SAP is a crucial software backbone for most organizations, powering essential applications such as ERP, HR, and supply chains. Its business intelligence value has enabled SAP to accelerate from an on-premises application serving a few departments to a cloud-based solution where, according to the SAP Corporate Fact Sheet, “99 of the 100 largest companies in the world are SAP customers and 85 of the 100 largest companies in the world are SAP S/4HANA customers.”
Contributing to SAP’s growth are its internal development and custom-coding flexibilities. Unfortunately, this customization strength can also create a siloed, department-only view of the software, making it difficult to assign essential IT security responsibilities such as patching. SAP management data kept in silos results in thousands of configurations that confuse anyone unfamiliar with the custom code and make it very difficult to secure the SAP system as a whole. Automated patch management, however, can provide meaningful cybersecurity assistance.
Patches Are Paramount
Because organizations run on industrialized release cycles, achieving a secure SAP state is challenging, and SAP security cannot be delegated to quarterly updates. Instead, routine maintenance must be established, and patches must be thoroughly tested and brought to business teams to ensure that core processes are not impacted.
Patches must be applied immediately to prevent attackers from exploiting known vulnerabilities. SAP’s monthly Security Patch Day releases security-related corrections for its product portfolio, but companies should still develop an internal security policy to gain additional, actionable insights. Using a risk-based methodology, organizations must classify which data is confidential and assess the consequences of a security breach. Then, appropriate security measures must be implemented.
In addition to routine maintenance, organizations must be prepared for emergency patches that harden SAP systems against incidents such as the Log4j vulnerability disclosed in December 2021. Log4j is a widely used open-source logging framework maintained by Apache.
Unfortunately, there is no pre-established playbook for such patches, and immediate choices must be made based on individual use cases, which cannot wait for scheduled downtime. Furthermore, many patches require manual pre- and post-patching steps that only trained service personnel can execute.
Native SAP Security Needs A Boost
Maintaining the security posture of SAP using the system’s native abilities is an ongoing challenge for customers, as it requires the manual application of patches and risk assessments. Because of this manual procedure, it’s not uncommon for some departments to have an in-house SAP expert, but this luxury is expensive.
To avoid the high cost of in-house experts, organizations are turning to SAP Security Platform providers that offer integrated automation solutions for continuous monitoring. When assessing security logs, third-party SAP security providers can distinguish genuine findings from false positives. In addition, their filtering abilities allow security teams to immediately locate and focus on the most severe security issues first and deprioritize less crucial matters. Unlike native SAP security, specific third-party solutions can also detect vulnerabilities, configuration glitches, and open loopholes within the security posture, which can help establish a unified SAP security program.
Furthermore, these third-party monitoring solutions can translate SAP-specific information into a universal language, breaking down silos and making data accessible to security teams from all departments. With this information, organizations can create a clear roadmap for their SAP security program in alignment with other security measures throughout an organization.
Cloud-Based SAP: It’s Not All Silver Linings
While moving workloads and applications into the cloud offers several benefits, such as eliminating maintenance contracts for on-premises hardware and freeing up on-site compute capacity, there are also potential drawbacks to consider. As critical data moves off-site and into the cloud, continuous monitoring and in-depth insight into its operations become crucial.
It’s important to note that even though a cloud provider may host an application, the responsibility for its security still lies with the application’s owner. In addition, the cloud provider is not entirely responsible for informing its clients about internal breaches, meaning that cloud customers cannot rely solely on their cloud host for cybersecurity monitoring.
According to Gartner, “Through 2025, 99% of cloud security failures will be the customer’s fault,” emphasizing that outsourcing all cybersecurity is not feasible and that ultimate responsibility remains with the customer even though the underlying cloud resources are shared. Organizations that place mission-critical applications like SAP software into the cloud should be particularly cautious. This decision opens up significant cybersecurity risks, such as unauthorized data access, account hijacking, and data loss.
In conclusion, SAP is a critical software backbone for most organizations, powering essential functions. However, the high degree of customization and siloed views of the software can create a barrier to IT security. In addition, manual application of patches and risk assessments is an ongoing challenge, but organizations are turning to SAP Security Platform providers for automated, real-time solutions for assistance.
While moving SAP applications to the cloud offers benefits such as freeing up on-site compute capacity, it also comes with potential drawbacks, including significant cybersecurity risks. Therefore, adopting a Zero Trust policy to continuously monitor cloud-hosted SAP systems and maintaining a clear roadmap for the SAP security program, aligned with existing security measures, is essential.
Ultimately, SAP is a significant investment, and IT teams need visibility across the entire installation to ensure that cybersecurity best practices are implemented. Because SAP often touches every aspect of a business, even partner systems, a one hundred percent manual approach to monitoring SAP is inefficient, if not irresponsible, for securing mission-critical applications on-site or in the cloud.
Christoph Nagy has 20 years of working experience within the SAP industry. He has applied this knowledge as a founding member and CEO of SecurityBridge, a global SAP security provider serving many of the world's leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings and real-time detection of cyber-attacks. Prior to SecurityBridge, Nagy worked as an SAP technology consultant at Adidas and Audi.