Beginners guide to SAP Security: Why is it important and how does it work?

Organizations using SAP as their business application or ERP system often store their most critical assets, including intellectual properties within SAP. This data must be protected against unauthorized access originating from both outside and within the organization. SAP systems require extensive protection and security monitoring as business-critical systems.

SAP (Systems Applications and Products) Security is a means to protect your company’s data and systems by monitoring and controlling access both internally and externally. SAP Systems are a type of ERP software used widely by all kinds of businesses across a variety of industries.

There are various aspects to SAP Security, such as infrastructure security, network security, operating system security, and database security. Another layer involves the secure code, which includes maintaining SAP code and security in custom code.

A secure setup of SAP servers is essential to keep your business’s private information safe and out of the hands of cyber attackers. It covers the secure configuration of a server, enablement of security logging, security in terms of system communication, and data security. Users and authorizations are also critically monitored and tracked.

Given the complicated and interconnected nature of SAP systems, there is a lot that goes into maintaining their security. When it comes to SAP Security, here’s an overview of the different aspects involved:

• Infrastructure security
• Network security
• Operating system security
• Database security
• Secure code ABAP/4
• Configuration of a server
• Enablement of security logging
• System communication

When carried out effectively, it’s easy to maintain system compliance with the help of continuous monitoring, audits, and the establishment of emergency concepts.

SAP security is often siloed or a blind spot within the centralized cybersecurity monitoring of a business. And with 66% of business executives feeling that cyberattacks are increasing in frequency around the world, it’s a serious concern.

And so, as a countermeasure to these attacks, SAP security is designed to help protect the business-critical systems that organizations rely on to run their business effectively.

The Most Common Uses of SAP Security Are:

• Avoiding exploitation and fraud
• Ensuring data integrity
• Identifying unauthorized access
• Continuous and automated audits
• Detecting data leaks
• Centralizing security monitoring

An attack on SAP systems can have a devastating impact on the operations of the business, leading to financial losses, supply chain issues, and long-term reputation damage.

To prevent that kind of headache, these systems need to be protected against internal and external cyber threats. That way your company can continue to maintain confidentiality, availability, and integrity.

Despite this, many organizations keep them out of scope for security teams or rely on the ERP vendor tools alone. As you might expect, this dramatically increases the risk of attacks and makes ERP systems, such as SAP, a prime target for adversaries.

Because SAP systems connect different departments and programs together to help you run your business smoothly, they are incredibly complicated. Since they are so complex and unique by nature, this makes it harder to develop proper cybersecurity measures.

According to a study from the University of Maryland, cyberattackers attempt to attack systems every 39 seconds – Protecting them is vital.

Within SAP security, there are several steps you can take to prevent attacks:

First, your SAP systems deliver necessary authorizations as a standard. Customer-specific authorization concepts are set up in SAP, allowing essential permissions to be assigned. The assignment of authorization combinations (Segregation of Duties, SOD) is critical.

The assignment of critical combinations of authorizations should be avoided and only used or assigned in exceptional cases, such as with so-called firefighter accounts. A further complication in SAP security is that authorizations and roles can be manipulated in SAP by SAP standard means.

Therefore, examining necessary authorizations and authorization combinations is crucial and presents companies with significant challenges. Also, it’s crucial to conduct continuous, automated reviews of SAP authorizations.

You can easily do these checks using a test catalog. Creating this from scratch requires effort and is not only relevant for the authorizations in the SAP Basis area, but also for business processes. Suppose 4-6 eye principles are undermined by the assignment of necessary permissions and combinations of permissions. In that case, there is a risk of exploitation or fraud.

SOD-checks are ideally carried out not only according to SAP roles but according to users who may violate a so-called SOD conflict by assigning several roles. In addition to users’ evaluation, you should know which roles ultimately trigger the conflict in combination. The SAP transaction SUIM and its API allow checks of combinations of critical authorizations.

SAP is increasingly affected by security breaches. Threats that are currently dealt with in traditional cybersecurity are also valid for SAP systems. There are continuous publications of so-called SAP Security Notes, however, the challenge for organizations is to keep the SAP systems up-to-date and apply the patches continuously.

Unfortunately, it’s just not always possible.

And so, many SAP systems remain unpatched for a long time and end up with serious security gaps. To make matters worse, with the release of new patches, information is released about where the vulnerabilities are, and how they can be exploited. Not only is patching essential but also the detection of exploited vulnerabilities, so-called zero-day exploits.

SAP also offers a large number of critical transactions and functional modules that are even available remotely. That also means it’s possible to create accounts via the SAP system’s API, equip them with authorizations, and then use them remotely. Other building blocks and function modules can then load or manipulate data from the SAP system.

Once again, the authorizations assignment plays a role here, as it restricts the use of the transactions. And so, it’s vital you monitor the execution of transactions, RFC modules, or SAP reports continuously and in real-time. Access to SAP systems from outside via the interfaces of an SAP system, for example, the RFC interface, will need to be monitored too.

Next up, is code security—an essential part of your SAP security. In SAP systems, it is often left to the developers to ensure the ABAP code’s security. Coding is put together in transports and transported from the development systems to the production systems, but often it’s done without a sufficient examination of the coding.

Worse yet, SAP offers attackers options for code injection as coding can even be generated and executed at runtime. The manipulation of important and urgent transports is just one way of transporting malicious programs into an SAP system completely undetected. Luckily, SAP provides a code inspector, with modules like the Code Vulnerability Analyzer, to check the coding.

Your system settings are the basis of SAP security and there are numerous settings options in SAP systems. Settings are done at the database level by SAP transactions, or so-called SAP Profile Parameters, which are stored in files.  The rollout of an SAP system must comply with a set of rules for system settings, which can be found in an SAP Basis operating manual.

Here it is determined how the security settings are assigned in an SAP system, how access is granted or denied, and which communication of an SAP system is allowed. The operating system, database, and application layers are relevant here. Each of these layers requires proper configuration of the security settings.

Unfortunately, these are often insufficient in the standard SAP system. For instance, in many companies, only 5% of their folders are properly protected.

The RFC Gateway can be described as the SAP-internal firewall and needs to be configured precisely (RegInfo, SecInfo), to avoid unauthorized remote access from systems and applications.

SAP best practice guidelines, or guidelines from SAP user groups such as the DSAG, contain practice-tested and security-oriented settings and test catalogs.

SAP Security also covers a row of security logs. These need to be switched on and controlled at the same time.

The most critical logs are the SAP Security Audit Log (SM20), which contains a set of security and audit-relevant events. Change Logs (SCU3) of database tables are available, and the so-called Change Documents of users and business objects (SCDO). The SAP RFC Gateway Log SMGW carries logs of the RFC Gateway, logs of the SAP Internet Communication Manager, and the Web Dispatcher.

The SAP Read Access Log stores read and write access to specific fields of transactions, reports, or programs. Thereby providing an essential component to meet the obligations under the EU Data Protection Regulation (GDPR or DS-GVO) – the logging of personal data access. 

The configuration of the SAP Read Access Logs and their evaluation is an essential element of SAP Security Monitoring, not least in times of GDPR. With this log’s help, access to SAP can be monitored, extracted, and centrally collected, and at best, automatically monitored with appropriate rules. The SAP Read Access Log is maintained via the transaction SRALMANAGER.

With so much at risk and so much to organize, it’s can be overwhelming to get a plan in motion. So, here’s a quick and easy checklist to help you get started if you’re looking to improve your SAP security.

To keep your data safe you need to conduct a number of different assessments:

• Internal assessment of access control
• Change & transport procedure assessment
• Network settings & landscape architecture assessment
• OS security assessment
• DBMS security assessment
• SAP NetWeaver security assessment
• Assessment of various SAP components (like SAP Gateway, SAP Messenger Server, SAP Portal, SAP Router, SAP GUI).
• Assessment of compliance with SAP, ISACA, DSAG, OWASP standards

After doing these assessments, there are still some other steps you’ll need to take. With a plan in place, you’ll be far ahead of most companies—and cyberattackers. Here is an easy 4 step process to get you started and monitor your SAP security:

1. Align Your Settings: Make sure you have your settings all set up to align with your organizational structure. You should also educate your teams and double-check all security measures in place are being followed.
2. Create Emergency Procedures: In the event of an emergency, you should have a plan in place to address it quickly and effectively. For one, you should be sure your Network Administrators can easily revoke access and privileges as needed.
3. Conduct Housekeeping and Review: Next, you should always be monitoring your SAP Systems. Also, make sure the list of permissions is updated regularly, especially when you have new hires or staff change roles.
4. Use Security Tools: Lastly, it’s crucial to have the right security tools in place to keep tabs on what’s happening and catch any suspicious activity. That way, you can more easily prevent a cyberattack or data breach from happening.

Looking for the right SAP security software? It’s hard to know where to look and who to trust—especially with something so important. At Logpoint we have a security solution that is tailor made to keep business-critical systems secure – BCS for SAP.

While the vendor does technically provide an SAP security solution, it often fails to integrate with the rest of the organization’s cybersecurity monitoring. This creates a blind spot for the security team and increases the cyber threat from internal and external threats.

That is why integrating your SAP security monitoring to a centralized SIEM can significantly add value to your cybersecurity, IT operations, system compliance, and business analytics. Ideally, these platforms use technologies such as UEBA (User Entity and Behavior Analytics) – to get behavioral insights in addition to rule-based monitoring.

SAP security needs to be monitored continuously and automatically in SIEM solutions. At a central point in the company, integrated into IT security, ideally managed by a Security Operations Centers (SOC), to identify threats and respond immediately.