SAP systems are not 100% secure out of the box. There are critical services that are still active by default. Ivan Mans, CTO and co-founder of SecurityBridge, explains how enterprises can protect their SAP deployment and manage vulnerabilities better.
Fact: Over 40,000 SAP systems are exposed to the internet, according to Onapsis research. To underscore this, VoltDB has shown 1,500 known vulnerabilities for these systems, and over the last three years this number has continued to grow. This pattern is an increasing SAP cybersecurity threat. So what’s the solution to this growing problem?
Identity and access control management and visibility are critical for securing SAP. Since 2010, SAP has had a streamlined process for its security patches: every second Tuesday of the month, patches are released to the public. In addition, SAP also publishes security guidelines. But the 2021 edition of these guidelines runs to 840 pages, and nobody has the time to sift through all of them to retrieve the information relevant to their own SAP installation. Beyond the guidelines and patches, the company also has a portfolio of products that help secure and monitor the application stack for vulnerabilities and exploits.
These default exposures include systems where audit logging is not enabled and systems that lack any concept of an application firewall. There are also SAP systems with very weak password policies, which exacerbate these vulnerabilities. Remember: if there is no API gateway protection, there is no endpoint security.
Take the Team Approach
Because SAP systems are fully integrated into nearly every facet of an organization, they require dedicated cybersecurity monitoring. This can be provided by a specific security team or by special attention from an existing cybersecurity team. Either way, you’ll need 24x7 cybersecurity teams able to execute SAP incident response actions the same way they do on any other system in your environment.
Today we see more advanced threats, such as zero-day vulnerabilities being exploited, advanced persistent threats, and targeted spear-phishing that seeks to exploit the access of an admin account or other superuser accounts. Hardening an SAP system is always a team effort, which should involve infrastructure and system architects, the GRC team, the authorization management team, and developers.
Bringing all cybersecurity teams together across the entire infrastructure landscape is extremely important. The shared security model defines who’s responsible for different areas of the cloud and the physical infrastructure, all the way through to the application stack. This model should also contain deep-packet inspection, HTTP inspection, endpoint security, and container responsibilities.
Sharing the Onus of Security
Why is shared security so important? Consider this: it’s 2 am, and you have received an incident on a Windows server or a Linux server in the data center. Of course, you know exactly what to do: you disable accounts and quarantine those machines, among other procedures.
But if an incident happens with your SAP system, many organizations experience the deer-in-the-headlights syndrome. This is because, in the best case, they may be seeing it only from the OS layer, but they can’t execute a fix in the same manner as they can with their Windows or Linux servers. This is precisely why the cybersecurity teams and, in many cases, the compliance teams need to be unified around the SAP landscape.
The fact is that most people still underestimate the complexity of SAP and the importance within the organization of shielding it from both external and internal risks. There are SAP customers running years behind in applying critical patches, patches that eliminate publicly known exploits.
SAP remains a bit of a special application from a security perspective because the security apparatus needs to be SAP-aware. It is easy to oversimplify it when you look at it as a black box. But when you start taking it apart into its components, it has its own communication protocol and messaging bus. You have to be aware of that and understand how threats can persist in this specialized environment.
SAP Security Considerations
You want to apply network security at the perimeter for North-South inspection at critical points such as the SAP router extranet gateways. Then consider internal segmentation for East-West inspection: segmenting user connections from direct database access and messaging servers, and between application servers and other landscapes. Most important, don’t forget pre-production and production environments within your SSID.
However, when implementing these security procedures, be aware of how this may impact transaction times. You can’t necessarily throw all sorts of inspections in front of databases; you have to do that in a smart, very low latency way. For that reason, consider an Application Delivery Controller. This device communicates directly with the message server to get application targets and provides a web application, API protection, and load balancing in a single function—improving both security and performance.
SAP In The Cloud
When you talk about moving to a public cloud such as AWS, Google, Microsoft, or others, most companies are still running internal applications alongside their new cloud environment. So that puts these organizations in a hybrid cloud infrastructure model. There are things to consider in terms of shared responsibility, visibility, policy, and context management, such as:
- How are the logs managed across multiple clouds and data center sources?
- How will disaster recovery be designed and managed?
- Who will have access to the cloud tenancy?
Choosing the Right Path
Managing these SAP environments and their expanded attack surfaces (cloud) puts a lot of strain on the competencies of the SAP admin, the IT infrastructure, and cybersecurity operators. The IT security infrastructure teams need to be unified for a rapid and collective response—applicable to all application vulnerabilities. However, finding IT individuals who understand cloud and SAP competencies is challenging.
Fortunately, some solutions provide automation to fill technical team skill gaps. These solutions include automated segmentation in the environment and intent-based security that can pull out infrastructure data to provide better visibility across on-prem and hybrid cloud models.
In a tiered, transitional SAP deployment, the infrastructure security must be flexible enough to handle both HTTP and RFC protocols. With Fortinet and SecurityBridge, companies have a combined platform approach that addresses the IT skill and visibility gaps, regardless of which SAP version the customer runs or which cloud provider they choose.