Organizations using SAP as their business application or ERP system often store their most critical assets, including intellectual property, within SAP. This data must be protected against unauthorized access originating from both outside and within the organization, so SAP systems require extensive protection and security monitoring.
What is SAP Security?
There are various aspects to SAP Security, such as infrastructure security, network security, operating system security, and database security. The next layer is secure code, which includes maintaining SAP's standard code and securing custom code. A secure setup of SAP servers is essential: it covers the secure configuration of a server, the enablement of security logging, the security of system communication, and data security. Users and authorizations are no less critical. Overall, it is essential to guarantee system compliance through continuous monitoring, audits, and the establishment of emergency concepts.
What is SAP Security used for and why is it important?
SAP security is often siloed, or a blind spot, within a business's centralized cybersecurity monitoring. It should protect the business-critical systems that organizations rely on to operate effectively.
The most common use cases include:
- Avoiding exploitation and fraud
- Ensuring data integrity
- Identifying unauthorized access
- Continuous and automated audits
- Detecting data leaks
- Centralizing security monitoring
An attack on SAP systems can have a devastating impact on business operations, resulting in both financial and reputational losses. These systems must be protected against internal and external cyber threats in order to maintain confidentiality, availability, and integrity. Despite this, many organizations keep them out of scope for security teams or rely on the ERP vendor's tools alone. This increases the risk of attacks and makes ERP systems, such as SAP, a prime target for adversaries.
How does SAP Security work?
SAP systems are complex and unique by nature, making sufficient cybersecurity challenging to achieve. There are several disciplines to master within SAP security to ensure a sound security posture:
Roles and Authorizations
SAP delivers the necessary authorizations as standard. Customer-specific authorization concepts are then set up in SAP so that only essential permissions are assigned. The assignment of authorization combinations (Segregation of Duties, SOD) is critical: critical combinations of authorizations should be avoided and used or assigned only in exceptional cases, such as with so-called firefighter accounts. A further complication is that authorizations and roles can be manipulated in SAP using SAP standard means.
Examining the necessary authorizations and authorization combinations is therefore of crucial importance and presents companies with significant challenges. The continuous, automated review of SAP authorizations is equally important.
Such checks use a test catalog. Creating one from scratch requires considerable effort, and it must cover not only the authorizations in the SAP Basis area but also business processes. If four- or six-eyes principles are undermined by the assignment of permissions and combinations of permissions, there is a risk of exploitation or fraud.
SOD checks are ideally carried out not only per SAP role but per user, since a user who is assigned several roles may violate a so-called SOD rule through their combination even when no single role does. In addition to evaluating users, it is essential to know which roles ultimately trigger the conflict in combination. The SAP transaction SUIM and its API allow checks of combinations of critical authorizations.
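As an added example (not code from the article or from SAP), the check below shows why a role-level SOD check is not enough and how a user-level check attributes each conflict to the roles whose combination causes it. The role definitions, the two-rule test catalog, the user-role assignments and the business-function names are constructed sample data; in practice the role contents would be read from the system, for instance via the SUIM reports mentioned above, and the catalog would be the organization's own.

```python
"""User-level Segregation-of-Duties (SOD) check.

Added example, not from the article or SAP. All role, catalog and user
data below is constructed; a real check reads role contents from the
SAP system and uses the organization's own test catalog.
"""

# Constructed: the business functions each role grants (stand-ins for
# the authorization objects/values a real role contains).
ROLE_FUNCTIONS = {
    "Z_VENDOR_MAINTAIN": {"vendor_master_change"},
    "Z_PAYMENT_RUN": {"payment_run"},
    "Z_AP_CLERK": {"invoice_entry"},
    "Z_PAYMENT_RELEASE": {"payment_release"},
    # a role that carries a conflict on its own (e.g. a firefighter role)
    "Z_FIREFIGHTER": {"vendor_master_change", "payment_run"},
}

# Constructed test catalog: pairs of functions one person must not hold together.
SOD_CATALOG = {
    "SOD-001": ("vendor_master_change", "payment_run"),
    "SOD-002": ("invoice_entry", "payment_release"),
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "ALICE": ["Z_VENDOR_MAINTAIN", "Z_PAYMENT_RUN"],  # conflict only through the combination
    "BOB": ["Z_AP_CLERK"],                             # clean
    "CAROL": ["Z_AP_CLERK", "Z_PAYMENT_RELEASE"],      # conflict through the combination
    "FF_01": ["Z_FIREFIGHTER"],                        # conflict inside a single role
}


def role_conflicts(role_functions):
    """Role-level check: roles that violate a rule on their own.

    This is what a check 'according to SAP roles' finds; it cannot see
    conflicts that only arise when several roles are assigned to one user.
    """
    return {
        role: sorted(rid for rid, (a, b) in SOD_CATALOG.items() if {a, b} <= funcs)
        for role, funcs in role_functions.items()
        if any({a, b} <= funcs for a, b in SOD_CATALOG.values())
    }


def user_conflicts(user_roles):
    """User-level check: for each user, the rules violated and the roles causing each.

    Returns {user: [(rule_id, [roles that together trigger the rule]), ...]}
    for users with at least one finding.
    """
    result = {}
    for user, roles in user_roles.items():
        findings = []
        for rid, (a, b) in SOD_CATALOG.items():
            roles_a = [r for r in roles if a in ROLE_FUNCTIONS[r]]
            roles_b = [r for r in roles if b in ROLE_FUNCTIONS[r]]
            if roles_a and roles_b:
                findings.append((rid, sorted(set(roles_a) | set(roles_b))))
        if findings:
            result[user] = findings
    return result


if __name__ == "__main__":
    print("role-level findings:", role_conflicts(ROLE_FUNCTIONS))
    for user, findings in user_conflicts(USER_ROLES).items():
        for rid, roles in findings:
            print(f"user {user}: {rid} triggered by roles {', '.join(roles)}")
```

The role-level pass reports only Z_FIREFIGHTER; the user-level pass additionally finds ALICE and CAROL, whose conflicts exist solely because of the roles they hold together, and names those roles so the assignment can be corrected.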
SAP is increasingly affected by security breaches. Threats currently being dealt with in traditional cybersecurity are equally valid for SAP systems. So-called SAP Security Notes are published continuously; the challenge for organizations is to keep their SAP systems up to date and apply the patches continuously, which is not always possible. Many SAP systems therefore remain unpatched for a long time and thus have serious security gaps. To make matters worse, the release of a patch also releases information about where the vulnerability lies and how it can be exploited. Patching is therefore essential, but so is detecting the exploitation of vulnerabilities, including so-called zero-day exploits.
SAP offers a large number of critical transactions and function modules that are also available remotely. It is possible to create accounts via the SAP system's API, equip them with authorizations, and then use them remotely; other building blocks and function modules can then load or manipulate data from the SAP system. Once again, the assignment of authorizations plays a role here, as it restricts the use of these transactions. It is also crucial to monitor the execution of transactions, RFC function modules, and SAP reports continuously and in near real time. Access to SAP systems from outside via an SAP system's interfaces, for example the RFC interface, also needs to be monitored.
SAP Code Security
Code security is also an essential part of SAP security. In SAP systems, it is often left to the developers to ensure the security of the ABAP code. Code is bundled into transports and moved from the development systems to the production systems, often without a sufficient review of the code. SAP also offers attackers interesting options for code injection, as code can even be generated and executed at runtime. The manipulation of important and urgent transports is just one way of moving malicious programs undetected into an SAP system. SAP provides the Code Inspector, with add-ons such as the Code Vulnerability Analyzer, to check the code.
System settings are the basis of SAP security, and the configuration options of SAP systems are numerous. Settings are made at the database level via SAP transactions or through so-called SAP profile parameters, which are stored in files. The rollout of an SAP system must comply with a set of rules for system settings, which can be found in an SAP Basis operating manual. It determines how the security settings of an SAP system are assigned, how access is granted or denied, and which communication of an SAP system is allowed. The operating system, database, and application layers are all relevant here, and each requires proper configuration of its security settings. Unfortunately, these are often insufficient in a standard SAP system.
RFC communication is an important topic. The RFC Gateway can be described as the SAP-internal firewall and needs to be configured precisely, via its reginfo and secinfo access control lists, to prevent unauthorized remote access from systems and applications. SAP best practice guidelines, and guidelines from SAP user groups such as the DSAG, contain practice-tested, security-oriented settings and test catalogs.
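The following added example (not from the article, from SAP or from the DSAG) parses reginfo/secinfo-style gateway access control lists and flags permit rules that are wide open, showing a weak file beside a tightened one for each. It assumes the version-2 line format (a `#VERSION=2` header, `#` comment lines, and `P`/`D` rules made of `KEY=VALUE` pairs matched top-down), treats a keyword that is absent from a rule as unrestricted (a conservative assumption for auditing), and uses constructed sample files with placeholder program, user and host names.

```python
"""Audit of RFC Gateway access control lists (reginfo / secinfo).

Added example, not from the article or from SAP. Assumed line format
(gateway ACL version 2): a '#VERSION=2' header, comment lines starting
with '#', and one rule per line of the form 'P KEY=VALUE ...' (permit)
or 'D KEY=VALUE ...' (deny), matched top-down. A keyword that is absent
from a rule is treated here as '*' (unrestricted), a conservative
assumption for auditing. All four sample files are constructed.
"""

# Constructed samples: a wide-open file beside a tightened one.
WEAK_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

HARDENED_REGINFO = """#VERSION=2
# only the placeholder program EXAMPLE_RFC may register, and only from the
# internal network; it may be used and cancelled from the internal network
P TP=EXAMPLE_RFC HOST=internal ACCESS=internal CANCEL=internal
D TP=*
"""

WEAK_SECINFO = """#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
"""

HARDENED_SECINFO = """#VERSION=2
# only one placeholder program, started by one OS user, on the local host
P TP=/usr/sap/example/bin/backup_tool USER=sapexadm HOST=local USER-HOST=local
D TP=*
"""


def parse_acl(text):
    """Return the rules of an ACL file as dicts: {'line', 'action', KEY: VALUE, ...}."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        fields = {}
        for token in rest.split():
            if "=" not in token:
                raise ValueError(f"line {lineno}: malformed token {token!r}")
            key, value = token.split("=", 1)
            fields[key.upper()] = value
        rules.append({"line": lineno, "action": action, **fields})
    return rules


def audit_acl(text, kind):
    """Findings for one file; kind is 'reginfo' or 'secinfo'. Empty list means nothing found."""
    if kind not in ("reginfo", "secinfo"):
        raise ValueError("kind must be 'reginfo' or 'secinfo'")
    findings = []
    rules = parse_acl(text)
    for r in rules:
        if r["action"] != "P":
            continue
        if r.get("TP", "*") == "*" and r.get("HOST", "*") == "*":
            findings.append(f"line {r['line']}: permits any program (TP=*) from any host (HOST=*)")
        if kind == "reginfo" and r.get("ACCESS", "*") == "*":
            findings.append(f"line {r['line']}: registered program usable from any host (ACCESS=*)")
        if kind == "secinfo" and r.get("USER", "*") == "*" and r.get("USER-HOST", "*") == "*":
            findings.append(f"line {r['line']}: any user from any host may start the program")
    # Best-practice check: end with an explicit deny so the result does not
    # depend on the gateway's default behaviour for unmatched requests.
    if not rules or rules[-1]["action"] != "D":
        findings.append("no explicit final deny rule (e.g. 'D TP=*')")
    return findings


if __name__ == "__main__":
    for name, text, kind in [("weak reginfo", WEAK_REGINFO, "reginfo"),
                             ("hardened reginfo", HARDENED_REGINFO, "reginfo"),
                             ("weak secinfo", WEAK_SECINFO, "secinfo"),
                             ("hardened secinfo", HARDENED_SECINFO, "secinfo")]:
        print(f"{name}: {audit_acl(text, kind) or ['ok']}")
```

The same parser can be pointed at the files an SAP system actually uses; the wildcard checks are the ones that matter most, because a single `P TP=* HOST=*` line effectively switches the gateway's access control off.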
SAP security and read access logs
SAP Security also covers a number of security logs. These need to be switched on and then monitored. The most critical is the SAP Security Audit Log (SM20), which contains a set of security- and audit-relevant events. Change logs of database tables (SCU3) and the so-called change documents of users and business objects (SCDO) are also available. Further logs come from the SAP RFC Gateway (SMGW), the SAP Internet Communication Manager, and the Web Dispatcher.
The SAP Read Access Log stores read and write access to specific fields of transactions, reports, or programs. It is thus an essential component for meeting the obligations of the EU General Data Protection Regulation (GDPR, or DS-GVO in German): the logging of access to personal data. The configuration of the SAP Read Access Log and its evaluation is an essential element of SAP security monitoring, not least in times of GDPR. With this log's help, access to SAP data can be monitored, extracted, and centrally collected, and at best automatically monitored with appropriate rules. The SAP Read Access Log is maintained via the transaction SRALMANAGER.
SAP Security Solutions and tools
While the vendor provides an SAP security solution, it often does not integrate with the rest of the organization’s cybersecurity monitoring. This creates a blind spot for the security team and increases the cyber threat from internal and external actors.
That is why integrating your SAP security monitoring into a centralized SIEM can add significant value in the areas of cybersecurity, IT operations, system compliance, and business analytics. Ideally, these platforms use technologies such as UEBA (User and Entity Behavior Analytics) to gain behavioral insights in addition to rule-based monitoring.
SAP security must be monitored continuously and automatically in SIEM solutions, at a central point in the company, integrated into IT security, and ideally managed by a Security Operations Center (SOC), in order to identify threats and respond immediately.
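To illustrate what the rule-based monitoring described in this section looks like once Security Audit Log events reach a central platform, and what the earlier passage on monitoring transaction execution and remotely created accounts asks for, here is an added example that is not code from the article, from LogPoint or from SAP. The log lines are constructed, in a simplified pipe-separated layout (timestamp, user, terminal, transaction, event ID, message) that stands in for an SM20 export. The event IDs AU1 (logon successful), AU2 (logon failed), AU3 (transaction started) and AU7 (user created) follow the Security Audit Log numbering as the editor understands it; the critical-transaction list and the admin allowlist are assumptions to be replaced with the organization's own.

```python
"""Three detection rules over Security Audit Log-style records.

Added example; not from the article, LogPoint or SAP. The records below
are constructed. Field layout: ts|user|terminal|tcode|event|message.
Event IDs are assumed to follow the Security Audit Log numbering
(AU1 logon ok, AU2 logon failed, AU3 transaction started, AU7 user
created); verify against the SM20 documentation of your release.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-04 08:00:01|JSMITH|WS0142|SESSION_MANAGER|AU1|Logon successful
2024-03-04 08:05:10|JSMITH|WS0142|FB60|AU3|Transaction FB60 started
2024-03-04 09:10:02|MSCOTT|10.0.5.77||AU2|Logon failed
2024-03-04 09:10:09|MSCOTT|10.0.5.77||AU2|Logon failed
2024-03-04 09:10:15|MSCOTT|10.0.5.77||AU2|Logon failed
2024-03-04 09:10:31|MSCOTT|10.0.5.77|SESSION_MANAGER|AU1|Logon successful
2024-03-04 09:12:00|MSCOTT|10.0.5.77|SU01|AU3|Transaction SU01 started
2024-03-04 09:13:40|MSCOTT|10.0.5.77||AU7|User ZBATCH created
2024-03-04 09:20:05|ZBATCH|10.0.5.77|SESSION_MANAGER|AU1|Logon successful
2024-03-04 09:21:00|ZBATCH|10.0.5.77|SE16|AU3|Transaction SE16 started
2024-03-04 10:00:00|BASIS01|ADMIN-PC|PFCG|AU3|Transaction PFCG started
"""

# Assumed watch list: user, role, table-browser and RFC-destination maintenance.
CRITICAL_TCODES = {"SU01", "PFCG", "SE16", "SM59"}
ADMIN_ALLOWLIST = {"BASIS01"}          # assumed: users expected to run them
FAILED_LOGON_THRESHOLD = 3
FAILED_LOGON_WINDOW = timedelta(minutes=5)
NEW_USER_WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse the constructed export into dicts sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, tcode, event, msg = line.split("|", 5)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "user": user, "terminal": terminal, "tcode": tcode,
                        "event": event, "msg": msg})
    return sorted(records, key=lambda r: r["ts"])


def detect_failed_then_success(records):
    """Rule 1: several failed logons from one terminal, then a successful one."""
    alerts, failures = [], defaultdict(list)
    for r in records:
        key = (r["user"], r["terminal"])
        if r["event"] == "AU2":
            failures[key].append(r["ts"])
        elif r["event"] == "AU1":
            recent = [t for t in failures[key] if r["ts"] - t <= FAILED_LOGON_WINDOW]
            if len(recent) >= FAILED_LOGON_THRESHOLD:
                alerts.append(("FAILED_THEN_SUCCESS", r["user"], r["terminal"], r["ts"]))
            failures[key] = []
    return alerts


def detect_critical_transactions(records):
    """Rule 2: a critical transaction started by someone outside the allowlist."""
    return [("CRITICAL_TCODE", r["user"], r["tcode"], r["ts"])
            for r in records
            if r["event"] == "AU3" and r["tcode"] in CRITICAL_TCODES
            and r["user"] not in ADMIN_ALLOWLIST]


def detect_new_user_activity(records):
    """Rule 3: a freshly created account that logs on within NEW_USER_WINDOW."""
    created, alerts = {}, []
    for r in records:
        if r["event"] == "AU7":
            # 'User <NAME> created' is the constructed message layout used above
            created[r["msg"].split()[1]] = (r["user"], r["ts"])
        elif r["event"] == "AU1" and r["user"] in created:
            creator, when = created[r["user"]]
            if r["ts"] - when <= NEW_USER_WINDOW:
                alerts.append(("NEW_USER_LOGON", r["user"], creator, r["ts"]))
    return alerts


def run_all(text):
    """Apply all three rules and return the combined alert list."""
    records = parse_log(text)
    return (detect_failed_then_success(records)
            + detect_critical_transactions(records)
            + detect_new_user_activity(records))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG):
        print(alert)
```

On the sample, the rules raise four alerts: the failed-then-successful logon of MSCOTT, the SU01 and SE16 starts by non-admin users, and the logon of ZBATCH minutes after MSCOTT created it; BASIS01 running PFCG and JSMITH running FB60 stay quiet. In a SIEM the same logic would be expressed as correlation rules, with the allowlist and thresholds maintained centrally rather than in code.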
By Christoph Aschauer, Director, LogPoint for SAP