SAP is the software backbone of most organizations, running ERP, HR, supply chains, and other vital company parts. Ninety-nine of the world’s largest companies run SAP, and many customize the system to meet their specific needs. Unfortunately, this customization involves thousands of configurations, often leading to misunderstandings regarding who is responsible for the entire system’s security.
SAP’s internal development and custom-coding abilities make it quite versatile. However, the customization abilities also create a silo view of a specific SAP installation – a dramatic departure from the reality that it’s one software application divided into sections for individual business needs. This silo mentality makes it difficult to assign IT security responsibilities. Further complicating this situation, it’s not easy to bring the existing information security practices to individual departments and request standard implementations.
Patching for SAP is unlike a Windows update, where boxes are checked, and the software is automatically deployed. Instead, each interface from the multiple stacks needs to be considered to understand which configurations exist to accomplish a solid hardening. Malicious activities such as data manipulation or unauthorized extraction can be discovered with this knowledge.
Achieving a secure SAP state is difficult because organizations need to be more agile rather than run on industrialized release concepts. SAP security cannot be delegated to quarterly updates; routine maintenance must be established. Patches must be tested and brought to the business teams to ensure core processes are not affected before the correction can be deployed to the production stack.
Hackers will exploit known vulnerabilities, so SAP patches must be completed immediately. Every second Tuesday of the month, SAP has its SAP Security Patch Day, where they release security-related corrections for their product portfolio. In addition to security hygiene of regularly applying patches, a clear SAP security policy must be developed to gain actionable insights into the ever-present risks. Companies should use a risk-based methodology to understand that they need to classify which data is confidential, which specific SAP system is secret, and what would happen if someone steals information from the system. Appropriate security measures must be applied to all these areas.
There are also emergency patches to contend with, such as the recent incident with Log4j, which allows malicious attackers to execute code remotely on any targeted computer. There was no pre-established playbook for this particular patch; immediate choices had to be made based on individual use cases, and it had to be done before the following scheduled downtime. Many patches also require manual pre- and post-operations, which can only be executed by professional service personnel.
Out-Of-The-Box SAP Security Is Ineffective
Cybercriminals are skilled at using unsecured apps to their advantage, and many businesses are unaware that their network security measures are porous. As a result, endpoints, networks, and backups are the main focus areas for conventional security solutions. While these are necessary to monitor, they are insufficient to stop successful attacks, particularly regarding SAP. Therefore, safeguarding SAP applications with real-time monitoring is essential.
Active content within SAP systems is vulnerable, as malware can be embedded in files and cause a specific action to occur each time the file is viewed. Among these dangerous malware activities are macros, a common means to spread ransomware like Locky, WannaCry, Ryuk, etc.
A virus-scanning and content-security interface called NW-VSI was developed by SAP and is integrated right into the application infrastructure. But SAP is a complex environment that still needs regular patching and frequently has custom code for which there are no available patches. Additionally, attackers understand how challenging it is to track down malware in massively complex, interconnected systems.
SAP mapping can identify one of the known primary vulnerabilities. Every file extension is mapped to a MIME type by SAP’s content mapping (MIMETYPES-table). As a result, a file with a PDF extension will always look like a PDF file, even though the system can be tricked by changing file extensions. Unfortunately, many businesses need to know that executable content can be maliciously disguised and uploaded to their SAP systems.
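The gap between what an extension claims and what a file contains can be checked at upload time. The following Python example is added here and is not SAP's or the author's code: it compares the MIME type from an extension-based table with the file's leading bytes and container contents, and flags executables and macro-bearing Office files. The table entries, function names and finding labels are assumptions made for illustration.

```python
import io
import zipfile

# Constructed extension-to-MIME allowlist (assumed entries, not SAP's table).
DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
EXT_TO_MIME = {"pdf": "application/pdf", "png": "image/png",
               "docx": DOCX, "txt": "text/plain"}

# Leading magic bytes of a few well-known formats.
MAGIC = [(b"%PDF-", "application/pdf"),
         (b"\x89PNG\r\n\x1a\n", "image/png"),
         (b"MZ", "application/x-msdownload"),       # Windows PE executable
         (b"\x7fELF", "application/x-executable"),  # Linux ELF executable
         (b"PK\x03\x04", "application/zip")]        # ZIP container, incl. OOXML
EXECUTABLE = {"application/x-msdownload", "application/x-executable"}

def sniff(data):
    """Return (mime, has_macros) derived from the bytes, not the file name."""
    mime = next((m for magic, m in MAGIC if data.startswith(magic)), None)
    macros = False
    if mime == "application/zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return mime, False
        if "word/document.xml" in names:
            mime = DOCX
        macros = any(n.endswith("vbaproject.bin") for n in names)
    return mime, macros

def check_upload(filename, data):
    """Compare what the extension claims with what the content is."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TO_MIME.get(ext)
    detected, macros = sniff(data)
    findings = []
    if declared is None:
        findings.append("extension-not-allowed")
    elif detected != declared and not (declared == "text/plain" and detected is None):
        findings.append("type-mismatch")
    if detected in EXECUTABLE:
        findings.append("executable-content")
    if macros:
        findings.append("active-content-macro")
    return findings

if __name__ == "__main__":
    print(check_upload("invoice.pdf", b"MZ\x90\x00"))  # constructed sample input
```

An empty list means the content matches what the extension claims and no active content was found; any finding is a reason to quarantine the upload for a closer look.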
SAP In The Cloud
There are benefits to moving workloads and apps to the cloud, including eliminating some troublesome maintenance contracts for on-premise hardware and software and freeing up on-site computing resources for other applications businesses wish to maintain close to home. But as necessary data leaves the building and moves to the cloud, there is a more significant requirement for ongoing oversight and deep operational insights; security is crucial to these off-site operational insights.
Security is still the owner’s responsibility, even though an application is now hosted by a cloud provider (no matter how large they are). Remember that not all responsibility for informing clients of internal breaches rests with the cloud host, implying that cloud users are still responsible for cybersecurity oversight. Gartner underscores this notion by stating that “Through 2025, 99 percent of cloud security failures will be the customer’s fault.” The lesson to be learned from this is that not all aspects of cybersecurity can be outsourced, and shared cloud resources clash with ultimate accountability.
Organizations should exercise extra caution when moving mission-critical programs to the cloud, including SAP’s software, as this exposes them to significant cybersecurity threats such as unauthorized data access, account takeover, and data loss.
In practice, SAP system installs, SAP upgrades, and S/4HANA migrations are now more commonly cloud-based than on-premises. Although these SAP cloud implementations increase scalability and agility, they also widen the potential attack surface. It is not a novel idea to move SAP to the cloud; in fact, SAP is undergoing a corporate change to become a cloud provider. As a result, many of their new SAP applications are frequently introduced as cloud services initially and afterward as on-premises solutions.
When firms shift their SAP applications to a cloud provider, they are entrusting their mission-critical program to someone else, which necessitates increased cybersecurity monitoring to guarantee the provider manages it with care. The customer must also have a process in place to comprehend what actions are occurring in the hosted SAP system. Some cloud providers offer a monitoring service, but the client’s strategy must be in place first.
Automate For Efficiency
Manually applying patches and assessing risks is a constant challenge for SAP customers. To properly keep SAP systems up to date, every department utilizing it needs an SAP expert on staff; unfortunately, this is not feasible. Experienced SAP experts are difficult to find and expensive to hire. To overcome this issue, organizations are turning to SAP Security Platform providers that utilize integrated real-time solutions for constant monitoring to differentiate between accurate results and false positives so that security teams can better focus on real issues. These out-of-the-box solutions can also discern whether a vulnerability will occur and detect configuration glitches or open loopholes within the security posture.
Most importantly, these constant monitoring solutions can translate specific SAP information into a universal understanding, so security teams from every department can utilize the data. With this information, a unified SAP security program can be established, with a clear roadmap following other security measures.
Building An Effective SAP Security Strategy
By gaining access to SAP, risk managers may evaluate and keep track of various potential threats. In addition to supplying managers with ongoing information for their organizational strategies and compliance procedures, it allows them to monitor risk violations to their company’s data. However, risk managers are just some of the individuals who must develop SAP’s security strategy. The SAP security responsibility necessitates a team environment to become familiar with interfaces, business processes, and data classification.
The team environment will enable a cooperative exchange of crucial information about who, where, and what is happening. Risk managers must collaborate closely with all SAP system-related employees. This plethora of data gives risk managers visibility into the company’s SAP processes, covering most business tasks and keeping an eye on the controls that can be applied to each process function.
Because SAP’s apps hold much business intelligence, cybercriminals target them. Due to a lack of procedures for checking uploaded files (internally and externally) for vulnerabilities, the door is wide open to anything from financial payment information to employee names and social security numbers. In addition, unstructured content remains a wide-open door for cybercriminals.
However, the structure of SAP systems is often unknown to most IT security personnel who seek access. Because well-intentioned but incorrect IT changes may affect numerous business-critical operations, this lack of familiarity remains problematic. Therefore, knowledgeable stakeholders must continually survey the SAP system to ensure an efficient hardening process.
Implementing the right SAP security monitoring solution will address the patching and system hardening issues that native SAP security does not handle. No matter how frequently hackers alter their attack vectors, a good third-party SAP security solution can discover anomalies, prioritize alerts, and report on the mitigation progress. Most importantly, these systems will prioritize the most critical patches from the frequently suggested patches so that SAP administrators can focus on addressing urgent issues first.
Cybersecurity should never be an afterthought, and SAP systems are mission-critical business applications that need purpose-built security solutions. Although there are many well-intentioned IT administrators, SAP is specialized software that requires at least a knowledgeable staff and often expert assistance from third-party vendors and their software solutions.
Christoph Nagy is a founding member and CEO at SecurityBridge, a global SAP security provider.