When you mention enterprise resource planning (ERP), SAP is usually the name that comes to mind. As one of the leaders in the industry, SAP offers a range of end-to-end solutions for industries such as manufacturing, human resources, distribution, and financial services. Over time, SAP has grown into a set of efficient business solutions, but because modules are used to create the end-to-end application implementation, they can require complex integrations that create an infrastructure vulnerable to exploitation.
In an effort to combat these malicious exploitations, SAP has created a strong security suite as part of its offerings, but organizations that don’t make SAP security a priority can learn the hard way that they’re not as protected as they might believe. Is your SAP solution properly secured? These questions—and their answers—might help you discover the truth.
Are SAP Security Settings Still on Defaults?
Default security settings have never been intended as a one-size-fits-all solution. Solutions providers, including SAP, set defaults to accommodate the largest range of customers. For most organizations, however, those default settings are far too lenient to provide any real protection against application-level attacks.
Default settings can include security aspects such as password length, password expiration time, number of incorrect password attempts, and the length of idle time that elapses before a user is automatically logged out. To ensure that your SAP solution is properly secured, a security specialist should reset defaults to match organizational security policy requirements.
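As an added example (not code from the article), the following Python audit shows the kind of check a security specialist would run against those defaults: it parses a constructed profile-parameter export and flags every setting that is still at its assumed vendor default or falls outside an assumed organizational policy. The parameter names are real NetWeaver ABAP login/session parameters; the default values, policy thresholds and export contents are assumptions, and actual defaults vary by release.

```python
# Added example (not from the article): audit an SAP profile-parameter export
# against an organizational password/session policy. The parameter names are
# real NetWeaver ABAP login/session parameters; the export text, the policy
# thresholds and the "vendor default" column are constructed/assumed here
# (real defaults differ between releases, so verify them for your system).
import re

# Constructed sample of an instance-profile export: "name = value" lines.
PROFILE_EXPORT = """\
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 0
"""

# name -> (assumed vendor default, policy rule, policy threshold)
# rule "min": value must be >= threshold
# rule "max": value must be non-zero and <= threshold (0 means "disabled")
POLICY = {
    "login/min_password_lng":         (6,  "min", 12),
    "login/password_expiration_time": (0,  "max", 90),    # days; 0 = never expires
    "login/fails_to_user_lock":       (5,  "max", 3),
    "rdisp/gui_auto_logout":          (0,  "max", 1800),  # seconds; 0 = never
}

def parse_profile(text):
    """Return {parameter: int_value} from 'name = value' lines; other lines are ignored."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w/.-]+)\s*=\s*(\d+)\s*$", line)
        if m:
            params[m.group(1)] = int(m.group(2))
    return params

def audit(params, policy=POLICY):
    """Return a list of (parameter, value, finding) for every policy deviation.
    A parameter absent from the export is treated as still at its vendor default."""
    findings = []
    for name, (default, rule, threshold) in policy.items():
        value = params.get(name, default)
        if value == default:
            findings.append((name, value, "still at vendor default"))
        elif rule == "min" and value < threshold:
            findings.append((name, value, f"below policy minimum {threshold}"))
        elif rule == "max" and (value == 0 or value > threshold):
            findings.append((name, value, f"exceeds policy maximum {threshold}"))
    return findings

if __name__ == "__main__":
    for name, value, finding in audit(parse_profile(PROFILE_EXPORT)):
        print(f"{name} = {value}: {finding}")
```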
Is Access Security Based on User Roles?
SAP security includes the ability to assign security requirements and restrict access to parts of the system according to the role a user is assigned, but user roles are not set up by default, which means that unless the default is changed, every user has access to the same data and is subject to the same security requirements. Do your administrators need the same access as users? In most cases, the answer is no.
To ensure that users have access to only the features and data they need, the configuration team should first define the requirements and restrictions for teams of users based on their job functions and the access needed to achieve those functions, and then assign those roles to each team member. Restricting users to the access necessary provides a layer of protection for higher-level data that not every user needs to access.
Did Your Security Team Clean Up After Integration?
Another often-overlooked aspect of SAP security is the privileges that are granted to the integration team. The integration team needs wider access to ensure that applications function as they should for users and across business processes, but when everything has been completely integrated and is properly functioning, those administrative privileges should be revoked to prevent unauthorized access to functions and data. Plan to have a security team clean up after the integration to remove any accounts that could be used for unauthorized access.
Do You Follow SAP Security News?
It’s not at all unusual to learn about new SAP security vulnerabilities. Integrating an end-to-end application into existing systems is bound to create complexities that might not be secured by existing features and configurations. Too often, however, a vulnerability only becomes widely publicized after a data breach has been discovered. That doesn’t mean information about how to avoid or protect against the vulnerability wasn’t available; it just means that organizations often fail to pay attention to those details until it’s too late.
Staying up to date on security vulnerabilities as well as the patches and fixes for those vulnerabilities is essential to protecting your SAP system. The criminals that want to breach the system are experts in these matters, so to protect your SAP application, your security team needs to be, as well.
SAP is no more vulnerable than most other ERP applications on the market. It is, however, a much bigger target, and any organization that chooses to use SAP should be aware that default security settings, failure to restrict access using role-based security, and not cleaning up after the integration are all vulnerabilities. The best way to protect your SAP applications is to become an expert at SAP security. Follow the news, learn about vulnerabilities and how to protect against them, and then follow through. It’s not a 100 percent guarantee that your SAP application won’t be targeted, but it is an effective way to reduce the odds.
About the Author
Jerri Ledford has been writing about business technology for more than 20 years. Her articles, profiles, news stories, and reports have appeared in such venues as Intelligent Enterprise, Network World, Information Security Magazine, DCM Magazine, and CRM Magazine. She develops and teaches technology courses for enterprises such as Sony, HP, and CNET and is the author of 19 business technology books, including Google Analytics and The SEO Bible. Jerri is a Studio B analyst.