It’s necessary to look beyond SAP to the wider business, where threats are more likely to emanate from.
By Rohan Vaidya
From their early history developing payroll and accounting mainframe programs to the behemoth they are today, it is no exaggeration to say that organisations are built on SAP. With offerings ranging from the NetWeaver solution stack to the HANA data platform, SAP is the foundation of entire business processes. If something were to go wrong with SAP, cars could not be assembled, screws ordered or people paid. From the business perspective, SAP is what counts.
SAP is so important, in fact, that it has grown into something that is separate from normal data centre operations. SAP Competency Centres exist in many businesses as an integrated delivery centre for SAP services to the business. Why? Because SAP has so many specific requirements that all, or nearly all, products that touch SAP must be certified by SAP. These Competency Centres are data centres within the data centre. Even the hardware platform might be SAP-specific; possibly a different standard to the ‘outside’ infrastructure.
Everything then—certified hardware, databases, tools, extensions from other vendors that feed into SAP—exists in its own world, speaking its own language. And in this world everything is as integrated as possible, for a seamless experience. In IT security, we often speak about ‘protecting the crown jewels’. For businesses underpinned by SAP, it’s more like ‘protecting the crown jewel’, singular. SAP must be taken care of. In certain very large manufacturing businesses, the manual for hardening SAP runs to several hundred pages; it is that important.
But there is a flaw in this approach. While SAP is its own world, it is not a world without outside connections. As soon as something leaves the SAP platform, SAP no longer manages it. A single SAP instance can have a huge number of interfaces and connections. So while the SAP system itself may be hardened, if the connected systems that can reach the data held in SAP are not as secure, there is an issue. And that issue is access to the SAP system.
If a connecting system is compromised and in turn provides ‘approved’ access to highly critical authorisations such as the SAP_ALL role, then the game is over. Access to such roles must be managed and secured beyond SAP’s own governance, risk and compliance capabilities.
How wrong could things go? Access to the right SAP system in a given business could lead to theft of new product information or new technology developments, deletion of orders or alteration of transactions. The effects could range from a drop in future revenue to the production line grinding to a halt because steering wheels have been ordered in the tens, not the thousands, and there are not enough to go around. Material damage, in other words—not to mention the risk of incurring GDPR-related penalties.
To guard against this, it’s necessary to look beyond SAP to the wider business, where threats are more likely to emanate from. All privileged access to SAP and its associated infrastructure—the operating system and database in particular—must be secured: monitor SAP privileged user activity, and manage, protect and control the use of SAP privileged accounts, thereby helping to prevent privileged-access-related risk and credential compromise.
The writer is regional director of sales – India, CyberArk