Thoughts about Security in an SAP Cloud-Compatible World

In the previous post (Part I), Decoding the “work in progress”, I commented on how the flexible idea of a hybrid architecture hides a single, inevitable direction: cloud-compatible architectures. In this post, I outline some thoughts on the consequences this may have for SAP security activities.

At the last DSAG Technology Days event (March 2023) there were eight security presentations, partner stands and various hallway conversations. Specifically: four presentations on awareness and another four on vulnerability management, two of them bordering on a subject as complicated as it is fascinating, law and IT security. In addition, a new announcement for security dashboards appeared (dashboards always look good, but if you keep the same sources without further analytical treatment, it is hard to show enthusiasm). Darknet anecdotes, vulnerabilities in the NetWeaver Gateway configuration, and user and password leaks in communications. What to say about it? Too much has already been written about it. It may be more interesting to pay attention to what was NOT said, i.e. how this cloud-prepared approach can affect the different SAP security areas.
SAP security activities and SAP security products have been deployed for years in quite specific and stable areas: system configuration and communication interfaces, authorization analysis, custom code review, log analysis and, lately, security awareness. These areas are grouped and renamed depending on the service vendor or the standard. Still, they probably make up more than 90% of SAP security work.
As mentioned in the previous post, the path to the cloud-compatible world affects each SAP technical domain (administration, development and data analysis). The discussion about the location of servers is today a secondary matter. There is only one direction, towards cloud-compatible, and it brings a series of critical implications.
For example, in the public cloud environment, system configuration and monitoring continue, but the responsibility for them moves to the service provider. On the other hand, the permanent and growing diversity of integrations with SaaS demands that permission analysis activities be multi-platform and integrated, and this holds for both private and public clouds. And most radically, given the inevitable adoption of ABAP Cloud, the custom (client) code attack surface is dramatically reduced, and this applies even to local on-premise systems. And for these new scenarios, for all these changes in infrastructure and architecture, there seems to be no “news” from a security perspective.
Probably this situation reflects the lack of security in the design phase, with security relegated to the reaction of external experts. A more optimistic person would assume that in this new cloud-compatible world there will be no security threat; unfortunately, that is not my case. Business processes are continuously segmented and exposed to external traffic. Users perform their “dialogues” on dozens of platforms and services, and transactions are executed from different regions. There was practically no mention of these topics; I say practically because, within all this silence, there was one very lucid presentation, which curiously ended with a disturbing title about the nebulous future.

A few notes on it:
Custom Code Security
Although security products, including the standard tools, tend to report hundreds or thousands of vulnerabilities, the percentage of these that are really exploitable does not usually reach 1%. They certainly exist, but they respond more to a theoretical exercise than to an actual attack surface. Now, in an ABAP Cloud universe, where direct interaction with the OS, the file system or even the database no longer exists, the custom code exploits as we know them today practically disappear.
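As an added illustration of the kind of custom-code finding the paragraph refers to (this is constructed example code, not code from the post or from Protect4S), here is a classic ABAP report that reads an application-server file named by the user, first in its vulnerable form and then hardened with a logical file name, FILE_VALIDATE_NAME and an S_DATASET authority check. The report name, the selection parameter and the logical file name ZSEC_DEMO_EXPORT are assumptions made for the example.

```abap
*&---------------------------------------------------------------------*
*& Constructed example, not from the original post: a classic ABAP
*& report that reads an application-server file whose name comes from
*& the user. Vulnerable form first, hardened form second.
*& Language version: Standard ABAP (on-premise / private cloud).
*&---------------------------------------------------------------------*
REPORT zsec_demo_dataset.

PARAMETERS p_file TYPE localfile LOWER CASE.   " assumed selection parameter

DATA lv_line TYPE string.

* --- Vulnerable form --------------------------------------------------
* The user-supplied name is used verbatim. Anyone allowed to run the
* report can pass '../../SYS/profile/DEFAULT.PFL' or any other path the
* work process can read, and no S_DATASET check is performed.
OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc = 0.
  DO.
    READ DATASET p_file INTO lv_line.
    IF sy-subrc <> 0.
      EXIT.
    ENDIF.
    WRITE: / lv_line.
  ENDDO.
  CLOSE DATASET p_file.
ENDIF.

* --- Hardened form ----------------------------------------------------
* 1. Tie the path to a logical file name maintained in transaction FILE,
*    so only files below the configured directory can be addressed.
* 2. Validate the physical name against that logical name;
*    FILE_VALIDATE_NAME rejects names that leave the allowed tree.
* 3. Perform the explicit S_DATASET authority check before opening.
DATA lv_phys TYPE fileextern.

lv_phys = p_file.
CALL FUNCTION 'FILE_VALIDATE_NAME'
  EXPORTING
    logical_filename           = 'ZSEC_DEMO_EXPORT'   " assumed logical file name
  CHANGING
    physical_filename          = lv_phys
  EXCEPTIONS
    logical_filename_not_found = 1
    validation_failed          = 2
    OTHERS                     = 3.
IF sy-subrc <> 0.
  MESSAGE 'File name rejected' TYPE 'E'.
ENDIF.

AUTHORITY-CHECK OBJECT 'S_DATASET'
  ID 'PROGRAM'  FIELD sy-repid
  ID 'ACTVT'    FIELD '33'          " 33 = read
  ID 'FILENAME' FIELD lv_phys.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized' TYPE 'E'.
ENDIF.

OPEN DATASET lv_phys FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc = 0.
  DO.
    READ DATASET lv_phys INTO lv_line.
    IF sy-subrc <> 0.
      EXIT.
    ENDIF.
    WRITE: / lv_line.
  ENDDO.
  CLOSE DATASET lv_phys.
ENDIF.

* Note: under the ABAP for Cloud Development language version (which
* ABAP Cloud enforces), OPEN DATASET, READ DATASET, EXEC SQL,
* CALL 'SYSTEM' and calls to unreleased function modules such as
* FILE_VALIDATE_NAME are syntax errors, so neither half of this report
* compiles there.
```

The hardened half is what a code scanner expects to see, and it is only needed because Standard ABAP lets a program touch the file system directly. Under ABAP for Cloud Development the file-interface statements and the kernel and native-SQL calls do not pass the syntax check at all, which is the concrete sense in which this class of custom-code exploit disappears rather than merely being mitigated.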
User and Identity Management & Security Hardening
As long as your S/4 system stays on-premise or in a private cloud, someone will continue performing the security actions performed today (still not as widespread as we would like to see): critical accesses, configuration parameters, access to the OS, etc. The tools and solutions we are using today will still be compatible, including Solution Manager. Considering recent history, it is difficult to get alarmed by the end-of-life announcement for Solution Manager in 2027. But it is certainly a sign of a cloud-compatible direction.
Security Monitoring & Forensics
There is a consensus that this product line will see the most development in the cloud-compatible future. But beware: current business processes will be distributed across multi-platform scenarios. Threat detection solutions must therefore be inclusive, open and non-hermetic. In this sense, a minimal but powerful event extractor that exports events to a generic ETL pipeline will be much more efficient than an SAP tool that tries to integrate and orchestrate logs from external applications. This event server concept has been used intensively in the design of the Protect4S Threat Detection solution.

But there is a more specific problem. Currently, the cost of ETD (enterprise threat detection) solutions, both from SAP and from other software vendors, is so high that it can sometimes be compared with the entire budget of the SAP Basis team. So, what are the alternatives for small and medium-sized companies? Here is a second design principle of Protect4S: deliver valuable security products that cover the most important security functions at a price affordable for most SAP customers.
Summary
The cloud-compatible scenario will undoubtedly bring challenges for the SAP security area. The word “transformation” is widely used in each of the areas of SAP, and security will not be the exception. The key to risk management is to invest as efficiently as possible to minimize risk. If my infrastructure is changing to a new architecture, I would prefer to invest with this new world in mind. Of course, against a high-risk vulnerability, doing nothing is not an option. For this reason, in this scenario of uncertainty and transformation, limiting security actions to what is “really” exploitable and building your security framework on this new architecture seems to be the most reasonable alternative. Here, the Protect4S design strategy can be of immense help to you.
Although vulnerability management activities will continue, even in private cloud scenarios, threat detection solutions will slowly begin to take the leading role. Among these, Protect4S Threat Detection may be the most accessible and affordable solution for SAP customers.
Regarding code security, consider any investment in ABAP OO mitigation carefully. In the short or long term, it will be replaced by ABAP Cloud, whose attack surface is insignificant. Carry out a pentest exercise in your company and mitigate what is really exploitable, but be clear that there are better investment strategies for SAP risk mitigation.
Knowing which information flows, how it flows and under what regulations will be much more effective in the context of cloud-distributed business processes. Something Protect4S seems to have had in mind for years:

Due to their quality, design, simplicity and cost, Protect4S solutions are prime candidates for SAP risk mitigation. Be aware of future scenarios and prepare your security strategy to protect your social, commercial and administrative activities. For more information, don’t hesitate to contact us or simply follow us on LinkedIn and our YouTube channel!