The global and independent platform for the SAP community.

Security policy and effective solutions

SAP implementations are increasingly becoming the focus of external and internal attackers. Suitable software solutions and comprehensive security strategies effectively implement SAP security.
Mariano Nunez, Onapsis
July 1, 2016
[shutterstock.com:96088493, Dave Clark Digital Photo]
avatar
This text has been automatically translated from German to English.

The prevalence of the Invoke servlet vulnerability in non-updated or misconfigured SAP NetWeaver implementations currently highlights the deficiencies in the security of SAP implementations.

Although a patch was made available by SAP six years ago, there is still evidence of an exploit of the vulnerability at 36 companies in the USA, UK, Germany, China, India, Japan and South Korea as recently as spring 2016.

13 of the affected companies generate more than $13 billion in revenue per year. The vulnerability can allow full unauthorized control of affected SAP systems.

As there should hardly be a lack of will for better SAP security, there seems to be a lack of resources. Remedies are needed: A key component is context-sensitive solutions for inventorying and monitoring vulnerabilities and for detecting and immediately responding to unusual events and accesses.

They enable and require a comprehensive safety process to avoid such mishaps.

A five-point plan helps to set up and implement the SAP security process company-wide:

  1. Break down SAP topology: Analyzing the SAP infrastructure provides an overview of all SAP systems - including those for development and quality management.Automated and continuous topologization shows which business processes a system supports and what information each system stores and processes. Only then can the impact of vulnerabilities be assessed.
  2. Identify and assess risks: The next step is to inventory and assess risks resulting from misconfigurations in the implementation. The assessment is made from industry requirements or corporate security policies. The next step is to prioritize defensive measures.
  3. Stakeholders at the table: Several stakeholders are usually responsible for an SAP infrastructure. However, the dialog is difficult. SAP departments, information security teams, and CISOs and CDOs often do not coordinate their efforts. Business departments focus on the productivity of SAP systems.The C-level may not see that SAP security needs to be a part of the overall IT security strategy. IT security administrators often lack an overview of SAP applications and their data exchanges. Low information exchange and an unclear distribution of responsibilities are the cause of deficiencies in SAP security.The inventory and assessment of risks and vulnerabilities creates the basis for discussion, with which all stakeholders can recognize the problems and responsibilities can now be distributed clearly and fairly.
  4. Define action plan: A joint action plan integrates SAP security into existing security initiatives and also leverages the existing IT security framework. A flexible approach that combines measures to prevent, detect, and defend against threats is a good way to do this. Good criteria for such a security plan are provided, for example, by the CIS (Critical Security Controls) criteria from sans.org. In addition, companies should implement services that provide constant information about current IT security risks, both general and SAP-specific. An important part of the action plan is updating SAP systems with the manufacturer's patches.
  5. Measure progress: The CISO defines the common goals of the company's own SAP security policy and measures progress thanks to continuous assessments of the security situation. Modern technologies provide delta reports that document the changes in the security configuration.

SAP security becomes feasible as soon as technical solutions enable the implementation of a security strategy, which in the next step becomes part of the general IT security of a company.

Currently, companies have a lot of catching up to do, starting with the disputed or non-existent allocation of responsibilities: SAP departments, information security teams, and CISOs and CDOs often fail to act in concert with one another.

Business departments focus more on the productivity of SAP systems. The C-level sometimes fails to see that SAP security must be a component of the overarching IT security strategy.

IT security administrators often lack an overview of business applications and data exchange. An unclear distribution of responsibilities and low information exchange are often the cause of deficiencies in SAP security.

Consistent SAP security policy therefore begins by creating a basis for discussion through continuous assessment and evaluation of risks for all stakeholders. But these results must also be integrated into the general IT security policy.

avatar
Mariano Nunez, Onapsis

Mariano Nunez is CEO at Onapsis.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 20, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.