1 Introduction
For many enterprises, SAP systems are the backbone of the IT infrastructure. Critical business information is stored within ERP systems, the golden source for employee data is the SAP HR system, and customer data is stored within the SAP CRM system. Business processes are implemented through portal solutions relying on SAP NetWeaver, and highly individualised functionality is coded right into the existing standard SAP modules using ABAP or Java.
While most enterprises also operate other systems that contain critical information, the business relies on the availability of well-designed and well-protected SAP systems. Traditionally, SAP systems are major targets for internal and external auditors, and they are usually especially vulnerable to attackers from both inside and outside the organization because of their high level of complexity and individual configurations. This has led to the development of a dedicated market segment of SAP security products, as documented in the “Leadership Compass: Access Control / Governance for SAP environments”.
These solutions typically cover all or part of the following aspects:
- Business logic security, i.e. the identification of Segregation of Duties (SoD) issues and their mitigation with SAP’s own GRC system or adequate third-party GRC solutions. This is often considered the first (and sometimes the only) aspect of SAP security.
- Application platform security: Just like any other IT system, SAP systems are vulnerable infrastructures in their own right. Each component of the application platform, the interactions between components, and the communication channels they use are potential points of exposure. Misconfiguration, missing patches, weak passwords, and both known and newly discovered vulnerabilities put the system, and therefore the corporate data it stores, at risk of unauthorised access. Attackers from inside and outside the organization can exploit such weaknesses, for example in internet-facing installations of SAP Router, SAP Portal or CRM systems.
- Custom code security: Additional functionality is coded into the SAP platform using programming languages such as ABAP and Java. Weak, unclean or even rogue code can compromise an SAP system and must therefore be detected and remediated.
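The first aspect above, identifying Segregation of Duties issues, comes down to a mechanical check: a user's effective business functions are the union of everything their roles grant, and a conflict exists whenever that union contains both halves of an SoD rule. The following is an added illustration, not code from the report or from any GRC product; the role names, function labels, rules and user assignments are constructed sample data, not SAP authorization objects. It also flags roles that violate a rule on their own, since a conflict baked into a single role cannot be fixed by changing assignments.

```python
"""Segregation-of-Duties (SoD) conflict detection over role assignments.

Added example with constructed data: role and function names are hypothetical
labels, not SAP authorization objects or transaction codes.
"""
from collections import defaultdict

# Constructed: which business functions each role grants.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR", "POST_INVOICE"},
    "Z_AP_PAYMENT": {"RELEASE_PAYMENT"},
    "Z_HR_ADMIN": {"MAINTAIN_EMPLOYEE", "RUN_PAYROLL"},
    "Z_HR_VIEWER": {"DISPLAY_EMPLOYEE"},
}

# Constructed SoD ruleset: pairs of functions one person must not hold together,
# each with a risk rating so reviewers can prioritise remediation.
SOD_RULES = {
    frozenset({"CREATE_VENDOR", "RELEASE_PAYMENT"}): "HIGH",
    frozenset({"POST_INVOICE", "RELEASE_PAYMENT"}): "HIGH",
    frozenset({"MAINTAIN_EMPLOYEE", "RUN_PAYROLL"}): "MEDIUM",
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "ALICE": ["Z_AP_CLERK"],
    "BOB": ["Z_AP_CLERK", "Z_AP_PAYMENT"],
    "CAROL": ["Z_HR_ADMIN"],
    "DAVE": ["Z_HR_VIEWER", "Z_AP_PAYMENT"],
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all assigned roles; unknown roles raise
    rather than being silently treated as empty, so gaps in the mapping surface."""
    funcs = set()
    for role in roles:
        if role not in role_functions:
            raise KeyError(f"role {role!r} has no function mapping")
        funcs |= role_functions[role]
    return funcs


def find_conflicts(user_roles, role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Return {user: [(function_a, function_b, risk, granting_roles), ...]}.

    The roles that contribute to each conflict are reported so remediation can
    target the smallest change (usually removing one role, not both).
    """
    findings = defaultdict(list)
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        for pair, risk in rules.items():
            if pair <= funcs:  # both halves of the rule are present
                a, b = sorted(pair)
                granting = sorted(r for r in roles if role_functions[r] & pair)
                findings[user].append((a, b, risk, granting))
    return dict(findings)


def intra_role_conflicts(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Roles that violate an SoD rule by themselves: a role-design defect that
    no reassignment of users can mitigate."""
    bad = {}
    for role, funcs in role_functions.items():
        hits = [(*sorted(p), risk) for p, risk in rules.items() if p <= funcs]
        if hits:
            bad[role] = hits
    return bad


if __name__ == "__main__":
    for user, hits in find_conflicts(USER_ROLES).items():
        for a, b, risk, roles in hits:
            print(f"{user}: {a} + {b} [{risk}] via {', '.join(roles)}")
    for role, hits in intra_role_conflicts().items():
        print(f"role design issue in {role}: {hits}")
```

Run as a script it lists BOB's two cross-role conflicts and CAROL's conflict, and separately reports that Z_HR_ADMIN is conflicting by design. In a real review the role-to-function mapping would be extracted from the system's role definitions and the ruleset from the organisation's GRC policy; the detection logic stays the same.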
SAP security faces the same challenges and requirements that every modern security infrastructure needs to address. Proactive patch management, the identification of unexpected or even rogue user behaviour, and adequate responses to it are aspects gaining more and more importance. The increasing number of potential threats and threat vectors, combined with the lack of experienced security personnel, demands intelligent solutions that provide assistance in all areas of SAP security, including detection and response.