Author: Former Member

3 Tips On Securing SAP Fiori Applications

SAP security has to be monitored continuously so that access is granted to those who need it while the system stays protected against malicious attacks. The three components of the SAP architecture discussed below let you run routine checks that limit the ability of external parties to reach the data stored on your SAP server. With any luck, these three tips will help you brace your server against certain types of attack.

1. SAP Internet Communications Manager (ICM) Services

SAP Fiori applications run on top of the SAP NetWeaver ABAP server, which exposes them through the Open Data Protocol (OData) via the Internet Communication Manager (ICM). Users log on either at the SAP Gateway or at the Fiori front-end server, but in either deployment a set of HTTP services has to be active in the ICM. Exposing only the services you actually need is crucial so that no open doors are left for exploitation: well-known services such as SOAPRFC, SAPINFO and WEBGUI can be abused if they are reachable, so they must be deactivated or otherwise secured. An attacker who can reach the HTTP interface can, for example, run a brute-force logon attack against these services, which at minimum locks users out and renders the service unusable, and other potentially dangerous ICM services should likewise be disabled to limit the foothold an attacker could gain. Disabling a specific service is straightforward: connect with the SAP GUI, run transaction SICF (HTTP Service Hierarchy Maintenance), walk the service tree and deactivate every node that would be a liability in a breach.
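The check a practitioner wants after deactivating nodes in SICF is a view from the outside: which of the well-known service paths does the ICM still answer? The Python script below is an added example, not code from the original post or from SAP. It assumes the usual SICF paths for the services named above (/sap/bc/soap/rfc, /sap/bc/gui/sap/its/webgui, /sap/public/info) and treats a 200 or 401 answer as proof the handler was reached and a 403 or 404 as a deactivated or missing node; both assumptions should be confirmed against your own SICF tree. The host name and the status table are constructed so the example runs offline.

```python
"""Probe well-known ICF service paths through the ICM and report exposure.

Added example; not code from the original post. Assumptions (not from the
page): the paths are the usual SICF locations of the services named in the
post, and a reached handler answers 200 or 401 while a deactivated or absent
ICF node answers 403 or 404. Confirm both against your own SICF tree.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict

# Assumed standard ICF paths for the services discussed in the post.
KNOWN_PATHS: Dict[str, str] = {
    "SOAPRFC": "/sap/bc/soap/rfc",
    "WEBGUI": "/sap/bc/gui/sap/its/webgui",
    "PUBLIC_INFO": "/sap/public/info",
}

# Status codes taken as proof that the ICF handler was reached (assumption).
REACHED = {200, 401}
NOT_REACHED = {403, 404}


def classify(status: int) -> str:
    """Map an HTTP status code to an exposure verdict."""
    if status in REACHED:
        return "EXPOSED"        # active node: served or asked for credentials
    if status in NOT_REACHED:
        return "NOT_REACHABLE"  # typically deactivated in SICF or missing
    return "UNKNOWN"            # e.g. 5xx: check manually


def http_status(url: str, timeout: float = 5.0) -> int:
    """GET a URL and return the status code, treating HTTP errors as answers."""
    request = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base_url: str, paths: Dict[str, str],
          fetch: Callable[[str], int] = http_status) -> Dict[str, str]:
    """Return {service_name: verdict} for every path, using `fetch` for HTTP."""
    base = base_url.rstrip("/")
    return {name: classify(fetch(base + path)) for name, path in paths.items()}


# Constructed stand-in responses so the example runs without a real system.
SAMPLE_STATUSES = {
    "/sap/bc/soap/rfc": 401,            # active, challenging for credentials
    "/sap/bc/gui/sap/its/webgui": 403,  # deactivated in SICF
    "/sap/public/info": 200,            # active and anonymous
}


def sample_fetch(url: str) -> int:
    """Offline replacement for http_status that answers from SAMPLE_STATUSES."""
    for path, status in SAMPLE_STATUSES.items():
        if url.endswith(path):
            return status
    return 404


if __name__ == "__main__":
    # Drop fetch=sample_fetch to use http_status against a real host.
    for name, verdict in probe("https://fiori.example.invalid", KNOWN_PATHS,
                               fetch=sample_fetch).items():
        print(f"{name:12} {verdict}")
```

Run it against the front-end server's HTTPS port after a SICF change; anything reported as EXPOSED that you did not intend to offer is a node still to deactivate, and a 401 counts as exposed because the handler is active and will happily accept the brute-force attempts described above.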

2. Data Integration Security

Back-end data reaches SAP Fiori through interfaces and trust relationships between systems. These interfaces are usually configured in transaction SM59 as Remote Function Call (RFC) destinations that connect the front-end applications to the back-end systems. With a trusted destination, users are not asked for a password a second time once they have logged on to the front-end, so the back-end must enforce tight controls through the S_RFCACL authorization object to ensure that the data stored there is not compromised. Control who is assigned S_RFCACL and how broadly it is granted: which calling systems and clients are accepted, which user names are allowed and whether the same user ID is required, and which transactions those callers may execute. With these controls in place, an external system is not granted access by default even after it passes the initial gate of username and password. This second layer limits the extent of an incursion if the front-end system is compromised.
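The most common S_RFCACL mistake is a wildcard in the fields that identify the calling system and user, which turns "trusted system" into "trust everyone". The Python script below is an added example, not code from the original post or from SAP: it audits rows shaped like an authorization-data export (role, authorization, object, field, low, high) and flags wildcards in RFC_SYSID, RFC_CLIENT, RFC_USER and RFC_EQUSER, with a lower-severity note when only RFC_TCODE is open. The field names are the standard S_RFCACL fields; the sample rows, role names and severity scheme are constructed for the example.

```python
"""Flag over-broad S_RFCACL authorizations in an authorization-data export.

Added example; not code from the original post. The rows mimic the columns
of a role/authorization export (role, authorization, object, field, low,
high) and are constructed here, not taken from a real system. Field names
are the standard S_RFCACL fields; the severity scheme is this example's own.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Row = Tuple[str, str, str, str, str, str]

# Constructed sample: one role trusting everything, one scoped to a single
# front-end system and client with "same user ID required" (RFC_EQUSER = Y).
SAMPLE_ROWS: List[Row] = [
    ("Z_RFC_TRUST_ALL", "T-0001", "S_RFCACL", "RFC_SYSID", "*", ""),
    ("Z_RFC_TRUST_ALL", "T-0001", "S_RFCACL", "RFC_CLIENT", "*", ""),
    ("Z_RFC_TRUST_ALL", "T-0001", "S_RFCACL", "RFC_USER", "*", ""),
    ("Z_RFC_TRUST_ALL", "T-0001", "S_RFCACL", "RFC_EQUSER", "*", ""),
    ("Z_RFC_TRUST_ALL", "T-0001", "S_RFCACL", "RFC_TCODE", "*", ""),
    ("Z_RFC_TRUST_ALL", "T-0001", "S_RFCACL", "RFC_INFO", "*", ""),
    ("Z_RFC_TRUST_ALL", "T-0001", "S_RFCACL", "ACTVT", "16", ""),
    ("Z_FIORI_FE_TRUST", "T-0002", "S_RFCACL", "RFC_SYSID", "FES", ""),
    ("Z_FIORI_FE_TRUST", "T-0002", "S_RFCACL", "RFC_CLIENT", "100", ""),
    ("Z_FIORI_FE_TRUST", "T-0002", "S_RFCACL", "RFC_USER", " ", ""),
    ("Z_FIORI_FE_TRUST", "T-0002", "S_RFCACL", "RFC_EQUSER", "Y", ""),
    ("Z_FIORI_FE_TRUST", "T-0002", "S_RFCACL", "RFC_TCODE", "*", ""),
    ("Z_FIORI_FE_TRUST", "T-0002", "S_RFCACL", "RFC_INFO", " ", ""),
    ("Z_FIORI_FE_TRUST", "T-0002", "S_RFCACL", "ACTVT", "16", ""),
    ("Z_FIORI_FE_TRUST", "T-0003", "S_RFC", "RFC_NAME", "*", ""),  # other object, ignored
]

# Fields that identify the caller; a '*' in any of them widens the trust.
IDENTITY_FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER", "RFC_EQUSER")
FULL_TRUST_FIELDS = ("RFC_SYSID", "RFC_CLIENT", "RFC_USER")


def group_s_rfcacl(rows: List[Row]) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Collect S_RFCACL field values per (role, authorization)."""
    auths: Dict[Tuple[str, str], Dict[str, str]] = defaultdict(dict)
    for role, auth, obj, field, low, _high in rows:
        if obj == "S_RFCACL":
            auths[(role, auth)][field] = low
    return dict(auths)


def audit(rows: List[Row]) -> List[Tuple[str, str, str]]:
    """Return (role, severity, detail) findings for over-broad S_RFCACL values."""
    findings: List[Tuple[str, str, str]] = []
    for (role, _auth), fields in group_s_rfcacl(rows).items():
        wild = [f for f in IDENTITY_FIELDS if fields.get(f, "") == "*"]
        if wild:
            # any system + any client + any user name == trust everyone
            severity = "HIGH" if all(f in wild for f in FULL_TRUST_FIELDS) else "MEDIUM"
            findings.append((role, severity, "wildcard in " + ",".join(wild)))
        elif fields.get("RFC_TCODE", "") == "*":
            # caller is pinned down but may call from any transaction
            findings.append((role, "LOW", "RFC_TCODE=* (no transaction restriction)"))
    return findings


if __name__ == "__main__":
    for role, severity, detail in audit(SAMPLE_ROWS):
        print(f"{severity:6} {role:18} {detail}")
```

Feed it the S_RFCACL rows of every role on the back-end. The second sample role shows the shape to aim for: system and client named explicitly, RFC_USER blank with RFC_EQUSER = Y so only the same user ID on the named front-end is accepted, and then tighten RFC_TCODE if the calling transactions are known.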

3. Transport Layer Security

Complex interfacing with multiple data sources is key to the proper functioning of SAP Fiori. Each interconnection adds a point where the communication could be intercepted. The two most important examples are:

– RFC connections between the front-end system and the back-end where the data is stored. Encrypting this traffic so that it cannot be intercepted between back-end and front-end is as simple as enabling Secure Network Communication (SNC) on the RFC destinations.

– HTTP connections that the client initiates to the Fiori front-end server. Client networks cannot be assumed to be secure, so Transport Layer Security (TLS, that is, HTTPS) must be enforced to ensure that data sent and received is not intercepted.
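Both layers are switched on in the ABAP profile, so a quick check is to read the profile and look for a plaintext HTTP listener and for SNC being off or allowed to run without encryption. The Python script below is an added example, not code from the original post or from SAP. It relies on the standard parameters icm/server_port_<n> (PROT=..., PORT=...), snc/enable and snc/data_protection/min (1 = authentication only, 2 = integrity, 3 = privacy); the weak and hardened profile excerpts are constructed for the example, and the port numbers in them are assumptions, not a recommendation.

```python
"""Check an ABAP instance profile for plaintext listeners and weak SNC settings.

Added example; not code from the original post. It relies on the standard
profile parameters icm/server_port_<n> (PROT=..., PORT=...), snc/enable and
snc/data_protection/min (1 = authentication, 2 = integrity, 3 = privacy).
Both profile excerpts below are constructed, not copied from a real system.
"""
from typing import Dict, List, Tuple

# Constructed weak profile: HTTP in the clear and SNC switched off.
WEAK_PROFILE = """\
# DEFAULT.PFL excerpt (constructed)
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
icm/server_port_2 = PROT=SMTP,PORT=25000
snc/enable = 0
snc/data_protection/min = 1
"""

# The same profile with the settings corrected: HTTPS only, SNC on, privacy required.
HARDENED_PROFILE = """\
# DEFAULT.PFL excerpt (constructed)
icm/server_port_0 = PROT=HTTPS,PORT=44300
icm/server_port_1 = PROT=SMTP,PORT=25000
snc/enable = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines, ignoring blank lines and '#' comments."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def parse_port_spec(spec: str) -> Dict[str, str]:
    """'PROT=HTTPS,PORT=44300' -> {'PROT': 'HTTPS', 'PORT': '44300'}."""
    return dict(item.split("=", 1) for item in spec.split(",") if "=" in item)


def check_profile(text: str) -> List[Tuple[str, str]]:
    """Return (parameter, problem) findings for the profile text."""
    params = parse_profile(text)
    findings: List[Tuple[str, str]] = []
    for key, value in params.items():
        if key.startswith("icm/server_port_"):
            spec = parse_port_spec(value)
            if spec.get("PROT", "").upper() == "HTTP":
                findings.append((key, f"plaintext HTTP listener on port {spec.get('PORT', '?')}"))
    # Absent parameters are treated as their weakest value (assumption).
    if params.get("snc/enable", "0") != "1":
        findings.append(("snc/enable", "SNC is off; RFC traffic is not encrypted"))
    if int(params.get("snc/data_protection/min", "1")) < 3:
        findings.append(("snc/data_protection/min", "below 3; SNC may run without encryption"))
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {check_profile(profile) or 'no findings'}")
```

Point it at the instance and default profiles of both the front-end and the back-end; the front-end is where the client-facing HTTPS listener matters, the back-end is where the SNC parameters protect the RFC destinations from the previous tip. Removing the HTTP listener is only half the job on the front-end, since the SM59 destinations themselves must also be set to use SNC.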

Working together, these two layers should in theory be enough to ensure that data travels securely from the back-end to the client and back. However, a security chain is only as strong as its weakest link, and client systems are the usual weak link here. Additional attention on the client end is usually needed, since unpatched SAP components can write log data that reveals sensitive information; this gives attackers an easy way in, even if you are using a DaaS. Keeping every SAP interface up to date is crucial to closing the security chain around the system.

The security of a system that holds sensitive data is one of its most important properties. Keeping data protected is not easy, but with dedicated effort the number of breaches that are likely to happen is significantly reduced. A well-secured system makes it less likely that data ends up in the wrong hands and deters attackers who target a system simply because it can be compromised easily.
