The crux with SAP interfaces


SAP system environments are constantly growing and changing. This is due to general market developments, such as globalization, which leads to increasingly complex business processes. Companies are expanding, merging and acquiring other companies. Added to this are new digitization trends, for example cloud computing and Industry 4.0, which require increasingly strong IT networking.
Over the years, this has resulted in heterogeneous system landscapes in many places with up to several thousand data interfaces connecting SAP applications with each other, but also with non-SAP systems.
In addition to the well-known interfaces, there are several that system administrators do not even recognize as interfaces, such as unauthorized downloads of lists via the SAP GUI, direct access to the database or communication with external systems.
Loophole for data thieves
If these interfaces are outdated, incorrectly configured or inadequately protected, they offer hackers attractive gateways to access information. Data thieves, economic spies and saboteurs are then able to copy, change or delete entire data sets and thus falsify the balance sheet result or shut down the SAP system completely.
This can have considerable financial and legal consequences for a company, and its reputation also suffers. The pressure is intensified by increasingly strict statutory data protection laws, such as the new EU General Data Protection Regulation (GDPR), which is mandatory from May 25, 2018.
The EU GDPR standardizes the rules for the processing of personal data by companies and public institutions throughout the EU. These will be obliged to take appropriate technical and organizational measures to protect personal data, for example, against processing by unauthorized persons and against accidental loss.
In addition, the documentation requirements are tightened compared to the previously applicable data protection regulations: for example, the data controller must be able to prove compliance with the EU GDPR. Violations are punishable by fines of up to 20 million euros or up to 4 percent of a company's annual global sales.
Although the risks of unsecured SAP interfaces have long been known, most companies do not have the problem under control - mainly because there is no comprehensive transparency about the existing interfaces.
No central documentation
As a rule, there is no central office that has complete documentation of all interfaces and the data exchanged via them. Often, the departments negotiate the interfaces of their SAP systems directly with the customers, suppliers or system manufacturers without this being included in a cross-company inventory.
Thus, it is hardly possible for companies to continuously evaluate and monitor the current SAP interfaces in order to protect them against possible attacks. Nor are they in a position to comply with the provisions of the EU GDPR, since they do not even know exactly which SAP interfaces are or can be used to exchange personal information at all.
Without this knowledge, however, they cannot prove that they have secured the relevant interfaces in accordance with the state of the art in order to protect the personal data from unauthorized access or accidental leakage.
A lot of effort for manual analyses
To avoid such problems and gain transparency about their interface landscape, some companies already rely on manual analyses of the security-critical parameters of the interfaces and of runtime statistics.
However, these evaluations can usually only be carried out on a random basis, as they are enormously time-consuming. Similar limitations exist in the use of various analysis tools offered on the market.
There are three main reasons for this. First, the existing solutions focus on the evaluation of individual interface technologies, as they can be found side by side in large numbers in an evolved SAP system environment: for example, Remote Function Call (RFC), HTTP, FTP, Java Connector (JCo) and many others.
Anyone who wants to gain as complete an overview as possible of the interfaces currently in use must therefore analyze each technology individually and consolidate the results manually. The time and cost of doing so is also considerable.
Available solutions are not enough
Another disadvantage of the available solutions is that they analyze the interfaces and data flows only locally, i.e., from a single system. However, to obtain as complete a picture as possible of the communication relationships within an SAP system landscape, each interface must be evaluated on both sides.
Many conventional analysis tools focus on just one problem, such as the question of which data is downloaded via the SAP GUI. In each case, clarity about the existing interface landscape is achieved only for a narrow slice of it.
Companies can gain a complete overview with solutions such as Virtual Forge InterfaceProfiler. They can create a model or set of rules for the desired SAP system and interface landscape and compare it with the information collected on an ongoing basis (target/actual analysis).
In the process, the deviations are reported and documented. Starting from a central SAP system, the InterfaceProfiler analyzes the communication relationships of the entire system environment.
The results are presented graphically and logs of the vulnerabilities found, including their criticality, are generated. In addition, suggestions are made for possible improvements to the security and technical design of the interfaces.
With special security functions, it is possible to counter numerous risks in daily system operation at the push of a button, such as blocking authorizations to download results lists in the SAP GUI.
Likewise, copy-and-paste operations on ALV lists can be prevented. The permissions can be displayed clearly and at fine granularity in the cockpit of the InterfaceProfiler, an important requirement for complying with the GDPR.
A monitoring component provides information about interfaces that are still technically functional but have not been used for some time. In addition, the usage intervals of interfaces that are still in use can be determined and unauthorized, unscheduled interface activities can thus be identified. All events are logged extensively and can be actively reported.
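The target/actual comparison and the stale-interface monitoring described above, as an added example that is not code from the original article or from the InterfaceProfiler product. The approved-interface model, the log record format and the usage log are constructed for illustration; the severity mapping is an assumption of this example.

```python
from datetime import datetime, timedelta

# Constructed target model: approved interfaces keyed by (technology, system, destination),
# with whether personal data flows over them and the hours (start, end) in which use is scheduled.
APPROVED = {
    ("RFC", "PRD", "SUPPLIER_EDI"): {"personal_data": False, "window": (6, 22)},
    ("HTTP", "PRD", "HR_PAYROLL_API"): {"personal_data": True, "window": (8, 18)},
    ("FTP", "PRD", "ARCHIVE_DROP"): {"personal_data": False, "window": (0, 24)},
}

# Constructed usage log collected from the central system: timestamp;technology;system;destination;user
USAGE_LOG = """\
2018-03-01T09:15:00;RFC;PRD;SUPPLIER_EDI;BATCH_EDI
2018-03-02T03:40:00;HTTP;PRD;HR_PAYROLL_API;JDOE
2018-03-03T10:00:00;JCO;PRD;LEGACY_WAREHOUSE;WMS_SVC
2018-03-03T11:30:00;RFC;PRD;SUPPLIER_EDI;BATCH_EDI
"""


def parse_log(text):
    """Turn the semicolon-separated log into records with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        ts, tech, system, dest, user = line.split(";")
        records.append({"ts": datetime.fromisoformat(ts), "interface": (tech, system, dest), "user": user})
    return records


def compare(approved, records, now, stale_after=timedelta(days=14)):
    """Target/actual comparison: report unknown, off-schedule and stale interfaces with a criticality."""
    findings, last_seen = [], {}
    for rec in records:
        key, ts = rec["interface"], rec["ts"]
        last_seen[key] = max(last_seen.get(key, ts), ts)
        rule = approved.get(key)
        if rule is None:  # actual traffic with no entry in the model
            findings.append({"severity": "HIGH", "kind": "UNKNOWN_INTERFACE", "interface": key, "when": ts})
            continue
        start, end = rule["window"]
        if not start <= ts.hour < end:  # unscheduled activity on a known interface
            sev = "HIGH" if rule["personal_data"] else "MEDIUM"
            findings.append({"severity": sev, "kind": "OUT_OF_WINDOW", "interface": key, "when": ts})
    for key in approved:  # model entries that are technically live but no longer used
        seen = last_seen.get(key)
        if seen is None or now - seen > stale_after:
            findings.append({"severity": "LOW", "kind": "STALE_INTERFACE", "interface": key, "when": seen})
    return findings


def run_example(now=datetime(2018, 3, 10)):
    return compare(APPROVED, parse_log(USAGE_LOG), now)


if __name__ == "__main__":
    for f in run_example():
        print(f["severity"], f["kind"], "/".join(f["interface"]), f["when"])
```

Unknown interfaces are the ones a cross-company inventory is missing; stale ones are candidates for deactivation so they stop being an unused entry point.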