Zero Trust and SAP

30 August 2021

Do you trust your SAP systems?

In recent years, the IT business has seen many changes: from on-premise to cloud-based computing, from smart computing to the increasing use of Artificial Intelligence (AI), from Big Data to Data Transformation, from batch-oriented to real-time processing, from working on-site to working remotely, and so on, leading to ever-increasing complexity in IT architectures.

At the same time, cyber-related crime has evolved in a similar manner, making the jump from individual malicious actors to organized crime syndicates that are often established and supported by governmental structures.

Zero Trust

It may therefore come as no surprise that new security paradigms have evolved too. One of the latest ones is called “Zero Trust”. The National Cyber Security Centre (NCSC) in the UK identifies the following key principles of Zero Trust:

  1. Single strong source of user identity
  2. User authentication
  3. Machine authentication
  4. Additional context, such as policy compliance and device health
  5. Authorization policies to access an application
  6. Access control policies within an application

Basically, Zero Trust is a theoretical approach for architecting and building new IT infrastructures using sound security principles and complete control of users and access to resources.

But Zero Trust also has a basic flaw: it does not consider the risks of the resources themselves.

Let’s presume that an organization does not have any patch and vulnerability management process in place for their SAP systems. Spending a lot of money on user and machine authentication and safe access while at the same time allowing these users access to unsafe SAP systems makes no sense at all.

Zero Trust ignores the risks within the resources themselves while focusing on access controls.

An SAP system that is not patched, hardened, and is not subject to a strict security policy, is an environment in which SAP user accounts can be hijacked or compromised in many ways.

Before enabling a security model like Zero Trust in an SAP infrastructure, you must close this gap first by implementing a patch and vulnerability management process.

SAP

Over the last 25 years, SAP has made great efforts to enhance its security posture, and many of the standard SAP security-related parameters now have safer default settings. Many new security-related parameters and features are also now part of the standard delivery.

However, one fundamental principle has remained the same for the last 25 years:

SAP Customers must adapt the security settings to their own specific infrastructure.

Without this adaptation, a newly deployed out-of-the-box SAP system located somewhere in a cloud can be detected and hacked by third parties in a short time.

SAP customers must prevent exploitation of vulnerabilities in their SAP systems by making the required changes to these systems to minimize their risk surface and implement their own IT infrastructure policies.

To harden their SAP systems, SAP customers must start with the basics and define, implement, and monitor a security baseline and maintain many detailed security configuration settings.

In addition, SAP customers must stay up to date with the monthly release of SAP Security Notes.
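As an added illustration of what "define, implement, and monitor a security baseline" means in practice, the following Python sketch (written for this article, not Protect4S code) compares a constructed SAP instance profile excerpt against a small baseline and reports every deviation, including the parameters that are unset or set to a value that disables the control. The parameter names are real SAP profile parameters; the required values are assumptions chosen for the example and not the values of SAP's own Security Baseline Template.

```python
# Baseline rule: parameter -> (operator, required value, zero_means_disabled).
# Parameter names are real SAP profile parameters; required values are assumptions.
BASELINE = {
    "login/min_password_lng": (">=", 12, False),
    "login/password_expiration_time": ("<=", 90, True),   # 0 = passwords never expire
    "login/no_automatic_user_sapstar": ("==", 1, False),
    "rdisp/gui_auto_logout": ("<=", 1800, True),          # 0 = auto-logout disabled
}

# Constructed sample instance profile excerpt (not taken from any real system).
SAMPLE_PROFILE = """\
# instance profile excerpt
login/min_password_lng = 6
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 1
"""

def parse_profile(text):
    """Return {parameter: raw value} from 'name = value' lines, ignoring comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def check_baseline(params, baseline=BASELINE):
    """Return a list of (parameter, problem, actual value) for every deviation."""
    findings = []
    for name, (op, required, zero_disables) in baseline.items():
        raw = params.get(name)
        if raw is None:
            # Unset means the kernel default applies; the baseline should set it explicitly.
            findings.append((name, "not set in profile", None))
            continue
        try:
            actual = int(raw)
        except ValueError:
            findings.append((name, "non-numeric value", raw))
            continue
        if zero_disables and actual == 0:
            findings.append((name, "control disabled (0)", actual))
            continue
        ok = {"==": actual == required, ">=": actual >= required, "<=": actual <= required}[op]
        if not ok:
            findings.append((name, f"expected {op} {required}", actual))
    return findings
```

Running `check_baseline(parse_profile(SAMPLE_PROFILE))` reports the short minimum password length, the disabled password expiry and the unset auto-logout parameter; the compliant SAP* setting produces no finding.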

Protect4S

Protect4S provides a simple 3-step security process enabling continuous improvement of SAP security and supports the key principles of Zero Trust by helping to secure and harden SAP systems.

Protect4S:

  • delivers security monitoring templates based on the latest SAP Security Baseline standard.
  • addresses all the security areas mentioned above by pointing out all vulnerabilities that may exist in your SAP systems and provides the information on how to remediate them.
  • provides the means to remediate SAP vulnerabilities with the automatic implementation of OSS Notes.
  • makes daily compliance monitoring across complete SAP landscapes effortless and provides easy integration with SIEM-based monitoring systems.
  • has a low learning curve that transforms technical SAP consultants into SAP security specialists.
  • quantifies risk and provides the overall risk status and history of your complete SAP landscape.

Still wondering how you can automate and simplify your SAP security?
Try out Protect4S for 1 month for free or request a free demo!

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!