Top reasons CISOs tend to neglect SAP security

Even though SAP systems run on regular operating systems and databases, the application itself uses very specific standards and formats for exchanging and storing data. This article explains the top reasons chief security officer's neglect SAP Security.
SAPsecurity and CISOs

It’s the year 2020 AD. The entire enterprise IT infrastructure is protected by cybersecurity solutions monitoring for threats and attacks and notifying the security department in real-time. Well, not entirely… A small section of SAP systems containing the most valuable company data is resisting continuous security monitoring. And life is not easy for the CISOs who protect the underlying infrastructure, trying to protect invaders from entering the resistant SAP infrastructure.

The SAPies administrating and maintaining the SAP system landscape speak a different language than the rest of the IT security employees. Nor do they adhere to best or good security practices. Unfortunately, the SAPies also govern and control the most important business processes, which under no circumstances must interfere with security measures. Therefore the Caesar em I mean, CISO has no power over the SAP village, which increases the risk for an attack targeting the most valuable company data. Can CISOs win the trust of SAPies and protect them from threats and attacks?

The challenges for CISOs in protecting SAP environment go beyond mere language problems. The technology used by the German software giant not only differs in the terminology used, it is also inherently more complex than the rest of the IT infrastructure. To give a simple example: a common operating system contains about 60 million lines of code – and those already contain thousands of security relevant settings and entry points which need to be monitored. Compare that to the 320 million lines of code of the SAP business suite and you have the first reason, why CISOs shy away from protecting their ERP systems.

And it’s not only the sheer complexity which makes it difficult to monitor every aspect of SAP for potential threats and attacks. The underlying technology is very much different, too. Even though SAP systems run on regular operating systems and databases, the application itself uses different standards and formats for exchanging and storing data. Which makes the regular tools and weapons used to fight off cyber attacks pretty much useless. Specialized software, on the other hand, used to be rare and mostly expensive, representing another obstacle in securing SAP.

The costs for SAP specific security solutions are not the only financial reasons why CISOs find it difficult to argument for an effective security strategy for their SAP systems. After all, business operations must, by no means be affected by securing the respective SAP applications. Just take the SAP security patches as an example. The moment those patches are publicized, the hacker community will know about the most effective way of entering an SAP system. However, the SAPies responsible for implementing those patches cannot do it at their own will – some patches require a restart of the affected SAP system, which sometimes makes it next to impossible to implement it at all. For those cases it comes down to a simple financial decision for the company: is it more expensive to, say, stop a production line for implementing the patch or would a potential breach lead to more costs? More often than not, companies decide for the former, with the consequence that security for SAP suffers.

This leads to another reason why CISOs don’t focus as much on the security of their SAP systems as they should. In the past, SAP systems were often separated from the “regular” IT infrastructure, even to the point that the SAP department was separated from the IT department. These organizational structures still exist today, in a world where every device with some computing power is connected to all other computing devices. That includes SAP, which due to the very nature of being a system which controls most business processes, includes hundreds or even thousands connection to the outside world. However, when it comes to security, the SAP department and the IT department often do not communicate with each other. Neither sees a reason to: the IT department still – historically – perceives SAP as being a separate entity and the SAP department doesn’t see security as their responsibility.

Given those obstacles, how can companies successfully make the transition to a security strategy which holistically includes their SAP systems as well?

The answer is surprisingly simple. An SAP security system needs to have the sophistication to address the complexities of the SAP environment to detect known and unknown threats and provide a simplified method for vulnerability management so that housekeeping tasks can be performed by an automated or semi-automated process, guiding the SAPies and reducing their workload by targeting efforts effectively. This balanced with cost-effective solutions should make the cost vs security ROI a compelling argument. Contact us to find out how those objectives can be achieved effectively and efficiently.

Contact us for finding out how those objectives can be achieved effectively and efficiently.
Please find more information on SecurityBridge.

Picture of Christoph Nagy

Christoph Nagy

My name is Christoph Nagy. I am the founder and managing director of SecurityBridge - NCMI GmbH. We develop strategic security solutions for our customers, enabling them to perform automated analysis of security settings and to detect and prevent cyber-attacks against SAP© in real-time.

Leave a Replay