Confusing terminology isn’t exactly uncommon in the SAP world, but the term “SAP security” sounds pretty straightforward. Outsiders often either assume it covers all the threats against your SAP system, or that it focuses on defeating outsider threats, such as hackers.
Neither assumption is true. SAP security actually focuses on insider threats. It’s the set of tools and practices that implement your GRC rules, reducing risks such as fraud, theft, vandalism, and record keeping errors.
When your company creates a role, the SAP security administrator makes sure that it doesn’t combine tasks that pose a Segregation of Duties (SoD) risk. For example, they make sure that when one worker claims expenses, someone else approves them, providing a check against fraudulent expense claims. When a new employee joins the company, or an existing employee is assigned new jobs, the SAP administrator makes sure there are no SoD conflicts, gathers whatever approvals are required, and gives the worker the necessary access.
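The two checks just described, a role-level SoD check and an assignment-time check that only flags conflicts a new role would introduce, as an added Python example that is not SAP's or Symmetry's code; the rule set, role names such as Z_AP_CLERK, and task names are all constructed for illustration:

```python
"""Segregation-of-duties (SoD) check over role definitions and user assignments.
Added example for this article, not SAP GRC or ControlPanelGRC code; every rule,
role, task and user name below is constructed for illustration."""

# Constructed SoD rules: each task pair must not be held by one person.
SOD_RULES = {
    frozenset({"CLAIM_EXPENSE", "APPROVE_EXPENSE"}): "self-approval of expenses",
    frozenset({"CREATE_VENDOR", "PAY_VENDOR"}): "fictitious vendor payment",
    frozenset({"MAINTAIN_ROLES", "ASSIGN_ROLES"}): "self-granted access",
}

# Constructed role definitions: role name -> tasks (transactions) it grants.
ROLES = {
    "Z_AP_CLERK": {"CLAIM_EXPENSE", "CREATE_VENDOR"},
    "Z_AP_MANAGER": {"APPROVE_EXPENSE", "PAY_VENDOR"},
    "Z_SEC_ADMIN": {"MAINTAIN_ROLES", "ASSIGN_ROLES"},
}

def role_conflicts(tasks, rules=SOD_RULES):
    """Role-level check: names of rules violated within a single task set."""
    return sorted(name for pair, name in rules.items() if pair <= tasks)

def user_conflicts(user_roles, role_defs=ROLES, rules=SOD_RULES):
    """User-level check across the combination of a user's roles.
    Returns (rule name, {task: [roles granting it]}) so a reviewer sees which
    role supplies each side; two individually clean roles can conflict together."""
    violations = []
    for pair, name in rules.items():
        granting = {t: [r for r in user_roles if t in role_defs.get(r, set())]
                    for t in sorted(pair)}
        if all(granting.values()):          # every task in the pair is reachable
            violations.append((name, granting))
    return violations

def check_assignment(current_roles, new_role, mitigated=()):
    """Pre-provisioning check: simulate adding new_role and report only the
    conflicts it newly introduces that lack an approved mitigating control."""
    before = {name for name, _ in user_conflicts(current_roles)}
    after = user_conflicts(list(current_roles) + [new_role])
    return [(name, g) for name, g in after
            if name not in before and name not in mitigated]

if __name__ == "__main__":
    for role, tasks in ROLES.items():
        print(role, "role-level conflicts:", role_conflicts(tasks))
    print("clerk + manager:", check_assignment(["Z_AP_CLERK"], "Z_AP_MANAGER"))
```

The per-role check passes both Z_AP_CLERK and Z_AP_MANAGER, yet assigning both to one user trips two rules; this is why the check has to run at assignment time, not only when a role is built.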
However, SAP security doesn’t protect your landscape from external attacks — that falls under cyber security (the term cloud security also applies, if you’re in the cloud). Your SAP landscape is massive, and bad actors are constantly on the lookout for weaknesses. A single unpatched vulnerability, misconfigured application, or even a forgotten default password could breach your most closely-guarded secrets. Combining SAP and cloud security into a single, comprehensive approach is a central challenge all enterprises face.
Staying Ahead of Cloud Security Threats
SAP vulnerabilities can go undetected for years before they’re discovered. For example, Onapsis recently discovered critical cyber security vulnerabilities affecting the TREXnet protocol that SAP HANA® TREX servers use to communicate with each other. These vulnerabilities could have given hackers the power to steal or vandalize data, or even take control of the system. And some of them couldn’t even be patched: they required admins to change the way the SAP landscape was configured.
Your security depends on fixing the problem quickly, but your overburdened SAP team may not have the time to apply every critical patch, or the know-how to spot configuration issues. And even if they do, they probably aren’t on the lookout for cloud security threats that compromise SAP indirectly. Attackers can exploit non-SAP cyber security vulnerabilities to target your users’ devices, email accounts, or applications. A user clicking on a single infected link in social media can give a hacker access to their computer, allowing the attacker to steal their login credentials and mount an attack.
For most organizations, basic SAP security is a huge challenge, and many don’t even understand what they face in the realm of cloud security. Implementing a system that can adequately mitigate both internal and external threats requires a massive transformation.
Why Companies Struggle With SAP Security
SAP security seems like it should be easy. You have control over your landscape — you can configure your business logic, supervise your users, assign responsibilities in a way that minimizes risks, and give your SAP administrators as much power as they need to enforce the rules.
But in reality, companies struggle with SAP security issues constantly. They fail audits and even find reporting to auditors challenging. They can’t spot SoD conflicts or suspicious behavior. Their approval processes don’t provide adequate oversight, or else they impose costly delays. And no matter how hard they try, they’re always one crooked employee or tough auditor away from a big problem.
- Outdated security approaches hold companies back. In most ERP landscapes, security is treated as an afterthought, and many companies have security models burdened by decades of neglect. As the company has grown and changed and the landscape has evolved to keep up with it, their SAP security model hasn’t been kept up to date. Controls have been applied inconsistently or slipped by the wayside, leaving behind undetected SoD conflicts, missing approval processes, and an improperly configured SAP system itself.
This problem is severely exacerbated by outdated technology. Many sophisticated enterprises still use primitive, document-centric review processes which require compliance staff to pore over spreadsheets or even paper records to detect and remediate SAP security issues. As security changes are poorly documented or inconsistently applied, the problem gets worse, until just gaining a basic understanding of the SAP security model can become a major undertaking.
- Many organizations don’t handle approvals efficiently. Security and compliance processes require approvals. You need signoffs on various financial reports and transactions as part of SoD and mitigating controls, on changes to the SAP system, and for exceptional processes like emergency access management.
All of these signoffs need to be done in a timely manner that allows careful review without getting in the way of productivity. For enterprises, that can be a major challenge. Items or entire processes slip through the cracks, missing or delayed approvals lead to lost opportunities and decreased productivity, workers sign off without the authority to do so, and various stakeholders waste lots of time and energy chasing signatures.
Outdated technology makes the problem worse. It’s one thing to have a supervisor review a set of transactions and give a signoff when the computer has already combed through the records. It’s quite another to have them manually review 1,000 pages of transactions every quarter.
Beyond inefficiency, this causes real risks. With outdated processes and inconsistent approvals, businesses risk data loss, theft, and fraud — not to mention big compliance penalties, damage to their reputation, and legal liability.
Why Companies Struggle With Cloud Security Issues
As a platform used by many of the world’s most powerful corporate and government organizations, SAP is an attractive target to both cybercriminals and state-backed hackers. In 2015, a breach of USIS — a government organization that provides background checks for federal employees — by Chinese hackers compromised the background info of 48,000 federal employees using an SAP exploit.
In 2016, another SAP vulnerability gave attackers access to at least 36 organizations worldwide. Hackers had gained “unauthenticated remote access to affected SAP platforms, providing complete control of the business information and processes on these systems, as well as potential access to other systems.”
SAP cloud security experts are aware of the dangers. In a study of over 600 SAP security professionals, the Ponemon Institute found that 65% had suffered a breach in the last 24 months (at an average cost of $4.5 million!).
A full 92% said future SAP breaches could be anywhere from serious to catastrophic, but barely half believed they’d be able to detect one promptly: a full 47% said they were “not confident” or had “no confidence” their organization could detect a future breach within a year. But despite efforts to combat SAP cloud security risks, organizations keep falling to attackers year after year. Here are a few of the reasons:
- SAP teams don’t perform necessary maintenance. Both the attacks discussed above had two things in common: they were discovered by Onapsis Research Labs, and they involved known vulnerabilities. In the attack that affected 36 companies, the hackers were using an exploit that had been known for 5 years! And if you think “my company is better than that,” think again. Onapsis Research Labs found that over 95% of SAP landscapes they assessed “were exposed to vulnerabilities that could lead to full compromise of the company’s business data and processes.”
Typically, companies either fail to patch regularly, or have a patching schedule that exposes them to risk. When an SAP patch is released, hackers immediately use it to try to figure out how to exploit the vulnerability. If a company takes 6 months to deploy that patch, it gives the bad guys more than enough time to exploit the vulnerability.
- Organizations have poor information or priorities. When companies don’t understand what SAP security does and doesn’t do, they don’t invest in adequate cloud security controls. They don’t invest in auditing and strengthening their external controls. This can be exacerbated by other misunderstandings, such as the belief that staying on premise or migrating to SAP HANA makes them safe.
They may also believe their infrastructure keeps them secure, and they don’t invest in detection and response. When a hacker finds a way around their security (and a determined hacker always will), there’s no one watching to detect and neutralize the threat.
- The complexity of cloud security is a major challenge. Attackers don’t have to hack their way through the heavily-secured front door; they can usually find an easier way in through the back. For example, an attacker may start in a lower-security development landscape, or enter through a supplier or customer portal, then pivot to production.
- Malicious attackers can receive insider assistance. Sometimes, an insider is actively in league with a cybercriminal, but more often, the problem is carelessness or lack of security awareness. An insider may click on unsafe links or download contaminated files, reuse passwords, lose control of a device while it’s logged in, and compromise cloud security in innumerable other ways.
Solving the Problem Requires a Complete Managed SAP and Cloud Security Solution
The right solution has to merge three considerations: SAP GRC, SAP security, and cloud security. An SAP managed security services team can tackle the first two, working with you to set GRC policies, dramatically simplifying your SAP security model to meet those policies, and taking care of daily security tasks, provided they offer sufficient support.
However, a lot of companies fall down when it comes to cloud security solutions. Here are just a few of the things your cloud security team needs to be able to do:
- Continuously scan for vulnerabilities.
- Monitor user activity and compliance.
- Apply patches quickly.
- Fix other problems with the SAP platform, such as configuration issues.
- Use advanced threat intelligence to anticipate and address risks before attack.
If there is suspicious activity that may indicate an attack, your cloud security team needs to be able to spot and neutralize the threat immediately. That means eyes-on-glass monitoring and incident response, 24/7/365 — which means a lot of hours on the clock just waiting for something to go wrong. Add in periodic security reviews, change management, training and retaining staff, and coordinating with SAP security and management to spot and address insider threats, and you need a regular security army to keep up. That’s way more than a typical SME can address internally.
Even with outsourcing, it can be a huge challenge to piece together an entire SAP cloud security and GRC solution from vendor offerings. And if you do manage to put together software, monitoring tech and expertise, there’s no guarantee that your ad hoc vendor portfolio will be able to work as a team. That creates a risk of security vulnerabilities falling through the cracks, and could undermine your ability to neutralize a threat before it leads to a major data security breach. When every moment of delay means lost data, you need a team that works as an extension of your company.
Symmetry and Onapsis: Complete Security Coverage For SAP
As a leading SAP application hosting provider, Symmetry brings deep expertise in SAP security services and GRC to the table. With ControlPanelGRC, winner of the prestigious GRC 20/20 award, we’ve helped companies like Carlisle Construction Materials (CCM) overcome severe and previously intractable internal security issues, turn passing audits into a low-stress, routine process, and reduce their costs (CCM cut 80% off their SAP security consulting costs, and 75% off annual SAP security administration).
To bring you a complete SAP cloud security solution, we’ve partnered with Onapsis, an industry leader in security. Onapsis doesn’t just find new SAP vulnerabilities like the ones discussed above — they also offer the first comprehensive SAP cybersecurity solution: the Onapsis Security Platform.
Together with Onapsis, Symmetry can provide complete protection against both internal and external threats in a single SAP managed cloud platform. Symmetry keeps your system internally secure and compliant, handling duties like SoD, user provisioning, and emergency access management.
Onapsis takes care of cloud security risks, handling everything from patching, to detecting and repelling threats in real time, to avoiding future attacks with advanced threat intelligence. Sophisticated monitoring joins the two halves together, allowing us to detect and repel complex threats involving both inside and external threat actors.
To learn more about how we provide complete SAP and cloud security, watch our webinar, Secure HANA in the Cloud | Mitigating Internal and External Threats, or contact us.