In an earlier blog article, we already demonstrated what vulnerabilities there are in SAP systems and how these systems can be effectively made secure against attack. The most common vulnerabilities include weak security configurations and excessive administrative authorisations. Sounds familiar? In this article, you will learn how to make verifying your SAP application’s security system on the ABAP stack child’s play.
Securely configuring and appropriately designing IT authorisations in an SAP system is a complex undertaking. It is no wonder then that many administrators do not manage to attain an appropriate level of security – not to mention the experience and extensive expertise required. A great deal of manual effort is required to develop a qualified statement on the risk profile of an SAP system within the framework of security audits. Often, expensive experts have to be hired in to carry out this task. In this article, we show you how this can be done in a much simpler and more cost-effective way.
5 reasons for professional management of SAP vulnerabilities
First, let’s go back to basics: why do you need to deal with effective vulnerability management in the SAP environment at all? We recommend the following five points.
- Current market conditions are accelerating digital transformation
The changing market conditions prevailing in recent years have been rapidly driving digital transformation in corporate processes. This effect has been reinforced by the Covid-19 pandemic. In the past, SAP experts had the ability to build multiple layers of security and control them independently. This paradigm is now shifting, with SAP infrastructures moving into the cloud. This shift potentially brings with it new security vulnerabilities as systems increasingly have external connections. The growing demands for shorter development and deployment cycles with the same resources open up new risks for the systems.
- Transfer to the cloud leads to vulnerabilities in business-critical applications
In recent years, corporate attitudes to outsourcing workloads to the cloud have changed dramatically. After some initial scepticism about this previously untested service architecture, this general attitude has undergone significant change. The business-critical SAP landscape has also been affected by this shift. In the transformation projects that we are involved in, we repeatedly find that the “1:1 migration” approach is chosen, which definitely entails risks and fails to adequately take into account security best practice that has been adapted to cloud environments. For example, unnoticed, generally known standard users and their passwords could exist, and these could be exploited by attackers with no in-depth technical knowledge of SAP for carrying out malicious activities. The risk of this vulnerability being exploited can be potentially multiplied by the network-side openings.
- The incidence of attacks on core applications has been on the rise for several years now
Since 2016, the Department of Homeland Security Cyber and Infrastructure Security Agency (CISA) has published 5 US-CERT alerts for mission-critical applications. Leveraging these vulnerabilities can lead to everything from the theft of sensitive data to a complete shutdown of core processes*. Even in companies where there is high awareness of these risks, implementing effective SAP vulnerability management is a major challenge. This is because often, there is a very short time between discovering a vulnerability and the availability of a working exploit. According to the SAP security expert Onapsis, it takes just 24 hours from discovering a vulnerability to attackers actively scanning for affected systems. A working exploit can be available after just 72 hours**. Many companies do not have processes, human resources or tools in place that can respond to vulnerabilities at this accelerated pace.
- Existing defence-in-depth strategies do not adequately protect core applications
Since the very beginning of the transformation of business applications into the Cloud, we know that the traditional “fortress principle”, whereby core applications are supposed to be protected by the strongest possible security mechanisms, is no longer capable of providing adequate protection in the Cloud. Even so, this model should not be completely abandoned, as a lack of security mechanisms in the “outer” security perimeter can lead to the creation of a gateway for attackers to enter the environment. This subsequently enables attackers to move laterally inside the network and locate the “crown jewels” in core applications. This is why many organisations rely on vulnerability scanning solutions to detect weaknesses in the IT infrastructure. These solutions are able to identify vulnerabilities, assess the risks arising from them and offer proposals for mitigation. Traditionally, these solutions cover a wide range of systems, but are ineffective for detecting vulnerabilities such as misconfigurations, over-authorised roles or absent security patches in business applications.
- Even the best SAP security teams are faced with ever-growing workloads, while resources stay the same
The demand for protecting core applications is steadily growing for the reasons already mentioned above. However, the financial resources for security experts in the SAP environment are generally limited. Every month sees the publication of countless security vulnerabilities with different levels of criticality and for a variety of SAP system components. This makes the task of effective vulnerability management hugely difficult, especially when multiple systems are being managed. This can result in patches not being properly assessed and applied with the priority required, or wide-ranging authorisations being granted because there is not enough time to develop appropriate authorisation roles. In many cases, SAP applications contain data that is vital to the organisation’s survival, so vulnerability exploitation can have major consequences.
Everything under control thanks to SAP Application Security Managed Service
Hopefully you can now understand more easily why vulnerability management is crucial in the SAP environment. All the same, for the reasons outlined above, professional implementation is no simple undertaking. This is exactly why we have developed the SAP Application Security Managed Service for our customers, in order to provide you with a cost-efficient overview of your SAP system security on the ABAP stack, and to be able to benefit from the following results:
- You will get an overview of how the security-related configuration of the SAP systems is designed.
- You will know the users, the basic authorisations assigned to them and can assess whether these authorisations are appropriate.
- You can recognise risks in your SAP landscape.
- You will receive a comprehensive external risk assessment from SAP security experts with risk-based measures and recommendations.
- You will receive informative dashboards for the management.
Unique insights into your SAP security in 5 simple steps
Get a unique insight into the design of security controls and basic authorisations in your central ERP system following the 5 steps described in the picture.
Within hours, you get a qualified statement on the design of the security controls and the assignment of the critical SAP basic authorisations. This service can subsequently be converted into an SAP Security Reporting Service, meaning that additional consulting services are not required. This means that the service is even more cost-effective and gives you the opportunity to continuously monitor your SAP systems’ security.
SAP security made simple
What was once a complex task of assessing and evaluating your central ERP systems’ security becomes just a routine task. Thanks to a high level of automation, InfoGuard can effectively support you in identifying a significant risk factor in your IT landscape and in highlighting any risks to your management, who can then deal with them effectively. Does that interest you? You can find all the details and the contact form here:
** Onapsis Threat Intelligence Report - Active Cyberattacks on Mission-Critical SAP Applications