Disclaimer: This is my first post on the SAP Community, and it discusses my experience with SAP and integrating it into existing network security practices. I look forward to learning from the community and connecting with anyone who reads this, so please feel free to drop me a comment below.
When SAP systems are compromised, it is typically not because of a shortcoming in the software package itself but because those responsible for security failed to implement best-practice defensive measures.
What are best practices?
Truthfully, SAP is similar to other interconnected business systems, which means that traditional application-testing and network tools, and the methodologies behind them, apply to SAP systems as well. Understandably, the specifics (technologies, idiosyncrasies, and protocols) vary, so you will need to familiarize yourself with them.
However, the high-level advice for securing an SAP system is similar to what is given for securing any typical application, system, or network.
Unauthorized Access and Privilege Abuse Should Be Prohibited or Prevented
For SAP or an interconnected system to be secure, unauthorized and unauthenticated access must be prevented, including indirect routes such as network bridging or redundant network connections. The same is true of the systems and databases that make up the core business infrastructure.
Additionally, users who are properly authenticated and authorized should not be able to abuse their privileges in a way that circumvents security controls. Business-logic rules must be enforced in the system's authentication/authorization model, and the principles of least privilege and segregation of duties should be adhered to and enforced.
For this to work, the following practical advice should be followed:
- Strong authentication must be enforced
- Default passwords and usernames for applications, databases, and operating systems should be changed
- All channels of communication must be encrypted
- Communication channels must be restricted to those who require access
- Control and attack paths must be isolated by segmenting the network
- The configuration of every service should be hardened to conform to the guides, recommendations, and SAP Notes provided by security practitioners
- Applications should be regularly updated and patched; the same applies to operating systems and databases
To maintain a high level of security across large estates, organizations whose security programs are older can take advantage of automated vulnerability-scanning software designed to identify vulnerabilities and security defects.
Nessus, a well-known security scanner, and other traditional vulnerability scanners are not designed to be "SAP aware." We have found two SAP-certified products that automatically assess SAP systems: X1 and ERP SCAN.
Once you are confident that your system has been sufficiently hardened and that you have done everything possible to protect your investment, the SAP system and the other connected systems should be subjected to further assessments. These include, but should not be limited to, a benchmark against BIZEC's TEC/11 list.
This will let you identify the most common critical security defects and threats affecting the business runtime layer of your SAP platform. Every element on the list is sorted by criticality: V means very high and H means high. A further indicator tells you whether the problem is Common (C) or Rare (R). This will help you prioritize your remediation measures.
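To show how the hardening checklist above (strong authentication, no default users, encrypted channels) and the V/H and C/R prioritization scheme fit together in practice, here is an added example that is not SAP's own tooling and not from the products named above. It parses an SAP-style profile (a constructed sample, not from a real system), evaluates a small baseline, and orders the failures for remediation. The profile parameter names are real SAP profile parameters; the expected values and the V/H and C/R labels attached to each check are an illustrative baseline chosen for this example, not an official SAP or BIZEC classification.

```python
"""Audit an SAP profile against a hardening baseline and rank the findings.

Added example, not SAP's own tooling. The parameter names are real SAP
profile parameters; the expected values and the V/H and C/R labels are an
illustrative baseline chosen for this example, not an official SAP or
BIZEC classification.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample profile in DEFAULT.PFL / instance-profile syntax.
# Every value is deliberately weak so that each baseline check produces a finding.
SAMPLE_PROFILE = """\
# constructed sample, not taken from a real system
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 0
snc/enable = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
gw/sec_info = $(DIR_DATA)/secinfo
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment; values may contain '='."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def _as_int(value: Optional[str]) -> Optional[int]:
    """Integer value of a profile setting, or None if unset or non-numeric."""
    try:
        return int(value)  # type: ignore[arg-type]
    except (TypeError, ValueError):
        return None


@dataclass(frozen=True)
class Check:
    param: str
    ok: Callable[[Optional[str]], bool]  # predicate over the raw value (None if unset)
    expect: str                           # what a hardened value looks like
    severity: str                         # "V" very high, "H" high
    prevalence: str                       # "C" common, "R" rare


# Illustrative baseline mapping the checklist onto profile settings.
BASELINE: List[Check] = [
    Check("login/min_password_lng", lambda v: (_as_int(v) or 0) >= 8,
          ">= 8", "H", "C"),
    Check("login/fails_to_user_lock",
          lambda v: _as_int(v) is not None and _as_int(v) <= 5,
          "<= 5 (lock after a few failures)", "H", "C"),
    Check("login/password_expiration_time", lambda v: (_as_int(v) or 0) > 0,
          "> 0 (passwords expire)", "H", "C"),
    Check("login/no_automatic_user_sapstar", lambda v: v == "1",
          "1 (no implicit SAP* login)", "V", "R"),
    Check("snc/enable", lambda v: v == "1",
          "1 (SNC protection for RFC/DIAG)", "V", "C"),
    Check("icm/server_port_0",
          lambda v: v is not None and "PROT=HTTPS" in v.upper(),
          "PROT=HTTPS (no plaintext HTTP port)", "V", "C"),
]


@dataclass(frozen=True)
class Finding:
    param: str
    actual: Optional[str]
    expect: str
    severity: str
    prevalence: str


_SEVERITY_RANK = {"V": 0, "H": 1}
_PREVALENCE_RANK = {"C": 0, "R": 1}


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Very-high before high; within a level, common before rare; then by name."""
    return sorted(findings, key=lambda f: (_SEVERITY_RANK[f.severity],
                                           _PREVALENCE_RANK[f.prevalence],
                                           f.param))


def audit(params: Dict[str, str], baseline: List[Check] = BASELINE) -> List[Finding]:
    """Return the baseline checks that fail, already ordered for remediation."""
    findings = [Finding(c.param, params.get(c.param), c.expect, c.severity, c.prevalence)
                for c in baseline if not c.ok(params.get(c.param))]
    return prioritize(findings)


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per finding, in remediation order."""
    return [f"[{f.severity}/{f.prevalence}] {f.param} = {f.actual!r}, expected {f.expect}"
            for f in findings]


if __name__ == "__main__":
    for line in report(audit(parse_profile(SAMPLE_PROFILE))):
        print(line)
```

Run against the constructed sample, every check fails and the V/C items (plaintext ICM port, SNC disabled) come out first; an unset parameter counts as a failure rather than a pass, since silence in the profile usually means the insecure default is in effect. Extending the baseline is a matter of adding a `Check` entry; the ordering logic and report stay the same.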