SAP stands for Systems, Applications and Products in Data Processing. SAP is the market leader in ERP software, and its systems run in companies of all sizes.
Organizations that run SAP as their business application or ERP system usually store their most critical assets in it, including intellectual property. This data must be protected against unauthorized access originating both from outside and from within the organization, so SAP systems need extensive protection and security monitoring.
What is SAP Security?
SAP security has several layers: infrastructure security, network security, operating system security, and database security. The next layer is secure code, which means keeping SAP's own code patched and writing secure custom code. A secure setup of the SAP servers is essential: secure configuration, enabled security logging, protected system-to-system communication, and data security. Users and authorizations are no less critical. Finally, system compliance has to be assured through continuous monitoring, audits, and emergency access concepts.
Why it is important
SAP security is required to protect SAP systems and critical information from unauthorized access in a distributed environment, whether the system is accessed locally or remotely. It covers authentication methods, database security, network and communication security, protection of the standard users (such as SAP*, DDIC and EARLYWATCH), and other best practices for maintaining an SAP environment. In a distributed SAP landscape there is always a need to protect critical information and data from unauthorized access. Human error and incorrect access provisioning must not lead to unauthorized access, so the profile policies and system security policies of the SAP environment have to be maintained and reviewed regularly.
SAP security is often siloed or a blind spot within the centralized cybersecurity monitoring of a business. SAP security should protect the business-critical systems that organizations rely on to run their business effectively.
The most common use cases include:
- Avoiding exploitation and fraud
- Ensuring data integrity
- Identifying unauthorized access
- Continuous and automated audits
- Detecting data leaks
- Centralizing security monitoring
An attack on SAP systems can have a devastating impact on the operations of the business that can result in both financial and reputational losses. These systems must be protected against internal and external cyber threats in order to maintain confidentiality, availability, and integrity. Despite this, many organizations keep them out of scope for security teams or rely on the ERP vendor tools alone. This increases the risk of attacks and makes ERP systems, such as SAP, a prime target for adversaries.
How does SAP Security work?
SAP systems are complex and unique by nature, making sufficient cybersecurity challenging to achieve. There are several disciplines to master within SAP security to ensure a sound security posture:
Roles and Authorizations
SAP delivers standard roles and authorization objects. Customer-specific authorization concepts are built on them so that only the permissions a job actually requires are assigned. The combination of authorizations a person holds is critical (segregation of duties, SoD): critical combinations must be avoided and granted only in exceptional cases, for example through so-called firefighter accounts whose use is time-limited and logged. A further complication is that authorizations and roles can be changed with SAP standard means (transactions such as SU01 and PFCG), so the authorization concept itself has to be protected against manipulation.
Examining which authorizations are really necessary, and which combinations of them are acceptable, is therefore of crucial importance and presents companies with significant challenges. A continuous, automated review of SAP authorizations is equally important.
Such checks use a test catalog of critical authorizations and critical combinations. Creating one from scratch takes much effort, because it is not only relevant for the SAP Basis area but for the business processes (finance, purchasing, HR). If the four-eyes or six-eyes principle is undermined because one person holds both sides of a process, there is a risk of exploitation or fraud.
SoD checks are ideally carried out not only per SAP role but per user, because a user can violate an SoD rule by the combination of several roles, each of which is harmless on its own. In addition to evaluating the users, it is essential to know which roles together trigger the conflict, since that is what the role owner has to change. The SAP transaction SUIM (User Information System) and its underlying function modules allow checks of critical authorizations and their combinations.
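As an added example (not code from the original page), the following script performs the user-level SoD evaluation just described and reports, for every violated rule, the role pairs that create the conflict. The role-to-transaction and user-to-role tables are constructed for the example and only mimic what an extract of AGR_TCODES and AGR_USERS would contain; the rule catalog and its rule IDs are hypothetical.

```python
"""User-level SoD check with role-combination attribution (added example).

Input tables are constructed sample data in the shape of an AGR_TCODES /
AGR_USERS extract; the SoD catalog is hypothetical.
"""

# Constructed sample data: role -> transaction codes it grants (not a real system).
ROLE_TCODES = {
    "Z_AP_INVOICE_ENTRY": {"FB60", "MIRO"},
    "Z_AP_PAYMENT_RUN": {"F110"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_DISPLAY_ONLY": {"FB03", "XK03"},
    "Z_BASIS_USERADMIN": {"SU01", "PFCG"},
}

# Constructed sample data: user -> assigned roles.
USER_ROLES = {
    "JDOE": ["Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"],
    "ASMITH": ["Z_VENDOR_MASTER", "Z_DISPLAY_ONLY"],
    "BASIS1": ["Z_BASIS_USERADMIN"],
    "MJONES": ["Z_VENDOR_MASTER", "Z_AP_PAYMENT_RUN", "Z_DISPLAY_ONLY"],
}

# Hypothetical SoD catalog: two sets of transactions that one person must not
# be able to execute both of. Rule IDs are made up for this example.
SOD_RULES = {
    "AP01 create vendor + pay vendor": ({"XK01", "XK02"}, {"F110"}),
    "AP02 enter invoice + pay vendor": ({"FB60", "MIRO"}, {"F110"}),
    "BC01 user admin + role admin": ({"SU01"}, {"PFCG"}),
}


def user_tcodes(user):
    """All transactions a user can reach through any of the assigned roles."""
    return set().union(*(ROLE_TCODES.get(r, set()) for r in USER_ROLES.get(user, [])))


def roles_granting(user, tcodes):
    """Roles of the user that grant at least one transaction of the given set."""
    return {r for r in USER_ROLES.get(user, []) if ROLE_TCODES.get(r, set()) & tcodes}


def sod_conflicts(user):
    """Return {rule_id: [(role_a, role_b), ...]} for every rule the user violates.

    The check is done per user: a rule is violated as soon as the user reaches
    at least one transaction on each side, even if no single role does. The
    role pairs tell the role owner which combination has to be broken up; a
    single role that covers both sides is reported as (role, role).
    """
    reachable = user_tcodes(user)
    result = {}
    for rule_id, (side_a, side_b) in SOD_RULES.items():
        if not (reachable & side_a and reachable & side_b):
            continue
        pairs = set()
        for ra in roles_granting(user, side_a):
            for rb in roles_granting(user, side_b):
                pairs.add(tuple(sorted((ra, rb))))
        result[rule_id] = sorted(pairs)
    return result


def report(users=USER_ROLES):
    """Only the users that violate at least one rule, with their conflicts."""
    found = {u: sod_conflicts(u) for u in users}
    return {u: c for u, c in found.items() if c}


if __name__ == "__main__":
    for user, conflicts in report().items():
        for rule_id, pairs in conflicts.items():
            print(f"{user}: {rule_id} via {pairs}")
```

In the sample data JDOE and MJONES violate an accounts-payable rule only through a combination of two roles, while BASIS1 violates BC01 through one role; ASMITH is clean. A transaction-level check like this is a first approximation: a real SoD engine (and SUIM) evaluates the authorization objects and field values behind the transactions, because a role can start F110 and still be restricted to display by its activity field.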
Patch Management
SAP systems are increasingly affected by security incidents, and the threats handled in traditional cyber security apply to them as well. SAP publishes SAP Security Notes continuously (bundled on the monthly SAP Security Patch Day), but the challenge for organizations is to keep their SAP systems up to date and to apply the patches promptly, which requires testing and downtime windows and is not always possible. Many SAP systems therefore remain unpatched for a long time and carry serious security gaps. To make matters worse, a published note tells attackers where a vulnerability is and how it can be exploited, so working exploits often follow shortly after the patch. Patching is therefore essential, but so is detecting exploitation attempts: attacks on known vulnerabilities that have not been closed yet, and attacks on vulnerabilities for which no patch exists at all (zero-day exploits).
Transaction Monitoring
SAP offers a large number of critical transactions and function modules, many of which are reachable remotely via RFC. Through RFC-enabled function modules it is possible to create user accounts, assign authorizations to them, and then use them remotely; other function modules can read or manipulate data in the SAP system. Once again, authorization assignment plays a role here, because it restricts which transactions and which remote function modules (checked via authorization object S_RFC) a user may execute. It is also crucial to monitor the execution of transactions, RFC function modules, and SAP reports continuously and close to real time, for example through the Security Audit Log. Access to SAP systems from outside through their interfaces, in particular the RFC interface and the gateway, also needs to be monitored.
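The chain described above (an account created over RFC, given roles, and then used over RFC) is a good candidate for a stateful detection rule. The following is an added example, not code from the original page: the events are constructed and already normalized; the pipe-separated field layout (timestamp, event type, channel, acting user, client host, target) is an assumption of this example and not the native format of the Security Audit Log, so a real deployment needs a mapping step from SM20 output or its files first.

```python
"""Detect 'user created via RFC -> roles assigned -> used via RFC' (added example).

Events are constructed sample data, not real audit records. The field layout
timestamp|event|channel|actor|client_host|target is an assumption made here.
"""
from datetime import datetime, timedelta

# Constructed sample events: a normal onboarding done in dialog by an admin,
# a suspicious remote provisioning chain at night, and an RFC-created user
# that is never used. Hosts and user names are made up.
RAW_EVENTS = """\
2024-03-04T08:55:10|USER_CREATED|DIALOG|ADMIN01|10.0.5.20|NEWHIRE7
2024-03-04T08:56:02|ROLE_ASSIGNED|DIALOG|ADMIN01|10.0.5.20|NEWHIRE7
2024-03-04T09:30:41|LOGON|DIALOG|NEWHIRE7|10.0.7.33|-
2024-03-04T23:12:05|USER_CREATED|RFC|SVC_INTF|203.0.113.9|ZTMP01
2024-03-04T23:12:09|ROLE_ASSIGNED|RFC|SVC_INTF|203.0.113.9|ZTMP01
2024-03-04T23:14:51|LOGON|RFC|ZTMP01|203.0.113.9|-
2024-03-04T23:15:02|FUNCTION_CALLED|RFC|ZTMP01|203.0.113.9|RFC_READ_TABLE
2024-03-05T02:40:00|USER_CREATED|RFC|SVC_INTF|10.0.5.21|BATCHX
"""

# How long after creation the authorization and first use must occur to be
# treated as one chain; an assumption to tune per landscape.
WINDOW = timedelta(hours=1)


def parse(raw):
    """Parse the constructed format into dicts, sorted by time."""
    events = []
    for line in raw.splitlines():
        ts, event, channel, actor, host, target = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "channel": channel, "actor": actor, "host": host,
                       "target": target})
    return sorted(events, key=lambda e: e["ts"])


def detect_remote_provisioning_chain(events, window=WINDOW):
    """One alert per user that was created over RFC, then authorized, then
    used over RFC, all within `window` of the creation."""
    created = {}       # target user -> the RFC creation event
    authorized = set()  # users from `created` that received roles in time
    alerts = []
    for e in events:
        if e["event"] == "USER_CREATED" and e["channel"] == "RFC":
            created[e["target"]] = e
        elif e["event"] == "ROLE_ASSIGNED" and e["target"] in created:
            if e["ts"] - created[e["target"]]["ts"] <= window:
                authorized.add(e["target"])
        elif e["event"] in ("LOGON", "FUNCTION_CALLED") and e["channel"] == "RFC":
            user = e["actor"]
            if user in authorized and e["ts"] - created[user]["ts"] <= window:
                alerts.append({
                    "user": user,
                    "created_by": created[user]["actor"],
                    "created_from": created[user]["host"],
                    "used_from": e["host"],
                    "first_use": e["event"],
                    "at": e["ts"].isoformat(),
                })
                authorized.discard(user)  # report each chain once
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_provisioning_chain(parse(RAW_EVENTS)):
        print(alert)
```

Only ZTMP01 is reported: NEWHIRE7 was created and used in dialog sessions, and BATCHX was created over RFC but never authorized or used. The rule deliberately keys on the channel and on timing rather than on the acting user, because the interface user that creates the account may itself be a legitimate, over-privileged technical user; the alert carries both the creating user and the hosts so the analyst can check them against the interface inventory.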
SAP Code Security
Code security is also an essential part of SAP security. In SAP systems, the security of ABAP code is often left to the developers. Code is bundled into transport requests and moved from the development system to the production system, often without sufficient review. ABAP also offers attackers interesting options for code injection, because code can be generated and executed at runtime (dynamic programming). Manipulating an important, urgent transport is just one way of bringing a malicious program into a production system undetected. SAP provides the Code Inspector, which can be extended with the Code Vulnerability Analyzer to scan code for security defects; running such scans before a transport is released is advisable.
System settings
System settings are the basis of SAP security, and the configuration options of an SAP system are numerous. Settings are kept either in the database and maintained through SAP transactions, or as so-called SAP profile parameters stored in the instance and default profile files. The rollout of an SAP system must follow a set of rules for these settings, usually documented in an SAP Basis operations manual, which defines how security settings are assigned, how access is granted or denied, and which communication of the SAP system is allowed. The operating system, database, and application layers are all relevant here, and each requires proper configuration of its security settings. Unfortunately, the defaults delivered with a standard SAP system are often insufficient and must be hardened.
RFC configuration
RFC communication is an important topic. The RFC Gateway can be described as the SAP-internal firewall and needs to be configured precisely through its access control lists: reginfo defines which external programs may register at the gateway and from which hosts they may be used, and secinfo defines which users and hosts may start external programs. Both must be set up to avoid unauthorized remote access from other systems and applications. SAP best practice guidelines, or guidelines from SAP user groups such as the DSAG, contain practice-tested and security-oriented settings and test catalogs.
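As an added example (not code from the original page), the following checker parses reginfo and secinfo files in the VERSION=2 syntax and flags the permissive patterns an auditor looks for: a permit rule that allows any program (TP=*) from any host, an ACCESS=* entry that lets any host use a registered program, and the absence of an explicit trailing deny-all rule. The sample files are constructed; the weak ones correspond to the wide-open configuration that a missing or unrestricted file amounts to, the hardened ones follow the usual pattern of permitting only local and internal hosts. The IGS entry mirrors the common SAP example; the ZPARTNER_ADAPTER entry and its host are hypothetical. Treating "no matching rule" as deny and the severity wording are choices made for this example.

```python
"""Audit gateway ACL files reginfo and secinfo (added example).

Syntax handled: '#' lines are comments (the first is '#VERSION=2'); each rule
starts with P (permit) or D (deny) followed by KEY=VALUE pairs whose values are
comma-separated and may contain '*', 'local' and 'internal'; rules apply top
down, first match wins. Sample files below are constructed.
"""

WEAK_REGINFO = """\
#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

# Constructed hardened file; ZPARTNER_ADAPTER and 10.0.5.40 are hypothetical.
HARDENED_REGINFO = """\
#VERSION=2
P TP=IGS.* HOST=internal,local ACCESS=internal,local CANCEL=internal,local
P TP=ZPARTNER_ADAPTER HOST=10.0.5.40 ACCESS=internal CANCEL=internal
D TP=*
"""

WEAK_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

HARDENED_SECINFO = """\
#VERSION=2
P TP=* USER=* USER-HOST=internal HOST=internal
D TP=*
"""


def parse_acl(text):
    """Return the rules of an ACL file as dicts with line number, action and fields."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {n}: expected P or D, got {action!r}")
        fields = {}
        for pair in pairs:
            key, _, value = pair.partition("=")
            fields[key.upper()] = [v.strip() for v in value.split(",")]
        rules.append({"line": n, "action": action, "fields": fields})
    return rules


def _any_host(values):
    return any(v == "*" for v in values)


def audit_acl(text, kind):
    """kind is 'reginfo' or 'secinfo'; returns a list of (line, finding)."""
    if kind not in ("reginfo", "secinfo"):
        raise ValueError("kind must be 'reginfo' or 'secinfo'")
    rules = parse_acl(text)
    findings = []
    host_key = "HOST" if kind == "reginfo" else "USER-HOST"
    for rule in rules:
        if rule["action"] != "P":
            continue
        f = rule["fields"]
        # A missing host list is treated as 'any host' by this checker (conservative).
        if "*" in f.get("TP", ["*"]) and _any_host(f.get(host_key, ["*"])):
            findings.append((rule["line"], f"permit for any program from any {host_key}"))
        if kind == "reginfo" and _any_host(f.get("ACCESS", ["*"])):
            findings.append((rule["line"], "ACCESS=* lets any host use the registered program"))
    last = rules[-1] if rules else None
    if last is None or last["action"] != "D" or last["fields"].get("TP") != ["*"]:
        findings.append((len(text.splitlines()), "no explicit trailing 'D TP=*' deny-all rule"))
    return findings


if __name__ == "__main__":
    for name, text, kind in [("weak reginfo", WEAK_REGINFO, "reginfo"),
                             ("hardened reginfo", HARDENED_REGINFO, "reginfo"),
                             ("weak secinfo", WEAK_SECINFO, "secinfo"),
                             ("hardened secinfo", HARDENED_SECINFO, "secinfo")]:
        print(name, audit_acl(text, kind) or "OK")
```

The files are referenced by the profile parameters gw/reg_info and gw/sec_info; gw/acl_mode = 1 makes the gateway fall back to a restrictive default when a file is missing, and gw/reg_no_conn_info further limits registration. The keyword local means the gateway's own host and internal the application servers of the same system, which is why the hardened entries permit only those and end with an explicit deny.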
Security Concepts for SAP
Below are the main Security Concepts in SAP:
- STAD Data
Transaction codes are the front door to SAP's functionality. STAD data (business transaction analysis, transaction STAD) record which user executed which transaction, report or RFC call and when. They do not block access by themselves; they are used to monitor, analyze, and audit transaction usage and to maintain the authorization concept, for example to find unused authorizations that can be removed.
- SAP Cryptographic library
The SAP Cryptographic Library (today delivered as CommonCryptoLib) is the default cryptographic library shipped by SAP. It is used to provide Secure Network Communication (SNC) between SAP server components, that is authentication, integrity protection, and encryption of RFC and DIAG traffic, which are otherwise unencrypted. For front-end components such as SAP GUI, SNC historically required an SNC-certified partner product or SAP's own Secure Login Client.
- Internet Transaction Server (ITS) Security
To make SAP system applications available from a web browser, a middleware component called Internet Transaction Server (ITS) is used. The standalone ITS architecture has built-in security features, such as running the WGate (in the DMZ, next to the web server) and the AGate (in the internal network, next to the SAP system) on separate hosts. The standalone ITS is obsolete; since SAP NetWeaver 6.40 the integrated ITS runs inside the ABAP application server and is protected like any other web access to it, typically behind SAP Web Dispatcher.
- Network Basics (SAPRouter, Firewalls and DMZ, Network Ports)
The basic network security measures for SAP are firewalls and DMZs, restricted network ports, and SAProuter. A firewall is a system of software and hardware components that defines which connections are allowed to pass back and forth between communication partners. SAP Web Dispatcher (for HTTP and HTTPS) and SAProuter (for SAP protocols such as DIAG and RFC) are application-level gateways that filter SAP network traffic; SAProuter decides with its route permission table (saprouttab) which source may reach which target and port.
- Web-AS Security(Load Balancing, SSL, Enterprise Portal Security)
SSL (Secure Sockets Layer), today superseded by TLS, is the standard technology for establishing an encrypted link between a server and a client. The communication partners are authenticated with certificates: the server always presents one, while the client is authenticated only if client certificates (mutual TLS) are configured.
With TLS in place, the data transferred between server and client is integrity-protected, so any manipulation is detected, and it is encrypted. The Enterprise Portal security guide describes how to secure the portal by following these guidelines.
- Single Sign-On
SAP single sign-on lets a user authenticate once and then access multiple SAP systems without entering credentials again, for example via SNC with Kerberos or X.509 certificates, SAML 2.0, or SAP logon tickets. It reduces administrative cost and the security risks of many separately maintained passwords. Confidentiality during data transmission comes from the underlying transport, SNC or TLS, which must be configured alongside the SSO mechanism.
- AIS(Audit Information System)
AIS, the Audit Information System, is an auditing tool that you can use to analyze security aspects of your SAP system in detail. AIS is designed for business audits and system audits. It presents its information in the Audit InfoStructure.
SAP Security Best Practices Checklist
- Network settings and landscape architecture assessment
- OS security assessment where SAP is deployed
- DBMS security assessment
- SAP NetWeaver security assessment
- Internal assessment of access control
- Assessment of SAP components like SAP Gateway, SAP Message Server, SAP Portal, SAProuter, SAP GUI
- Change and transport procedure assessment
- Assessment of compliance with SAP, ISACA, DSAG, OWASP standards
Summary
- SAP Security definition: SAP Security is a balancing act for protecting the SAP data and applications from unauthorized use and access.
- Security Concepts for SAP
- STAD Data
- SAP Cryptographic library
- Internet Transaction Server (ITS) Security
- Network Basics (SAPRouter, Firewalls and DMZ, Network Ports)
- Web-AS Security(Load Balancing, SSL, Enterprise Portal Security)
- Single Sign-On
- AIS(Audit Information System)
- The good thing about SAP security for mobile apps is that most mobile devices are enabled with remote wipe capabilities.
- SAP Security Best Practices
- Network settings and landscape architecture assessment
- OS security assessment where SAP is deployed
- DBMS security assessment
- SAP NetWeaver security assessment