It is essential to improve SAP Segregation of Duties (SoD) Violations Management to ensure that that only users deemed eligible can perform “sensitive” transactions. Read on to know more about it…
System Analysis Program (SAP) systems consist of several components such as
• NetWeaver Application Server (Java & ABAP versions),
• SAP Gateway and Messenger server, RFC gateway,
• Internet Communications Manager (ICM),
• SAP router and more.
The systems use several communication protocols such as DIAG, Remote Function Call (RFC), and HTTP. They often has a large number of interfaces – mostly using RFC. Many of these have stored logon credentials, which are unencrypted and lack basic security controls.
SAP landscapes also tend to be complex with a large number of systems and clients and users often end up reusing their passwords across these systems. It’s also possible that if attackers get hold of one of them, then all the common passwords are compromised.
Even when Single Sign On (SSO) is enabled, password logon is allowed, leaving the backdoor vulnerable and open to intruders. A simple scenario will be for an intruder to get the password hash file from a less secure SAP development system, crack the password (if password is backward compatible) and then use the same credentials to logon to SAP production system. In these circumstances, the SAP system has a number of vulnerabilities, leaving it at risk of cyberattacks, data breaches and other cybersecurity threats.
Security Operations Centre (SOC) monitoring often is not integrated with SAP application level security logs. An organisations’ SIEM solution is often not configured to monitor SAP logs – mostly because they are managed by a different SAP team within the larger IT team, which creates loop holes amongst the security posture of the organisation.
Organisations mostly fail to realise that the known SAP Security Vulnerabilities have increased many times. The attack surface for SAP vulnerabilities has also increased with the adoption of newer technologies, and managing complex SAP environments consisting of on-prem and cloud solutions has become more and more complex.
Being one of the crucial asset of IT landscape for any organisation, it is not surprising that SAP has been on the radar of several hackers looking to exploit these vulnerabilities during this decade than probably its entire lifespan.
So, how do you improve SAP Security?
Performing an SAP cyber security assessment is a good starting point. It is recommended not to go with the traditional focus on just the SAP ERP production system – instead perform an assessment of the entire SAP landscape. Once the security risks and vulnerabilities are identified, identify the ones with high impact but are easy to implement – and go after them first. Have a time-bound and phased approach for the remaining.
Some of the common areas that needs focus are as follows:
• Develop SAP security baseline / standard,
• Mitigate Configuration related security vulnerabilities,
• Defining an ongoing security patching process,
• Secure RFC connections – Unified Connectivity,
• Enforcing Encryption, wherever possible,
• Securing externally exposed parts of SAP – SAP provides multiple options using gateway & messenger server, SAP router and Web Dispatcher,
• Most Important! Create a monitoring mechanism – look-out for attacks and address non-compliance immediately.
If SAP is hosted on the cloud, in general, SAP or the hosting service provider is typically responsible for the hosting and related infrastructure security. The user organisation still remains responsible for the application security.
Contributed by
Kamal Matta, CIO & CISO, Sonic Biochem Ext Pvt. Ltd.
