Securing your SAP landscape

by CXOtoday Staff    Oct 01, 2010

Mumbai (CXOtoday Event): SAP is undoubtedly one of the most critical and widely used business assets an organization has, but is it as secure as it should be?

The ERP application holds sensitive information that is exposed to internal as well as external threats. While SAP does ship with its own security mechanisms, in most installations the traffic between the SAP GUI client and the server is merely compressed, not encrypted, and compression gives no confidentiality: the simple compression or scrambling applied to that traffic can be reversed with techniques freely available on the Internet. To highlight the need to secure the SAP ERP environment and to build awareness of better governance, risk and compliance (GRC), CXOtoday.com and Wipro held an event titled ‘Have you secured your SAP infrastructure?’.

At this event, held in Mumbai, three veterans from the IT security industry got together to talk about how and why an enterprise should secure the SAP infrastructure on its network. The first speaker of the evening was Ravi Vaz, Technical Consultant at Wipro, who traced the evolution of enterprise applications and went on to elaborate on the risks of running an ERP environment in an enterprise. Vaz advised the audience to treat enterprise applications as business processes in order to mitigate the risk of operating an ERP solution on an enterprise network. In addition, IT managers must secure their application environment according to industry best practices, rather than relying on the default implementation or on whatever they find convenient. To reduce unauthorized access to sensitive data on an SAP ERP server, one should employ a ‘maker-checker’ control: one user creates or changes a record and a different user must approve it. This brings greater accountability to the SAP infrastructure. Vaz gave the example of a customer from the petroleum industry that had implemented single sign-on access to multiple SAP landscape modules.

Photo: Ravi Vaz advising the audience to treat enterprise applications as business processes in order to mitigate the risk of operating an ERP solution on an enterprise network

Vaz’s presentation was followed by one from S Girish, VP (Sales), Secude. Girish gave a deep dive into the areas where the SAP landscape is prone to unauthorized access and traffic snooping. He explained how the unencrypted communication between a user’s SAP GUI and the server can be secured with Secude’s solution to protect information within the enterprise network. Girish also advised the audience to enable Secure Network Communications (SNC) so that data sent to and from an SAP server is encrypted. He highlighted weaknesses in the username/password authentication of an SAP landscape, adding that separate user logins for each SAP module increase the likelihood of users choosing easy passwords and, in some cases, even writing them down for future reference. Even the logon-ticket cookie issued after a successful login to an SAP server can be copied and replayed from another web browser.

Photo: S Girish highlighting the weaknesses in the username/password authentication of an SAP landscape

Since all of these issues can result in someone gaining unauthorized access to the SAP database, Girish stressed the necessity of securing this environment, all the more so because the probability of an internal breach is higher than that of an external malicious attack. In addition to password protection, RSA-based authentication and SSL certificate-based communication between client and server, Girish advised IT managers to enforce standards-based password policies. Another important area IT managers need to watch is the ABAP code written by third-party vendors. Such code tends to introduce security defects simply because custom-built ABAP is rarely put through proper compliance QA (quality assurance); that review is needed to plug the ‘compliance holes’ in this code.
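As an added illustration of the two concrete hardening points Girish raised, SNC for SAP GUI/RFC traffic and a standards-based password policy (plus the logon-ticket cookie he mentioned), the SAP NetWeaver ABAP instance-profile fragment below places the weak or default setting, commented out, beside the hardened value. This is an example written for this page, not material from the article, Secude or SAP; the parameter names are real SAP profile parameters, but the crypto-library path, the SNC identity, the system ID placeholder and the numeric thresholds are assumptions to be adapted to the landscape in question, and the exact value semantics should be checked against the release notes for your kernel.

```ini
# Added example: SAP NetWeaver ABAP instance profile hardening.
# Lines beginning with "# weak:" show the default or commonly found value;
# the uncommented line that follows is the hardened replacement.
# Paths, identities and thresholds below are assumptions for this example.

# ---- 1. Secure Network Communications (SNC): encrypt SAP GUI and RFC traffic
# weak: snc/enable = 0      (DIAG/RFC traffic is only compressed, not encrypted)
snc/enable = 1
# assumed: CommonCryptoLib shipped in the kernel executable directory
snc/gssapi_lib = $(DIR_EXECUTABLE)/libsapcrypto.so
# assumed SNC name of this application server (Distinguished Name form)
snc/identity/as = p:CN=<SID>, OU=Basis, O=Example
# protection level: 1 = authentication only, 2 = integrity, 3 = privacy (encryption)
# weak: snc/data_protection/min = 1  (clients may connect without encryption)
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
# refuse logons that are not SNC-protected at all
# weak: snc/accept_insecure_gui = 1  (plaintext SAP GUI logons still accepted)
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/accept_insecure_cpic = 0
# on newer kernels: require encryption, not merely an SNC handshake
snc/only_encrypted_gui = 1
snc/only_encrypted_rfc = 1

# ---- 2. Password policy: standards-based enforcement instead of SAP defaults
# weak: login/min_password_lng = 6   (SAP default minimum length)
login/min_password_lng = 12
login/min_password_letters = 1
login/min_password_digits = 1
login/min_password_specials = 1
# weak: login/password_expiration_time = 0  (passwords never expire)
login/password_expiration_time = 90
login/password_history_size = 10
# weak: login/fails_to_user_lock = 12
login/fails_to_user_lock = 5
login/fails_to_session_end = 3
# store only the current strong hash format; no downward-compatible weak hashes
login/password_downwards_compatibility = 0
# users whose password predates the policy must change it at next logon
login/password_compliance_to_current_policy = 1
# never recreate the emergency SAP* user with its well-known default password
login/no_automatic_user_sapstar = 1

# ---- 3. Logon tickets: limit the damage if the ticket cookie is copied
# weak: login/ticket_only_by_https = 0  (ticket cookie also sent over plain HTTP)
login/ticket_only_by_https = 1
# bind the ticket to the issuing host rather than the whole domain
login/ticket_only_to_host = 1
# lifetime in hours (assumed value)
login/ticket_expiration_time = 8
# 0 = set the HttpOnly flag on all ICF cookies, so page scripts cannot read them
# (the default leaves the flag off; verify the value table for your release)
icf/set_HTTPonly_flag_on_cookies = 0
```

After changing these parameters the instance must be restarted, and `snc/accept_insecure_*` should only be switched to 0 once every SAP GUI and RFC client has been verified to connect with SNC; otherwise legitimate users and interfaces are locked out along with the snoopers. HttpOnly and host binding reduce, but do not eliminate, the risk of a copied ticket: a ticket stolen from a compromised workstation is still valid until it expires, so the expiration time is the real bound on exposure.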

The concluding speaker of the evening was Vikas Desai, lead technology consultant, RSA, who took the discussion a step further by arguing that security and risk reduction in an enterprise must be driven by proper governance. He explained how RSA’s Archer GRC framework helps IT teams use governance, risk and compliance to plug security and policy gaps in the enterprise. The visual reports the solution generates help IT managers explain the level of compliance to senior management, thus turning IT-related challenges into business-related ones.