
Interface Management: The open barn door in SAP

An open secret to which many management teams have so far paid little attention: the lack of control of interfaces in IT system landscapes. It was hardly surprising that interface management was neglected when SAP landscapes were still self-contained IT systems. However, this situation has changed fundamentally.
Ralf Kempf, Pathlock
August 26, 2024
This text has been automatically translated from German to English.

The previously neglected topic of interface management has become a top priority: today's corporate system landscapes are becoming increasingly heterogeneous and complex, not only because of multiple SAP production and development systems but also because of the use of various ERPs and, last but not least, the integration of new cloud structures. The result is a rapidly growing number of interfaces between all of these systems and, with it, a rapidly growing attack surface and a significant threat to the security and compliance of the entire company. Conventional security strategies often do not focus on the systems themselves but mainly on user authorizations. When it comes to interfaces, however, one thing is clear: it is important to review authorizations critically and continuously, but if the IT systems themselves are open like barn doors via their interfaces, this alone is ultimately of little use.


For security reasons alone, it is therefore extremely important to know exactly which systems are connected, who is actually talking to whom, and which development systems or still-active legacy systems also need to be taken into account. To date, however, these connections have hardly been identified, and an undocumented and uncontrolled exchange of data almost inevitably leads to security risks and compliance breaches. Comprehensive interface management is essential to counter this effectively in the future. This new scope is now being addressed by solutions that also make the problem tangible at C-level.

New explosiveness for the management level

Why should decision-makers be concerned with this now? Quite simply because, in the event of a cyberattack, it is the response time that determines the extent of the potential damage. If nobody knows which systems are connected to each other, however, it is impossible to initiate adequate countermeasures. There is therefore a blatant and growing information gap here, which is further exacerbated by multiple ERP systems and by landscapes that extend beyond on-premises, and which harbors considerable risks.

What's more, if data is transferred undocumented via these interfaces, the result is not only a loss of data but also a compliance-relevant and reportable data protection breach. According to SOX guidelines, compliance violations of this kind can result in penalties running into billions for companies traded on the US stock exchange. The mandatory implementation of the new NIS 2 Directive from October will further increase the urgency of interface management in Europe, especially with regard to compliance conformity, and will severely penalize omissions.

The get-clean phase

Companies are therefore faced with the task of making the large number of system interfaces documentable and thus controllable. The SAP standard does not offer a comprehensive and centralized evaluation here; it is of little help and may even create a false sense of security. In particular, trust relationships between systems (SSO and Trusted RFC) are rarely documented, and remote database connections open further uncontrolled security gaps. Here, too, cloud interfaces come into play as an additional dimension.

In order to achieve the best possible protection, it is advisable to implement a two-stage procedure. In the get-clean phase, the first step is to create transparency by analyzing all RFC connections of individual systems, system groups and landscapes. This enables Pathlock Interface Management to determine, without manual effort, which systems are communicating with each other and from which data pool, for example, business partner data is being transported. IT thus receives a usable warning and can react accordingly.

In order to manage interfaces properly later on, it is crucial in the get-clean phase to take an inventory of all system interfaces and analyze which data and function blocks are requested by which endpoints. This is followed by the elimination of security risks through a professionally optimized configuration.
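As an added illustration of the get-clean inventory described above (example code added here, not part of the article and not Pathlock's product code), the script below takes an export of RFC destinations, builds the "who talks to whom" map, and flags the items the text singles out: trusted relationships, stored credentials, targets that are not part of the documented landscape, and inactive destinations. The CSV column names, system IDs, hostnames and the 180-day inactivity threshold are constructed assumptions for this example and do not correspond to any particular SAP export format.

```python
"""Added example: inventory and risk flags for RFC destinations (get-clean phase).

Not the article's or Pathlock's code. The export format below is a constructed
assumption; real exports will need a different column mapping.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export: one row per RFC destination, seen from the calling
# system. "X" marks a set flag, as is common in SAP-style exports (assumption).
SAMPLE_EXPORT = """\
source_sid,destination,target_sid,target_host,trusted,stored_credentials,snc,last_used
PRD,ERP_TO_BW,BWP,bwp.corp.example,X,,X,2024-08-20
PRD,LEGACY_HR,HRL,hr-legacy.corp.example,,X,,2022-11-02
DEV,DEV_TO_PRD,PRD,prd.corp.example,X,X,,2024-08-01
PRD,CLOUD_CRM,C4C,crm.cloud.example,,X,X,2024-08-25
BWP,BW_TO_PRD,PRD,prd.corp.example,,,X,2024-08-24
"""

# The documented landscape (assumption). Anything outside it is "undocumented".
KNOWN_SYSTEMS = {"PRD", "DEV", "BWP", "C4C"}
PRODUCTION_SYSTEMS = {"PRD"}
INACTIVE_AFTER_DAYS = 180  # threshold is an assumption


def parse_export(text):
    """Parse the CSV export into a list of dicts; last_used becomes a date or None."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_used"] = date.fromisoformat(row["last_used"]) if row["last_used"] else None
    return rows


def who_talks_to_whom(rows):
    """Map each calling system ID to the sorted list of systems it has destinations for."""
    graph = defaultdict(set)
    for row in rows:
        graph[row["source_sid"]].add(row["target_sid"])
    return {sid: sorted(targets) for sid, targets in graph.items()}


def assess(rows, today):
    """Return {destination: [flags]} with the risk indicators for each destination."""
    findings = {}
    for row in rows:
        flags = []
        if row["trusted"] == "X":
            flags.append("trusted-rfc")          # trust relationship, rarely documented
        if row["stored_credentials"] == "X":
            flags.append("stored-credentials")   # logon data saved in the destination
        if row["snc"] != "X":
            flags.append("no-snc")               # transport not protected
        if row["target_sid"] not in KNOWN_SYSTEMS:
            flags.append("undocumented-target")  # target outside the documented landscape
        if row["last_used"] is None or (today - row["last_used"]).days > INACTIVE_AFTER_DAYS:
            flags.append("inactive")             # candidate for removal, not for keeping
        # A non-production system trusted by production widens the production attack surface.
        if (row["source_sid"] not in PRODUCTION_SYSTEMS
                and row["target_sid"] in PRODUCTION_SYSTEMS and "trusted-rfc" in flags):
            flags.append("lower-tier-to-production-trust")
        findings[row["destination"]] = flags
    return findings


def prioritised(findings):
    """Destinations ordered by number of flags, most findings first."""
    return sorted(findings.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("Who talks to whom:", who_talks_to_whom(rows))
    for destination, flags in prioritised(assess(rows, date(2024, 8, 26))):
        print(f"{destination:<12} {', '.join(flags) or 'no findings'}")
```

The inactive flag matters as much as the others: a destination nobody has used for months is exactly the undocumented legacy connection the article warns about, and removing it shrinks the set of interfaces that the stay-clean phase has to monitor.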

The stay-clean phase

This phase is about maintaining the now clean operating status. Ideally, this is done in real time by integrating a threat detection tool. The aim is cross-system central control of all interfaces, including a differentiated overview of active and inactive interfaces. Particular attention is paid to checks on highly critical compliance requirements.

Figure: Interface management

While a transparent overview of all incoming and outgoing system interfaces was previously lacking, the Pathlock Suite provides a well-prepared, complete representation in graphical or tabular form and extends it with a real-time scope using Threat Detection. Pathlock Interface Management can also be expanded as required, for example with the new Pathlock development Threat Intelligence.

With this combination of established solutions such as threat detection - supplemented by automated processes with individual reactions tailored to the respective risk situation - access to critical applications is restricted or completely blocked, data fields are precisely masked, downloads are prevented or users with critical behavior are locked out of the system. And all this is done fully automatically and in real time, around the clock.

Last but not least, another strength of Pathlock Interface Management is its unprecedented user-friendliness and visualization, even for the C-level. The intuitive usability enables simple, secure and compliant management of all interfaces out of the box, without the need for in-depth specialist knowledge.


Ralf Kempf, Pathlock

Ralf Kempf is CEO of Pathlock Germany.

