Top 5 security concerns for the SAP Cloud Connector

Every organization constantly faces the challenge of minimizing the attack surface that an adversary could use to perform malicious operations. To do this, administrators must install the deployed components and understand them in detail to identify risks and proactively mitigate or prevent them. Today we are looking at what is necessary to protect the SAP Cloud Connector.

What is the SAP Cloud Connector?

When installing and operating the SAP Cloud Connector (SCC), administrators need to consider several things to ensure security. A good starting point is the manufacturer’s SAP Cloud Connector Security Guidelines, which include the following topics:

  • Network zones concept  
  • Administration UI  
  • High Availability  
  • On-Premise Configuration  
  • Audit Logging  
  • OS-Level Protection  
  • Protocol Security and  
  • Instances.  

A new and remarkable feature of the SAP Cloud Connector is its integrated security check, which informs the administrator about existing issues. It is more than a checklist: it displays a status showing which problems currently exist. To find the feature, open the Connector menu and choose Security Status; this gives an overview of potential security risks and the recommended actions.

The SCC distinguishes between general and sub-account-specific problems. In the General Security Status area, customers will find general issues. In the lower area, you will then see the sub-account issues.  

Problem #1: Often, these recommendations have not been implemented or are only partially implemented.

Often, technical components are installed and then forgotten if they perform their service and do not break anything that works. To make matters worse, these components usually are provided by external service providers. As a result, there is not enough internal expertise available within the company for regular security checks or the remediation of security problems.  

Problem #2: The SAP Cloud Connector isn’t integrated enough into the lifecycle management of the SAP operation. This neglect can lead to security problems that are not detected or resolved in time. 

SAP releases regular enhancements for all products in its software portfolio. It is the customer’s responsibility to check on-premise components for security vulnerabilities for which a patch has been provided and to close these loopholes on time. In addition, you must include other software products used by the SAP SCC in the equation. Examples are the Java Virtual Machine (JVM) version and the Tomcat web server.

Problem #3: Also, due to the lack of integration into the software lifecycle management, customers aren’t aware of security patch releases and either don’t implement them or don’t implement them fast enough. You can find the available SAP Security Patches for the technical component on the SAP Support Portal using the following query: Display security patches for SAP Cloud Connector.

SAP products are usually extensive in their logging. This makes it possible to track circumstances and situations occurring during regular operations. However, the number and variety of security logs pose a challenge for many customers. If they’re enabled, they are usually only used by the administrator for error analysis and troubleshooting. Few manage to transfer this valuable information to the Security Operation Center (SOC), and only very few apply use cases that make real use of the collected data.

Problem #4: Security logs are not enabled or monitored. There is no concept for alerting when an anomaly occurs, and thus attack actions such as exploiting vulnerabilities are not detected. 

The SAP Cloud Connector builds a bridge to the outside world. Communication with public networks is dangerous because external attackers can intercept and analyze data packets. Therefore, protocol security and network architecture are important. At this point, we want to motivate our readers to support the Feature Request “Implement SNC support for incoming RFC in SAP Cloud Connector” in the SAP Customer Influence Portal.

Problem #5: The system architecture isn’t optimized. For example, the SAP Cloud Connector in the DMZ shares a host system with other components. Alternatively, the protocol security isn’t guaranteed, so attackers can intercept, redirect, or manipulate the packets.

Addition:  
Based on our field service’s reports, we found SAP Cloud Connector installations in production environments that used the portable version. For productive use, SAP strongly recommends using the installer version. 

Conclusion

The integration of technical components such as the SAP Cloud Connector or the SAP WebDispatcher into the in-house software lifecycle management processes requires special efforts from the customer. To achieve a resilient posture against cyber-attacks, both the hardening of software components and monitoring of whether the measures are working must be carried out.  

Security updates must be identified and implemented on time, and security logs must be monitored continuously for suspicious activity to detect attacks as they occur.  

You may think this is a massive hurdle until you experience solutions like the SecurityBridge Platform for SAP. SecurityBridge provides holistic cyber-security coverage addressing the needs of SAP customers directly from within your SAP landscape.

Posted by

Christoph Nagy