SAP systems continuously face security threats. But protection is a complex, often uncoordinated undertaking, leading to vulnerabilities that put valuable data at risk.
Because of ongoing threats, SAP customers must ensure security is a top priority, according to Juan Pablo Perez-Etchegoyen, co-founder and CTO of Onapsis, a cybersecurity firm that focuses on SAP and Oracle enterprise systems.
Onapsis Research Labs reported in November that it found 1,000 critical vulnerabilities in SAP systems during the 13 years it has conducted the research -- a milestone that highlights the ongoing nature of threats, Perez-Etchegoyen said.
"This has been a continuous cadence based on our research on SAP and Oracle systems," he said. "It's not like systems are more insecure. This is the outcome of a continuous flow of research to identify and report on risks."
Opening systems brings risks
SAP systems may be more exposed to threats today because they're being opened in ways they haven't been before, Perez-Etchegoyen said.
On-premises SAP systems, while not invulnerable, have a measure of security because they sit behind a level or several levels of firewalls, he said. But this has been changing in the past few years with cloud migration and connection to non-SAP systems via APIs.
"There's an opening up of many different interfaces, so those boundaries are no longer there," Perez-Etchegoyen said. "A lot of vulnerabilities can be exploited in internal systems, in the cloud and by the interconnections between systems."
Migrating to the cloud is not in and of itself a great security risk for SAP customers, even as interconnection of SAP systems with other systems increases, said Shaun Syvertsen, managing partner and CEO of ConvergentIS, which provides SAP system migration and application development services in Calgary, Alta.
"It all comes down to how [the connections] are done. If they are well done, there are no security concerns," he said.
A different landscape leads to vulnerabilities
SAP systems are vulnerable to threats because the application landscape is different than what IT security teams are knowledgeable about, said Christoph Nagy, CEO of SecurityBridge, a cybersecurity firm that specializes in SAP systems in Ingolstadt, Germany.
"The SAP applications stack is traditionally a kind of black box for security teams in general because it's very specific," Nagy said. "Security analysts are typically focused on IT infrastructure -- things like firewalls, next-generation IPSes [intrusion prevention systems], virus scanners and endpoint devices -- but not so much on the application layer."
Now more organizations realize SAP systems touch most financial transactions and sensitive business data and are better integrating IT security with SAP security teams. Because of SAP's broad reach, security management can be complex, requiring attention at every level in the stack and expertise from multiple domains, he said.
Companies need to engage configuration teams to handle SAP application configuration security as well as development teams to produce secure code. And then there's security patch management, which sits between SAP configuration and development, Nagy said. Further complexity arises if the organization deploys SAP on a SaaS infrastructure.
"[Problems arise] when there's no responsibility or shared responsibility, which becomes even more predominant with hyperscalers," Nagy said.
Good SAP security practices are a web that include configurations and custom code specific for SAP systems, he said. Even the most basic security practice -- patch management -- is not easy in SAP environments.
"Patching is not like Windows where a pop-up tells you a new patch is coming," Nagy said. "It's a disconnected process, and customers need to look for patches. SAP has a patch day every second Tuesday, and customers are responsible for reviewing the patches to see if they apply to their products."
One of SAP's advantages is that it can be customized. Organizations can have hundreds to thousands of customizations. But customizations can also be dangerous if not done properly, Nagy said.
"[They] can lead to coding glitches that introduce vulnerabilities or can contain malicious code that can harm a system if they are brought into a production system without your knowledge," he said.
Security is everyone's job
Christoph NagyCEO, SecurityBridge
SAP security is a critical part of everybody's job, from executives to developers to SAP Basis admins responsible for managing day-to-day operations, according to Syvertsen.
He also advised that organizations support employees coming forward with vulnerabilities. This needs to be stated upfront but should be tailored for each company's culture, Syvertsen said.
"There needs to be a safe avenue for them to highlight something that could be a vulnerability," he said.
Security is a team sport, and IT security teams must coordinate with SAP teams to better understand the issues putting an organization's most valuable data at risk, Perez-Etchegoyen said.
"SAP teams need to work with CISOs to integrate their ERP applications into existing vulnerability management programs and incident response programs," he said. "If you don't put that all together, you have organizations that are sitting on a ton of risk."
Jim O'Donnell is a TechTarget senior news writer who covers ERP and other enterprise applications for TechTarget Editorial.