Lukardi

Webinar: Painless SAP authorization reorganization project – automatic role matching

SAP Security Challenges


No system will ever be fully secure. That does not mean we cannot strive for security, quite the contrary. It all comes down to risk management, risk acceptance and, above all, risk awareness. So what are the biggest challenges in SAP security?

SAP is the largest ERP system in the world, as the statistics clearly show. This has consequences for the requirements of its customers, who globally have a real impact on the development of tools both by the vendor itself and by third-party client solutions (so-called zetas).

The ecosystem built around the technology includes both a technology layer (e.g., BASIS) and a layer related to business consulting (which optimizes business processes, at least in theory). Two major SAP security challenges arise from this, and both ultimately boil down to risk management. The two groups of security challenges follow precisely these two main areas and can be roughly grouped as follows:

Challenge 1 - business context
Provide users with the ability to execute the business processes appropriate to their position. This makes it imperative for the organization to know what risks excess authorizations bring; here we introduce the concept of SoD (separation of duties, i.e. authorization conflicts).

Challenge 2 - technology
For example, proper system configuration, kernel and interface settings, reporting or automation. The consequence is that the organization needs the knowledge to assess technical vulnerabilities affecting the stability and security of the system and the data in it. Each of the above challenges can be addressed separately; however, only by addressing them holistically (comprehensively) can the system be adequately secured.

Authorizations - the first pillar of SAP security

The business processes implemented in the SAP system are carried out (in simple terms) through transactions. It is their presence in a role assigned to a specific user that allows the work required by the position to be carried out. The organization's awareness of what the risk actually is is crucial, so risk identification rests on identifying:

  • critical transactions - authorizations that on their own allow the execution of a dangerous activity,
  • authorization conflicts - a pair of transactions that separately are not dangerous, but in combination allow, for example, the execution of an entire business process or a critical part of it.

This is why it is crucial to implement the following steps to improve SAP security (i.e., to implement GRC processes in SAP):

  1. Defining risks - the key element of implementing an authorization security policy.
  2. Identifying risks in roles and for users.
  3. Role optimization (removing risks wherever possible).
  4. Mitigation, that is, acceptance of the remaining risks and implementation of controls for when they materialize.
  5. Implementing workflows that identify risks automatically at the application (access request) stage.
  6. Monitoring.
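As an added example (not part of the original post and not Lukardi's tooling), the following Python script shows steps 1, 2, 3 and 5 of this list in miniature: a constructed rule set of critical transactions and SoD pairs, constructed roles and users, a check that tells apart a conflict built into a single role (a candidate for role optimization) from one that arises only across a user's roles (a candidate for assignment review or mitigation), and a pre-assignment simulation of the kind an access-request workflow would run. The transaction codes are real SAP names used only as labels; the rules, roles, users and the `Finding` structure are invented for the illustration.

```python
"""Toy SoD / critical-transaction analysis over SAP-style role assignments.

Constructed sample data: the transaction codes are real SAP names used only
as labels; the rule set, roles and users are invented for this illustration
and are not a real GRC ruleset.
"""
from dataclasses import dataclass

# Step 1: define risks. Critical transactions are dangerous on their own.
CRITICAL_TCODES = {
    "SU01": "user maintenance",
    "SE16": "generic table display",
}

# Authorization conflicts: pairs that are harmless alone, dangerous together.
SOD_RULES = [
    ("ME21N", "MIGO", "create purchase order and post goods receipt"),
    ("FK01", "F110", "create vendor master and run payment"),
]

ROLES = {
    "Z_PURCHASER": {"ME21N", "ME51N"},
    "Z_WAREHOUSE": {"MIGO", "MB51"},
    "Z_PROC_ALL": {"ME21N", "ME51N", "MIGO"},  # conflict built into one role
    "Z_BASIS": {"SU01", "SE16"},
}

USERS = {
    "jkowalski": ["Z_PURCHASER", "Z_WAREHOUSE"],  # conflict across two roles
    "anowak": ["Z_PURCHASER"],
    "mwisniewski": ["Z_PROC_ALL"],
    "admin1": ["Z_BASIS"],
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str      # "critical" or "sod"
    tcodes: tuple  # transaction(s) involved
    roles: tuple   # role(s) granting them
    remedy: str    # which of steps 3/4 applies


def effective_tcodes(user, roles=ROLES, users=USERS):
    """Map each transaction the user can execute to the roles granting it."""
    granted = {}
    for role in users[user]:
        for tcode in roles[role]:
            granted.setdefault(tcode, set()).add(role)
    return granted


def analyse_user(user, roles=ROLES, users=USERS):
    """Step 2: identify critical transactions and SoD conflicts for one user."""
    granted = effective_tcodes(user, roles, users)
    findings = []
    for tcode in sorted(CRITICAL_TCODES):
        if tcode in granted:
            # A critical transaction the job genuinely needs cannot be
            # optimized away; it is accepted and controlled (step 4).
            findings.append(Finding(user, "critical", (tcode,),
                                    tuple(sorted(granted[tcode])), "mitigate"))
    for a, b, _desc in SOD_RULES:
        if a in granted and b in granted:
            # If one role grants both halves, the role itself is the problem
            # and can be split (step 3). If the halves come from different
            # roles, the assignment is reviewed or the risk mitigated (step 4).
            same_role = granted[a] & granted[b]
            remedy = "split_role" if same_role else "review_assignment_or_mitigate"
            findings.append(Finding(user, "sod", (a, b),
                                    tuple(sorted(granted[a] | granted[b])), remedy))
    return findings


def analyse_all(roles=ROLES, users=USERS):
    """Step 2 across the whole user base; an empty list means a clean user."""
    return {u: analyse_user(u, roles, users) for u in users}


def simulate_assignment(user, new_role, roles=ROLES, users=USERS):
    """Step 5: check a request before approval. Returns only the findings
    the new role would introduce, so the approver sees the delta."""
    before = set(analyse_user(user, roles, users))
    trial = dict(users)
    trial[user] = list(users[user]) + [new_role]
    after = set(analyse_user(user, roles, trial))
    return sorted(after - before, key=lambda f: (f.kind, f.tcodes))


if __name__ == "__main__":
    for u, fs in analyse_all().items():
        print(u, [(f.kind, f.tcodes, f.remedy) for f in fs] or "clean")
    print("request anowak += Z_WAREHOUSE:",
          [(f.kind, f.tcodes) for f in simulate_assignment("anowak", "Z_WAREHOUSE")])
```

The distinction the script draws (conflict inside one role versus conflict across a user's roles) is what decides whether step 3 or step 4 applies: a role that carries both halves of a conflict can be split regardless of who holds it, whereas a cross-role conflict is a property of one user's assignments and is resolved by reviewing that assignment or by accepting the risk under a control.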

During the webinar on April 18, 2024 at 2:00 pm, I will discuss the individual elements of the above steps and suggest a handful of arguments that can be used in discussions with the business (to convince them of the need to take on a security upgrade project).

Technology - the second pillar of SAP security

SAP is growing at a dizzying pace. This can be illustrated by comparing the technology to the world's largest software products: the number of lines of code that make up the system is greater than the combined lines of code of Mac OS, Firefox, Windows, Office and a few more technologies.

In the thicket of hundreds and thousands of system, kernel, database and interface parameters, there are some whose change from 0 to 1 can cause significant security challenges. There are also risks that do not directly affect the application layer, such as the example below, where an attack on the operating system is carried out by swapping SSH keys.

In addition, ready-made (or almost ready-made) exploits for known vulnerabilities can be found on the Internet. It turns out that, in some cases, an attacker does not need sophisticated knowledge to try to exploit a vulnerability (see script kiddie, https://pl.wikipedia.org/wiki/Script_kiddie). The existence of a number of log sources further introduces the challenge of what specifically to investigate. Each of the log sources has its own characteristics, which can complicate real-time SAP monitoring.

Summary

The SAP security challenges above are only a collection and grouping of them. During dedicated webinars we focus, among other things, on examples of their elements in order to raise awareness of the individual challenges, because only a holistic view of the implementation of GRC processes in SAP, together with the identification of risks on the technology side, allows for proper risk management. I invite you to follow our upcoming events.

Tomasz Jurgielewicz

Head of the Security Department at Lukardi. For the past 10 years he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of: identification of authorization conflicts and authorization reorganization, identification of SAP vulnerabilities, integration of SIEM solutions with SAP, and optimization of SAP licenses.