
Enhancing SAP Security through Security Awareness: 5 key points for Administrators

Gert-Jan Koster
SAP Security specialist
July 3, 2025
7 min read


In an era where cyberattacks are growing in complexity and impact, safeguarding enterprise systems like SAP is more critical than ever. At SecurityBridge, we know this like no other.  

While technical measures play a crucial role, security awareness is often underestimated as a required state of mind. What do we mean by that? Subject matter experts (SMEs) and administrators often approach cybersecurity through technical measures such as firewalls, access controls, or intrusion detection systems (IDS), which are all vital for security, no doubt. However, by fostering a security-conscious culture, many risks and data breaches can be identified more easily or even prevented. Security awareness in this sense refers to the knowledge and behavior that help recognize, prevent, and respond to security threats. In this article, we highlight 5 key security awareness points for SAP SMEs and administrators.

Awareness is key  

As said, administrators play a vital role in safeguarding the security of an SAP landscape. One main challenge for administrators these days is the increasing complexity of the SAP landscape, driven by several cloud services. Surprisingly, though, it is not only recent developments that pose a challenge for organizations but also well-known security issues in the landscape. For some reason, these issues keep ‘popping up’ and prove to be hard to mitigate. A few examples: 

  • Users with roles or profiles that give far too much access.  
  • Default passwords of (technical) users. 
  • Incorrect client or system settings in ABAP systems, allowing direct changes.  
  • Missing RFC gateway security can lead to a fully compromised system.  

The examples above are all well-known in the SAP community and have existed for many years (the RFC gateway example dates back to 2010!) but still seem hard to mitigate permanently. Instead of focusing on these security issues themselves (as said, many are well-known already), we need to focus on the conditions that make systems insecure. So, let’s dive into some of the underlying dynamics that administrators need to be more aware of.

1. Security standards are dynamic 

Put another way: what is safe today is not safe tomorrow. Technology advances quickly, and new techniques and vulnerabilities are found daily. This drives the development of new standards and requirements, such as stronger encryption algorithms and more complex password requirements.

What Administrators can do: 

  • Review standards and policies frequently 
  • Embed the review in a process; this is not a one-time activity. 

 

2. System settings are dynamic 

Normally, every system is updated or patched frequently (or at least it should be). Often, this not only comes with functional changes but also brings along changes in default settings, built-in standard values, and system behavior. For example, custom configurations can be overwritten after an update, resulting in security settings that are no longer set according to corporate policies.  

 

What Administrators can do: 

  • Validate security settings after system updates and patching.  
  • Embed this in update projects and patch processes. 

3. The human error 

In a perfect world, all procedures are followed completely, nobody makes mistakes, all settings and configurations stay the same, and no security issues arise. Right… The real world is much different. People do make mistakes, and unwanted or inconsistent settings are set. This point is perhaps the most important one because so many examples exist where the ‘human factor’ proved to be the problem. In an SAP landscape, this is no different. For example:  

 

  • ABAP client settings that have been changed and not put back to their original values. 
  • Authorizations are assigned to users for temporary reasons but not revoked afterward.  
  • Troubleshooting sessions require several system settings to be made, which are not or only partly undone.  
  • Different settings across environments lead to an inconsistent security posture. 
  • Users download sensitive data and store or send it unprotected. 

 

Do you recognize some of these examples? The list goes on… 

 

What Administrators can do: 

  • No matter how robust system settings are at a certain point in time, or how well-thought-out a process is, expect inconsistencies because of human behavior, and prepare.  
  • Focus on security during changes and troubleshooting sessions. These are the typical situations in which temporary changes are made that may lead to inconsistent configurations. 
  • Trust, but verify. Implement (extra) monitoring of critical security items, especially during changes and troubleshooting sessions. 
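Points 1 to 3 share one practical consequence: the expected security settings have to be written down as a baseline, and the live configuration has to be compared against that baseline after every patch, change or troubleshooting session. The script below is an added example and not code from the article or from SecurityBridge. The parameter names are real SAP profile parameters, but the policy thresholds, the "before" and "after" profile snapshots and the story behind the drift are constructed for illustration; a real check would read the values from the system (for example via RZ11 or an export of the instance profile) and use the organization's own policy values.

```python
"""Baseline and drift check for SAP profile parameters (added example).

Parameter names are real SAP profile parameters; the policy thresholds
and both profile snapshots are constructed for illustration.
"""
from __future__ import annotations

from typing import Callable

# Corporate baseline: parameter -> (predicate on the string value, expectation).
# The thresholds are ASSUMED policy values, not SAP defaults or SAP recommendations.
BASELINE: dict[str, tuple[Callable[[str], bool], str]] = {
    "login/min_password_lng": (lambda v: int(v) >= 12, "minimum password length of 12"),
    "login/fails_to_user_lock": (lambda v: 1 <= int(v) <= 5, "lock after at most 5 failed logons"),
    "login/password_expiration_time": (lambda v: 1 <= int(v) <= 90, "expiry within 90 days (0 means never)"),
    "login/no_automatic_user_sapstar": (lambda v: int(v) == 1, "no automatic SAP* user after deletion"),
    "gw/acl_mode": (lambda v: int(v) == 1, "RFC gateway ACL mode enabled"),
    "rsau/enable": (lambda v: int(v) == 1, "security audit log enabled"),
}


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'name = value' lines as used in SAP instance/default profiles.

    '#' starts a comment; blank lines and lines without '=' are ignored.
    """
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_baseline(params: dict[str, str], baseline=BASELINE) -> list[tuple[str, str, str]]:
    """Return (parameter, observed value, expectation) for every baseline violation.

    A parameter that is not set explicitly is reported as well: the kernel
    default then applies, and kernel defaults can change with an upgrade.
    """
    findings = []
    for name, (predicate, expectation) in baseline.items():
        if name not in params:
            findings.append((name, "<not set>", expectation))
            continue
        value = params[name]
        try:
            ok = predicate(value)
        except ValueError:  # non-numeric value where a number is expected
            ok = False
        if not ok:
            findings.append((name, value, expectation))
    return findings


def diff_profiles(before: dict[str, str], after: dict[str, str]) -> dict[str, tuple[str | None, str | None]]:
    """Return every parameter whose value differs between two snapshots."""
    return {
        name: (before.get(name), after.get(name))
        for name in sorted(set(before) | set(after))
        if before.get(name) != after.get(name)
    }


# Constructed snapshot taken before a support package / troubleshooting session.
SNAPSHOT_BEFORE = """
# constructed instance profile excerpt (not from a real system)
login/min_password_lng = 12
login/fails_to_user_lock = 5
login/password_expiration_time = 90
login/no_automatic_user_sapstar = 1
gw/acl_mode = 1
rsau/enable = 1
"""

# Constructed snapshot taken afterwards: gateway ACL switched off "temporarily"
# during RFC troubleshooting, expiry reset while testing a technical user,
# audit log line commented out and never restored.
SNAPSHOT_AFTER = """
login/min_password_lng = 12
login/fails_to_user_lock = 5
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 1
gw/acl_mode = 0
# rsau/enable = 1
"""


def report() -> tuple[list, dict]:
    """Run both checks over the constructed snapshots and return their results."""
    before = parse_profile(SNAPSHOT_BEFORE)
    after = parse_profile(SNAPSHOT_AFTER)
    return check_baseline(after), diff_profiles(before, after)


if __name__ == "__main__":
    findings, drift = report()
    for name, value, expectation in findings:
        print(f"VIOLATION {name} = {value!r}; expected {expectation}")
    for name, (old, new) in drift.items():
        print(f"DRIFT     {name}: {old!r} -> {new!r}")
```

The baseline check catches what violates policy regardless of history, while the drift check catches anything that changed since the last known-good snapshot, including a parameter that silently fell back to its kernel default. Running both after every change window is the "trust, but verify" step from the list above.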

 

4. Passwords are everywhere 

Passwords are everywhere. Despite initiatives to reduce the use of passwords, the reality is that passwords and other keys are used across systems, applications, databases, and the OS layer. The number of passwords and keys in a typical SAP landscape easily goes into the hundreds and requires due care. To make matters worse, many ‘default’ passwords exist that may still be in use! 

 

What Administrators can do:

  • Evaluate passwords frequently against corporate policies. 
  • Check for the use of default passwords that may have been in use in the organization or for well-known technical users (like user SAP*, DDIC, and many others). Do not think that a password will never be reset back to a default!  
  • Implement a solid solution to safely secure and manage passwords.  
  • Migrate to other authentication methods where possible (like X.509 or OAuth 2.0). 
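The second bullet above is the one that is easiest to automate and most often neglected. The script below is an added example, not code from the article or from SecurityBridge: it audits SAP's well-known standard users (SAP*, DDIC, SAPCPIC, EARLYWATCH, TMSADM) across all clients of a system. The export format and every status value are constructed; the `default_password` column stands in for the verdict of the standard report RSUSR003, which checks whether standard users still have their initial passwords, and the 180-day dormancy threshold is an assumed policy value.

```python
"""Standard-user hygiene check across SAP clients (added example).

User names are SAP's well-known standard users; the export format, all
status values and the policy thresholds are constructed for illustration.
"""
import csv
import io
from datetime import date

STANDARD_USERS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH", "TMSADM"}

# Constructed export, one row per user per client. 'default_password' is the
# (constructed) result of the RSUSR003 default-password check for that user.
USER_EXPORT = """\
client,user,user_type,locked,default_password,last_logon
000,SAP*,DIALOG,Y,N,
000,DDIC,DIALOG,N,N,2025-06-30
000,TMSADM,SYSTEM,N,N,2025-06-30
100,SAP*,DIALOG,N,Y,2025-05-14
100,DDIC,DIALOG,Y,N,2024-01-10
100,SAPCPIC,COMMUNICATION,N,N,2023-02-01
100,JSMITH,DIALOG,N,N,2025-06-29
200,DDIC,DIALOG,N,N,
"""


def audit_standard_users(export: str, today: date, dormant_days: int = 180) -> list[tuple[str, str, str]]:
    """Return (client, user, finding) tuples for standard-user problems.

    Rules (assumed policy, stated in the lead-in):
      1. no standard user may still carry its initial (default) password;
      2. SAP* must exist in every client and must be locked;
      3. any other standard user that is unlocked but unused for more than
         `dormant_days` (or never used) should be locked.
    """
    rows = list(csv.DictReader(io.StringIO(export)))
    findings: list[tuple[str, str, str]] = []
    clients = sorted({r["client"] for r in rows})
    clients_with_sapstar = set()

    for r in rows:
        client, user = r["client"], r["user"]
        if user not in STANDARD_USERS:
            continue  # ordinary users belong to the regular authorization review
        unlocked = r["locked"] != "Y"

        if r["default_password"] == "Y":
            findings.append((client, user, "initial (default) password still set"))

        if user == "SAP*":
            clients_with_sapstar.add(client)
            if unlocked:
                findings.append((client, user, "SAP* is not locked"))
            continue

        if unlocked:
            last = r["last_logon"]
            age = (today - date.fromisoformat(last)).days if last else None
            if age is None or age > dormant_days:
                findings.append((client, user, f"unlocked but no logon within {dormant_days} days"))

    # Rule 2, second half: with login/no_automatic_user_sapstar = 1 the kernel
    # no longer creates SAP* on the fly, so a locked SAP* should exist per client.
    for client in clients:
        if client not in clients_with_sapstar:
            findings.append((client, "SAP*", "user does not exist in client; create it and lock it"))
    return findings


if __name__ == "__main__":
    for client, user, finding in audit_standard_users(USER_EXPORT, date(2025, 7, 3)):
        print(f"client {client}: {user}: {finding}")
```

The check is deliberately per client: a standard user that is locked and clean in client 000 says nothing about the same user in a production client, which is exactly where a password tends to be "temporarily" reset to a default during a migration or a support case.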

 

5. Always patch and don’t drop your guard 

Security patching should be a core process within any organization. This should be a no-brainer for each IT professional. So far, so good, right? Not really. Many successful cyberattacks simply rely on IT components being vulnerable because of missing patches. How can this happen if patching is so obvious? Two factors contribute to this: 

  • Many IT landscapes evolve quickly and become increasingly complex because of new concepts and technologies. Lack of insight into the various components in a landscape plays an important role in overlooking components that require patching. 
  • Security patching is a “no-brainer” and recurs every month or even more often. Although this should lead to a smooth process, it can also lead to a certain ‘fatigue’ or a lower sense of importance.  

 

What Administrators can do: 

  • Make sure that patches are applied with the right frequency and minimal delay (aka the “no-brainer”). 
  • Realize the battle: an attacker only needs to find one vulnerable component to breach you; you need to secure every component. That’s just how it is… 
  • Maintain a complete overview of the landscape or the part you’re responsible for. Remember: the main components are normally not forgotten, but make sure to cover everything around them as well. For example, for an ABAP system, the ABAP application components, security notes, and kernel are probably well in scope. But components like the SAP Host Agent or database client software are more easily missed. And so, there are many more…  
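The third bullet is a coverage problem before it is a patching problem: a component that is not in your inventory cannot be on your patch schedule. The script below is an added example and not code from the article or from SecurityBridge. It compares what each host actually reports against what a host of its role is expected to run, and then compares the reported patch levels against a minimum. The host names, the role definitions, the component inventory and the minimum patch levels are all constructed; the component names (kernel, SAP Host Agent, database client) follow the article's own example.

```python
"""Landscape coverage and patch-level check (added example).

Host names, roles, inventory rows and minimum patch levels are constructed.
"""

# Components every host of a given role must report. The role names and the
# exact sets are an assumption of this example; the point is that the
# "surroundings" of the main component (host agent, DB client) are listed too.
REQUIRED_COMPONENTS = {
    "abap_app_server": {"kernel", "host_agent", "db_client"},
    "db_server": {"host_agent", "db_server"},
}

# Minimum accepted patch level per component (constructed policy values).
MIN_PATCH_LEVEL = {
    "kernel": 1000,
    "host_agent": 60,
    "db_client": 40,
    "db_server": 70,
}

# Hosts that are supposed to exist according to the landscape documentation.
EXPECTED_HOSTS = {
    "sapapp01": "abap_app_server",
    "sapapp02": "abap_app_server",
    "sapapp03": "abap_app_server",  # documented, but reports nothing below
    "sapdb01": "db_server",
}

# Constructed inventory as collected from the hosts: (host, component, patch level).
INVENTORY = [
    ("sapapp01", "kernel", 1200),
    ("sapapp01", "host_agent", 62),
    ("sapapp01", "db_client", 41),
    ("sapapp02", "kernel", 1200),
    ("sapapp02", "host_agent", 55),  # below the minimum
    # sapapp02 reports no db_client at all: a blind spot, not a pass
    ("sapdb01", "host_agent", 62),
    ("sapdb01", "db_server", 70),
]


def check_landscape(inventory, expected_hosts=EXPECTED_HOSTS,
                    required=REQUIRED_COMPONENTS, minimum=MIN_PATCH_LEVEL):
    """Return (host, component, finding) tuples.

    Three kinds of finding, in this order per host:
      - the host is documented but reports no inventory at all;
      - a required component is not in the inventory (patch state unknown);
      - a reported component is below the minimum patch level.
    """
    by_host: dict[str, dict[str, int]] = {}
    for host, component, level in inventory:
        by_host.setdefault(host, {})[component] = level

    findings = []
    for host in sorted(expected_hosts):
        role = expected_hosts[host]
        present = by_host.get(host)
        if not present:
            findings.append((host, "*", "documented host reports no inventory"))
            continue
        for component in sorted(required[role] - set(present)):
            findings.append((host, component, "not in inventory: patch state unknown"))
        for component, level in sorted(present.items()):
            if level < minimum[component]:
                findings.append((host, component, f"patch level {level} below minimum {minimum[component]}"))
    # hosts that report inventory but are not documented are a coverage gap too
    for host in sorted(set(by_host) - set(expected_hosts)):
        findings.append((host, "*", "host not in landscape documentation"))
    return findings


if __name__ == "__main__":
    for host, component, finding in check_landscape(INVENTORY):
        print(f"{host}: {component}: {finding}")
```

The important design choice is that a missing component is a finding in its own right rather than silently passing: "nothing reported" is the state in which the SAP Host Agent or the database client typically sits while the kernel and ABAP notes are patched on schedule.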

 

Conclusion  

Ensuring technical security is not an easy task. It requires technical insight into various areas, as well as a vigilant approach to make sure business processes are not impacted. Apart from the technical aspects, security issues can be prevented with the right attitude and awareness of the situations that lead to such issues. In this article, we gave only a few points for technical administrators that may contribute to this so that SAP environments are kept safe. Looking at the variety of security areas to cover and the changes that many SAP landscapes face, the security task is enormous. Consider a solution like SecurityBridge to get back control of your SAP landscape!