Even in the cloud, your SAP systems are at risk

12 March 2020

As more and more companies move their SAP systems to the cloud for various reasons (business transformation, cost control, ICT policy, focus on core business etc.), most of them do not consider security to be an issue, because they have been reassured by the cloud vendor that a sufficient built-in security layer exists.

During the actual migration to the cloud, their SAP system’s content will be migrated into a pre-installed new infrastructure, often combined with an SAP upgrade or a change of database to SAP HANA.

Secure your applications as well

In most cases, the new target infrastructure is designed and set up by either an infrastructure team of the company itself or an external consultancy specialising in cloud infrastructure/operations. Unless special attention is given to security in the design and build phases, SAP cloud customers will end up with a standard level of security that protects their cloud servers but not their SAP applications.

If no specific security measures are taken on the SAP application level, SAP systems will be at risk.

Our investigation, which took place in January 2020, identified vulnerable SAP systems worldwide and showed clusters of vulnerable SAP systems located in large data centers that belong to known public cloud vendors and hosting providers.

Prevent being hacked

The easiest way into your SAP systems is through the SAP application layer: logging on via the SAP GUI with a standard user and a standard password. More advanced hackers may also use hacking tools that exploit open network ports and missing ACL files. Once they gain a foothold, they will quickly escalate privileges until they gain complete control over your SAP system.

Another risk of exploitation exists when SAP customers don’t apply SAP Security Notes. Because new SAP Security Notes are published regularly, hackers analyse them to work out the underlying vulnerabilities and build specialised exploits for them. SAP customers that don’t apply the SAP Security Notes are especially at risk due to the existence of these exploits.

Use Protect4S and stay in control

Protect4S provides protection on each of the 3 layers of an SAP system: application, (HANA) database and operating system. It contains a repository of 1700 checks that are constantly updated and will determine the vulnerabilities in your SAP systems that may exist due to misconfiguration, missing or bad ACL files, weak encryption, missing OSS Notes and lots of other causes.

Protect4S scans your SAP systems, points out and ranks your vulnerabilities, explains them using trusted SAP sources like SAP OSS Notes or SAP Help, and automatically generates to-do lists for your technical SAP staff so they can fix these security issues.

Protect4S is a lightweight, browser-based application that runs on top of your SAP Solution Manager and requires no costly and hard-to-maintain special infrastructure or run-time environment. The browser interface is intuitive and does not require special training to handle.

Try it out for free

Protect4S can be tried out for free for 3 months. It can be installed in a matter of hours and de-installed completely in minutes.

Why not give it a try and gain back control of the security of your SAP systems? 