IT security

Kai Grunwitz, Patrick Schraut | Günter Herkommer,

Do not exclude the ERP world

Although companies give top priority to IT security, they surprisingly often ignore the SAP world. This approach no longer meets today's requirements.

© Image: Computer&AUTOMATION, Sources: Fotolia, James Thew/_bas121; Wikipedia

SAP and IT security are usually two separate worlds. As the overall risk to IT security grows, many companies have initiated security projects but excluded the SAP world from them. This is no longer acceptable today, especially as SAP data is generally business-critical. But why is SAP security given so little consideration? There are several reasons. For example, SAP security is often not on the CISO's IT agenda because it is considered too complex and very specialized. This is shown by NTT Com Security's experience from numerous projects in the areas of information security and risk management. In addition, SAP departments are generally independent units that want to retain their independence and are sometimes reluctant to allow the rest of IT to exert influence. Finally, SAP IT departments often lack the necessary security expertise across the board.

In the recent past, SAP has launched a number of security products, such as 'SAP Single Sign-On' for secure access to SAP and non-SAP systems, 'SAP Identity Management' for efficient user administration, 'SAP Access Control' for rule- and law-compliant authorization assignment, and the 'Code Vulnerability Analyzer' for automatic and manual source code checks. SAP has developed the 'SAP Enterprise Threat Detection' and 'SAP Fraud Management' solutions for real-time identification of attacks and attempted fraud. However, the mere availability of these tools does not mean that they are used across the board: 'SAP Enterprise Threat Detection', for example, which evaluates and analyzes security events across the SAP system landscape and was also designed for connection to traditional SIEM systems, is not yet in use at many companies.

However, even if SAP security tools are occasionally used by companies, one problem remains: with a patchwork of solutions and isolated applications, the systems remain vulnerable. In other words, only a fully integrated security solution offers reliable protection. Despite this, inefficient security silos can still be found in many companies. This was also the result of a recent study by Dell, in which 175 German companies took part. A key finding was that IT security is often organized on an application-specific basis and is the responsibility of different company departments. For example, only 23% of the companies surveyed have a central IT security department that also covers the distributed application landscape, and therefore the SAP landscape.


Separate worlds dominate

[Figure: Schematic representation of the integration of the SAP infrastructure into an overall IT security concept. © NTT Com Security]

The fact that two worlds often dominate is already evident in a simple topic such as user administration. The status quo in many companies is still that the SAP environment is separated from the rest of IT and authorization concepts are not implemented company-wide. In almost all companies today, the Microsoft Active Directory (AD) directory service is a central element of the entire infrastructure. AD performs a wide range of tasks that go far beyond the mere administration of user accounts and also include, for example, the authentication and authorization of non-Windows-based systems such as Linux servers or applications. Surprisingly, however, one area is often left out: the SAP infrastructure.

However, integration is only one side of the coin. Just as important is the elimination of existing security gaps, and these are frequently found in the SAP world. They concern, for example, the lack of

  • activation of encryption,
  • separation of administrative authorizations,
  • segmentation of frontend and backend and
  • a patch management strategy.

Another key problem is that, particularly in the SAP environment, access authorization concepts and change management procedures are often only implemented on a user-related basis - and not from a security perspective. The challenges are therefore obvious, and SAP itself is also increasingly addressing the issue of security as part of several initiatives.

A sequential approach is recommended

[Figure: An effective cyber defense approach is based on the four cornerstones of prevention, detection, defense and response. © NTT Com Security]

The cyber threat to SAP applications can only be reliably averted by integrating them into a company's overall security strategy. This means that it is of fundamental importance that the SAP world is also taken into account as part of security projects and when implementing a holistic cyber defense strategy.

A sequential approach should be adopted when implementing such a strategy. The starting point is an analysis of the IT landscape, including the SAP environment, and the creation of its risk profile; the introduction of tools comes only at the end of the process chain. The risk assessment (risk insight) involves the classification of all processes and data worthy of protection, naturally also within the SAP world. All further measures must then build on this as part of an end-to-end cyber defense strategy. The core elements here are the four central cornerstones of prevention, detection, defense and response.

On the one hand, prevention involves infrastructure and network management on the company side, with classic security measures such as perimeter protection with email gateways including spam and malware filters, next-generation firewalls, VPN systems or dynamic sandboxing solutions. On the other hand, the company-critical (SAP) business applications and data themselves must also be given greater attention and secured accordingly.

The next step is detection, i.e. a comprehensive security analysis with the evaluation of real-time data and proactive monitoring. Efficient monitoring not only covers system logs and alerts, but also includes, for example, behavioral analyses of a company's IT environment, which can be used to uncover unusual processes.

The use of early detection systems is an indispensable part of a comprehensive security solution. It is obvious that a company can hardly implement comprehensive protection against cyber attacks completely independently, as the threat situation is too heterogeneous and, above all, too dynamic, and the costs are too high. This is where SOCs (Security Operations Centers) from Managed Security Services (MSS) providers come into play as proactive defense centers for companies.

Last but not least, a company should also be prepared for the worst-case scenario - a so-called incident - as 100% protection is likely to remain a utopian dream. This means that an incident response procedure must be established that can be called up in the event of danger and that prevents unwanted data outflow.

One thing should be clear: Hackers do not differentiate between SAP applications and general IT. When implementing a cyber defense strategy, it is therefore important to take a holistic approach that integrates the monitoring and protection of the SAP infrastructure as an important success factor. Only with such a comprehensive concept can an SAP user achieve maximum IT and information security today.

Authors:
Kai Grunwitz is Senior Vice President Central Europe at NTT Com Security;
Patrick Schraut is Director Consulting & GRC at NTT Com Security.
