SAP was founded in 1972 and is the market leader in enterprise application software and also a leader in analytics and business applications. Christian Klein, CEO of SAP, envisions SAP solutions becoming the foundation for the “intelligent enterprise” of the future. According to SAP’s webpage, the company has more than 425,000 customers in more than 180 countries.
SAP’s enterprise applications are used by businesses to execute sales, billing, and human resource-related tasks. An unplanned outage due to a cyber incident puts the business at risk and creates costs for every minute of downtime. Leakage of confidential data may even cause reputational damage. Security departments, led by the CISO, have understood the criticality of such systems. Top auditing firms have educated their audit experts with equivalent knowledge so they can address the risk potential to the Board, or to the Risk Management function led by the CRO.
Once an organization decides to enhance the cybersecurity strategy protecting enterprise critical applications like SAP ERP, SAP CRM, SAP APO, etc., the security team demands the same as for “regular” IT security:
- State of the art vulnerability management
- Threat detection/security monitoring, and sometimes integration with an established SIEM solution (Splunk, MS Sentinel, IBM QRadar, ...)
- Custom code security
As in general IT security, specialized solutions for each of these areas are also available for SAP systems. Sometimes those solutions are provided by third-party companies, but some tools are also available from SAP itself.
Selecting a specialized solution for each dimension of SAP security, however, has many limitations. Individual solutions are hardly interconnected, and where they are, customers need to plan simultaneous update and maintenance cycles to avoid version dependency conflicts. Each solution requires a dedicated level of know-how to understand its architecture and to maintain its configuration.
Specifically, with SAP systems, which are accessed by heterogeneous user groups, connected to both legacy and other SAP systems, a holistic approach is required to gain insight into potential risks and to offer full transparency of the security posture of each system, and its interconnectivity, as well as of the entire SAP landscape. Deploying a holistic approach over specialized individual solutions offers three main benefits.
- Context information can be considered and integrated very easily. Many custom applications, for example, contain security weaknesses such as missing authorization checks. This vulnerability will be picked up by any code security scanner. However, whether this vulnerability can be exploited depends on other security areas, such as configuration settings or the role and authorization concept. A holistic security solution will analyze the interconnectivity impact for those contextual settings and rate or categorize the security weakness accordingly. In contrast, if using specialized solutions, this would either need to be custom-made or involve significant effort to integrate those solutions. This leads to another benefit of holistic security solutions, namely:
- A centralized dashboard showing the security status of each system as well as of the entire SAP system landscape is part of a holistic security solution for SAP. The standard SAP tools unfortunately don’t offer this functionality, and specialized solutions provide dashboards only for their particular security area. Only a comprehensive solution covering all relevant security areas is capable of providing a 360-degree view of the security posture of an entire SAP system landscape.
- Best practices and standards for cybersecurity are based on processes rather than technological areas. The NIST framework, for example, which also serves as the reference for all security-related developments from SAP itself, is built around the five functions identify, protect, detect, respond, and recover. Each of these functions touches many security areas. Enabling those best practices across all technological areas therefore requires a solution that also works across those technological areas.
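To make the "missing authorization check" weakness from the first point concrete, here is an added ABAP example (not code from the page or from any SAP product). The report name ZCUST_DISPLAY, the custom table ZCUSTOMER_DATA and the message text are hypothetical; the authorization object S_TABU_NAM and its fields TABLE and ACTVT are standard SAP objects.

```abap
REPORT zcust_display.
" Hypothetical custom report that lists rows of a hypothetical
" customer table ZCUSTOMER_DATA (both names are assumptions).

DATA lt_customers TYPE STANDARD TABLE OF zcustomer_data.

START-OF-SELECTION.

  " Without the AUTHORITY-CHECK block below, every user who can start
  " this report reads the whole table: a code scanner reports this as
  " a missing authorization check. How exploitable it really is
  " depends on which roles grant access to the report, i.e. on the
  " role and authorization concept, which is exactly the context a
  " holistic rating takes into account.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD 'ZCUSTOMER_DATA'
    ID 'ACTVT' FIELD '03'.          " activity 03 = display
  IF sy-subrc <> 0.
    " An error message in a report terminates processing here,
    " so the SELECT below is never reached for unauthorized users.
    MESSAGE 'No authorization to display customer data' TYPE 'E'.
  ENDIF.

  " Only authorized users reach the actual data access.
  SELECT * FROM zcustomer_data INTO TABLE @lt_customers.
  cl_demo_output=>display( lt_customers ).
```

The check result in sy-subrc must always be evaluated; an AUTHORITY-CHECK whose return code is ignored is the same weakness in a different shape.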
While the benefits of specialized solutions cannot be denied, their limitation is that they realize their full potential only for specific requirements. Holistic SAP security solutions, on the other hand, cover all aspects needed to find actual attacks. In addition, they can detect and mitigate vulnerabilities in custom code, configuration, and identity protection, as well as report on missing patches.
Creating an effective line of defense and providing the transparency and insight needed is only possible when potential attack vectors are known and system activity across all areas is closely monitored. This can only be achieved with security solutions that comprehensively cover all relevant topics and integrate them into a “bird’s eye” perspective of the entire system landscape.