SAP Security: The Challenge and 6 Critical Best Practices
What Is SAP Security?
SAP security is a critical component of an enterprise’s cybersecurity strategy. SAP security involves protecting critical SAP business systems that the organization depends on to run its core business processes.
Common threats faced by SAP systems include exploitation and fraud, risks to data integrity, unauthorized access, and data leaks. These risks can be addressed with continuous, automated auditing and security monitoring of SAP systems. However, these activities require close involvement of security teams.
Many organizations treat SAP as a silo and rely solely on ERP vendor tools, keeping the SAP environment out of the scope of security teams. This increases the risk of attack. It is important to treat SAP systems as part of the organizational network and maintain centralized monitoring for all critical systems, including SAP.
SAP Security Challenges
Non-secure communication protocols
An SAP environment consists of many components such as S/4HANA, business applications such as SAP ERP, SAP Gateway and Messenger Servers, RFC Gateways, Internet Communication Manager (“ICM”), and SAProuter. These systems use communication protocols such as Remote Function Call (RFC) and HTTP, and many of these use stored login credentials which are not encrypted and have no basic security controls.
SAP environments also tend to be complex. Because there are many different components, each with its own login credentials, users tend to reuse passwords. By compromising one password, attackers can get access to multiple sensitive systems. Even when single sign-on (SSO) is enabled, password logins are still allowed.
Lack of integration with the SOC
Even if your organization has a Security Operations Center (SOC) that monitors IT systems for security breaches, in many cases, SAP applications are not integrated with the SOC. In most organizations, SAP environments are managed as a silo by a dedicated SAP team. In addition, the Security Information and Event Management (SIEM) system might not be configured to monitor SAP logs because they use special, proprietary formats.
Related content: Read our guide to SAP logs (coming soon)
Every SAP system has custom development, reporting, and transactions created by SAP programmers. In many cases, these programmers do not follow secure coding practices, and their code is not tested for security vulnerabilities. This could put critical applications at risk of ransomware, malware, unauthorized access, and other malicious activities.
For example, an ABAP injection can be used to compromise or shut down an entire SAP system via directory traversal vulnerabilities.
As new technologies are introduced, the attack surface of SAP systems grows. Most SAP users today manage hybrid environments with on-premises and cloud solutions, which makes them even more complex to secure.
Critical SAP Security Best Practices
1. Roles and Authorizations
All SAP systems support authentication and authorization, with a special emphasis on separation of duties (SoD), which is important in mission-critical environments.
Avoid giving a combination of permissions to any one individual that could allow them to do damage (for example, individuals should not be allowed to escalate permissions for their own user account). The only exception is “firefighter accounts” with broad permissions, which should be granted temporarily in order to perform urgent maintenance, and then revoked.
In a large SAP environment, it can be difficult to review authorizations to ensure that the SoD principle is maintained. This makes it necessary to perform continuous, automated reviews of SAP authorizations. This can be achieved through SAP tools requiring advanced customization or via third-party GRC tools like Pathlock.
2. Patch Management
Threats addressed by traditional security systems are also valid in SAP systems, in particular known vulnerabilities, zero-day vulnerabilities, and the need to regularly apply security updates.
The challenge facing most SAP teams is not knowing which patches are needed, keeping them up to date, and applying them consistently. Because this is a laborious process, many SAP systems end up staying unpatched for a long period of time, further increasing the risk of potential vulnerabilities.
3. Secure Coding
Secure coding is another key factor in building a secure SAP environment. Secure coding practices are the responsibility of developers. When code is still on a developer’s machine or in a development environment, it is common to overlook security best practices. A code scanning or inspection tool is very important to give developers fast feedback about potential vulnerabilities in their code and transports and show them how to remediate them. Developer education is also essential to make SAP developers aware of important best practices that can prevent cyber attacks.
4. Transaction Monitoring
SAP provides many transactional and functional modules that can be used remotely. This means users can create accounts, grant permissions, and use them remotely through the SAP System API. There are also other building functional modules that can remote load or manipulate data from the SAP system.
It is critical to restrict and carefully control permissions to limit transaction usage. Therefore, it is important to continuously monitor the execution of transactions, RFC modules, or SAP reports in real-time. Any external access to the SAP system through its interfaces should be monitored.
5. System Settings
Secure system configuration is a foundation of SAP security. This can be challenging because there are many configuration options for SAP systems. Most settings are applied at the database level through SAP transactions called SAP Profile Parameters and stored in files. The rollout of an SAP system must comply with a set of system configuration rules described in the SAP Basis operating Manual.
These settings define security settings such as allowing or denying access and which communications are allowed in the SAP system. The settings cover the operating system, application, and database layers. You must configure the security settings correctly for each of these tiers.
Related content: Read our guide to SAP Basis
6. SIEM Integration
With the fundamentals of SAP security addressed, organizations can incorporate SIEM to enhance security beyond standard compliance. In most companies, SAP tools and traditional security monitoring solutions like SIEM remain in separate silos which are not integrated, creating a blind spot for the SOC. It is important to integrate SAP security monitoring into the centralized SIEM to provide visibility and protection across SAP and non-SAP environments.
In reality, it is difficult to integrate SAP systems with standard SIEM because they use non-standard logging and communication protocols. Some SIEM solutions provide specialized plugins for SAP applications, and another option is to use SAP’s own SIEM solution, SAP Enterprise Threat Detection (described below), which can, in turn, integrate with the centralized SIEM.
SAP Security Solutions
SAP offers many business applications using various architectures, including NetWeaver AS ABAP, SAP HANA, SAP Cloud Platform, and SAP Ariba.
Related content: Read our guide to SAP HANA security
The first defense layer for these solutions is the system backend, which allows administrators to enforce security, define roles, and set access requirements. Each has its own considerations, so each SAP solution has different security features. For example, a cloud-based application will have different security requirements from an on-premises solution.
In addition to basic system administration and solution-specific security, SAP also offers a number of dedicated security products that can help secure your SAP environment.
SAP Cloud Identity Access Governance
SAP Cloud Identity Access Governance is a cloud solution that administrators can use to streamline their governance processes across a small set of SAP solutions. Features include continuous access analysis, user assignment optimization, pre-configured audit reports, and more.
Key capabilities include:
Access compliance management
- Perform continuous analytics and leverage real-time insights to help manage access compliance
- Leverage predefined and configurable access policies and rules
- Dynamically update user access as business requirements change
Intelligent assignment optimization
- Assign user access precisely
- Identify business-critical issues using a dashboard-based user interface, visual cues, and analytics-based intelligence
- Dynamically modify access and manage risk using guided remediation
Extended risk management and control
- Extend access control to all users and applications on any devices
- Enable mitigation monitoring and risk remediation processes for separation of duties (SoD) and security for on-premises and cloud-based systems
- Simplify compliance management using pre-configured audit reports
SAP Enterprise Threat Detection
SAP Enterprise Threat Detection (ETD) is a SIEM solution that leverages SAP HANA to handle high-volume security events such as cyberattacks in real-time. It provides insight into how to detect anomalies and can help neutralize attacks and prevent damage to the system environment in the event of a breach.
SAP systems use a dedicated kernel API to send logs directly to SAP Enterprise Threat Detection, making it more difficult for attackers to manipulate logs.
Log correlation and analysis
- Analyze vast amounts of log data and correlate information across the SAP environment.
- Perform forensic threat detection to uncover previously unknown attack variants.
- Integrate custom third-party systems and infrastructure components.
Automated threat detection and alerting
- Use attack detection mode to find threats related to known attacks on SAP software.
- Define attack detection patterns without coding.
- Investigate attacks and issue alerts to human security teams and publish alerts to integrated security systems.
Integrated with SAP solutions
- Threat detection at the application server and database level.
- Integration with SAP solutions across the IT environment
Related content: Read our guide to SAP Enterprise Threat Detection
SAP Data Custodian
SAP Data Custodian is a solution that provides security information for public cloud users, increasing the transparency and credibility of the public cloud.
Policy creation and enforcement
- Create geolocation policies to govern data lifecycles, access, processing, storage, and movement.
- Modify policies easily to respond to changing regulatory requirements in different countries.
Data visibility, alerting, and reports
- Know where and by whom data is accessed, stored, and moved in the public cloud.
- Notify and warn users of policy violations and data violations.
- Receive near-real-time risk and compliance reports.
Independent encryption key management
- Maintain fully independent control over encryption data and keys.
- Maintain separation of encryption keys from cloud providers.
- Decrease the risk of data breaches and unauthorized disclosure of business data.
SAP S/4HANA visibility and control
- Identify and data protection risks in SAP cloud deployments like SAP S/4HANA.
- Monitor risks over time.
- Create context policies to manage access control for SAP Fiori and TCode applications.
SAP Governance, Risk, and Compliance (GRC)
SAP Governance, Risk and Compliance (GRC) is a set of solutions and products that help you manage resources across your enterprise in a way that minimizes risk, builds trust, and reduces compliance costs. Products such as SAP Risk Management, SAP Process Control, and SAP Audit Management automate GRC activities, improve control and visibility, monitor and enforce risk, and enable GRC through an integrated technology platform.
SAP Identity Management
SAP Identity Management is a solution covering an individual’s entire identity lifecycle. This tool allows administrators to determine who is accessing data on the system. It provides users with password self-service capabilities to assist with role configuration. It also offers centralized reporting and helps meet compliance requirements.
Connectivity for on-premises or hybrid deployments
- Leverage tight integration with SAP S/4HANA applications
- Use connectors for third-party applications and SAP
- Integrate with SAP Cloud Identity Services to manage identity lifecycles management hybrid deployments.
User provisioning, approvals, and workflow
- Apply business policies and rules to simplify user access maintenance and assignment across different systems.
- Provision business partners and employees efficiently.
- Establish self-service password synchronization and reset between connected systems.
SAP Information Lifecycle Management
SAP Information Lifecycle Management (SAP ILM) is a solution that can block and delete sensitive data from SAP systems. This capability is particularly useful for organizations subject to data privacy like the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), which require companies to delete customer data when requested.
Data management and archiving
- Manage data volumes without impacting your business environment
- Safely move old data to long-term, low-cost storage
- Ensure easy access to archived data
- Full lifecycle support for unstructured and structured data
- Create data management rules and policies
- Find out your data’s storage location and duration, and when it is destroyed
- Decommission legacy systems and import data from third-party systems and SAP to a central store
- View data after the decommissioning of the original system
- Ensure on-demand access to data
SAP EarlyWatch is a health and performance diagnostic tool providing various health and security checks. Administrators can automate SAP EarlyWatch alert reports to help focus their attention. These reports also notify administrators about important configurations and SAP Notes that are not implemented. SAP EarlyWatch is available as part of the SAP Solution Manager system.
SAP Security with Pathlock
Managing security across multiple SAP instances can be a challenging, time-consuming, and manual process. Without proper security protection in place, companies expose themselves to threats that may lead to system outages, data loss, or financial fraud.
With Pathlock, organizations using SAP can automate many of their SAP security processes to provide 360-degree protection across the SAP system landscape. The Pathlock platform can provide proactive protection, including:
- Vulnerability scanning: run periodic scheduled or ad hoc scans of 1,000’s of rules across SAP instances to identify any known misconfigurations, missing patches, or other risks to be addressed by the business
- Threat detection and response: identify and respond to unusual behavior to remediate threats and reduce risk exposure in real-time
- Code scanning: inspect custom code and transports for any potential performance issues or malicious code that could cause data loss or negative impacts on system performance
- Compliance Reporting: continuously monitor and report on key controls related to application configuration, IT general controls, and other compliance mandates
Interested to find out how Pathlock can help to automate your SAP Security program while keeping your landscape secure and compliant? Request a demo of Pathlock today!