
Security policy and effective solutions

SAP landscapes are increasingly the target of external and internal attackers. Suitable software solutions combined with a comprehensive security strategy make SAP security achievable in practice.
Mariano Nunez, Onapsis
July 1, 2016
This text has been automatically translated from German to English.

The prevalence of the Invoker Servlet vulnerability in unpatched or misconfigured SAP NetWeaver systems currently highlights the deficiencies in the security of SAP implementations.

Although SAP made a patch available six years ago, there was still evidence in spring 2016 that the vulnerability had been exploited at 36 companies in the USA, the UK, Germany, China, India, Japan and South Korea.

13 of the affected companies generate more than $13 billion in revenue per year. The vulnerability can give an attacker full, unauthorized control of the affected SAP systems.

Since there is hardly a lack of will to improve SAP security, the shortfall seems to be one of resources. A remedy has one key component: context-aware solutions that inventory and monitor vulnerabilities and that detect, and respond immediately to, unusual events and access.

Such solutions enable, and require, a comprehensive security process that prevents incidents of this kind.

A five-point plan helps to set up and implement the SAP security process company-wide:

  1. Map the SAP topology: Analyzing the SAP infrastructure gives an overview of all SAP systems, including those used for development and quality assurance. Automated and continuous topology mapping shows which business processes each system supports and what information it stores and processes. Only with this context can the impact of a vulnerability be assessed.
  2. Identify and assess risks: Next, inventory and assess the risks that result from misconfigurations in the implementation, measured against industry requirements or the company's own security policies, and prioritize defensive measures accordingly.
  3. Bring the stakeholders to the table: Several stakeholders are usually responsible for an SAP infrastructure, but the dialog between them is difficult. SAP departments, information security teams, CISOs and CDOs often do not coordinate their efforts. Business departments focus on the productivity of the SAP systems. The C-level may not see that SAP security has to be part of the overall IT security strategy. IT security administrators often lack an overview of the SAP applications and their data exchanges. Poor information exchange and an unclear distribution of responsibilities are the root cause of deficiencies in SAP security. The inventory and assessment of risks and vulnerabilities creates a basis for discussion on which all stakeholders can recognize the problems, so that responsibilities can be distributed clearly and fairly.
  4. Define an action plan: A joint action plan integrates SAP security into existing security initiatives and builds on the existing IT security framework. A flexible approach that combines measures to prevent, detect and defend against threats is a good way to do this. Good criteria for such a security plan are provided, for example, by the CIS Critical Security Controls documented at sans.org. In addition, companies should use services that provide ongoing information about current IT security risks, both general and SAP-specific. An important part of the action plan is keeping SAP systems up to date with the vendor's security patches.
  5. Measure progress: The CISO defines the common goals of the company's SAP security policy and measures progress through continuous assessment of the security posture. Modern tools provide delta reports that document the changes in the security configuration between one assessment and the next.
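As an added worked example (not code from the article, nor from Onapsis' products), the following Python script shows how steps 1, 2 and 5 fit together: a constructed system inventory supplies the business context, each finding is prioritized by its severity multiplied by the criticality of the system it sits on, and two assessment snapshots are compared into a delta report of new, fixed and unchanged findings. The inventory, weights, check identifiers and findings are all hypothetical.

```python
"""Risk prioritisation and delta reporting across two SAP security assessments.

Added illustration; not code from the article or from Onapsis. The inventory,
weights, check identifiers and findings below are constructed for the example.
"""
from dataclasses import dataclass

# Step 1: topology inventory. Constructed sample; SIDs, roles, business
# processes and data classes are hypothetical.
INVENTORY = {
    "PRD": {"role": "production", "processes": ["order-to-cash", "payroll"],
            "data": ["PII", "financial"]},
    "QAS": {"role": "quality", "processes": ["order-to-cash"], "data": ["financial"]},
    "DEV": {"role": "development", "processes": [], "data": []},
}

# The weights are an assumption of this example, not a published scale.
ROLE_WEIGHT = {"production": 3, "quality": 2, "development": 1}
DATA_WEIGHT = {"PII": 2, "financial": 2}
SEVERITY_SCORE = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Finding:
    sid: str        # system the finding belongs to
    check: str      # hypothetical check identifier
    severity: str   # one of SEVERITY_SCORE


def system_criticality(sid: str) -> int:
    """Step 1 context: how much a system matters, from role, processes and data."""
    system = INVENTORY[sid]
    return (ROLE_WEIGHT[system["role"]]
            + len(system["processes"])
            + sum(DATA_WEIGHT.get(d, 1) for d in system["data"]))


def priority(finding: Finding) -> int:
    """Step 2: the same misconfiguration weighs more on a more critical system."""
    return SEVERITY_SCORE[finding.severity] * system_criticality(finding.sid)


def prioritize(findings):
    """Highest-priority findings first."""
    return sorted(findings, key=priority, reverse=True)


def delta(previous, current):
    """Step 5: delta report between two assessments, keyed by (system, check)."""
    prev = {(f.sid, f.check): f for f in previous}
    cur = {(f.sid, f.check): f for f in current}
    return {
        "new": prioritize(cur[k] for k in cur.keys() - prev.keys()),
        "fixed": prioritize(prev[k] for k in prev.keys() - cur.keys()),
        "unchanged": prioritize(cur[k] for k in cur.keys() & prev.keys()),
    }


def render(report) -> str:
    """One line per finding, grouped by bucket, for a human-readable delta report."""
    lines = []
    for bucket in ("new", "fixed", "unchanged"):
        for f in report[bucket]:
            lines.append(f"{bucket:9} {f.sid} {f.check} ({f.severity}) priority={priority(f)}")
    return "\n".join(lines)


# Constructed findings from two assessments of the same landscape.
PREVIOUS = [
    Finding("PRD", "unpatched_invoker_servlet", "critical"),
    Finding("QAS", "weak_default_password", "high"),
    Finding("DEV", "unpatched_invoker_servlet", "critical"),
]
CURRENT = [
    Finding("PRD", "missing_kernel_patch", "high"),
    Finding("QAS", "weak_default_password", "high"),
    Finding("DEV", "unpatched_invoker_servlet", "critical"),
]

if __name__ == "__main__":
    print(render(delta(PREVIOUS, CURRENT)))
```

The effect of weighting by system criticality is visible in the output: the same hypothetical unpatched_invoker_servlet check scores 90 on the production system and 10 on the development system, and the new, fixed and unchanged buckets are exactly the delta report that step 5 asks for.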

SAP security becomes feasible as soon as technical solutions make a security strategy implementable, and that strategy in turn becomes part of the company's general IT security.

Currently, companies have a lot of catching up to do, starting with the disputed or non-existent allocation of responsibilities: SAP departments, information security teams, CISOs and CDOs often fail to act in concert with one another.

Business departments focus primarily on the productivity of the SAP systems. The C-level sometimes fails to see that SAP security must be a component of the overarching IT security strategy.

IT security administrators often lack an overview of the business applications and their data exchanges. An unclear distribution of responsibilities and poor information exchange are frequently the cause of deficiencies in SAP security.

A consistent SAP security policy therefore begins by creating a basis for discussion for all stakeholders through continuous assessment and evaluation of risks. These results must then also be integrated into the general IT security policy.


Mariano Nunez is CEO at Onapsis.
