Skip to Content
Technical Articles

SAP Cybersecurity Issues: The Need For End-to-end Encryption

The world is being revolutionized by the internet and going by the Gartner report that over 8.4 billion devices were connected to the IoT in 2018, this is not a mean feat. SAP as one of the world’s leading tech brands is riding on this wave and deservedly so. 

Considering that about 50,000 businesses depend on SAP products globally, issues regarding cyber threats and attacks cannot be overemphasized. Any vulnerability will quickly be exploited by hackers who know that they will be making “a big kill” based on the sheer volume of businesses that deploy SAP products.

SAP CSO Justin Somaini in an interview he granted Search Security on using blockchain for security says, “When a vulnerability is identified, you need to take it upon yourself to put in mechanisms to defend against an attack while you’re waiting for that patch.” The problem here is not about the patch but rather how effective the mechanisms you put in place to defend yourself from attacks will be.

It’s heartwarming to note that SAP devs work hard to counter exploits as they appear and also that SAP site offers a service called Support Packs, which combine multiple patches. You can bank on these to catch up on long periods of missed updates, however, having a situation that is attack-proof will be a better option.

It’s good enough that SAP has created the opportunity for your database encryption and decryption, making it stronger with end-to-end encryption will still be better.

This article will shed more light on the potential benefits of end-to-end encryption in your SAP products.

Why SAP?

It’s no longer news that SAP has thousands of clients spread all over the globe. It also won’t be an exaggeration to say that any attack on SAP will have devastating effects as its operations transcend a lot of sectors. 

The company became a prime target for hackers when it delved successfully into the Internet of Things, with its wealth of data-processing expertise, and  AI-based machine learning. It has become a place of last resort for any business that is IT-based. 

While all these positive attributes have created a company that is able to solve most of IT-based problems and clients depend on it, cybersecurity issues must be expected. The reason is that large volumes of data traffic will have to pass through applications, sensors, and storage solutions, thereby, becoming a high source of attraction to hackers.

SAP has so much penetrated the world in such a way that businesses using SAP software, for tasks ranging from employee payrolls to product distribution, distribute 78 percent of the world’s food and 82 percent of medical devices. This is very tempting for hackers and they will want to go to any length to grab such a juicy record.

Encryption in SAP products

For SAP products, two methods of database encoding are supported: simple obfuscation and strong encryption.

Simple obfuscation

With simple obfuscation, it is difficult, but not outrightly impossible, for someone using a disk utility to casually inspect the contents of your database. You don’t need a key (password) to encode the database when using simple obfuscation. 

Strong encryption (AES)

Strong encryption makes a database unusable without a key (password). It will hide your identity, location, and data from third parties. The data you have in your database is secure from any form of intrusion. 

The algorithm AES (Advanced Encryption Standard) is used to encrypt the information contained in your database and transaction log files so it cannot be read. Such as the case with ExpressVPN, you can indicate the use of AES 256-bit cipher with a 4096-bit RSA key and SHA-512 HMAC authentication.

Why the need for end-to-end encryption (E2EE)?

Just last year,  In an alert entitled “Malicious cyber activity targeting ERP applications”, the Homeland Security’s National Cybersecurity and Communications Integration Center alerted us to the increasing hackers’ focus on ERP applications, based on the study by security firms Digital Shadows and Onapsis. The report says that not less than 10,000 major organizations are running vulnerable SAP implementations, and there are 4,000 separate bugs in SAP packages that attackers can exploit.

This with other cases of security breaches that affect SAP products is a clear call-to-action for end-to-end encryption. It’s a secure means of communication that allows you to transfer data from one end system or device to another with certainty that any third party can’t access your data.

With E2EE, you can encrypt your data on your SAP product and be sure that only the recipient can decrypt it. It’s so secure that your internet service provider, application service provider, and even hackers can’t attempt to decrypt it. You are able to store the cryptographic keys you used to encrypt and decrypt the messages on the endpoints.

You mustn’t be too complacent believing that the key exchange in E2EE is wholely unbreakable based on known using algorithms and currently obtainable computing power, there could be instances where you may fall prey to the antics of hackers.  

In isolated cases, a die-hard attacker could come up with gimmicks of providing one or both endpoints with the attacker’s public key thereby executing a man-in-the-middle attack. Another thing you need to guard against in your SAP product is the possible situation where either of the two endpoints has been compromised which could lead to the attacker having access to the message either before encryption or after decryption.

A good example of the use of E2EE is in payment card PINs that are used by card processing firms. Their encryption and decryption usually take place within a specialized hardware security module (HSM) using 3DES or other strong algorithms. 

These modules are frequently kept under physical lock and key and only parties that have been certified have access to them. This makes the possibility of data compromise very remote. 

Another one that is similar is the credit card data that is usually encrypted at a point-of-sale (PoS) terminal using 3DES, AES, or some other algorithms, where the decryption does not take place before getting to the acquiring bank for processing. 

Difficulties encountered in E2EE

It won’t be a fair assessment if we do look at some difficulties you may encounter in the implementation of E2EE. 

The very first thing you should know is that E2EE is not an easy thing to implement. In a situation where you need to process your financial data at different stages the purpose of E2EE will be roundly defeated. 

In such an instance, your data must have to undergo multiple decryptions and re-encryption while in transit. There is always a potency for your data to become vulnerable at any of these stages of operations. 

Another source of headache entirely is when you have to decrypt the whole data or a part of it in order to carry out some processing before re-encrypting, this can occur in the retention of payment card data for recurring charges and chargebacks (refunds). 

You also must not lose sight of the fact that the management of centralized encryption key stores is complex and costly.

No Password Recovery

Quite unlike most online services, E2EE does not have password recovery mechanisms. This may seem more like a minus but that’s the price you have to pay for a truly secure service. 

Your encryption key is there for you and any time you lose access to the key, you can forget about your data because you won’t be able to decrypt. You don’t have the opportunity of a “password reset” mechanism since the service provider has no way of knowing what your data contains.

If for any reason your service provider can reproduce your encryption key, it means that your data is not secure and can be accessed without your knowledge. This scenario has completely defeated everything end-to-end encryption portends. 

As an SAP user, what you must guard against are data breaches, fraud, ransomware,  and theft of your sensitive information. All these are, however, avoidable with E2EE. 

You don’t have to do away with SAP products, you only need to ensure they are as secure as possible.

Be the first to leave a comment
You must be Logged on to comment or reply to a post.