Tuesday, 19 February 2019 17:03

Securing SAP, where to start?

The fact that you started reading this blog probably means that you have an interest in SAP security, and I'm pretty sure you're well aware of the potential threats to SAP systems. All too often we see SAP security vendors and service providers using scaremongering as a tactic. Working for a software vendor in the SAP security space myself, I can't deny that global media attention on IT security, or primarily the lack of efficient security, has been beneficial for our security technology. But the main question still remains:

"How do you go about securing an SAP system?"


The SAP security baseline document itself is a great start. The SAP Solution Manager configuration validation utility can also be a very valuable toolset. But SAP security is not just about selecting the right tool. Security “housekeeping”, i.e. applying regular SAP security notes, shouldn't be considered an SAP security project, but rather an ongoing activity! System security should be a fundamental part of your overall “keep system running operations”. However, just as regular oil changes are crucial for keeping your car in good shape, they don't provide any guarantee that your car won't break down.

In earlier blog posts, for example, we discussed the concept of “unknown unknowns” and “a false sense of security”. I have also spoken at various conferences, and there too the same questions keep returning: “We are very well aware of the risks, but how do I build a use case to cost justify applying technology to remove the security risk? Where do I start?”

This article will give you a concrete introduction to the approach we typically take. Firstly, it's important to look at the facts. Getting a listing of all your potential and theoretical SAP vulnerabilities, whether within the ABAP code base or in the form of configuration flaws, may result in a lengthy security assessment report. Knowing you have hundreds or even thousands of code vulnerabilities will not necessarily improve your security position: it's too much data and too vague, and you may not even be able to mitigate all the identified risks, given the enormous amount of effort and cost required. However, knowing that critical data gets extracted every single day because of insecure code can be classified as a top priority that deserves instant remediation.

Our approach to SAP security is based on real-time system monitoring and is driven entirely by factual data. How can you prove this within your own environment? We offer a license-free trial of our SAP security platform. You can install and run SecurityBridge on-premise, and discover the vulnerabilities in your SAP applications. This will provide actual results: not supposed vulnerabilities, but actual exploits that are triaged in relation to the risk to your organization. You can then remediate before any harm is done. No sifting through masses of data, no false positives, no successful breach.

Concrete start

See how simple it is in 4 easy steps, and then send us the contact form and we'll guide you through the entire process.
A security assessment facilitated by SecurityBridge - completed in 4 simple stages:

1. Preparation

You will receive access to the online SecurityBridge knowledge-base, which describes in detail how to prepare for the evaluation. Basic technical requirements are described which will shorten the administrative overhead during the initial installation. The installation package will be sent in advance so your SAP basis administrator can add the transports to the required import buffer(s).

2. Installation

A dedicated product consultant is assigned to assist or manage the entire installation process. A typical installation takes 2-3 days. This is mostly executed onsite as it also serves a training purpose, but we can also install over VPN.
This is just guidance as the installation and configuration of SecurityBridge is a self-install.

3. Trial period

During the installation process, we will activate an evaluation license. Typically a trial period runs for 30 days. During this period, you can use a full version of SecurityBridge.

4. Summary report

At the end of the trial, an executive report will be produced, and a workshop set up to discuss the findings. The report will include:

  • An overview of the most significant vulnerabilities and exploits recorded during the audit period
  • Each vulnerability will be documented with a risk rating and recommendation for mitigation


Scope

SecurityBridge will be installed within an SAP landscape of your choice (e.g. ECC, HR, BW, CRM, …). A maximum of 3 SAP system IDs and one production system, all belonging to the same SAP landscape, can be monitored.
The product resides within the reserved /ABEX/ namespace. Its installation and usage have no impact on system performance or running operations. Since SecurityBridge runs natively within SAP, there is no extraction of SAP data or raw logging.

We can also connect SecurityBridge with your SIEM platform, and if the evaluation is executed on a system that runs an SAP Gateway component, you might also want to install and utilize the mobile event monitor, which is a Fiori application.

What's needed from your side?

The only thing you really need is a running SAP system. We also need limited access to an SAP basis and SAP security resource for the duration of the installation. Once installed, we recommend that you regularly review the identified exploits and recorded vulnerabilities. Along with your dedicated product consultant, we will be fine-tuning the configuration to ensure all accepted security risks are eliminated.

An SAP security consultant should regularly review the collected alerts. If a SIEM integration is also in scope, you might also want to involve your IT security department.

Support

For the entire duration of the trial, you will be guided by a dedicated product consultant. Our standard support channels are as follows:

  1. Collect feedback or raise a support ticket
  2. Our online knowledge base


Request your trial today!

Ivan Mans

Passionate about SAP.
