Challenges for SAP® Security and how to approach them

SAP® is the most commonly used ERP system in the world. Many companies use SAP in their core business areas and have built individually grown and configured SAP landscapes.

On the corporate side, there is a great need for SAP security. The problem is: there are - at least at present - too few SAP security experts for the wide range of individual enterprise solutions. Different responsibilities and different system requirements also pose a security problem: SAP administrators, corporate security officers, and management usually each set different priorities. As a result, compromises are often made when it comes to security, which can cost the company dearly later.

There are four key challenges in establishing appropriate SAP® security:

  1. SAP solutions are complex and combine a wide variety of building blocks with completely different functions, services, protocols and access control systems.
  2. In most cases, the entire company is mapped in SAP. Attacks, but also configuration errors, can therefore threaten the existence of the company.
  3. Every company needs an individual solution, so customizations are an essential part of an SAP implementation. However, a large amount of purpose-built code offers a correspondingly large number of opportunities for attack.
  4. The SAP world has been rather closed until now - therefore there are far too few security experts. Because of the high demand, they are usually very expensive.

SAP® security through risk analysis

Security for SAP® Services provides a capability designed to ensure the confidentiality, integrity, and availability of SAP systems. In this situation, a risk-based approach is the way to go: following the Pareto principle, the most effective results are achieved with prioritized and targeted measures. First, however, it is necessary to clarify what the threat scenarios might look like, how likely they are, and what the company's "crown jewels" are; only then can the next step analyze which measures would bring the highest benefit.

A risk-based approach is a must in this complex initial situation. According to the Pareto principle, the most effective results should be achieved here with prioritized and targeted measures.
Khalil Bijjou, Head of Security for SAP Services, SEC Consult

A risk analysis is the best way to find that out. Only once it has been determined where the most critical interfaces are located, where the most critical data is processed, which paths can be used to access the SAP system, and so on, is the important next step possible.

As an example, the following three threat scenarios could be assumed for the risk analysis:

  1. Attacker with access to the internal network
  2. Attacker with access to an employee notebook with an SAP user
  3. Attacker with access to another SAP system on the network

With the overview of the security situation gained in this way, it is possible to prioritize which critical areas should be protected first. SEC Consult experts carry out targeted attacks and identify gaps in the system. With an understanding of where the greatest risks exist, management can also better allocate the appropriate resources.

The goal is to provide an overview of the security status of the system landscape, detect fundamental problems and raise awareness of SAP security in the departments. From the results and recommendations, the company gains insights and knowledge that help protect other systems and landscapes as well and sustainably increase the security level of all SAP systems.

What you need to know about Security for SAP®

Are your SAP systems secure? Are the applications implemented securely? How secure are user and rights management, interfaces, emergency concepts and business applications? How is your patch management? Does your staff know enough about SAP security to prevent malicious actions on your systems? SEC Consult has the answers.

About the author

Khalil Bijjou
SEC Consult
Head of Security for SAP Services

Khalil Bijjou is a passionate penetration tester, security consultant and Head of Security for SAP Services at SEC Consult. Together with a team of SAP security consultants, Khalil has conducted over 100 SAP security assessments to improve the SAP security posture of a variety of organizations - from global enterprises to national companies - to help them understand their vulnerabilities and the associated risk.