Patch management not enough to secure SAP systems
Security is critical to SAP customers, and third-party tools can help seek out and monitor vulnerabilities in areas that SAP patches miss, such as custom code and access control.
Two SAP-focused security vendors stepped up efforts to provide customers with tools to identify and respond to both existing and emerging threats to SAP systems.
SAP selected Onapsis, a Boston-based cybersecurity company, to become an SAP Endorsed App, which come from third-party developers that have undergone technical validation testing from SAP. It is available in the SAP Store, according to Onapsis at SAPinsider 2023 in March.
The Onapsis Platform is now certified for Rise with SAP, SAP's initiative to move customers to S/4HANA Cloud on public cloud infrastructure. The Onapsis Platform, which provides security monitoring, mitigation and compliance for SAP systems, is available as a standalone product, but can be included with the Rise with SAP program, the company said.
Also at SAPinsider, SecurityBridge, based in Nuremberg, Germany, introduced the SAP Management Dashboard, a new capability on its SecurityBridge platform. The dashboard is intended to provide a centralized location to view and act on SAP security issues in real time, according to the company. The SAP Management Dashboard is a no-cost additional application for the existing SecurityBridge platform that the company expects to be available early in the second quarter of 2023.
SAP security changes with move to the cloud
Security for SAP systems is always an issue for customers, and the move to the cloud creates more vulnerability while providing more opportunity to secure core systems, according to Frank Dickson, group vice president at IDC.
Frank DicksonGroup vice president, IDC
Taking security seriously is vital because SAP systems are often the foundation for how an entire business runs, he said. SAP customers are used to thinking that on-premises systems can be kept safe with traditional cybersecurity measures, but these measures need to change when customers move to the cloud.
"You start worrying more about how to protect applications, and identity becomes very important," Dickson said.
Organizations want to give their employees access to these systems while keeping others out, but they don't want to give their employees ubiquitous access, he said.
"You want them to have access to things that they need," Dickson said. "But you also want to make sure you're protecting that data -- who has access to the application, what data they have access to and what they're allowed to do with it."
Embed security early in move to S/4HANA Cloud
SAP customers are looking to get to the cloud faster with programs such as Rise with SAP, but these moves can be delayed if they don't include security at the start of the process, said Mariano Nunez, CEO at Onapsis.
"In many cases, customers are engaging Rise to go to the cloud, but at the last minute, the security team comes in to make sure the system is secure," Nunez said. "That can derail the project because there's always something to fix or a new control that needs to be implemented."
Customers can select any cybersecurity platform or service they want, but embedding security tools and processes in the beginning of a migration can reduce friction, he said.
SAP systems have specific security issues that need to be addressed when building them for the cloud, Nunez said.
"When you are building the system with a hyperscaler, the vendor takes care of the basic infrastructure layer. They're looking at network security, endpoints and the operating system, but they're not looking at threats on the application layer," he said. "They're not looking at custom code or the customer's SAP interfaces or configurations. That's where we see the attackers going."
SAP takes security seriously, Dickson said, but it can help to use a third-party vendor such as Onapsis to help protect SAP systems.
"Onapsis is constantly looking for vulnerabilities in the application," he said. "But not only are they looking for vulnerabilities, they're looking for ways to mitigate those vulnerabilities."
Real-time security monitoring
The new SAP Management Dashboard from SecurityBridge enables organizations to get a holistic view of security vulnerabilities and provides measures on how to mitigate or resolve them, according to Bill Oliver, technical director for the Americas at SecurityBridge.
Keeping up with security patching is vital, and SAP regularly releases patches for vulnerabilities, Oliver said, but customers must look at their own code for vulnerabilities as well as monitor systems for security issues that are not code-related, such as access control.
"You've got to scan your code, making sure you don't have violations like SQL injections, denial of services, directory traverse or other backdoors," he said. "You really need to monitor your system [to see what users are doing]. Maybe someone is downloading sensitive data or just put something in a code that had a bug or something sensitive."
The key is to monitor the SAP system and look for anomalies in activity, Oliver said, such as a user who signs in to the system from a different location or at a different time than usual.
"That's not something a patch is going to tell you -- it's not something you'll find out by fixing your code," he said. "If you've got somebody who possibly compromised a user's credentials and is using it somewhere else, you will get a flag warning [on the Management Dashboard] that this is an activity that doesn't fit the user's profile."
Seeing alerts as close to the vulnerability as possible helps organizations discover and act quickly to resolve issues, Dickson said. These can come from mistakes, where access levels are set incorrectly, or from malicious actors who look to compromise SAP security from inside an organization.
"Knowing if a user's access time or location is unusual or if they have elevated privileges are things that SAP isn't necessarily focused on," he said. "But they're things where a third-party dedicated security company can add value."
Jim O'Donnell is a senior news writer who covers ERP and other enterprise applications for TechTarget Editorial.