It is interesting to watch the security world undergoing a dramatic change. The classic model of protecting the good SAP system against the evil outside with a good firewall, and relying on the closed SAP ABAP technology known only to the good guys, no longer lives up to its promise.

The old security assurance that SAP is so isolated and so exotic in the company network that nobody will ever enter the premises has been eroding over the last decade. Suddenly the Internet, the extranet and VPNs are all over the place, connected straight to the ECC core system. SAP hacking is a standard item on the program of any Black Hat convention.


While there are so many new security technologies in firewalls, appliances and software security frameworks, the security world at SAP is still old-fashioned. This is partly a tribute to the ever-growing complexity of the SAP ecosystem. The impression of living behind a secure wall in a secret garden is just a glorified view of the past.

It is easy to say “fix and harden the SAProuter and Web Dispatcher”. But what if you have thousands of routes and dozens of routers and web dispatchers? Just keeping them up to date all the time is a job in itself.


Customers need to learn to manage this complexity in a new way. I know a lot of SAP sites that are discussing continuous patching, upgrading, testing and enhancing. But this by itself is a daunting task. One of my larger customers has 60 SAP systems in one tier, all related and connected. Multiply this by three for the Dev, QA and PROD tiers and you have 180 machines. Tell me how to make “permanent changes” to this landscape and ensure maximum security while testing all 60 application systems in unison every time after patch day. In theory you can add unlimited resources, 24×7 uninterrupted strategies and an unlimited budget. Yes, then you can solve it. But in economic terms it is not feasible. It is the old economic story of limited resources and limited money to spend.


The first step in a new strategy for security is risk assessment. There was a great blog, “Balancing Danger and Opportunity in the New World of Cyber Domain”: Derek Klobucher’s summary of the keynote speech that Gen. Michael Hayden (retired NSA chief) gave to the attendants of the SAP Retail Forum 2013.

Hayden drastically stated the new security paradigm: “If you have anything of value, you have been penetrated,” Hayden said. “You’ve got to survive while penetrated — operate while someone else is on your network, wrapping your precious data far more tightly than your other more ordinary data.”

He basically stated that security is no longer about vulnerability alone. He introduced the formula that risk is always a value relative to your assets:




Risk = vulnerability × consequence.


This is the most important message for the near future for everyone involved in security: you need to manage risk, security risk at a point in time and over time.


That must be the goal, even more so for a system as critical as the central SAP system. The new security paradigm lives in real time, defending against frequent attacks, internal and external threats that try to capture or manipulate data. Organizations must face the new complexity, new organizational challenges and security risk management.
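As an added example (not code from the original post), here is the formula applied to a constructed landscape, tying it back to the budget question raised earlier: with capacity for only a couple of systems this patch cycle, which ones get patched and how much risk is left standing. The systems, note severities and weights are made up for illustration, and the scoring model itself (the worst open note, scaled up for Internet exposure, times a tier and data-classification weight) is this example's own assumption, not a formula from Hayden, SAP or the post.

```python
"""Risk = vulnerability x consequence across a constructed SAP landscape.

Added example, not code from the original post. The landscape, severities
and weights are constructed; the scoring model is an assumption of this
example, not an SAP or NSA formula.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SapSystem:
    sid: str                       # three-letter system id
    tier: str                      # "DEV", "QA" or "PROD"
    data_class: str                # "public", "internal" or "confidential"
    internet_facing: bool = False  # reachable from the Internet/extranet
    # CVSS-like severity (0-10) of each security note still open on this system
    open_note_severities: List[float] = field(default_factory=list)


# Assumed weights: what a compromise of the system would cost the business.
TIER_WEIGHT = {"DEV": 1.0, "QA": 2.0, "PROD": 5.0}
DATA_WEIGHT = {"public": 1.0, "internal": 2.0, "confidential": 4.0}
EXPOSURE_FACTOR = 1.5   # assumed: an Internet-facing hole is easier to reach


def vulnerability(system: SapSystem) -> float:
    """Severity of the worst open note, scaled up if the system is exposed."""
    worst = max(system.open_note_severities, default=0.0)
    return worst * (EXPOSURE_FACTOR if system.internet_facing else 1.0)


def consequence(system: SapSystem) -> float:
    """Consequence of a compromise, from tier and data classification."""
    return TIER_WEIGHT[system.tier] * DATA_WEIGHT[system.data_class]


def risk(system: SapSystem) -> float:
    """The post's formula: risk = vulnerability x consequence."""
    return vulnerability(system) * consequence(system)


def prioritize(landscape: List[SapSystem]) -> List[Tuple[str, float]]:
    """All systems ranked by risk, highest first (SID breaks ties)."""
    ranked = sorted(landscape, key=lambda s: (-risk(s), s.sid))
    return [(s.sid, risk(s)) for s in ranked]


def plan_patch_cycle(landscape: List[SapSystem], capacity: int) -> Tuple[List[str], float]:
    """Pick the `capacity` riskiest systems for this cycle.

    Returns the SIDs to patch and the residual risk: the summed risk of the
    systems that have to wait, i.e. what the limited budget leaves exposed.
    """
    ranked = prioritize(landscape)
    to_patch = [sid for sid, _ in ranked[:capacity]]
    residual = sum(r for _, r in ranked[capacity:])
    return to_patch, residual


# Constructed landscape: one ECC line across three tiers plus a BW and a PI.
LANDSCAPE = [
    SapSystem("PRD", "PROD", "confidential", open_note_severities=[9.8, 7.5]),
    SapSystem("QAS", "QA", "confidential", open_note_severities=[9.8]),
    SapSystem("DEV", "DEV", "confidential", open_note_severities=[9.8]),
    SapSystem("BWP", "PROD", "internal", open_note_severities=[6.1]),
    SapSystem("PIP", "PROD", "internal", internet_facing=True, open_note_severities=[8.8]),
    SapSystem("SLM", "PROD", "internal"),   # fully patched: no open notes
]

if __name__ == "__main__":
    for sid, r in prioritize(LANDSCAPE):
        print(f"{sid}: risk {r:6.1f}")
    to_patch, residual = plan_patch_cycle(LANDSCAPE, capacity=2)
    print("patch this cycle:", to_patch, "residual risk:", round(residual, 1))
```

The point of the ranking is what the formula changes: the same 9.8 note sits on PRD, QAS and DEV, yet DEV ends up below BWP's milder 6.1 because the consequence side is so much smaller, and the Internet-facing PI with a lower severity jumps ahead of QAS. With capacity for two systems the plan patches PRD and PIP and reports the risk the other four still carry, which is the number to take into the next cycle's budget discussion.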


And with the risk, you need to change security thinking from “defending walls”, as in medieval castles, to “pattern recognition”: an approach where you anticipate the next attack while it is building up. Here the technologies of Big Data, SIEM and artificial intelligence are emerging. In Germany, T-Systems and Telekom have a great real-life showcase: the “Advanced Cyber Defense Center” in Bonn. (Maybe I will write a blog about it one day.)
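As an added example (not from the original post, and not any SIEM product's code), here is the kind of pattern recognition the post is pointing at: correlating logon events from several SAP systems per source address, so that an attack sweeping across the landscape is spotted while it is still building up rather than after the first successful logon. The event lines are constructed in a simplified form, not real Security Audit Log records, and the correlation window and thresholds are assumptions of this example.

```python
"""Landscape-wide logon correlation: spot an attack while it builds up.

Added example, not code from the original post or any SIEM product. The
event format, thresholds and events below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed events in a simplified "ts|SID|user|source|result" form. They
# are not real SAP audit-log records; a SIEM would normalise the real
# Security Audit Log into something like this.
SAMPLE_EVENTS = [
    "2013-11-05T08:00:00|PRD|MUELLER|10.1.1.20|OK",
    "2013-11-05T08:01:10|DEV|SAP*|203.0.113.9|FAIL",
    "2013-11-05T08:01:40|DEV|DDIC|203.0.113.9|FAIL",
    "2013-11-05T08:02:15|QAS|SAP*|203.0.113.9|FAIL",
    "2013-11-05T08:02:50|QAS|DDIC|203.0.113.9|FAIL",
    "2013-11-05T08:03:30|PRD|SAP*|203.0.113.9|FAIL",
    "2013-11-05T08:04:05|PRD|DDIC|203.0.113.9|FAIL",
    "2013-11-05T08:05:00|PRD|DDIC|203.0.113.9|OK",
    "2013-11-05T08:20:00|PRD|SCHMIDT|10.1.1.21|FAIL",   # a typo, not an attack
    "2013-11-05T08:20:30|PRD|SCHMIDT|10.1.1.21|OK",
]

WINDOW = timedelta(minutes=10)   # correlation window (assumed)
FAIL_THRESHOLD = 5               # failures from one source inside WINDOW (assumed)
SPRAY_SYSTEMS = 3                # distinct systems probed from one source (assumed)
SUCCESS_AFTER_FAILS = 3          # failures that make a following success suspicious (assumed)


def parse_event(line: str) -> Tuple[datetime, str, str, str, str]:
    """Split one constructed event line into (timestamp, sid, user, source, result)."""
    ts, sid, user, source, result = line.strip().split("|")
    return datetime.fromisoformat(ts), sid, user, source, result


def correlate(lines: List[str]) -> List[dict]:
    """Run three detections over chronologically ordered events.

    Failures are tracked per source address across ALL systems, which is what
    turns a couple of harmless-looking events per system into one
    landscape-wide alert before the attacker gets in.
    """
    alerts: List[dict] = []
    recent_fails: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    fired = set()   # (source, kind) pairs already reported, to avoid alert storms

    def raise_alert(kind: str, ts: datetime, source: str, **extra) -> None:
        if (source, kind) in fired:
            return
        fired.add((source, kind))
        alerts.append({"kind": kind, "at": ts.isoformat(), "source": source, **extra})

    for line in lines:
        ts, sid, user, source, result = parse_event(line)
        window = recent_fails[source]
        while window and ts - window[0][0] > WINDOW:   # expire failures outside the window
            window.popleft()

        if result == "FAIL":
            window.append((ts, sid))
            probed = sorted({s for _, s in window})
            if len(window) >= FAIL_THRESHOLD:
                raise_alert("BRUTE-FORCE", ts, source, failures=len(window), systems=probed)
            if len(probed) >= SPRAY_SYSTEMS:
                raise_alert("LANDSCAPE-SPRAY", ts, source, systems=probed)
        elif result == "OK" and len(window) >= SUCCESS_AFTER_FAILS:
            # A success on the heels of a failure run is the moment the attack
            # arrives: the guessed account on that system is the one to lock.
            raise_alert("SUCCESS-AFTER-FAILURES", ts, source,
                        sid=sid, user=user, failures=len(window))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Each system on its own sees only two failed logons against SAP* and DDIC, below any sensible per-system threshold. Only the per-source view across the landscape raises the brute-force and spray alerts at the fifth failure, while the attacker is still on PRD's doorstep, and the subsequent success as DDIC on PRD is the event worth paging someone for. The single SCHMIDT typo produces nothing.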


Yes, this is a very complex and demanding world. And this is why even big companies need to talk, act and cooperate on security issues.

But this is the topic of my next blog: “Quantum Dawn – What SAP Data Centers can learn from SIFMA war games”.


Just relying on your good old firewall is a thing of the past.


5 Comments


  1. Andreas Wiegenstein

    You are picking up several important aspects of today’s (and future) SAP security threats and tasks.

    I, too, believe that monitoring a multitude of complex systems like a multi-tier SAP landscape is a task companies can no longer accomplish manually.

    SAP customers need tools that have the ability to perform security checks across the entire SAP landscape in a continuous way.

    But this is still not enough: tools that merely report bugs are also no longer sufficient. What is an administrator supposed to do with a SAP landscape threat report, listing 1000+ issues? Even if they are correctly ranked.

    The industry / SAP customers need tools that have the ability to perform security checks across the entire (SAP) landscape in a continuous way AND at the same time provide a means to fix any detected vulnerabilities in an automated fashion or to at least shield the vulnerabilities long enough to give an administrator the time to take proper action.

    Continuous monitoring combined with automated correction technology is the future in security. The first such solutions already exist.

    1. Holger Stumm Post author

      Hi Andreas,

      thanks for the comment. You raised one important point:

      Andreas Wiegenstein wrote:

      ..industry / SAP customers need tools that have the ability to perform security checks across the entire (SAP) landscape in a continuous way AND at the same time provide a means to fix any detected vulnerabilities in an automated fashion or to at least shield the vulnerabilities long enough to give an administrator the time to take proper action.

      Yes, this is very important. The complexity today reaches a level where even the best admin department does not have the time to understand and manage these ever-changing new security requirements and threats.

      You need to build up a strategy based on technologies like pattern-based recognition (like IBM QRadar) or managed zones (the example I mentioned by T-Systems) or like Akamai. But there is no “one size fits all” security strategy. It is something that needs to be developed based on specific risks and overall corporate strategy.

      thx hs

  2. Maaike Duchateau

    I agree with both of you. In order to get and keep control over the SAP landscape you need to constantly balance preventive security controls versus detective security controls; you constantly need to re-assess, through risk assessments, where that balance is. A threat that could be sufficiently mitigated through a detective control since the impact was low might at some point become so critical that it requires preventive measures.

    Especially in large, complex and/or critical landscapes, it is a very challenging and complex activity to keep repeating risk assessments, patch environments where required and possible, and at the same time ensure that both the individual SAP environment and the full landscape remain secure enough.

    Automated patching, or indeed at least being able to provide a shield, is a must-have. Looking at the currently tedious job of securing SAP environments through individual security notes that need to be implemented manually, and the amount of time spent on analysis of log files to create access control lists, I think to be honest that – although much has improved in the last two years – there are many opportunities in the SAP world to simplify the work of security teams and enable them to very quickly respond to security threats.

    1. Holger Stumm Post author

      Hi Maaike,

      indeed, very true what you said. Unfortunately, we are confronted with a lot of tools that all do some partial work on the problems you mentioned. It is the ultimate challenge in current security projects to combine them into an overall strategy.

  3. Kinjar Patel

    The most challenging aspect I find in projects is awareness and acknowledgement of security requirements right from the beginning about every single layer of the landscape/infrastructure.

    There is a heavy application security mindset when it comes to SAP security, and the rest is all about BASIS. This must change. Unfortunately this is only true for mature, security-focused organisations such as banks.

    SAP products are no longer back-office applications; they are exposed directly to customers, which needs careful planning and risk management of threats from outside the organisation.


    I see very little effort in project planning sometimes where things like penetration testing, stress testing and threat vectors are rolled into SAP methodologies such as ASAP. Nevertheless, the number of SAP Security Notes itself over the last few years tells the story.

    It is very unfortunate sometimes to see PFCG (SAP security roles) and segregation of duties get attention and budget, but the rest becomes a grey area! I have even witnessed SAP audits limited to a bunch of tick marks, with no emphasis on SAP Security Notes, patching, or managing identity end to end and not just in ABAP. This article is a perfect example for me that there is a growing need for recognition of the topic: think security, but not just application security!

    Thanks a lot for sharing..

    Kinjar.

