Protect4S

Frequently asked questions

What is unique about Protect4S?

Protect4S enables a simple and affordable SAP security process of continuous improvement which requires no costly specialist skills:

[Figure: Protect4S workflow (ERP-SEC)]

Which problems does Protect4S solve?

Finding the vulnerabilities:

  • Protect4S has a large repository of vulnerability signatures. Every vulnerability is classified in terms of the context in which it may appear, for instance: a specific operating system type and/or version, the database type and/or version, a SAP component level or a SAP kernel patch level. When Protect4S scans a system, all these system properties are determined and matched against the vulnerability repository, resulting in a list of found vulnerabilities.

Understanding the risk that vulnerabilities pose:

  • Protect4S calculates the risk level for every vulnerability found from two properties: impact and likelihood. The result is expressed in two metrics: a rating from (Very) Low to (Very) High and a CVSS v2 score.

Determining what mitigation measures to take:

  • Protect4S assigns a mitigation action and a mitigation effort property to every vulnerability. This enables an efficient selection of those mitigation actions that achieve the maximum reduction in risk for your security budget. Protect4S groups the vulnerabilities found by action and sorts them by their required effort. This results in a clear list of mitigation measures that can be executed by an SAP Basis/NetWeaver consultant.
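The context matching and the grouping of findings by mitigation action described above can be sketched as follows. This is an added illustration, not Protect4S code or its data model; every signature ID, field name, effort value and the sample system are constructed, and using the highest effort in a group as the group's effort is an assumption.

```python
from collections import defaultdict

# Constructed signature repository: IDs, field names and values are hypothetical.
SIGNATURES = [
    {"id": "SIG-ORA-1", "context": {"db_type": "oracle"},
     "action": "Apply database security patch", "effort": 3},
    {"id": "SIG-MSQ-1", "context": {"db_type": "mssql"},
     "action": "Harden database configuration", "effort": 1},
    {"id": "SIG-KRN-1", "context": {"kernel_patch_below": 400},
     "action": "Upgrade SAP kernel", "effort": 2},
    {"id": "SIG-KRN-2", "context": {"os_type": "windows", "kernel_patch_below": 350},
     "action": "Upgrade SAP kernel", "effort": 2},
    {"id": "SIG-LNX-1", "context": {"os_type": "linux"},
     "action": "Restrict OS file permissions", "effort": 1},
]

# Constructed scan result for one satellite system.
SYSTEM = {"os_type": "windows", "db_type": "mssql", "kernel_patch": 300}


def applies(sig, system):
    """True only if every context constraint of the signature holds."""
    for key, wanted in sig["context"].items():
        if key == "kernel_patch_below":
            patch = system.get("kernel_patch")
            if patch is None or patch >= wanted:
                return False
        elif system.get(key) != wanted:
            return False
    return True


def scan(system, signatures=SIGNATURES):
    """Match the determined system properties against the repository."""
    return [s for s in signatures if applies(s, system)]


def mitigation_plan(findings):
    """Group findings by action, then order the groups by required effort."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["action"]].append(f)
    plan = [(action, max(f["effort"] for f in fs), sorted(f["id"] for f in fs))
            for action, fs in groups.items()]
    return sorted(plan, key=lambda g: (g[1], g[0]))


if __name__ == "__main__":
    for action, effort, ids in mitigation_plan(scan(SYSTEM)):
        print(f"effort={effort} {action}: {', '.join(ids)}")
```

Because the Oracle signature carries a `db_type` constraint, it is never reported for the MSSQL system in this sketch.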

How to evaluate the effect of mitigation measures:

  • Protect4S keeps a history of its security scans allowing users to determine the exact effect of executed mitigation measures in terms of vulnerabilities solved and risk level reduction.

Information overload:

  • Protect4S has documented every vulnerability with:
    – descriptions of: vulnerability and solution
    – references to: relevant SAP Notes, SAP help or important 3rd party information

What is the difference between Protect4S & SAP Solution Manager tools?

Protect4S offers many advantages over the tools inside the SAP Solution Manager. The security-related tools within the SAP Solution Manager all focus on specific parts of SAP security, for instance missing security notes (System Recommendations) or authorisations (SOSS). The EarlyWatch Report has a chapter on SAP security, but it is limited to a few items and far from complete. Although these tools are free, they have several drawbacks:

  • The Solution Manager tools do not cover the complete spectrum of vulnerabilities.
  • The Solution Manager tools are not integrated and therefore lack a common interface for operation, interpretation and reporting.
  • The SAP tools are not intuitive to operate nor user friendly.
  • Some Solution Manager tools, such as Configuration Validation, may take many days to implement.
  • The System Recommendations may provide false positives, such as listing Oracle security notes for Microsoft MSSQL customers.
  • A larger disadvantage of the Solution Manager security tools is that they lack a common risk metric.
  • A thorough vulnerability assessment is not possible because the risk components, impact and likelihood, are lacking.
  • A thorough mitigation assessment is not possible because the effort estimation of mitigating a specific vulnerability is not provided.

What kind of expertise do I need to operate Protect4S?

Protect4S is very user friendly and intuitive. In order to run scans, you do not require special skills. In order to create new systems and understand the mitigation plans, you need SAP Basis skills. ERP-SEC believes the SAP Basis specialists are key players in the mitigation process. The reporting functions are aimed at CIO, CISO and security support staff.

Will Protect4S be available on / upgradable to Solman 7.2 with HANA?

Yes. Protect4S is available for Solman 7.2 with and without HANA.

How long does it take to implement Protect4S?

A Protect4S installation is a simple procedure that will take about half an hour. After installation you need to set up some master data and create one-time system connections. If all credentials that are needed are prepared correctly in advance, this will take approximately 5 to 10 minutes per system.

Does Protect4S require additional hardware?

No, Protect4S runs as an add-on on the SAP Solution Manager and therefore requires no additional hardware resources.

Why do I need to scan my SAP systems periodically?

There are several reasons for scanning your SAP systems periodically:

  • SAP Security is not a static process. SAP continuously releases new SAP security patches and the application checks whether these are implemented or not.
  • Customers' SAP landscapes change all the time due to business reasons or technical changes.
  • Protect4S is supplemented on a regular basis with new security checks and/or templates, and existing checks may be improved. In addition, new functionality in the area of analysis, mitigation and reporting may be added from time to time.
  • To make sure your SAP systems stay compliant with security standards and/or regulations.
  • To verify and track mitigation actions/projects and for analysis purposes.

Can Protect4S be de-installed?

Yes. Protect4S is a de-installable SAP AddOn.

Can multiple users use Protect4S simultaneously?

Yes. Protect4S is an SAP Web Dynpro application built on, and certified for, the SAP NetWeaver stack. It is a scalable multi-user environment that re-uses many features that are part of the SAP NetWeaver stack, such as batch processing, email, server groups, Web Dynpro, Floorplan Manager etc.

How long does a SAP System Scan take?

That depends on the size and complexity of the satellite system. A small single-instance SAP system may be scanned in approximately 30-40 seconds, while a large system containing several instances will take around 3-5 minutes.

How is Protect4S itself secured?

The Protect4S delivery includes several different security roles that may be distributed to end-users. In addition, the application keeps a record of all activities executed and is completely auditable. In order to view any report, the end-user must first authenticate. The application table content that contains the result of the checks is not visible in the application layer.  
The links to the systems are all native SAP standard protocols: RFC, HTTP(S), ADBC and SOAP. The RFC users in the satellite systems may be assigned a minimal read-only role.

Is it possible to run a single Protect4S application for multiple different SAP system owners?

Yes. This option may be of specific interest to hosting companies offering private clouds for SAP customers. Although the Protect4S runtime engine is client-independent, it is possible to install Protect4S in different clients in order to achieve separation. In order to achieve this, a dedicated client must be created in the Solution Manager for each SAP system owner during installation. In addition, the Protect4S post-installation wizard must be run in the newly created clients. The Protect4S license will apply to the sum total of systems configured within these clients.

Will I still be able to see the Protect4S reports once the license has expired?

Yes.

Does Protect4S have a mobile interface?

Not currently, but the mobile interface is scheduled to be implemented at the end of June 2016.

Can Protect4S scan the Solution Manager System that it is installed on?

Yes.

Does Protect4S have SAP code scanning functionality?

Not currently. Although Protect4S has OSS Note checks that check for the presence of code injection vulnerabilities, we believe that most customers primarily need to secure the more evident attack surfaces of their SAP systems.

Does Protect4S support Blackbox scanning / Pentesting?

No. White box assessments tend to be more complete and therefore provide organisations with a higher quality overview of the vulnerabilities in their SAP Infrastructure.

How can I be sure that the Protect4S source code does not contain malicious code?

Protect4S is written entirely in ABAP code and certified by SAP. The source code can be inspected and reviewed by every customer, as it is openly available in your SAP system after importing the add-on.

When running several Projects or Scans simultaneously, will the Solution Manager not get overloaded?

No. In order to achieve greater throughput, Protect4S runs scans in parallel using asynchronous RFC. As a result, dialog work processes are used for this task. The number of dialog work processes used within the Solution Manager may be restricted and controlled using a server group. Inside the satellite systems, only 1 work process is used for execution of the checks.