SAP security is a critical component of an enterprise’s cybersecurity strategy. SAP security protects critical SAP business systems the organization depends on to run its core business processes and operations.
Common threats to SAP technologies include exploitation and fraud, risks to data integrity, unauthorized network access, and data leaks. Continuous, automated auditing and security monitoring of SAP systems can address these risks. However, these activities require the close involvement of security teams.
Many organizations treat SAP as a silo and rely solely on ERP vendor tools, keeping the SAP environment out of the scope of security teams. This increases the risk of attack. It’s important to treat SAP systems as part of the organizational network and maintain centralized monitoring for all critical systems, including SAP.
An SAP landscape consists of many components: S/4HANA and other business applications such as SAP ERP, the SAP Gateway and Message Server, RFC gateways, the Internet Communication Manager (ICM), and SAProuter. These components talk to each other and to the outside world over protocols such as Remote Function Call (RFC), DIAG, and HTTP. RFC and DIAG traffic is unencrypted unless Secure Network Communications (SNC) is configured, RFC destinations can store logon credentials, and several of these interfaces ship with permissive defaults that must be hardened explicitly.
SAP environments also tend to be complex. Because there are many components, each with its own logon, users tend to reuse passwords, so one compromised password can open several sensitive systems. Note that enabling single sign-on (SSO) does not by itself switch off password logon: password-based logon remains possible until it is explicitly disabled (for example, via the login/disable_password_logon profile parameter, with a documented exception group for emergency access).
Even if your organization has a Security Operations Center (SOC) that monitors IT systems for security breaches, in many cases SAP applications are not integrated with the SOC. In most organizations, SAP environments are managed as a silo by a dedicated SAP team. In addition, the Security Information and Event Management (SIEM) system might not be configured to ingest SAP logs, because the Security Audit Log, the system log and the gateway log use SAP-specific formats rather than syslog or CEF.
Almost every SAP system carries custom ABAP code: reports, transactions and enhancements written by the organization's own developers. Often this code is not written to secure coding standards and is never tested for vulnerabilities, which puts critical applications at risk of unauthorized access, data theft, ransomware and other malicious activity.
For example, ABAP code that builds dynamic programs, dynamic SQL WHERE clauses or file paths from unvalidated input is open to ABAP code injection, SQL injection and directory traversal respectively, and any of these can be used to read or alter business data or to disrupt the operation of the entire SAP system.
As new technologies are introduced, the attack surface of SAP systems grows. Most SAP users today manage hybrid environments with on-premises and cloud solutions, which makes them even more complex to secure.
All SAP systems support authentication and authorization, with a special emphasis on separation of duties (SoD), which is important in mission-critical environments.
Avoid giving a combination of permissions to any one individual that could allow them to do damage (for example, individuals should not be allowed to escalate permissions for their own user account). The only exception is “firefighter accounts” with broad permissions, which should be granted temporarily in order to perform urgent maintenance, and then revoked.
In a large SAP environment, it can be difficult to review authorizations to ensure that the SoD principle is maintained. This makes it necessary to perform continuous, automated reviews of SAP authorizations. This can be achieved through SAP tools requiring advanced customization or via third-party GRC tools like Pathlock.
Threats that conventional IT security deals with apply to SAP systems just as much: known vulnerabilities, zero-day vulnerabilities, and the need to apply security updates promptly. For SAP this means SAP Security Notes, which SAP publishes monthly on its Security Patch Day.
The challenge facing most SAP teams is knowing which notes apply to their systems, keeping up with new releases, and applying them consistently across the landscape. Because this is laborious, many SAP systems stay unpatched for long periods, which widens the window for exploitation.
Secure coding is another key factor in building a secure SAP environment. Secure code and maintaining a secure software development lifecycle are the responsibility of developers. When code is still on a developer’s machine or in a development environment, it’s common to overlook security best practices. A code scanning or inspection tool is very important to give developers fast feedback about potential vulnerabilities in their code and transports and show them how to remediate them. Developer education is also essential to make SAP developers aware of important best practices that can prevent cyber attacks.
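As an added example of the kind of fast feedback a scanning step can give developers (illustrative code written for this article, not SAP's Code Vulnerability Analyzer or Pathlock's tooling): a small taint-tracking check in Python that follows selection-screen input through assignments and CONCATENATE into three dangerous sinks, a dynamic WHERE clause, OPEN DATASET and dynamic program generation. The ABAP snippet it scans is constructed for the demo and shows a vulnerable report beside its hardened form; the rule set, and the treatment of cl_abap_dyn_prg and FILE_GET_NAME as sanitizers, are this example's assumptions.

```python
import re

# Taint sources: selection-screen input and subroutine parameters (assumed subset).
SOURCES = (
    re.compile(r"^(?:PARAMETERS|SELECT-OPTIONS)\s+(\w+)", re.I),
    re.compile(r"^FORM\s+\w+\s+USING\s+(?:VALUE\()?(\w+)", re.I),
)
# Sinks: the tainted variable becomes SQL, a file path, or executable ABAP.
SINKS = {
    "sql_injection":  re.compile(r"\bWHERE\s+\(\s*(\w+)\s*\)", re.I),
    "path_traversal": re.compile(r"\bOPEN\s+DATASET\s+(\w+)", re.I),
    "code_injection": re.compile(
        r"\b(?:GENERATE\s+SUBROUTINE\s+POOL|INSERT\s+REPORT\s+\w+\s+FROM)\s+(\w+)", re.I),
}
ASSIGN = re.compile(r"^(\w+)\s*=\s*(.+)$")
CONCAT = re.compile(r"^CONCATENATE\s+(.+?)\s+INTO\s+(\w+)", re.I)
# FILE_GET_NAME resolves a logical file name to a path, so its output is trusted.
LOGICAL_FILE = re.compile(
    r"^CALL\s+FUNCTION\s+'FILE_GET_NAME'.*\bIMPORTING\s+file_name\s*=\s*(\w+)", re.I)
TEMPLATE = re.compile(r"\|[^|]*\|")          # |string templates| with { expressions }
LITERAL = re.compile(r"'[^']*'|`[^`]*`")      # plain character/string literals
SANITIZER = "cl_abap_dyn_prg"                 # escape_quotes, check_whitelist_str, ...

# Constructed sample: vulnerable statements followed by their hardened form.
SAMPLE_ABAP = """\
PARAMETERS p_file TYPE string.
PARAMETERS p_where TYPE string.
DATA: lt_mara TYPE TABLE OF mara, lv_where TYPE string, lv_safe TYPE string, lv_path TYPE string.
* Vulnerable: user input flows into a dynamic WHERE clause and a file path.
CONCATENATE 'MATNR = ' p_where INTO lv_where.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
* Hardened: escape the value, and resolve the path from a logical file name.
lv_safe = cl_abap_dyn_prg=>escape_quotes( p_where ).
lv_where = |MATNR = '{ lv_safe }'|.
SELECT * FROM mara INTO TABLE lt_mara WHERE (lv_where).
CALL FUNCTION 'FILE_GET_NAME'
  EXPORTING logical_filename = 'Z_IMPORT'
  IMPORTING file_name = lv_path.
OPEN DATASET lv_path FOR INPUT IN TEXT MODE ENCODING DEFAULT.
"""


def statements(source):
    """Drop * and " comments, then split on the period that ends each statement."""
    lines = [l.split('"', 1)[0] for l in source.splitlines() if not l.startswith("*")]
    text = "\n".join(lines) + "\n"
    return [" ".join(s.split()) for s in re.split(r"\.\s*\n", text) if s.strip()]


def identifiers(expr):
    """Names referenced by an expression; literals dropped, template expressions kept."""
    expr = TEMPLATE.sub(lambda m: " ".join(re.findall(r"\{([^}]*)\}", m.group(0))), expr)
    expr = LITERAL.sub(" ", expr)
    return {t.lower() for t in re.findall(r"[A-Za-z_]\w*", expr)}


def scan(source):
    """Return a finding for every sink reached by tainted data, in statement order."""
    tainted, findings = set(), []
    for stmt in statements(source):
        for src in SOURCES:
            m = src.match(stmt)
            if m:
                tainted.add(m.group(1).lower())
        if (m := LOGICAL_FILE.match(stmt)):
            tainted.discard(m.group(1).lower())
        elif (m := CONCAT.match(stmt)):
            target, parts = m.group(2).lower(), identifiers(m.group(1))
            (tainted.add if parts & tainted else tainted.discard)(target)
        elif (m := ASSIGN.match(stmt)):
            target, rhs = m.group(1).lower(), identifiers(m.group(2))
            dirty = bool(rhs & tainted) and SANITIZER not in rhs
            (tainted.add if dirty else tainted.discard)(target)
        for kind, sink in SINKS.items():
            m = sink.search(stmt)
            if m and m.group(1).lower() in tainted:
                findings.append({"kind": kind, "variable": m.group(1), "statement": stmt})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_ABAP):
        print(f"{f['kind']:15} {f['variable']:10} {f['statement']}")
```

The scanner reports the two vulnerable statements and stays silent on the hardened pair, which is the feedback loop the paragraph describes: a developer sees the finding on the transport before it leaves development. Splitting on a period at end of line is a simplification, so literals that end a line with a period would confuse a real tool.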
SAP exposes many function modules for remote use. RFC-enabled function modules allow a caller to create user accounts, assign authorizations, read tables and run programs remotely through the SAP system's interfaces, and other built-in function modules can load or manipulate data in the system.
It is therefore critical to restrict and carefully control the permissions that govern who may call which transactions and function modules (for example through the S_TCODE and S_RFC authorization objects), and to monitor transactions, RFC calls and SAP reports continuously and in real time. Any external access to the SAP system through its interfaces should be logged and monitored.
Secure configuration is the foundation of SAP security, and it is challenging because SAP systems have a very large number of configuration options. Most settings are SAP profile parameters: they live in text files (the DEFAULT.PFL and instance profiles) and are maintained with transactions such as RZ10 and RZ11, with the instance profile taking precedence over the default profile. The rollout of SAP systems should follow a defined set of configuration rules, such as those in the organization's SAP Basis operating manual and SAP's own security baseline.
These settings govern security behaviour such as password policy, which logon methods and communications are allowed, gateway and RFC access control, and security audit logging. Configuration spans the operating system, database and application layers, and the security settings must be correct at each of these tiers.
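An added example (written for this article; not an SAP or Pathlock tool) of checking the effective profile parameters against a hardening baseline. The parameter names are real SAP profile parameters; the target values are this example's assumptions taken from common hardening guidance, and both profile texts are constructed, one weak and one corrected. Parameters that are not set are reported rather than assumed, because kernel defaults vary by release.

```python
import re

# Hardening baseline: real parameter names, target values assumed for this example.
# Each entry: predicate on the value as it appears in the profile, and the reason it fails.
BASELINE = {
    "login/disable_password_logon": (lambda v: int(v) >= 1, "password logon still allowed alongside SSO"),
    "login/min_password_lng": (lambda v: int(v) >= 12, "minimum password length below 12"),
    "login/password_downwards_compatibility": (lambda v: int(v) == 0, "weaker downward-compatible password hashes allowed"),
    "login/no_automatic_user_sapstar": (lambda v: int(v) == 1, "hard-coded SAP* fallback logon active"),
    "login/fails_to_user_lock": (lambda v: int(v) <= 5, "lockout threshold above 5 failed logons"),
    "rfc/callback_security_method": (lambda v: int(v) == 3, "RFC callback positive list not enforced"),
    "auth/rfc_authority_check": (lambda v: int(v) >= 1, "S_RFC authorization check for RFC calls disabled"),
    "gw/acl_mode": (lambda v: int(v) == 1, "gateway ACLs (secinfo/reginfo) not enforced"),
    "gw/reg_no_conn_admin": (lambda v: int(v) == 1, "registered RFC servers may administer the gateway"),
    "snc/enable": (lambda v: int(v) == 1, "SNC off: DIAG/RFC traffic unencrypted"),
    "rsau/enable": (lambda v: int(v) == 1, "Security Audit Log disabled"),
}

# Constructed instance profiles (not from any real system). Profile syntax is
# "name = value"; "#" starts a comment; parameter names may contain "/".
WEAK_PROFILE = """\
# PRD_D00_sapprd - constructed for the demo
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
login/min_password_lng = 8
login/disable_password_logon = 0
login/no_automatic_user_sapstar = 1
login/fails_to_user_lock = 5
rfc/callback_security_method = 1
auth/rfc_authority_check = 1
gw/acl_mode = 0
gw/reg_no_conn_admin = 1
snc/enable = 0
rsau/enable = 1
"""

HARDENED_PROFILE = """\
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
login/min_password_lng = 14
login/disable_password_logon = 1      # exception group via login/password_logon_usergroup
login/password_downwards_compatibility = 0
login/no_automatic_user_sapstar = 1
login/fails_to_user_lock = 5
rfc/callback_security_method = 3
auth/rfc_authority_check = 1
gw/acl_mode = 1
gw/reg_no_conn_admin = 1
snc/enable = 1
rsau/enable = 1
"""

PARAM_LINE = re.compile(r"^\s*([\w./-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}; a later occurrence of a name overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = PARAM_LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def effective_parameters(*profiles):
    """Merge profiles in precedence order, e.g. DEFAULT.PFL first, instance profile last."""
    merged = {}
    for text in profiles:
        merged.update(parse_profile(text))
    return merged


def audit(*profiles):
    """List (parameter, value, reason) for every baseline entry that fails or is unset."""
    params = effective_parameters(*profiles)
    findings = []
    for name, (passes, reason) in BASELINE.items():
        if name not in params:
            findings.append((name, None, "not set explicitly; kernel default applies, verify in RZ11"))
            continue
        value = params[name]
        try:
            ok = passes(value)
        except ValueError:      # non-numeric value where a number is expected
            ok = False
        if not ok:
            findings.append((name, value, reason))
    return findings


if __name__ == "__main__":
    for name, value, reason in audit(WEAK_PROFILE):
        print(f"{name:45} {str(value):6} {reason}")
```

Run against the weak profile the check flags the short password length, password logon left enabled beside SSO, RFC callbacks, the gateway ACL mode, SNC and the unset downward-compatibility parameter; the hardened profile passes cleanly. In practice the input would be the output of RSPARAM or the profile files exported from the application server, and the baseline would be the organization's own.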
With the fundamentals of SAP security addressed, organizations can incorporate SIEM to enhance security beyond standard compliance. In most companies, SAP security tools and traditional security monitoring solutions like SIEM remain in separate silos which are not integrated, creating a blind spot for the SOC. It’s important to integrate SAP security monitoring into the centralized SIEM to provide visibility and protection across SAP and non-SAP environments.
In reality, it’s difficult to integrate SAP systems with standard SIEM because they use non-standard logging and communication protocols. Some SIEM solutions provide specialized plugins for SAP applications, and another option is to use SAP’s own SIEM solution, SAP Enterprise Threat Detection (described below), which can, in turn, integrate with the centralized SIEM.
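An added example (illustrative code for this article, not ETD's or any SIEM vendor's rule set) of the detection logic that becomes possible once Security Audit Log events reach the SIEM, covering the monitoring of RFC calls and account changes described above. The message IDs AU1, AU2, AU5, AU7 and AUK are the Security Audit Log's own, but the flattened timestamp|msgid|user|host|detail layout, the wording of the detail field, the sample lines, the sensitive-function-module watchlist and the internal host list are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist: function modules that read tables, run OS commands or change
# users, plus the hosts (integration servers) that are allowed to call them.
SENSITIVE_RFC = {"RFC_READ_TABLE", "BAPI_USER_CREATE1",
                 "BAPI_USER_PROFILES_ASSIGN", "SXPG_COMMAND_EXECUTE"}
INTERNAL_HOSTS = {"10.0.1.10", "10.0.1.11"}

# Constructed sample export, one event per line: timestamp|msgid|user|host|detail
SAMPLE_LOG = """\
2024-03-04T09:00:01|AU5|INTEGRATION|10.0.1.11|RFC logon successful
2024-03-04T09:00:02|AUK|INTEGRATION|10.0.1.11|Successful RFC call RFC_READ_TABLE
2024-03-04T09:12:07|AU2|JSMITH|10.0.5.23|Logon failed
2024-03-04T09:12:09|AU2|MJONES|10.0.5.23|Logon failed
2024-03-04T09:12:11|AU2|AKHAN|10.0.5.23|Logon failed
2024-03-04T09:12:14|AU2|BLEE|10.0.5.23|Logon failed
2024-03-04T09:12:20|AU1|BLEE|10.0.5.23|Logon successful
2024-03-04T09:15:00|AUK|BLEE|10.0.5.23|Successful RFC call BAPI_USER_CREATE1
2024-03-04T09:15:01|AU7|BLEE|10.0.5.23|User ZSVC created
2024-03-04T09:18:30|AU5|ZSVC|10.0.5.23|RFC logon successful
2024-03-04T09:18:31|AUK|ZSVC|10.0.5.23|Successful RFC call RFC_READ_TABLE
"""


def parse(log_text):
    """Parse the constructed layout into dicts, sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        ts, msgid, user, host, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "msgid": msgid,
                       "user": user, "host": host, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def sensitive_rfc_from_external(events):
    """AUK: a watch-listed function module called from a host that is not allow-listed."""
    out = []
    for e in events:
        if e["msgid"] == "AUK":
            fm = e["detail"].split()[-1]
            if fm in SENSITIVE_RFC and e["host"] not in INTERNAL_HOSTS:
                out.append({"rule": "sensitive_rfc_external", "user": e["user"],
                            "host": e["host"], "function_module": fm})
    return out


def password_spray(events, window=timedelta(minutes=5), min_users=3):
    """AU2 then AU1: failures for several distinct users from one host, then a success."""
    failures = defaultdict(list)           # host -> [(ts, user)]
    out = []
    for e in events:
        if e["msgid"] == "AU2":
            failures[e["host"]].append((e["ts"], e["user"]))
        elif e["msgid"] == "AU1":
            recent = {u for ts, u in failures[e["host"]] if e["ts"] - ts <= window}
            if len(recent) >= min_users:
                out.append({"rule": "password_spray", "host": e["host"],
                            "tried": sorted(recent), "succeeded_as": e["user"]})
    return out


def new_user_remote_logon(events, window=timedelta(minutes=30)):
    """AU7 then AU5: an account is created and used for an RFC logon shortly afterwards."""
    created = {}                           # new user -> (created_at, creator)
    out = []
    for e in events:
        if e["msgid"] == "AU7":
            m = re.search(r"User (\S+) created", e["detail"])
            if m:
                created[m.group(1)] = (e["ts"], e["user"])
        elif e["msgid"] == "AU5" and e["user"] in created:
            created_at, creator = created[e["user"]]
            if e["ts"] - created_at <= window:
                out.append({"rule": "new_user_remote_logon", "user": e["user"],
                            "created_by": creator, "host": e["host"]})
    return out


def detect(events):
    """Run every rule and return all findings."""
    return (sensitive_rfc_from_external(events) + password_spray(events)
            + new_user_remote_logon(events))


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample the rules chain together into one story: a spray from 10.0.5.23 lands on BLEE, BLEE calls BAPI_USER_CREATE1 from a non-integration host, the new ZSVC account logs on by RFC minutes later and pulls data with RFC_READ_TABLE. Each rule alone is a low-severity alert; correlating them in the SIEM, across SAP and the network logs that show what 10.0.5.23 is, is what makes the incident visible to the SOC.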
SAP offers many business applications using various architectures, including NetWeaver AS ABAP, SAP HANA, SAP Cloud Platform, and SAP Ariba.
The first layer of defense for any of these is the backend system itself, where administrators enforce security settings, define roles and set access requirements. Each architecture has its own considerations, so each SAP solution has different security features; a cloud-based application, for example, has different security requirements from an on-premises one.
In addition to basic system administration and solution-specific security, SAP also offers a number of dedicated security products that can help secure and protect your SAP environment.
SAP Cloud Identity Access Governance is a cloud solution that administrators can use to streamline their governance processes across a small set of SAP solutions. Features include continuous access analysis, user assignment optimization, pre-configured audit reports, and more.
SAP Enterprise Threat Detection (ETD) is SAP's own SIEM-style solution: it uses SAP HANA to process high volumes of security events from SAP systems in real time, detects anomalies and known attack patterns, and helps security teams respond before an attack causes damage or a data breach.
SAP systems use a dedicated kernel API to send logs directly to SAP Enterprise Threat Detection, making it more difficult for attackers to manipulate logs.
SAP Data Custodian is a solution that provides security information for public cloud users, increasing the transparency and credibility of the public cloud.
SAP Governance, Risk and Compliance (GRC) is a set of solutions and products that help you manage resources across your enterprise in a way that minimizes risk, builds trust, and reduces compliance costs. Products such as SAP Risk Management, SAP Process Control, and SAP Audit Management automate GRC activities, improve control and visibility, monitor and enforce risk, and enable GRC through an integrated technology platform.
SAP Identity Management covers the entire lifecycle of a user identity. It lets administrators see who has access to which systems, provides password self-service and role-based provisioning, and offers centralized reporting that helps meet compliance requirements.
SAP Information Lifecycle Management (SAP ILM) can block and delete sensitive data in SAP systems. This is particularly useful for organizations subject to data privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which require companies to delete customer data on request.
SAP EarlyWatch is a health and performance diagnostic tool providing various health and security checks. Administrators can automate SAP EarlyWatch alert reports to help focus their attention. These reports also notify administrators about important configurations and SAP Notes that are not implemented. SAP EarlyWatch is available as part of the SAP Solution Manager system.
Managing security across multiple SAP instances can be challenging, time-consuming, and manual. Without proper security protection, companies expose their customers and themselves to threats that may lead to system outages, data loss, or financial fraud.
With Pathlock, organizations using SAP can automate many of their SAP security processes to protect the whole SAP system landscape. The Pathlock platform provides multiple layers of proactive protection across that landscape.