular security updates, checking customer developments for problematic code, checking the transport system, and seamless security monitoring.

SecurityBridge

avatar
Christoph Nagy, SecurityBridge

Christoph Nagy is Managing Director at SecurityBridge


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 20, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.