This blog is intended as an introduction for security managers who want to, and must, protect their SAP environment against cyber-attacks. The article explains whether and how SAP landscapes can be protected and what needs to be considered.
Are SAP Systems under Attack?
When we look at the news, we see new cyber-attacks almost every day. The question is, does this also affect SAP applications? Let’s explore this topic. In general, there are two types of cyber-attacks: (1) attempts to cause a denial of service and (2) theft of financial data, intellectual property, prescriptions, health status, personnel or sales information from organizations.
Attacks executed with any kind of malware, ransomware, phishing, smishing or botnets very often target the IT infrastructure. When the IT infrastructure is affected by a cyber-attack, it can also affect an organization’s SAP environment and HANA databases. Applications are often blocked, or files and databases encrypted. With these denial-of-service attacks, attackers often want to obtain a ransom payment or even just the fame and recognition of having caused damage to the company.
Systems are under attack
More sophisticated attacks such as Advanced Persistent Threats attempt to spy on organizations, infiltrate global networks, and manipulate customer systems within the supply chain to gain undetected access to money, information, intellectual property – the crown jewels of an organization. Let’s explore this: where is this information stored within an organization? In the file system? Hopefully not, though sometimes it is and, often, it is very easily accessible by a hacker. Databases? Sure. How can a hacker access an organization’s database? Difficult, because it is often encrypted, or we are dealing with thousands of tables and millions of data records and don’t know how to read that information. But how does an organization access the data in the database? Usually through an application running on that database. If a hacker can exploit a highly privileged user of that application or take advantage of a vulnerability, they may be able to gain access to an organization’s most critical data and processes.
How does SAP help customers to protect the SAP environment?
SAP does a great job securing software delivered to customers, and SAP helps customers with secure cloud applications. However, security needs to be considered more critically when dealing with on-prem and private cloud applications like S/4HANA or ECC. These systems have several thousand configuration parameters that can affect the security of the application. In addition, customers can implement custom coding to extend functionality. Sometimes organizations fail to control security and audit measures.
SAP helps customers with how to secure these systems and helps identify what countermeasures to consider.
A very good example is SAP’s Security Operations Map. The SAP Security Operations Map is one of the most important security documents along with the Security Baseline Template and the Security Patch Process, all designed to help secure an SAP environment. Each of these documents can also be found in the SAP Security Optimization Services Portfolio.
SAP Secure Operations Map
The most important thing about the updated SAP Security Operations Map, compared to previous versions, is the new focus on the organization and the awareness within an organization. An organization will only be able to successfully defend itself against hacker attacks if everyone within the organization has an awareness of security and of protecting the crown jewels of the organization. Only then can we talk about technologies such as user access and identity management, roles and authorizations, custom code security, vulnerability management for configuration, and patch management. It is important to patch your SAP systems as soon as a new patch is available and to start security and event monitoring from now on. This also helps prevent and detect ransomware attacks that could be triggered by a hacker from within your SAP environment.
SAP Depth and Breadth, supporting the Intelligent Enterprise.
We are giving you a more complete picture about how to securely support the intelligent enterprise.
We have already touched on the importance of people and processes in protecting the intelligent enterprise. In contrast, technology can only be managed by people working within the right processes. Technology itself will not turn a red flag green. Mitigating a vulnerability often requires extensive mitigation processes to turn a vulnerable configuration into a secure one. A configuration change can always impact ongoing operations or users within the system, so these mitigation processes often take several weeks or months. Therefore, the migration from ECC to S/4 is also a very good time to initiate and do many of these steps.
To successfully protect an organization, awareness is the gatekeeper when you begin to look at the four quadrants of protecting the intelligent enterprise.
- Identity and access governance
- Data protection and privacy
- Cyber security
- Enterprise risk and compliance
Within these quadrants, we can then address individual technologies. Most important, however, is the inter-connectivity between the quadrants and the technologies in use. When a highly privileged user is created or enabled within Identity and Access Management, the Threat Management component must have the information to monitor that user appropriately. The threat management component can then inform the technology within data protection to mask critical information within the user interface so it cannot be seen or downloaded. Another example would be that data can be automatically masked or blocked based on attribute-based access or the geographic location from which information is accessed.
That said, all of this critical information also needs to be processed and communicated to Enterprise Risk and Compliance to give the C-level and CISO the visibility they need to make the right decisions at the right time, based on quantifying a risk and presenting and correlating it within an appropriate dashboard.
Let’s have a look at the details of the four quadrants needed to protect an intelligent enterprise.
The picture shows the general deployment of the individual products and their usage for cloud and on-prem / private cloud solutions.
Identity and access governance
Identity and access governance solutions
- Segregation of duty
- Access-request, -design, -analysis, -certification
- Privilege access management
- Identity Lifecycle Management for SAP’s cloud applications
- Single sign-on for cloud- and hybrid-scenarios
- Segregation of duty
- Manage access
- Monitor, analyze, maintain, provide, certify
compliant entire identity life cycle
- Hiring, substitution, promotion, termination
- Secure authentication and communication
- Simplification and productivity
Cyber security and data protection
Cyber security and data protection solutions
- Protect sensitive information in the user interface layer
- Block or log data access
- Secure & refine access
- Identify and remedy security vulnerabilities in ABAP custom code
- Security Configuration Management
SAP S/4HANA, SAP HANA, SAP NetWeaver & J2EE
- Patch Management
- SIEM solution tailored to the needs of SAP applications
- Effectively identify and analyze threats in SAP applications
- Key management
- Monitor and report on data access, storage, movement, processing, and location
Create and enforce data access, location, movement, and processing policies
Enterprise risk and compliance
Enterprise risk and compliance solutions
- Document and manage controls
- Demonstrate effective internal controls over financial reporting
- Implement detection & screening strategies for transactions
- Design, analyze, detect, investigate, report
3 Lines offering
- Ensure effective controls and ongoing compliance
- Document, plan, perform, monitor, evaluate, report
- Defined risks within the context of value to the organization
- Plan, identify, analyze, respond, monitor & report business risks.
- Managing Audit Activities
- Risk–based approach following IIA best practices
Bridging the gap between IT infrastructure security and SAP security.
The NIST Cyber Security Framework gives guidance, based on existing standards, guidelines and best practices, for organizations to better manage and reduce cyber security risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cyber security management communications.
The Framework provides a policy framework for IT security guidance and can be used by organizations to assess and improve their ability to identify, prevent, detect, and respond to cyber-attacks and recover from cyber-attacks. It is a systematic classification of cyber security and a methodology for evaluating and managing the results of the classification. It is being used by companies and organizations worldwide to help them shift to a proactive approach to risk management. The Framework assists organizations by providing context on how an organization views cyber security risk management. The Framework is also often the basis for communication to discuss risk appetite, mission priority, and budget. This also applies to SAP environments and can be used by organizations to protect their SAP environment more effectively.
Cyber security- and Compliance Solutions from SAP based on NIST
For more details on the mapping of SAP Cyber security and Compliance solutions, please see the publicly available SAPinsider article that Martin Müller (SAP SE) and I wrote in 2020. In this article you will also find a more detailed description of the products mentioned in the mapping above. Link: How to Build a Strong Security and Compliance Foundation for Your SAP Landscape
- Cyber threats targeting SAP systems are real and increasing.
- SAP environments must be configured and operated in a secure and compliant manner.
- SAP provides a structured approach to help customers to secure their business-critical applications.
- SAP provides solutions to support customers in securing their SAP On-Prem, Cloud and Hybrid environments within the disciplines of:
  - Identity and access governance
  - Data protection and privacy
  - Cyber security
  - Enterprise risk and compliance
If SAP customers are interested in learning more, they may contact their SAP Account Executive to organize a session to better understand the complete offering.