How SAP systems are protected against security and cyber risks

21 October 2021 Consultancy.uk

Turnkey Consulting and Onapsis have released the 2021 edition of their SAP Security Survey Report, providing in-depth insights into the current state of the industry. Tom Venables, a leader at Turnkey Consulting, walks through some of the report’s key findings and lessons.

Many SAP security administrators know how to secure access to applications and understand the need for secure communications, encrypted storage and the like, but are not necessarily experts in SAP programming or administration. This is borne out by good responses on the auditing of users, authorisations and configuration, when compared to code scanning or patch management, for example. 

One of the greatest obstacles organisations must overcome in dealing with the wider risks to SAP is the need to bring together diverse skillsets to understand the threats posed by code configuration, insufficient patching, or system configuration which leaves vulnerabilities open to be exploited.

What would you consider is the greatest risk to your SAP systems?

Operators need to be something of an expert in both the business operations, to secure those effectively, and the technical components that support those operations. This is a broad set of skills, which requires constant expansion to accommodate new threats. 

Items such as code vulnerabilities, patch management, secure system configuration and privilege misuse are understood to be important, but many of the risk treatments in this area appear to be of lower priority, given the lower percentages of organisations that have reached a high level of maturity in managing these functions. 

Low usage of automation solutions means that processes to govern wider IT risks to SAP estates can be costly, time consuming and error-prone. 

Does your SOC have visibility into SAP security events?

How does SAP stack up against wider IT?

This stands in stark contrast to the types of solutions that we see in the wider IT landscapes, where Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Network Telemetry and Response (NTR), code scanning and secure development operations have evolved to respond to growing threats in a much more comprehensive way.

The application of these principles to the SAP estate, given its crucial position in managing business operations, is a logical step to ensuring they’re better protected. 

An evolving landscape for SAP

Only 27% of respondents were not considering a move to S/4 HANA, or had not yet decided, showing that the SAP landscape is evolving. This shift requires that defences also evolve, to address the increasingly online nature of the SAP ecosystem. 

If you are either planning or have already undertaken your migration to SAP S/4 HANA, what type of implementation have you chosen?

An increasing number of people disagree with the statement that ‘SAP is within the network, therefore it is secure’. This is clear evidence that the SAP community understands the shifting nature of their landscapes, and that digital transformation, cloud-first approaches, web and mobile-enabled access and changes to hosting architecture are all altering the types of threats to SAP systems.

This is further reinforced by the breadth of understanding of risk, which moved overwhelmingly from ‘internal fraud’ to a much more balanced response, although fewer than 20% of respondents stated that external attack was their greatest concern. 

Would you generally agree with the statement “SAP is within our network, and so is secured against cyber threats”?

An educated user base is key

An essential component in securing systems against risk is that the risks and their treatments are understood, not only by the security administrators but also by the application owners and the overall business. It is essential that users of these critical systems recognise the nature of the threats and how best to help protect against them. 

In addition, it is critical that SAP users in particular are well trained in cyber security awareness, so they do not fall foul of the most common avenues of attack, such as credential exposure through phishing. Regarding these users as requiring training above the company baseline can help to increase their capability to spot and respond to a threat.

Likewise, business ownership of risk must incorporate all elements of risk to the business. It’s no longer enough to assume that it is ‘IT’s problem’; in order to address risk, IT needs the funding and business backing to make the case to protect against malicious activity and the growing maturity of attackers – singling out SAP as a target shows that this risk is growing in importance. 

Overall, how would you rate your users’ maturity and capability to manage cyber risk to your SAP landscape?

Playing catch-up on defence

‘The defenders are always on the back foot’ is one perception of how difficult it can be to secure an organisation’s IT infrastructure against attackers, as it is often necessary to react to new techniques and tactics used by the ‘red team’. However, the proactive identification of exploits by vulnerability hunters is fully intended to put users ahead of the game wherever possible.

SAP clients can also take the same ‘secure by design’ approach to their key systems and infrastructure for SAP that they do for the wider IT estate, ensuring that the principles of cyber defence are also applied to the SAP estate.

Do you have a way to identify insecure or problematic custom code before it hits production systems?

Breaking down the silos

To ensure the prioritisation of security for business critical systems, SAP system owners need to be connected to the IT risk management organisation, often under the auspices of the CISO.

Understanding the risks and sharing a common language about dealing with these threats closes the gap between these ‘silos’ and pools resources to protect the estate.

Who is responsible for SAP application security in your organization?

Aligning to the NIST framework is one way an organisation can layer its defence and share common approaches. This makes it key to: Identify risks and map them to affected systems; Protect systems against those risks; Detect where any gaps in protection may have occurred; and Respond to those incidents and events in a timely fashion. The survey shows that some progress is being made, but there’s more catching up to do.

In conclusion

The survey results may not surprise veterans of the industry. But they flag the elements of security that are not necessarily familiar to SAP security teams, and highlight the need to align with the core components required to operate a secure landscape, in addition to a focus on roles and authorisations.