Managing access control from the application layer
In today’s interconnected digital landscape, where data breaches and cyber threats are on the rise, ensuring robust technical security measures is of paramount importance for organizations. With the increasing complexity of IT systems, safeguarding sensitive data and maintaining regulatory compliance has become more challenging than ever. This is where Access Control Lists (ACLs) can play a vital role in bolstering technical SAP security. In this blog, we will explore the significance of SAP ACLs, understand their importance in mitigating security risks, and compare them with network security measures like firewalls.
Why SAP application security is necessary
Organizations face the ongoing challenge of securing their valuable assets, such as financial data, intellectual property, and customer information, stored in SAP systems. Unauthorized access to these assets can lead to severe consequences, including financial loss, reputational damage, and legal ramifications. Traditional security measures, such as firewalls, can effectively protect the network perimeter, but they often fall short in securing internal systems and data repositories, like SAP systems.
Why? We name two main reasons:
- Multiple threats and exploits simply cannot be stopped at the network level alone; they require application-specific settings.
- The complex architecture and the sheer number of components in an SAP system that require network connectivity.
To elaborate on this last point: SAP systems have a multi-layer architecture whose components are highly scalable and can be distributed across several hardware resources to meet even the highest landscape requirements. This offers great flexibility, but it comes at the price of great complexity as well! The number of components involved in connectivity is vast, and even with relatively small SAP landscapes, oversight is easily lost. Let’s take a typical SAP ABAP system as an example. From a technical connectivity standpoint, there is connectivity from user interaction, coming from browsers, apps and (the everlasting) SAP GUI. There is system integration for interfacing, and there are other technical components like LDAP, file shares, email connectivity, monitoring agents, databases etc. And that is all aside from the components of the SAP system itself that need various connections simply to operate; this complexity increases greatly for larger landscapes and high-availability setups. Have a look at this overview of TCP/IP ports for SAP products and it is quite clear that managing and controlling connectivity in an SAP landscape is no small feat…
So, can this all be managed securely by relying on network components alone? Is a firewall enough? The answer is simple: no, it is not. Firewalls primarily focus on traffic filtering, packet inspection, and network segmentation. These are essential security features, no doubt about that. But they do not offer the granular form of application security that is required in this day and age. In fact, without additional application security, SAP systems are highly vulnerable to known exploits, which can come from external as well as internal sources. Look at our previous blog post for a striking example.
“Is network security enough to protect SAP systems? No, it is not!”
ACLs as a crucial addition
As said, advanced application security is of paramount importance to safeguard SAP systems. In this blog, we only look at technical connectivity and want to point out the added value that Access Control Lists have for SAP security. They are a great addition to network measures like firewalls and separate network zones, because they allow a more granular distinction that can be controlled from the SAP application level. SAP offers ACL functionality for multiple components, like the following:
- Message server: central component used in SAP ABAP and Java stacks.
- Internet Communication Manager (ICM): mainly used for the HTTP(S) and SMTP protocols (but there is a lot more). Note that the Web Dispatcher can be set up similarly.
- RFC gateway: for RFC communication between SAP systems and external programs.
The above list is not complete, and each named component has its own specifics for configuring an ACL, which would deserve a separate blog. In principle, though, an ACL is basically a rule set that either ‘permits’ or ‘denies’ a certain type of connection related to the component, like the following example of a message server ACL (see link below).
The example entries above define which hosts are allowed to log on to the message server component as an SAP application server. Without a rule set like this, any host that can reach the message server can try to register itself and attempt to exploit known vulnerabilities in the SAP system via this route.
Guidelines for implementation
Interestingly, the option to use ACLs has often existed for years, but it is frequently not used at all, or used inadequately, so it offers no real protection. There can be various reasons for this, like time shortage, lacking insight into the landscape architecture or a misguided notion of network security. Whatever the reason, implementing an effective ACL needs to be done properly to prevent disruptions and offer real security at the same time. Therefore, see below some guidelines for implementation:
- Insight into the landscape architecture is paramount to identify related systems / components upfront.
- Use additional logging / tracing to identify missing (or already malicious!) connections.
- Implement ACLs on non-production systems first (best practice).
- Allow considerable time, like weeks or months, for steps 2 and 3, so that connectivity that is not often used but may be critical is included. Think about connections needed for month-end or year-end closures, for example.
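To make the permit/deny rule set from the message server example and the logging step above concrete, here is an added example (not SAP's own code or the page's ACL file): a small checker that parses a permit/deny ACL file and dry-runs it against observed connections before the ACL is enforced. It assumes the rule syntax `permit|deny <ip>[/<prefix>]`, top-down evaluation where the first match wins, and deny for unmatched sources; the ACL text and log lines are constructed.

```python
# Added example (not SAP's code): a checker for permit/deny ACL files and a
# dry run of one against observed connections. Assumptions: rule syntax is
# "permit|deny <ip>[/<prefix>]", rules match top-down, first match wins,
# and an unmatched source is denied. ACL text and log lines are constructed.
import ipaddress
import re

ACL_TEXT = """\
# constructed message server ACL: app-server subnet and ASCS host only
permit 10.18.1.0/24          # application servers
permit 10.18.0.10            # ASCS host
deny   0.0.0.0/0             # everything else
"""

# constructed connection log: "<timestamp> <source ip> <component> <event>"
CONN_LOG = """\
2024-05-02T22:05:11 10.18.1.21 msg-server login
2024-05-31T23:58:03 10.18.2.7 msg-server login
2024-06-01T00:01:15 203.0.113.9 msg-server login
"""

RULE_RE = re.compile(r"^(permit|deny)\s+(\S+)")

def parse_acl(text):
    """Return [(action, network)] in file order; comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed ACL line: {raw!r}")
        action, net = m.groups()
        # a bare address becomes a single-host network (/32)
        rules.append((action, ipaddress.ip_network(net, strict=False)))
    return rules

def decide(rules, src_ip):
    """First matching rule wins; no match means deny (assumed default)."""
    addr = ipaddress.ip_address(src_ip)
    return next((a for a, net in rules if addr in net), "deny")

def review_log(acl_text, log_text):
    """Dry run: the decision the ACL would make for each logged source IP, so
    rarely used but legitimate hosts surface before the ACL is enforced."""
    rules = parse_acl(acl_text)
    return {ln.split()[1]: decide(rules, ln.split()[1])
            for ln in log_text.splitlines() if ln.strip()}
```

Any source that the dry run reports as denied is either a connection the ACL still needs to permit or one that should not be there at all, which is exactly what the logging period is meant to surface.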
To gain insight into landscape connectivity, Protect4S Vulnerability Management (VM) offers a great help with the connection map functionality, see our previous blog.
See below references to the SAP Help pages as a starting point for the mentioned components:
Message server: SAP Help link
ICM: SAP Help link
RFC gateway: SAP Help link
In today’s interconnected world, organizations must adopt a multi-layered approach to safeguarding their valuable SAP systems. While network security measures like firewalls protect the network perimeter, SAP offers an additional layer of security using ACLs that can play a crucial role in securing internal systems and data repositories. By implementing SAP ACLs, organizations can enhance data protection, mitigate risks and maintain accountability. As technology continues to evolve, organizations must prioritize comprehensive security measures like SAP ACLs to ensure the confidentiality, integrity, and availability of their critical business information.
Like to know more about how Protect4S can help to increase security of your SAP landscape? We are happy to tell you more about our SAP Vulnerability Management and SAP Threat Detection capabilities. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!