A technical administration perspective
In today’s digitally-driven world, businesses heavily rely on enterprise software systems like SAP to streamline their operations, manage resources, and optimize business processes. However, with increasing dependence on technology, the threat landscape has evolved, exposing organizations to cyber-attacks and data breaches. In the context of SAP landscapes, where valuable and sensitive information resides, solid security measures are of utmost importance. At Protect4S, we help our customers to control this with our products Vulnerability Management (VM) and Threat Detection (TD), focusing on the technical security aspects of SAP landscapes. But, as passionate as we are about the technical side of security, we do realize there is more to it than that. In this blog we take a slightly different perspective and zoom in on 5 key points to be aware of as a technical administrator to prevent or identify security issues.
Common vulnerabilities are here to stay?
Protect4S is frequently asked to perform assessments regarding the technical security of SAP landscapes. In these analyses, we make recommendations to enhance security levels, like optimization of parameters and other settings. Our VM solution plays a key role in these assessments to identify the areas that need improvement. An interesting observation from these assessments is that the recommendations made often concern topics that have been publicly known for quite some time. Sometimes even years…
- Technical users with roles or profiles that give far too much access (even SAP_ALL).
- Incorrect client or system settings allowing direct changes (SCC4/SE06 settings).
- Missing RFC gateway security. This can lead to a fully compromised system, an issue that dates back to 2010. See our recent blog for more information.
- Users that still exist with their default passwords, like SAP*.
Are these issues unknown? Absolutely not; any technical SAP expert should be fully aware of them. So why are misconfigurations like these still found? Why is it so hard to prevent this from happening?
Awareness is key
Technical administrators play a vital role in safeguarding the technical security of SAP systems. This is often related to identifying and solving the issues at hand. But preventing security issues is even better! For this, it is important to be aware of situations that may result in these security issues. Below we name 5 key points for technical administrators to consider to prevent security issues or to identify them quickly:
- Security standards are dynamic. In other words: what is safe today is not safe tomorrow. Technology advances quickly and new techniques and vulnerabilities are found on a daily basis. This drives development of new standards and requirements, like stronger encryption algorithms and more complex password requirements.
Consideration: be prepared to adapt to new standards. Technical security requires frequent evaluation in the form of a process, it is not a one-time activity.
- System settings are dynamic. In a perfect world, all procedures are followed completely and nobody makes mistakes. And all settings and configurations stay the same and there is never a security issue… In the real world though, people do make mistakes and unwanted or inconsistent settings are set. For example: temporary settings that are not put back to their original values because of time pressure or as part of troubleshooting sessions. These kinds of mistakes are easily missed, especially when they do not directly result in malfunctions or incidents reported by users.
Consideration: expect inconsistencies instead of perfection. Take special care to review during or after (large) changes like implementations and upgrades.
- Passwords are everywhere. Despite initiatives to reduce the use of passwords, the reality is that passwords and other keys are used in various ways on the application, database and OS layers. The number of passwords and keys in a typical SAP landscape easily runs into the hundreds, and they require due care.
Consideration: implement a solid solution to store passwords and frequently evaluate passwords against the password policies of the organization, especially default passwords (and users). Migrate to a more secure solution than passwords, if possible.
- Patch and be complete. Applying patches frequently seems a no-brainer and it should be! It is less easy though to make sure all required components are included in a sufficient life cycle. Main components are normally not forgotten, like for an ABAP system, the ABAP application components, security notes and kernel. But components like the SAP Host Agent or database client software are more easily missed.
Consideration: make sure to have a sufficient patch schedule and actively investigate what software is really installed (instead of in use) to have a good understanding of the components that require patching.
- Review technical users and connections. Technical users often operate on a less visible level and it is no exception for these users to have too much access. The reasons can be historical for example, or because a single technical user is used for various goals or integrations.
Consideration: review technical users and connections that are set up between systems. Make sure to remove temporary users and connections (like RFC destinations) and separate different use cases.
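As an added example (not code from Protect4S or SAP), the review described in the key points above can be scripted: the Python below checks a profile against a baseline and lists parameters that changed between two snapshots. The parameter names are standard SAP profile parameters that this blog does not itself name; the baseline values and sample profiles are assumptions constructed for illustration.

```python
# Baseline rules are assumptions for illustration; take yours from policy.
BASELINE = {
    "login/no_automatic_user_sapstar": ("equals", "1"),  # no SAP* fallback logon
    "gw/acl_mode": ("equals", "1"),        # restrictive when ACL files are missing
    "gw/sec_info": ("set", None),          # path to the gateway secinfo ACL
    "gw/reg_info": ("set", None),          # path to the gateway reginfo ACL
    "login/min_password_lng": ("min", 8),  # assumed policy minimum
}

def parse_profile(text):
    """Parse 'name = value' lines; lines starting with '#' are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()  # a later definition overrides
    return params

def find_deviations(params, baseline=BASELINE):
    """Return (parameter, problem, actual) for each baseline rule not met."""
    findings = []
    for name, (check, expected) in sorted(baseline.items()):
        actual = params.get(name)
        if not actual:  # absent: the kernel default applies, so verify it
            findings.append((name, "not set in profile", actual))
        elif check == "equals" and actual != expected:
            findings.append((name, f"expected {expected}", actual))
        elif check == "min" and not (actual.isdigit() and int(actual) >= expected):
            findings.append((name, f"expected >= {expected}", actual))
    return findings

def drift(before, after):
    """Parameters whose value changed between two parsed snapshots."""
    names = sorted(set(before) | set(after))
    return {n: (before.get(n), after.get(n)) for n in names if before.get(n) != after.get(n)}

# Constructed sample profiles (not from a real system).
BEFORE_CHANGE = "login/no_automatic_user_sapstar = 1\ngw/acl_mode = 1\n"
AFTER_CHANGE = """# constructed sample
login/no_automatic_user_sapstar = 0
gw/acl_mode = 1
gw/sec_info = $(DIR_GLOBAL)/secinfo
login/min_password_lng = 6
"""

if __name__ == "__main__":
    current = parse_profile(AFTER_CHANGE)
    print(find_deviations(current), drift(parse_profile(BEFORE_CHANGE), current))
```

Running the same comparison before and after an upgrade or troubleshooting session surfaces a temporary setting that was never reverted, even when no user reports an incident.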
Ensuring technical security is not an easy task. It requires technical insight in various areas as well as a vigilant approach to make sure business processes are not impacted. Apart from the technical aspects, security issues can be prevented with the right attitude and awareness of situations that can lead to such issues. In this blog we gave a few key points for technical administrators that may contribute to this so that SAP environments are kept safe. Given the variety of security areas to cover, we believe that a solution like Protect4S Vulnerability Management (VM) can help greatly in the identification of security issues and a secure setup of an SAP landscape.
Like to know more about how Protect4S can help to increase security of your SAP landscape? We are happy to tell you more about our SAP Vulnerability Management and SAP Threat Detection capabilities. For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!