The global and independent platform for the SAP community.
IT Security Column, Mag 22-10

Why we need a NextGen of SAP Security

Defending against cyberattacks on SAP systems means more than just protecting the ERP system alone. The threat potential of networked companies and hybrid SAP landscapes requires a holistic approach.
Christoph Nagy, SecurityBridge
21 December 2022
Content:
it security header
avatar
This text has been automatically translated from German to English.

It all depends on the combination

Anyone who wants to adequately detect attacks on SAP systems today and defend against them at an early stage - in other words, increase their resilience - must consider application and network security at the same time. Only then can next-generation SAP security be created. SAP is no longer a monolithic block. User-centric devices and IoT devices interact with SAP and third-party applications, which sometimes run in the cloud, sometimes on-premises. 

SAP refers to such interwoven hybrid ERP landscapes when it talks about the "intelligent enterprise. So things are getting more complex, and that doesn't make things any easier for security managers. As a result, the IT landscape becomes opaque and the risk of a security gap being overlooked (even existing for a long time) increases. To the same extent, the risk of a successful attack also increases. The number of potential entry points has simply become much larger.

Security managers need an open and scalable security architecture that keeps pace with the growing attack surface and provides a high level of protection against internal and external attacks. Security for hybrid IT landscapes must be based on a multi-layered structure, built like layers of an onion. The individual components in it work together intelligently, absorbing as well as compensating for attacks and evaluating all the information needed to assess an incident. Ideally, these functions would all be available in one platform. Until now, lines of defense have tended to exist in isolation and have not been interconnected. Today, you can't get very far with this traditional security approach. In the next generation, intelligent components integrate and share information to assess incidents. An intelligent firewall detects and blocks attacks on SAP by examining data packets and intercepting dangerous payloads in TCP/IP traffic.

Virtual patching of SAP security vulnerabilities can take place at the infrastructure level; in this case, the attempted attack of an already published SAP vulnerability is detected by a NextGen firewall and redirected or blocked even before the attacker reaches the valuable SAP system. This approach is particularly recommended when highly critical SAP security advisories (SNotes) cannot be implemented in a timely manner because systems are too complex for rapid patching or the testing effort would be too high in the short term.

In any case, companies must always assume that every application (and therefore every SAP system) contains serious security vulnerabilities that cannot be closed because no patch is available - the infamous zero days. The more comprehensive the understanding of what is considered an SAP attack surface (not just the ERP alone), the lower the risk of zero days being exploited - and the higher the resilience. A core feature of NextGen SAP Security is therefore the growing role of network security within a holistic SAP protection. All components for securing SAP systems work together intelligently and automatically. Cyber attacks on SAP systems can be detected at a higher level and defended against if necessary. If this is not possible, the following security layers are at least informed about an incident so that the next line of defense is forewarned and can act effectively. Cybersecurity is a team sport - not only on the side of the attackers, but especially within the lines of defense.

Classic authorization concepts no longer offer sufficient protection in hybrid landscapes and can therefore only be regarded as part of SAP security. There is more to it than that: hardening and monitoring of configuration slots, regular security updates, checking customer developments for problematic code, checking the transport system, and seamless security monitoring.

SecurityBridge

avatar
Christoph Nagy, SecurityBridge

Christoph Nagy is Managing Director at SecurityBridge


All articles of the author

Write a comment

The Hackett Group has recognized Esker in the area of C2C Receivables

Rackspace Technology launches UK Sovereign Services

August-Wilhelm Scheer Institute and BAD Gesundheitsvorsorge und Sicherheitstechnik: The future of healthcare

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork. All information about the event can be found here:

SAP Competence Center Summit 2024

Venue

Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Regular ticket:

€ 590 excl. VAT

Venue

Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024

Tickets

Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.