11 things CISOs still need to know about SAP ‘cyber’ security

11 Key Insights for CISOs on SAP Cybersecurity: Essential Knowledge for 2024

Introduction

As the IT landscape grows more complex, so does the job of the Chief Information Security Officer (‘CISO’). CISOs need to keep track of a constant wave of new technologies and how to secure them. Organizations running SAP present the CISO with a further challenge: managing SAP security.

I wrote a blog a few years back detailing the common challenges faced by CISOs of organizations using SAP systems. While a lot has changed in the cybersecurity world, many of those challenges still apply today. This is a follow-up blog with some updates based on recent developments in the SAP and cybersecurity space.

In most organizations, CISOs rely on the SAP BASIS/Security team to manage SAP security, and this has mostly been done through SAP GRC Access Control (or similar tools such as SailPoint Access Risk Management (‘ARM’)) to manage SAP Segregation of Duties (‘SoD’) and access issues within the SAP system. Some organizations also undergo periodic SAP audits, which may cover the IT general controls required by the financial audit.

Navigating SAP security challenges

This was insufficient even a few years back, and today it exposes organizations and their SAP systems to even greater cybersecurity risks. Hexadius has been involved in many SAP security engagements that go beyond these traditional areas and also cover the core cybersecurity domains of Vulnerability Assessment & Penetration Testing (‘VAPT’), source code security testing and interface security testing.

Based on these engagements, this is the updated list of eleven things that will help a CISO navigate the increasingly complex SAP security challenges:

  1. First and foremost, don’t look at SAP security in isolation. Rather, extend your existing security framework to cover SAP systems.
  2. SAP security is the responsibility of the CISO, not just the SAP team.
  3. SAP BASIS is not the same as SAP security, and your cybersecurity team doesn’t always know how to manage SAP cybersecurity. There is often an SAP security skills gap; engage SAP security specialists to address it.
  4. SAP security is more than SoD and authorizations: attackers can bypass SoD and authorization controls altogether to gain privileged access to SAP.
  5. Security patching is important; annual system upgrades are not sufficient. SAP publishes security notes on its monthly Security Patch Day (hundreds of them every year), and many of these patches are not included in Support Package upgrades.
  6. SAP is not secure by default (which application is?) and needs to be hardened before being deployed. Unfortunately, there are no industry security benchmarks for SAP systems (e.g., NetWeaver ABAP, NetWeaver Java, SAP HANA, etc.).
  7. SAP has many security vulnerabilities and new ones are identified regularly, so SAP security needs to be tested regularly to keep the setup secure.
  8. SAP can be hacked too. SAP application testing and VAPT should be performed regularly by competent testers.
  9. SAP network and communication security is complex and needs special attention. Securing RFC connections, enforcing encryption (SNC for SAP-native protocols, TLS for HTTP) and managing third-party connections to SAP is not easy, given the enterprise-wide business impact of any disruption.
  10. Monitoring is important: integrate SAP security monitoring (for example, the Security Audit Log) with the corporate SIEM solution.
  11. Remember, SAP is your crown jewel. It needs equal, if not more, attention.

The CISO is responsible for protecting the organization’s most important system, SAP ERP. At the same time, organizations should not allow SAP to become the weak link that exposes other IT systems to cyber-attacks.

An SAP security threat mapping is a good starting point for understanding the specific challenges in your organization. Once the security risks and vulnerabilities are identified, an SAP security roadmap should be developed to address them.
