The time has long passed since global organizations could rest easy knowing basic perimeter defenses (without actively enforcing security advisories), patching compliance gaps and healing system vulnerabilities were enough to keep systems safe from cyberattacks. Today, they must eliminate any and all threats to their business before they evolve. To effectively do so, all businesses must implement preventative measures such as continuous monitoring on their core business data, applications, and systems.
Evolving threats including viruses, malware, Trojans, and other exploits are becoming more advanced than ever before, making it vital to have a preventative plan in place before an attack occurs. Securing business-critical data is the result of meticulous strategic planning and the implementation of preventative and responsive solutions that ensure protection. Real-time monitoring, identification of vulnerabilities and risks, attack recognition, and behavioral analysis are just some examples of the processes now required to stay ahead of the cyberthreat game. Businesses must decide whether they are content using traditional security measures that leave systems unprotected, or if they want to implement new measures that protect core systems and critical data from being compromised by unauthenticated attackers.
The decision all boils down to how much an organization truly values its customer data, product pricing, financial statements, employee information, supply chain logistics, business intelligence, budgeting, planning, and forecasting information. What price would your business place on the security of all the purchase orders processed in your SAP systems? How about payroll details? Intellectual property? Bank account and credit card data? These are just a few examples of the type of critical data typically housed within the SAP systems of an organization.
It is always surprising to learn just how many businesses are still not assessing and proactively monitoring core business-critical applications, including ERP, HCM, Supply Chain Management, CRM, and FICO applications running on SAP Systems. So why aren’t more businesses actively monitoring and defending these systems? Well, the truth is that it’s a very complex problem to solve, and many businesses simply don’t ask the right questions. Every business should calculate the true impact and cost of its core business-critical applications going down. Business-critical application suites like SAP are the heart of most modern businesses, and therefore demand the highest possible security.
One of our own global customers, a CISO of a Fortune 500 company, recently admitted to me that should its SAP system go down due to a breach, it would cost the company $22 million per minute. So although leading global database providers and enterprise application developers do continue to work hard to make their systems inherently secure, businesses cannot simply assume that basic defenses will be enough to thwart would-be attackers.
SAP systems have been installed at the heart of business since the 1970s, with the sole function of running critical business processes. Since that time, SAP systems have organically evolved IT security concepts and paradigms to provide features and functions, which allow system administrators to provide additional levels of security. However, there are common problems that most SAP customers still face while attempting to secure systems -- most arising from the sheer scope and complexity of ERP, coupled with the specific knowledge of security and likely attacks required to secure SAP systems. The complexity of enterprise-wide SAP installations makes a typical risk or vulnerability assessment worthless unless planned using specialized products and correct knowledge. Another problem is the misconception that SAP security merely amounts to performing a tight Segregation of Duties (SoD) over user authorizations, ensuring that only required permissions are assigned to each employee, and avoiding any potential privilege escalation.
During the last few years there have been numerous headlines highlighting public attacks on SAP systems. This means that the hacking community is beginning to realize how essential the information stored on these systems really is.
Complexity is a key factor in the task of securing SAP systems. Most SAP-based businesses will have multiple applications to secure, including ERP, CRM, SCM, SLM, GRC, Solution Manager, BW, PI, Mobile, and many others. Generally a business will run several applications interconnected across their networks, and many application servers running processes for multiple SAP systems. There isn’t a magic solution when it comes to securing SAP systems. Instead it’s necessary to consult with SAP security specialists and implement applications that can detect attacks and foster preventative responses for these systems.
All plans to heuristically secure SAP systems should involve, among other things: missing patch detection; configuration analysis and monitoring; user activity monitoring; and solid current knowledge of SAP attacks and vulnerabilities. The most important concept when developing such plans is to understand that a single vulnerability or misconfiguration that is not properly taken care of could not only compromise the affected system, but also the rest of the SAP landscape across the company.
Analyst group Securosis’ recent whitepaper, "Securing Enterprise Applications" by Adrian Lane, provides an in-depth look at the gaps left behind by vendor recommended security controls and available solutions. To download this, please click here.Juan Pablo leads the research & development teams that keeps Onapsis on the cutting-edge of the business-critical application security market. He is responsible for the design, research and development of Onapsis' innovative software solutions, and helps manage the ... View Full Bio