In the past few years, cyber-attacks have increased, exploiting vulnerabilities that the shutdown around COVID-19 caused. For example, Check Point reported that from 2020 to 2021, cyber-attacks across all industries increased by 50%.1 More specifically, they found that organizations suffered about 900 attacks on average per week in Q4. Looking particularly at ERP platforms, software vendor attacks increased by 146% and averaged at about 536 attacks per week.
Unfortunately, SAP is not immune to this phenomenon. Even at Q4 of 2023, the company still discovered some critical risks (which have fortunately been patched, as we will discuss later in this article). Despite the company’s vigilance towards identifying and resolving security issues, businesses also need to be aware of potential risks and take the steps needed to ensure privacy—regardless of what software vendor they choose.
In most scenarios, the best way to avoid a problem is to stop it at the source before it grows into a serious conflict. To prevent security issues from the start, businesses need to maintain data security and compliance throughout the landscape simplification process.
The Risks
Even before the pandemic arose, SAP presented vulnerabilities. For example, Vijayan’s contribution to CSO provided some insight into a component that often leads to security problems: an unnecessary level of complexity in the SAP footprint.2 In other words, a cluttered SAP landscape.
From his observations, we can see that SAP landscape simplification and SAP security go hand in hand. Businesses can employ the landscape simplification process to detect security issues early on, whereas a cluttered landscape presents vulnerabilities and open doors for cyber-attacks. Some specific ways an attacker could target a cluttered landscape include a haphazardly made Access Control List, faulty custom code, and insufficient auditing.
Additionally, if the business does not regularly monitor and maintain its landscape, a cyber attacker can stealthily gather and extract data from the SAP landscape, sometimes over a period of months.3 They may gain access from gaining improperly assigned permissions or finding a way to pose as someone else due to poor authentication techniques—among other methods.
Finally, cloud is a common method for landscape simplification due to its versatility and easy access. However, these same aspects can also raise security concerns. For example, the presence of private data on the Internet poses as an easy target for hackers who want to gain unauthorized access.4 Additionally, cloud resources are generally separate from a business’s main infrastructure, which can render the tools that the business uses for security and monitoring ineffective.
The Solutions
As previously mentioned, strong security ultimately depends on how the business implements and simplifies the SAP landscape. If the business does not do the following, they face security risk—no matter how secure the software itself is:
- Ensure everyone is assigned proper levels of authorization.
- Establish reliable authentication techniques.
- Communicate procedures to avoid social engineering.
- Avoid an overly complex landscape, which presents vulnerabilities.
- Maintain data security and compliance throughout the landscape simplification process.
- Regularly monitor the landscape for security and compliance.
Businesses may initially be intimidated by the daunting amount of vigilance and structure they need to fully ensure security. In some scenarios, they may even need to completely restructure their landscape and processes.
Fortunately, SAP has tools to assist. For example, SAP Enterprise Threat Detection (ETD) provides regular monitoring to ensure data security and compliance. The tool provides a way to monitor and respond to security incidents, all while providing analytics of the system users. This tool integrates well with the Security Information and Event Management, or SIEM, to provide a more comprehensive monitoring experience.5
Additionally, SAP BTP, a popular landscape platform, offers ways to ensure your business has sufficient security and compliance. For instance, they offer Security Recommendations to help guide a business throughout the configuration process.6 The platform operates on its own network, which has heavy firewalls and transport layer security. Finally, they provide an easy-to-use user management system, which is a crucial way to avoid improperly procured permissions and authorizations. Finally, the program protects digital identities through a process known as identity federation.
SAP also offers bioLock MFA technology, or multi-factor authentication, that is specifically designed for SAP’s ABAP code. The system offers various biometric authentication methods, including fingerprint and facial scans, to protect from traditional password vulnerabilities and suit the business’s specific needs.7
Finally, the ERP software vendor regularly posts on a Patch Day Blog, in which businesses can gain awareness of current vulnerabilities and install the corresponding security patches.8 These blogs are released the second Tuesday of each month. If you want more information on how to navigate and employ the Patch Day Blog, feel free to look through the SAP support page for this topic: https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html
To gain some insight on what the Patch Day Blog detects, let’s take a look at two critical vulnerabilities that were addressed in December of 2023. In one security concern, BTP security services integration library allows escalation of privileges, which could allow malicious gain of unnecessary permissions. This problem impacts versions earlier than 2.17.0 and any between 3.0.0 and 3.3.0. Additionally, the SAP blog spread awareness of the Operating System command injection vulnerability. This issue can allow the attacker to execute commands that compromise or even shut down the system. These are both serious security threats—issues that any business that uses SAP should be aware of.
Keeping Agile
As mentioned before, a truly secure business landscape can be difficult to achieve. A business may be in need of a complete landscape change but face concerns about the resources and knowledge transfer, which requires formation of a learning organization. This is where keeping agile comes in.
One way businesses can gain agility is through the cloud. As mentioned in this article, the cloud offers an affordable, simple way to consolidate the SAP landscape while providing analytics. However, as we discussed earlier, the cloud also poses security risks. Fortunately, SAP’s program GROW provides a well-tested security structure that addresses the cloud’s vulnerabilities. To learn more about how specifically GROW offers security to the SAP landscape, check out this article: https://blogs.sap.com/2023/04/20/security-of-grow-with-sap-landscape/.
Conclusion
SAP security is vital to a properly implemented landscape. Without a simplified landscape, you open your business’s private data to vulnerabilities. If you fail to consider security aspects during your landscape simplification, you will be unaware of potential issues—possibly even allowing a hacker to extract data without you knowing it. As a result, the organization should not only consider security as a necessary part of compliance, but also as an integral part of business success.
1 “Check Point Research: Cyber Attacks Increased 50% Year over Year.” https://blog.checkpoint.com/security/check-point-research-cyber-attacks-increased-50-year-over-year/.
2 Vijayan, Jaikumar. “Top 8 Security Mistakes in SAP Environments.” https://www.csoonline.com/article/567405/top-8-security-mistakes-in-sap-environments.html.
3 Upadhyay, Gulit. “Understanding SAP Security.” https://blogs.sap.com/2022/12/01/understanding-sap-security/.
4 “Main Cloud Security Issues and Threats in 2024.” https://www.checkpoint.com/cyber-hub/cloud-security/what-is-cloud-security/top-cloud-security-issues-threats-and-concerns/.
5 Boddu, Raghu. “Safeguarding SAP Landscapes: Unleashing the Power of SAP Enterprise Threat Detection (ETD)- An Introduction.” https://blogs.sap.com/2023/06/04/safeguarding-sap-landscapes-unleashing-the-power-of-sap-enterprise-threat-detection-etd-an-introduction/.
6 “Best Practices for SAP BTP: Security Concepts.” https://help.sap.com/docs/btp/best-practices/security-concepts.
7 “Enhancing Security in SAP Technology with bioLock Multi-Factor Authentication.” https://news.sap.com/africa/2023/09/enhancing-security-in-sap-technology-with-biolock-multi-factor-authentication/.
8 SAP Patch Day Blog. https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html.