Four Best Practices for Increasing SAP’s Security Posture
Properly configure system settings

With seemingly endless individualization settings, the basic security of an SAP system relies on correct configuration, including compliance with rules for system settings, proper program authorization permissions, and the rules governing SAP system communication. The operating system, database and application layers all require careful attention, including the configuration of the RFC Gateway to prevent unauthorized remote access from other systems and applications. To ensure the configuration is kept correct and up to date, organizations should refer to the guidelines provided by SAP user groups such as USAG for security-oriented settings, test catalogs and general best practices.
Actively monitor authorizations

SAP automatically delivers the necessary authorizations, allowing essential permissions to be assigned. Operators must carefully examine and vet permissions and combinations of authorizations, because if three key principles are undermined by the assignment of necessary permissions, there is a large risk of exploitation or fraud. This type of monitoring is particularly important since many critical transactions and function modules are available remotely. An important component of this supervision, and of SAP security as a whole, is the correct handling of security logs. Checks such as segregation-of-duties (SoD) analysis are carried out on SAP roles and users, since a user assigned several roles may violate a so-called SoD conflict. In addition to evaluating users, it is essential to know which roles, in combination, ultimately trigger the conflict. The most critical logs to prioritize are the Change Logs (SCU3), the Change Documents of users and business objects (SCDO) and the SAP Security Audit Log (SM20), which must be kept in sync. The SAP Security Audit Log should be prioritized since it contains a set of security- and audit-relevant events. The SAP RFC Gateway log (SMGW) covers various further logs, including those of the RFC Gateway, the SAP Internet Communication Manager and the Web Dispatcher. Many security logs are also essential for meeting the compliance requirements of the California Privacy Rights Act or the EU General Data Protection Regulation (GDPR, or DS-GVO in German). The SAP Read Access Logs record which users accessed specific fields of transactions, reports or programs. The configuration and assessment of this log is a fundamental constituent of SAP security monitoring, as it allows greater visibility and control across the entire SAP system.
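The SoD check described above, as an added example that is not part of the original article: given a rule set of incompatible business functions, a role-to-function mapping and user role assignments (all constructed sample data, not taken from any SAP system), it reports not only which users are in conflict but which role combination triggers each conflict.

```python
"""Segregation-of-duties (SoD) conflict check over SAP-style role assignments."""
from itertools import combinations

# Constructed SoD rule set: pairs of business functions one person must not hold together.
SOD_RULES = {
    frozenset({"MAINTAIN_VENDOR", "POST_VENDOR_PAYMENT"}),
    frozenset({"CREATE_PURCHASE_ORDER", "APPROVE_PURCHASE_ORDER"}),
}

# Constructed roles and the business functions each role grants (hypothetical names).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"MAINTAIN_VENDOR"},
    "Z_AP_PAYMENTS": {"POST_VENDOR_PAYMENT"},
    "Z_PURCHASER": {"CREATE_PURCHASE_ORDER"},
    "Z_PURCHASE_APPROVER": {"APPROVE_PURCHASE_ORDER"},
    "Z_DISPLAY_ONLY": {"DISPLAY_VENDOR"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "ALICE": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "BOB": {"Z_PURCHASER", "Z_DISPLAY_ONLY"},
    "CAROL": {"Z_PURCHASER", "Z_PURCHASE_APPROVER", "Z_DISPLAY_ONLY"},
}


def conflicts_for_user(roles, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Return sorted (function_a, function_b, role_a, role_b) tuples for one user.

    Each tuple names the rule violated and the role pair that together grants
    both sides, so the reviewer knows which combination has to be split.
    """
    found = set()
    for rule in rules:
        fa, fb = sorted(rule)
        # A single role granting both functions is a conflict by itself.
        for role in roles:
            funcs = role_functions.get(role, set())
            if fa in funcs and fb in funcs:
                found.add((fa, fb, role, role))
        # Otherwise the conflict only arises from a combination of roles.
        for ra, rb in combinations(sorted(roles), 2):
            funcs_a, funcs_b = role_functions.get(ra, set()), role_functions.get(rb, set())
            if (fa in funcs_a and fb in funcs_b) or (fb in funcs_a and fa in funcs_b):
                found.add((fa, fb, ra, rb))
    return sorted(found)


def sod_report(user_roles=USER_ROLES):
    """Map every user with at least one SoD conflict to the list of conflicts."""
    return {user: conflicts_for_user(roles)
            for user, roles in user_roles.items() if conflicts_for_user(roles)}
```

Running `sod_report()` on the sample data flags ALICE (vendor maintenance plus payment posting) and CAROL (creating plus approving purchase orders) while BOB, whose extra role is display-only, passes.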
Patch and (de)code the unknown

SAP is increasingly vulnerable to security breaches because these systems expose a large attack surface. Threats currently being handled in traditional cybersecurity are equally valid for SAP systems. The challenge faced by most organizations running SAP is not a lack of awareness of needed patches, but keeping patches current and applying them continuously. Since this is a strenuous process, a significant number of SAP systems remain unpatched for long periods of time, further increasing the risk of a breach. Patching is essential, as is the detection of exploited vulnerabilities, the so-called "zero-day exploits." Code security is another key component of establishing a secure SAP landscape. Since code security is left in the hands of developers, code is developed and transported from the development systems to the production systems, usually without sufficient examination. This process lets attackers inject code undetected and manipulate urgent transports at runtime, so code inspection tools or modules are critical in protecting overall security. Ensuring timely patches and proper code security can prevent extensive damage.
SAP's pièce de résistance: SIEM

Once the basics of SAP security are covered, organizations can integrate a SIEM to go beyond basic compliance and increase security. In most environments, SAP systems and traditional cybersecurity monitoring tools such as a SIEM are separate entities, creating a blind spot in protection and widening the opportunities for threat actors. Integrating SAP security monitoring into a centralized SIEM offers a holistic approach to protection, adding valuable insight into cybersecurity, IT operations, system compliance and business analytics across an organization's network. This combination allows continuous monitoring for the detection of threats to SAP systems and the automation of responses, so attackers cannot slip through the cracks.

By ensuring that system settings are properly configured, permissions and authorizations are continuously reviewed, patching and code remain up to date, and SAP is integrated into the SIEM, organizations can significantly increase their level of preparedness against the range of cyber threats that will inevitably come their way.