by Sükrü ilkel Birakoglu, Senior Director
SAP Systems had their evolution in years from closed mainframes to client-server-based systems with internet connection. But the perception about SAP Systems did not change in IT-Security Departments and they are still perceived as ‘internal’ or legacy corporate systems. The fact is, SAP Systems are interconnected with each other and besides that, there are many connections from these systems to a supplier’s and customer’s systems, internal and external employees, mobile devices, SAP Technical Support and various networks.
You can assume that, security of SAP Software is the responsibility of the vendor and SAP is secure per-default. This assumption is wrong. Vendors of a specific software are responsible for program errors and architecture errors in software. Security risks which are results of human factors, errors in architecture implementation, misconfiguration of software or missing patch updates are under responsibility of the client. SAP Systems are quite complex business applications and it is not a trivial task to implement, configure, run and patch these systems in the right way. Patching an SAP System can be quite a time consuming task which can lead to stops in the production, for that reason many companies do not patch their systems often although they are aware of security risks they are running into.
Securing SAP systems
IT-Security Departments often assume that SAP Systems are closed black-box systems of which specifics are not very clear to hackers. So, there is an assumed ‘security through obscurity’ for SAP Systems. This assumption is also wrong.
The information about SAP Systems is very widespread and hackers know already that SAP Systems are hosting most valuable business data of companies. SAP Systems are profitable targets for hackers.
If you would just google the text /irj/portal , you could see hundreds of SAP Netweaver Portal LogOn Pages which can be hacked. Just with this simple information, a hacker can start a brute-force attack on the SAP Systems of a company. So, SAP Systems are known by hackers and they are open to attacks like other systems of a company.
Segregation of Duties
Assuming that SAP Security is only about authorizations and segregation-of-duties (SoD) is also another mistake. You can have the best SoD Checks in place but they would be of no use if you don’t patch your SAP Systems or monitor access to them. If a privileged account is compromised by a hacker, they can cause irreparable damage to the system and SoD Checks would be no use in this case.
SAP Systems are managed by SAP Basis Teams. SAP Basis Management does not mean managing SAP Security at the same time. SAP Security is a responsibility of the IT-Security Department. It is important to integrate security monitoring of SAP Systems into general IT-Security Monitoring of a company.
A CISO must know that SAP Systems are open systems which can be hacked and they are hosting very valuable business related data. Failure of SAP Systems can cost a lot of money to a company and securing SAP Systems is also a responsibility of IT Security Departments. In an ideal world, SAP Security Monitoring must be integrated into corporate SIEM and if possible, response playbooks for SAP Security Incidents must be implemented in an integrated SOAR Solution.
If you want more information regarding how you can ensure you secure your SAP systems and applications head over here to the Logpoint BCS for SAP page, or you can check out the Logpoint Converged SIEM and secure all of you business-critical systems by consolidating your security tech stack in one platform.