SAP and security - two separate worlds?
Only an integrated cyber defense strategy that takes the entire IT system into account can eliminate potential vulnerabilities and provide reliable protection against threats.
The generally increasing risk to IT security has led to many companies initiating security projects but excluding the SAP world. This is no longer acceptable today, especially as SAP data is usually business-critical.
But what is the reason for the inadequate consideration of SAP security? There are several reasons for this. For example, SAP security is often not on the CISO's IT agenda because it is considered too complex and very specialized.
This is shown by NTT Com Security's experience from numerous customer projects in the areas of information security and risk management. In addition, SAP departments are generally independent units that want to retain their independence and sometimes refuse to allow the rest of IT to exert influence.
In addition, SAP IT departments often lack the necessary security know-how across the board. In the recent past, SAP has launched a number of security products on the market, such as SAP Single Sign-On for secure access to SAP and non-SAP systems or SAP Identity Management for efficient user administration, SAP Access Control for rule- and law-compliant authorization assignment or the Code Vulnerability Analyzer for automatic and manual source code checks.
SAP has developed the SAP Enterprise Threat Detection and SAP Fraud Management solutions for the real-time identification of attacks and attempted fraud. However, the mere availability of these tools does not mean that they are used across the board:
SAP Enterprise Threat Detection, for example, which provides security-relevant evaluation and analysis of security events across the SAP system landscape and was also designed for connection to traditional SIEM systems, is not yet in use at many companies.
But even if individual SAP security tools are used on the company side, one problem remains: Only a fully integrated security solution offers reliable protection; with a patchwork of solutions and isolated solutions, the systems remain vulnerable.
However, inefficient security silos can still be found in many companies. This was also the result of a recent study by Dell, in which 175 German companies took part. A key finding here was that IT security is often organized on an application-specific basis and is the responsibility of different company departments.
Only 23 percent of the companies surveyed have a central IT security department that also includes the distributed application and therefore SAP landscape.
Separate worlds and security gaps
The fact that two worlds often dominate is already evident in a simple topic such as user administration. The status quo in many companies is still that the SAP environment is separate from the rest of IT and authorization concepts are not implemented company-wide.
In almost all companies today, the Microsoft Active Directory (AD) directory service is a central element of the entire infrastructure. AD performs a wide range of tasks that go far beyond the mere administration of user accounts and also include, for example, the authentication and authorization of non-Windows-based systems such as Linux servers or applications. Surprisingly, however, one area is often left out: the SAP infrastructure.
However, integration is only one side of the coin, just as important is the elimination of existing security gaps - and these are frequently found in the SAP world. For example, the activation of encryption or the separation of administrative authorizations is missing.
Often there is also no segmentation of front-end and back-end and a patch management strategy is not in place. Another key problem is that, particularly in the SAP environment, access authorization concepts and change management procedures are often only implemented on a user-related basis - and not from a security perspective.
The challenges are therefore obvious, and SAP itself is also increasingly addressing the topic of security as part of several initiatives. Security expert NTT Com Security is investing in collaboration with SAP in order to be able to offer customers holistic solution concepts.
While SAP is at home in SAP IT, NTT Com Security has both SAP know-how and access to the overarching IT department, which is responsible for company-wide IT security. NTT Com Security can therefore take on a kind of "intermediary role" in matters relating to the security of business-critical data.
The cyber threat to SAP applications can only be reliably averted by integrating them into a company's overall security strategy. This means that it is of fundamental importance that the SAP world is also taken into account as part of security projects and when implementing a holistic cyber defense strategy.
When implementing such a strategy, a sequential approach should be chosen. The starting point is the analysis and risk profiling of the IT landscape, including the SAP environment, with the tool implementation coming at the end of the process chain.
Risk assessment (risk insight) involves classifying all processes and data worthy of protection - including within the SAP world, of course. All further measures must then be based on this as part of an end-to-end cyber defense strategy. The core elements here are the four central cornerstones of prevention, detection, defense and response.
On the one hand, prevention involves infrastructure and network management on the company side, with classic security measures such as perimeter protection with email gateways including spam and malware filters, next-generation firewalls, VPN systems or dynamic sandboxing solutions.
On the other hand, the company-critical (SAP) business applications and data themselves must also be given greater attention and secured accordingly.
The next step is detection, i.e. a comprehensive security analysis with the evaluation of real-time data and proactive monitoring. Efficient monitoring not only covers system logs and alerts, but also includes, for example, behavioral analyses of a company's IT environment, which can be used to detect unusual processes.
An indispensable component of a comprehensive security solution is the ability to detect threats at an early stage, i.e. the use of early detection systems. It is obvious that a company can hardly implement comprehensive protection against cyber attacks completely independently, as the threat situation is too heterogeneous and, above all, too dynamic, and the costs are too high.
This is where SOCs (Security Operations Centers) from Managed Security Services (MSS) providers come into play as proactive defense centers for companies.
Last but not least, a company should also be prepared for the worst-case scenario, a so-called incident, as 100% protection is likely to remain a utopia. This means that an incident response procedure must be established that can be called up in the event of danger and that prevents unwanted data outflow.
One thing should be clear: Hackers do not differentiate between SAP applications and general IT. When implementing a cyber defense strategy, it is therefore important to take a holistic approach that integrates the monitoring and protection of the SAP infrastructure as an important success factor. Only with such a comprehensive concept can an SAP user achieve maximum IT and information security today.
