Organizations widely use SAP systems to perform daily operations throughout almost every step of the value chain. Aside from being central to business continuity, these systems also serve as a central repository for business data, intellectual property, and sensitive information. Securing them against unauthorized access and malicious activities has never been more critical.
What is SAP Security?
SAP (Systems Applications and Products) Security is designed to secure your SAP systems against malicious insiders and outsiders. Because it involves monitoring authorizations and access controls, operational deficiencies, changes to data, compromising behaviors, and a lack of adherence to procedures, ‘security’ is complex and multifaceted. It covers infrastructure, network, operating system, and database security, as well as secure code, which includes maintaining SAP code and security in custom code.
A secure setup of SAP servers is essential to keep your business’s private information safe and out of the hands of cyber attackers. It covers the secure configuration of a server, enablement of security logging, security in terms of system communication, and data security. Users and authorizations are also critically monitored and tracked.
Elements of SAP Security
Given the SAP systems’ complicated and interconnected nature, there’s a lot that goes into maintaining their security. When it comes to SAP Security, here’s an overview of the different aspects involved:
- Infrastructure security
- Network security
- Operating system security
- Database security
- Secure code ABAP/4
- Configuration of a server
- Enablement of security logging
- System communication
When these are carried out effectively, it’s easy to maintain system compliance with the help of continuous monitoring, audits, and the establishment of emergency concepts.
What is SAP Security Used for, and Why is it important?
SAP security is often siloed or a blind spot within the centralized cybersecurity monitoring of a business. And with 66% of business executives feeling that cyberattacks are increasing worldwide, it’s a serious concern.
As a countermeasure to these attacks, SAP security is designed to help protect the business-critical systems that organizations rely on to run their business effectively.
The Most Common Uses of SAP Security Are:
- Avoiding exploitation and fraud
- Ensuring data integrity
- Identifying unauthorized access
- Continuous and automated audits
- Detecting data leaks
- Centralizing security monitoring
An attack on SAP systems can devastate the business’s operations, leading to financial losses, supply chain issues, and long-term reputation damage.
To prevent that kind of headache, these systems must be protected against internal and external cyber threats. That way, your company can maintain confidentiality, availability, and integrity.
Despite this, many organizations keep them out of scope for security teams or rely solely on the ERP vendor tools. As you might expect, this dramatically increases the risk of attacks and makes ERP systems, such as SAP, a prime target for adversaries.
How does SAP Security work?
Because SAP systems connect different departments and programs to help you run your business smoothly, they are incredibly complicated. Since they are so complex and unique, it is harder to develop proper cybersecurity measures.
According to a study from the University of Maryland, cyber attackers attempt to attack systems every 39 seconds. Protecting them is vital.
Within SAP security, there are several steps you can take to prevent attacks:
Roles and Authorizations
First, your SAP systems deliver necessary authorizations as a standard. Customer-specific authorization concepts are set up in SAP, allowing essential permissions to be assigned. The assignment of authorization combinations (Segregation of Duties, SOD) is critical.
The assignment of critical combinations of authorizations should be avoided and only used or assigned in exceptional cases, such as with so-called firefighter accounts. A further complication in SAP security is that authorizations and roles can be manipulated in SAP by SAP standard means.
Therefore, examining necessary authorizations and authorization combinations is crucial and presents companies with significant challenges. Also, conducting continuous, automated reviews of SAP authorizations is vital.
You can easily do these checks using a test catalog. Creating this from scratch requires effort and is relevant not only for the authorizations in the SAP Basis area but also for business processes. If assigning necessary permissions and combinations of permissions undermines 4-6 eye principles, there is a risk of exploitation or fraud.
SOD checks are ideally carried out not only per SAP role but also per user, since a user may trigger a so-called SOD conflict by being assigned several roles. In addition to the evaluation by user, you should know which roles ultimately trigger the conflict in combination. The SAP transaction SUIM and its API allow checks of combinations of critical authorizations.
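A user-level SOD check of the kind described above, as an added example that is not code from the original article or from SAP. The role names, authorization labels, rules and users are constructed; a real check would load them from an export of the system's role assignments.

```python
# Constructed sample data: role names, authorization labels and rules are hypothetical.
ROLE_AUTHS = {
    "Z_VENDOR_MAINT": {"create_vendor", "change_vendor"},
    "Z_AP_PAYMENTS": {"post_payment"},
    "Z_AP_CLERK": {"post_invoice"},
    "Z_FIREFIGHTER": {"create_vendor", "post_payment"},
}
USER_ROLES = {
    "ALICE": ["Z_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "BOB": ["Z_AP_CLERK"],
    "FF_01": ["Z_FIREFIGHTER"],
    "CAROL": ["Z_VENDOR_MAINT", "Z_AP_CLERK", "Z_AP_PAYMENTS"],
}
# Each rule names two authorizations that one person should not hold together.
SOD_RULES = {
    "vendor_and_payment": ("create_vendor", "post_payment"),
    "invoice_and_payment": ("post_invoice", "post_payment"),
}
EXEMPT_USERS = {"FF_01"}  # firefighter accounts, reviewed through their own process


def roles_granting(auth, roles):
    """Roles from `roles` that contain the authorization `auth`."""
    return sorted(r for r in roles if auth in ROLE_AUTHS.get(r, set()))


def sod_conflicts(user_roles=USER_ROLES, rules=SOD_RULES, exempt=EXEMPT_USERS):
    """Return {user: {rule: [(role_a, role_b), ...]}} for every violated rule.

    The role pairs show which roles trigger the conflict in combination;
    a pair of identical roles means a single role is conflicting on its own.
    """
    findings = {}
    for user, roles in user_roles.items():
        if user in exempt:
            continue
        for rule, (left, right) in rules.items():
            pairs = sorted({
                tuple(sorted((a, b)))
                for a in roles_granting(left, roles)
                for b in roles_granting(right, roles)
            })
            if pairs:
                findings.setdefault(user, {})[rule] = pairs
    return findings
```

Evaluating per user rather than per role is what surfaces ALICE and CAROL here: none of their individual roles violates a rule, only the combination does.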
Patch Management
SAP is increasingly affected by security breaches. Threats that are currently dealt with in traditional cybersecurity are also valid for SAP systems. So-called SAP Security Notes are published continuously; however, the challenge for organizations is to keep the SAP systems up-to-date and apply the patches continuously.
Unfortunately, it’s just not always possible.
And so many SAP systems remain unpatched for a long time, resulting in serious security gaps. To make matters worse, with the release of new patches, information is released about where the vulnerabilities are and how they can be exploited. Not only is patching essential, but so is the detection of exploited vulnerabilities, so-called zero-day exploits.
Transaction Monitoring
SAP also offers a large number of critical transactions and functional modules that are even available remotely. That also means it’s possible to create accounts via the SAP system’s API, equip them with authorizations, and then use them remotely. Other building blocks and function modules can then load or manipulate data from the SAP system.
Once again, the authorization assignment plays a role here, as it restricts the use of the transactions. Therefore, it’s vital that you monitor the execution of transactions, RFC modules, or SAP reports continuously and in real time. Access to SAP systems from outside via the interfaces of an SAP system, such as the RFC interface, will need to be monitored, too.
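One way to monitor for the sequence described above (an account created through the API, given authorizations, then used remotely), as an added example that is not part of the original article. The events are constructed and already normalized; the field names and event types are hypothetical and do not reflect the format of any SAP log.

```python
from datetime import datetime, timedelta

# Constructed, normalized events. Field names and event types are hypothetical.
EVENTS = [
    {"ts": "2024-05-02T01:10:00", "type": "user_created", "channel": "rfc", "actor": "SVC_BATCH", "target": "TMP_X1"},
    {"ts": "2024-05-02T01:12:00", "type": "role_assigned", "actor": "SVC_BATCH", "target": "TMP_X1", "role": "Z_WIDE_ROLE"},
    {"ts": "2024-05-02T01:20:00", "type": "rfc_logon", "actor": "TMP_X1", "source": "203.0.113.7"},
    {"ts": "2024-05-02T08:00:00", "type": "user_created", "channel": "dialog", "actor": "ADMIN1", "target": "NEWHIRE"},
    {"ts": "2024-05-02T08:05:00", "type": "role_assigned", "actor": "ADMIN1", "target": "NEWHIRE", "role": "Z_AP_CLERK"},
    {"ts": "2024-05-02T08:30:00", "type": "rfc_logon", "actor": "NEWHIRE", "source": "10.0.5.21"},
    {"ts": "2024-05-02T09:00:00", "type": "user_created", "channel": "rfc", "actor": "SVC_IDM", "target": "SLOW1"},
    {"ts": "2024-05-02T09:05:00", "type": "role_assigned", "actor": "SVC_IDM", "target": "SLOW1", "role": "Z_AP_CLERK"},
    {"ts": "2024-05-02T15:00:00", "type": "rfc_logon", "actor": "SLOW1", "source": "10.0.5.22"},
]


def detect_create_grant_use(events, window=timedelta(hours=1)):
    """Alert when an account created over RFC is given a role and then logs on
    over RFC, all within `window` of its creation."""
    created, granted, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "user_created" and ev.get("channel") == "rfc":
            created[ev["target"]] = (ts, ev["actor"])
        elif ev["type"] == "role_assigned" and ev["target"] in created:
            granted.setdefault(ev["target"], []).append(ev["role"])
        elif ev["type"] == "rfc_logon" and ev["actor"] in granted:
            t0, creator = created.pop(ev["actor"])
            roles = granted.pop(ev["actor"])
            if ts - t0 <= window:
                alerts.append({
                    "account": ev["actor"],
                    "created_by": creator,
                    "roles": roles,
                    "logon_source": ev["source"],
                    "minutes_after_creation": int((ts - t0).total_seconds() // 60),
                })
    return alerts
```

Only TMP_X1 is reported with the default window: NEWHIRE was created in a dialog session, and SLOW1 first logged on six hours after creation.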
SAP Code Security
Next is code security—an essential part of your SAP security. In SAP systems, it is often left to the developers to ensure the ABAP code’s security. Coding is put together in transports and transported from the development systems to the production systems, but often, it’s done without a sufficient examination of the coding.
Worse yet, SAP offers attackers options for code injection, as coding can even be generated and executed at runtime. The manipulation of important and urgent transports is just one way of transporting malicious programs into an SAP system completely undetected. Luckily, SAP provides a code inspector with modules like the Code Vulnerability Analyzer to check the coding.
System Settings
Your system settings are the basis of SAP security, and there are numerous settings options in SAP systems. Settings are made at the database level through SAP transactions, or through so-called SAP Profile Parameters, which are stored in files. The rollout of an SAP system must comply with a set of rules for system settings, which can be found in an SAP Basis operating manual.
Here, it is determined how the security settings are assigned in an SAP system, how access is granted or denied, and which communication of an SAP system is allowed. The operating system, database, and application layers are relevant here. Each of these layers requires proper configuration of the security settings.
Unfortunately, these are often insufficient in the standard SAP system. For instance, in many companies, only 5% of their folders are adequately protected.
RFC Configuration
The RFC Gateway can be described as the SAP-internal firewall and needs to be configured precisely (RegInfo, SecInfo) to avoid unauthorized remote access from systems and applications.
SAP best practice guidelines, or guidelines from SAP user groups such as the DSAG, contain practice-tested and security-oriented settings and test catalogs.
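A small audit of the RegInfo and SecInfo files mentioned in this section, as an added example that is not from the original article or from SAP. The sample files are constructed, and the script assumes the version 2 rule syntax (P or D followed by KEY=value pairs); treating an omitted host key like a wildcard is a choice made for this example.

```python
# Host-type keys checked per file. Assumption of this example: an omitted key
# is treated like "*", so the audit errs on the side of reporting.
HOST_KEYS = {"secinfo": ("HOST", "USER-HOST"), "reginfo": ("HOST", "ACCESS")}

# Constructed sample files in the version 2 rule syntax (P/D plus KEY=value).
WEAK_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""
HARDENED_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=internal HOST=internal
"""
WEAK_REGINFO = """#VERSION=2
P TP=*
"""
HARDENED_REGINFO = """#VERSION=2
P TP=* HOST=local ACCESS=local
P TP=* HOST=internal ACCESS=internal
"""


def parse_rules(text):
    """Yield (line_no, action, fields) for each rule, skipping comments."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs if "=" in p)
        yield n, action.upper(), {k.upper(): v for k, v in fields.items()}


def audit_acl(kind, text):
    """Return (line_no, message) for permit rules that accept any host."""
    findings = []
    for n, action, fields in parse_rules(text):
        if action != "P":
            continue
        wide = [k for k in HOST_KEYS[kind] if "*" in fields.get(k, "*").split(",")]
        if wide:
            findings.append((n, "permit rule not restricted by " + ", ".join(wide)))
    return findings
```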
SAP security and Read Access Logs
SAP Security also covers a range of security logs. These need to be switched on and controlled at the same time.
The most critical log is the SAP Security Audit Log (SM20), which contains a set of security and audit-relevant events. Change Logs (SCU3) of database tables and the so-called Change Documents of users and business objects (SCDO) are also available. The SAP RFC Gateway Log SMGW carries logs of the RFC Gateway, logs of the SAP Internet Communication Manager, and the Web Dispatcher.
The SAP Read Access Log stores read and write access to specific fields of transactions, reports, or programs. This provides an essential component to meet the EU Data Protection Regulation (GDPR or DS-GVO) obligations – logging personal data access.
The configuration of the SAP Read Access Logs and their evaluation is essential to SAP Security Monitoring, not least in times of GDPR. With this log’s help, access to SAP can be monitored, extracted, centrally collected, and, at best, automatically monitored with appropriate rules. The SAP Read Access Log is maintained via the transaction SRALMANAGER.
SAP Security Best Practices
With so much at risk and so much to organize, it can be overwhelming to get a plan in motion. So, here’s a quick and easy checklist to help you get started if you want to improve your SAP security.
To keep your data safe, you need to conduct several different assessments:
- Internal assessment of access control
- Change & transport procedure assessment
- Network settings & landscape architecture assessment
- OS security assessment
- DBMS security assessment
- SAP NetWeaver security assessment
- Assessment of various SAP components (like SAP Gateway, SAP Messenger Server, SAP Portal, SAP Router, and SAP GUI).
- Assessment of compliance with SAP, ISACA, DSAG, and OWASP standards
After doing these assessments, there are still some other steps you’ll need to take. With a plan in place, you’ll be far ahead of most companies—and cyber attackers. Here is an easy 4-step process to get you started and monitor your SAP security:
- Align Your Settings: Make sure your settings are set up to align with your organizational structure. You should also educate your teams and double-check that all security measures are being followed.
- Create Emergency Procedures: In the event of an emergency, you should have a plan to address it quickly and effectively. For one, you should be sure your Network Administrators can easily revoke access and privileges as needed.
- Conduct Housekeeping and Review: You should constantly monitor your SAP systems. Also, make sure the list of permissions is updated regularly, especially when you have new hires or staff change roles.
- Use Security Tools: Lastly, having the right security tools in place is crucial to keep tabs on what’s happening and catch any suspicious activity. That way, you can more easily prevent a cyberattack or data breach from occurring.
SAP Security Solutions and Tools
Are you looking for the right SAP security software? It’s hard to know where to look and who to trust—especially with something so important. At Logpoint we have a security solution tailored to keep business-critical systems secure – BCS for SAP.
While the vendor technically provides an SAP security solution, it often fails to integrate with the rest of the organization’s cybersecurity monitoring. This creates a blind spot for the security team and increases the risk from internal and external threats.
That is why integrating your SAP security monitoring into a centralized SIEM can significantly add value to your cybersecurity, IT operations, system compliance, and business analytics. Ideally, these platforms use technologies such as UEBA (User Entity and Behavior Analytics) to get behavioral insights in addition to rule-based monitoring.
SAP security needs to be monitored continuously and automatically in SIEM solutions at a central point in the company, integrated into IT security, and ideally managed by a Security Operations Center (SOC) to identify threats and respond immediately.