Security requirements are constantly increasing, and securing critical data in an organization is one of the basic issues that ensure the continuity of basic business processes.
System environments are becoming more and more complex (communication with external systems, data exchange and continuous development of existing systems).
During a possible attack on the SAP system (no matter if the attack comes from inside or outside the organization) an attacker might gain access to valuable system information
therefore, it can use this information for further attacks to other SAP systems as well as obtain important company data (customer data, product information, e.g. recipes and drawings ttechnical data, salary data, etc.) unnoticed.
Managing security comes down to managing risk
First, to do it properly, all risks should be recorded and grouped according to prioritize so that the organization with the SAP system can learn and correct any possible threats to the SAP system (e.g. with the help of external support).
The research SAP security and compliance includes checking the network, operating system, database, parameters, and conflicts SoD in the SAP system based on the provided risk and conflict matrices.
6 basic risk areas
We have listed 6 basic risk areas that should be looked at first.
We divided the areas into two parts: technical and users.
1. Setting up the SAP configuration
Layer of configuration parameters that should correspond to the organization's security policy. These parameters should be monitored regularly.
login/password_expiration_time (default 0, our recommendation is 30)
The user has to change the password after a certain number of days (for parameter 0, enforcement is not enabled).
login/min_password_lng (default value 3, our recommendation is 8+)
Setting the minimum password length.
login/fails_to_user_lock (default value 12, our recommendation is 5)
Number of incorrect entered password to lock the user account.
2. Verification of events and settings "on" and "outside" the SAP layer
SAP Security Audit Log:
- main security log,
- some information is difficult to read from the security perspective,
- SAP user login * does not constitute a risk according to the log, while the risk is a wrong login password.
SAP Change Documents and Table Loggin:
- logging of document changes and changes to tables,
- low quality in the absence of archiving documents in time.
SAP System Log:
- główny log systemu SAP,
- logs written over after 14 days.
Levels beyond SAP
Operating system log Windows/UNIX -the problem is, for example, the fact that the administrator must have root privileges to read logs only
Database log – no possibility to analyze database settings from the SAP level (e.g. information about accounts and their authorizations)
Web Logs SAP Router/HTTP - the problem is the lack of standard solutions to redirect logs to syslog
3. Updating system patches
Every system is vulnerable to hacking, SAP is no exception, so it's important to regularly install system patches.
Thanks to them, information about break-ins with the use of known vulnerabilities appears.
Example 1 - a report by the US Department of Security pointing to intrusions into at least 36 global SAP systems using a known (and fixed) vulnerability since 2010. More at https://bit.ly/28Kpk5r
Example 2 - the annual meeting of the security community, the PWNIE Awards in 2015 awarded the first prize in the Best Server-Side Bug category for detecting a vulnerability in SAP, allowing for unauthorized access to the system https://bit.ly/29Se5hB
4. Default accounts
During the implementation of the SAP system default user accounts are created. They are used for the initial installation of the system, they are commonly known both by their name and password.
It is extremely important to properly protect these accounts.
The most critical account is SAP * (it allows for virtually unlimited access to and changes in the system)
Default account passwords should be changed and highly privileged profiles (such as SAP_ALL) should be removed.
The important thing is that if you delete the default account - it will be recreated automatically (with the default password).
The SAP account * should therefore have the password changed and the login / no_automatic_user_sapstar parameter set to 1 (no possibility to restore the automatic SAP account *).
5. Default profiles
As in the case of default accounts, SAP has (delivered with the installation) sets of authorization profiles allowing for wide access to the system. The use of these profiles should be very strictly managed, and their use should be limited to emergencies only.
The most important broad access profile is SAP_ALL - it allows you to perform any transaction, access to any object, function or action (there is a reason in the jargon of SAP administrators it is commonly referred to as "God on the system"). It is important that this profile is not assigned anywhere. The same applies to the SAP_NEW profile
6. Conflicts of Permissions
Inadequately providing users with access rights to different parts of the system increases the risk of fraud.
Example: if one person has both the option to change the bank account number and the ability to make a transfer - it is possible to bypass the organization's policies in order to transfer money outside.
To sum up: it is important to properly manage the privilege conflict matrix. Such a matrix allows, first of all, to identify existing conflicts, and verification of individual users' access will allow for risk assessment. The implementation of an effective data access policy in SAP is one of the most important elements of sealing the SAP environment in terms of risks, the main factor of which is user activity.
GOOD TO READ ABOUT SAP SECURITY:
Monitoring the behavior of SAP users
Monitoring the behavior of SAP users
Increasing requirements (e.g. from GDPR regulations) force organizations to implement solutions that will increase the level of security of systems processing personal data. SAP is no different. Today's article will show you how to increase data security in 3 steps.
Data security is not only about authorizations
To break down the topic into prime factors, let's start with the basics. Each user in SAP is granted authorizations. They decide whether the user should get access to a certain batch of data or whether such access should be blocked. Based on the assigned roles, we can restrict access. Thats true. Here, on the other hand, there is a quite serious problem related to the potential leakage of data outside the system.
1. Monitoring of personal data display
Standard SAP solutions are limited to authorization management. The standard does not provide a clear answer to questions about "who", "what" and "when" displayed on its screen. Currently, with an ordinary mobile phone, each user is able to take a picture of the screen on which personal data is displayed (or make a print screen), there is practically no trace of this action. Therefore, it is important to monitor and log risky user operations with greater accuracy than the standard functionalities provided.
There are more examples of potential abuse. For example, privileged users (for example administrators) have almost unlimited access to data containing sensitive information. The new GDPR requirements are about monitoring access to data as effectively as possible. Not only regulatory requirements should be the only factor aimed at introducing changes to the processes of access to personal data. After all, the mere leakage of payroll data can disrupt the order between employees. Data can also be hijacked by competitors - and that's also a business problem.
Above, we present the essential elements of logging user behavior with the accuracy of displaying personal data, in a global manner. The resolution of user monitoring should therefore be large enough to precisely provide information related to the access (displays) of SAP HR data.
2. Saving data to files
As standard, the SAP system allows you to globally enable or disable the possibility of downloading data (e.g. from a report to which the user has access). By default, the logs only allow information about when and who downloaded a file with a specific name, to a specific path. As standard, there is no information about the content of downloaded files.
You can pay attention to the above screen through the prism of information about possible violations:
1 - What data was collected? No information
2 - Were there any critical personal data in the file? No information
3 - Are we able to play the downloaded file? No.
Fortunately (for data security in SAP), there are solutions that can effectively solve the above-mentioned problems. By providing extended information in logs about specific activities, with much more resolution.
With the help of defined keywords, reports or file sizes - administrators are able to receive information about potential abuse connected with downloading critical portions of data. Additionally, each download is postponed (for a specific amount of time), so it is possible to completely play the downloaded file
3. Exploitation of Transactions
Reducing the risks associated with unauthorized access to data also means ensuring that the rights granted are limited to the necessary minimum. The assumption is this - the authorizations granted do not always meet the required requirements in 100% (they are often much larger than those that the employee actually needs to perform his daily activities). Therefore, the use of transactions should be analyzed in terms of their use.
Statistics are located in ST03N and updated monthly. Thanks to this:
- unused transactions can be removed from user rights
- transactions not used in the role (by any user) - can be completely removed from the role
The above set of three user monitoring elements, with which you can extend your SAP system, supports the processes related to risk management and will directly increase the level of security. Such an operation will allow for quick ordering of the possibilities of abuse.
It is worth adding one more extremely important thing from the user monitoring perspective.
During one of our projects, a few weeks after the implementation of the above-mentioned functionalities, users were informed that their activities were monitored. The drop in data downloads to files fell by about 63%.
What are your users doing in SAP?
Do too many permissions pose a risk to the SAP user?
Are too much permissions for the SAP user
It would seem that - for sure - every system administrator, as well as - at least - top management users are well aware of the access rights to the system each of them has.
Practice in the scope of performing SAP system audits has shown that this is not the case.
What to pay attention to when granting permissions?
It often happens that the authorizations granted to a SAP user are too extensive. Even if they are aware of the scope of their rights, in the case of the risk that they may be associated with - this awareness is missing.
Administrators, on the other hand, are not able to monitor threats, do not have documentation of critical activities, and do not have a chance to take remedial measures.
What is the risk of having too much authority?
I think that the most striking example (especially for people holding managerial positions in the area of finance, e.g. financial directors) will be whenthe user (let it be a consultant) has an account allowing him to create and modify financial documents.
Are such permissions needed for this user?
The Finance Director will say - Impossible! But still! Such situations take place very often, and in fact they are a trap for the person who has them, because they increase the risk of erroneous interference (I do not assume deliberate action) in the documents to which they have access, and provide users from the financial department with additional - unnecessary - work related to correcting these activities.
The most common threats
This time let it be the SAP BASIS module administrator. It is very common for users to have the following permissions of this type:
- access to business transactions,
- the possibility of influencing this data,
- creating users,
- assigning them specific roles or program editing.
It is easy to guess that a user with such permissions it also has access and the possibility to modify data in the General Ledger.
What does it mean?
He can make changes to the chart of accounts, and further - all business events that are important for the company / organization.
Does the administrator need such permissions? The answer is - NO.
Because such a range of authorizations for a given person (user) poses a real threat to the security of the system.
To sum up: my colleague, who is the absolute best SAP system administrator I know, says:
"The user of the production with the development key is God."
And he definitely knows what he is talking about. A person with such a key / authorization can make any changes to the production system.
Example: he can write a delete program, a modifier, etc.
Think - it is impossible for such situations to happen!
Take our word for it - situations with incorrectly assigned permissions happen very often!
If managing and controlling permissions are a challenge for you, contact us!
OTHER ARTICLES ABOUT SAP AUTHORIZATIONS WORTH READING: