With cybercrime on the rise, attacks on corporate infrastructure are becoming more sophisticated and more professional. This is reflected not only in the complexity of the attacks themselves, but also in the choice of target: ERP systems, where companies keep their most valuable data, are a logical target in terms of potential return on "investment". Especially in large companies, those ERP systems are likely to be products of the German company SAP, the biggest provider of ERP systems in the world. But how effectively are these systems secured?
Historically, SAP systems have often been separated from the rest of the IT infrastructure. In the pre-internet era, when systems in general were seldom connected with one another, this was an obvious choice. However, it also led to separate departments for SAP and for general IT. When security came into focus, responsibility for the security of the SAP systems was therefore more often than not unclear, and as a result SAP systems were frequently left vulnerable to attack. Add the enormous complexity of SAP systems to the picture (SAP systems have about six times more lines of code than a Linux OS), and it becomes obvious why security has long been a weak point in SAP landscapes.
Fragmented security tools
Even though SAP introduced regular security patches in the late 2000s, SAP itself was slow to bake security into its product portfolio. Customers did (and still do) have the option to harden their systems, but unfortunately the various tasks involved were scattered across many different administration tools, most of them neither user-friendly nor intuitive. With the introduction of several solutions that SAP customers could buy to increase security, and with the growing awareness of cybersecurity in general, things have improved.
It should be noted, though, that one of the main drivers for improved security in SAP systems was the customers themselves. One of the main organizations driving security for SAP systems has been the German-speaking SAP User Group (DSAG). One of its earliest achievements was the publication of an audit guideline for SAP systems, which still serves as the de facto standard for securing SAP systems. During the DSAG "Technology Days" conference in Mannheim, Germany, we took the opportunity to look at the state of SAP security in 2020.
Security by default
A major point of criticism towards SAP was always the fact that its products were not "secure by default": when setting up an SAP system, settings with known weaknesses were left in their insecure state on installation, and it was up to the customer to harden them afterwards. The latest release of one of the German software provider's main products, S/4 HANA, changes that: security-relevant settings, such as open ports, are now secured on installation as well. A big step forward, says Steffen Pietsch, board member of DSAG and responsible for SAP technology: "It shows that SAP listened to its customers, though we feel that this can only be a first step." Even though S/4 HANA is SAP's main solution, the move towards more security can indeed only be counted as a first step, because it covers a single product. During the press conference in Mannheim, SAP would not commit to which products would follow in being secured by default.
Admittedly, securing its entire solution portfolio will prove to be a significant effort for SAP. Besides the original business suite, with S/4 HANA as the flagship product, SAP offers numerous other solutions for different processes as well as different industries. Take the C/4 HANA solution as an example: though branded as one solution, it combines several different acquisitions under one brand name, and the integration of those is still in its infancy. As a result, harmonizing the underlying technology is one of the main issues SAP needs to address and solve, and that harmonization has to include security. SAP's CTO Jürgen Müller admitted as much during the press conference, but also mentioned that security is on the agenda among those harmonization efforts.
A security dashboard for everyone
One positive surprise during the conference concerned another demand by the German user group: because of the fragmented tools available in the standard delivery of SAP solutions, the DSAG had asked SAP for a security dashboard spanning those tools and providing a single point of entry for security operations. This demand has been put to SAP for quite a while now, and during the conference SAP finally committed to delivering a security dashboard. Details will be discussed both internally and in co-operation with SAP customers and partners.
Meanwhile, the market for SAP security solutions seems to focus more and more on the detection of potential threats. Led by SAP itself, which introduced its "Enterprise Threat Detection" some years ago and has recently made significant advances in the feature set offered, other vendors have jumped on the bandwagon and are offering "SIEM for SAP" solutions of their own. Most notable was the partnership between SIEM vendor Splunk and SAP, which was announced in 2019.
The problem, however, does not lie only with vendors such as SAP. As anyone active in cybersecurity can attest, it is often the customers who do not focus on security as much as they should. As Steffen Pietsch put it: "We see two groups within our member companies: there is a growing number of companies which realize that in order to protect their most valuable data, they need to be proactive when it comes to securing their SAP systems." Unfortunately, there is also the other group, which does not see security anywhere near the top of its priority list. "Not taking security into account is not only negligent, but reckless," says Pietsch.
Patrick Boch has been working in the IT industry since 1999. He has been dealing with the topic of cybersecurity for several years now, with a focus on SAP and ERP security.
In recent years, Patrick Boch has published various books and articles as an expert, especially on the subject of SAP security. With his extensive knowledge and experience in the areas of SAP compliance and security, he has served as product manager for several companies in the IT security sector since 2013. Patrick is Co-Founder and Editor of Cyber Protection Magazine.