Over the last several years, the cybersecurity industry has seen an increased focus on how organizations approach SAP. With more organizations looking to expand their SAP environments in the cloud, paired with a growing rate of advanced threats to data security around the globe, it’s easy to see how the risk to SAP has grown. As these trends continue, they are drastically changing the methods by which CISOs, audit, and information security teams secure and manage their most mission-critical assets. As a CIO, you surely understand not only the amount of time, money and resources that have been invested in implementing these applications, but also the work that is continually executed to ensure that these applications run smoothly.
SAP Cybersecurity Myths
Business-critical enterprise systems are the lifeblood of the world’s largest companies as they manage their most sensitive information and processes such as ERP, HCM, CRM, BI and Supply Chain Management.
Despite housing an organization’s “crown jewels,” SAP systems and their application layer are not protected by traditional security solutions. Traditional security methods such as Segregation of Duties (SoD) and having SAP Access Controls in place have never been an effective means for preventing cyber-attacks against the application layer.
Additionally, traditional security vendors do not continuously monitor SAP applications, let alone offer the detection and response capabilities necessary for a fully scalable, enterprise-class security solution for the SAP application layer.
Where are we now?
Most business executives believe they continue to lose ground to attackers as the sophistication of threats increases faster than corporate defenses can respond. For many, the question is not if, but when a security incident might occur.
Reducing risks across increasingly complex infrastructures can be daunting for CIOs and CISOs, who typically work with and rely upon dozens of vendors to ensure the security of various parts of the organization, but rarely focus on ERP systems. Because of this, many organizations and their teams don’t have complete visibility into their SAP infrastructure, nor do they understand where the responsibility of SAP security lies within an organization.
Despite SAP regularly releasing security patches, the patching process is complex and can be overwhelming to practitioners; applying patches to live systems creates an additional risk of disrupting critical business operations. Therefore, SAP administrators are often reluctant to patch as taking a critical system offline can sometimes pose a greater threat than leaving the vulnerability unpatched. As a result, these mission-critical systems remain unpatched and exposed to vulnerabilities for up to years at a time.
Additionally, limits on time, money and talent put a premium on being able to make the right trade-offs between risk and resources, which reduces the chances of being compromised. Maintaining regulatory compliance mandates while also preventing cyber-attacks can be a tough responsibility to fulfill. A project that improves compliance with audits and regulatory schemes often receives escalated priority, forcing InfoSec and BASIS teams to put such projects ahead of initiatives that address security needs.
2017 SAP Cybersecurity Challenges
This year, I have been engaged in numerous conversations about new and evolving SAP cybersecurity challenges affecting organizations. There are three main challenges I’d like to highlight:
- Migrating SAP to the cloud: When it comes to migrating SAP solutions to the cloud, most organizations we’ve talked to lack a comprehensive cybersecurity program. There are also misconceptions about who is responsible for certain aspects of moving to the cloud, which can leave security teams with additional work. Cloud implementations are a tricky process and require security to be top of mind from the very early planning phases. Unlike transitioning other business applications to the cloud, there is no single model for what SAP security looks like, which makes migrating these systems to the cloud especially difficult.
- Aligning internal departments to reduce risks to SAP: CISOs are often faced with competing priorities when it comes to giving SAP cybersecurity the attention it deserves. Compliance with internal audits often escalates a project’s priority, forcing CISOs to put resource-intensive internal audit requests ahead of security-focused initiatives necessary to keep pace with the rapidly shifting threat landscape. Due to the critical nature of SAP systems, their applications are the target of numerous industry standards and regulatory demands such as PCI, NIST, SOX and beyond.
- Staying ahead of evolving threats in a shifting landscape: It is no surprise that the threat landscape for SAP is constantly shifting and evolving. As the SAP cybersecurity market continues to grow, threat actors both inside and outside organizations are developing advanced methods for gaining access to critical information and processes stored in these systems.
Ensuring your SAP systems are secure and compliant
SAP-centric organizations must be able to cross-functionally evaluate evolving threats, shorten the window of exposure to known vulnerabilities and improve awareness around points of vulnerability.
This requires an approach characterized by the following:
- Understand your SAP risks
- Identify business-critical SAP systems
- Create a governance team
- Carry out a vulnerability management process with continuous monitoring
- Generate reports and track trends
By combining these steps, organizations can begin to include these critical systems in their current security management and patch management processes and monitor the security of these systems on an ongoing basis.