Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach. Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of. Attackers with the appropriate skills could be able to exploit specific SAP vulnerabilities to take full control of the SAP system and expose the critical information and processes of the company.

Among new SAP users and non-technical experts, there are multiple myths when it comes to SAP, like “SAP is a commercial product that delivers security by default.” The reality is that even after implementing the standard functionalities of an SAP solution, it is not secured by default.

Traditionally, companies were predominantly focused on the roles and profiles assigned to different users in the SAP system as the main control to improve the security in the SAP systems. However, this focus has been expanded beyond merely access control, and there are plenty of elements that need security factored in:

  • Access Management: In the SAP solutions, there are multiple ways to provide high privileges to users and to perform critical actions on the business processes, such as changing already created invoices, modifying existing purchase orders or trying to change the system configuration
  • Custom Code: According to best practices, it is better to build security in your code during the design process than waiting to have a breach.
  • Configuration: An SAP system has hundreds of different parameters that influence the configuration of the system and therefore its security. As such, most customers have included security as a key part in their SAP implementation projects.
  • Interface/integration with other systems: Interconnecting systems can be a dangerous activity if the security of both systems is not adequate and the connector is not configured properly.

IBM Security has defined a security framework featuring 13 layers that focus on the critical elements of the SAP stack. This framework uses a top-down approach, going from regulatory and compliance to the most technical details related to cybersecurity.

Figure 1: The 13 layers of SAP Security

Some years ago, the main activities on an SAP security project were focused on defining the appropriate roles and authorizations according to the Segregation of Duties matrix established by the customer or the best practices. However, those activities have been expanded to include the security of the DevOps and in the interfaces, consideration of encryption (at rest or in motion), performance vulnerability assessments, penetration testing and more.

A good starting point is to identify all the security aspects that could impact the SAP systems that are either running in a cloud environment or will be moved to a cloud environment. This activity evaluates the security considering the aforementioned 13 layers framework and combining the utilization of different assets to speed up the analysis.

These are some examples of the questions that will be answered during this analysis:

  • Are the integrations between the SAP ERP system and other internal and external systems secure?
  • Is the company monitoring the vulnerabilities in the SAP landscape? If so, is the company appropriately managing the vulnerabilities identified?
  • Is the company correctly assigning the users’ roles in the SAP landscape?
  • Is the configuration of the application layers of those SAP systems secure enough?

The final deliverable should be a detailed report including the security weaknesses and an action plan to mitigate the found risks.

This type of project is used to justify the security value behind the transformation program defined by the company and is utilized as a first step to start the security transformation in the SAP environment. After this activity, IBM offers different solutions to accelerate the security transformation and to manage the applications in a secure manner.

The key difference that sets IBM apart is that we analyze the client security posture from two different perspectives; we consider compliance and cybersecurity with the main objective of identifying all the weak flanks that could compromise the customer’s business.

Is your IT strategy considering the security of its SAP solutions? Is your company performing frequent reviews to assure that the SAP solutions have not been attacked or suffered a breach? How is your company managing the vulnerabilities identified in the internal or external audits? Learn how to best secure your SAP environments and get in touch with an expert to help you through your SAP security transformation today by accessing here.

More from

Cloud Workload Protection Platforms: An Essential Shield

2 min read - Businesses of all sizes increasingly rely on cloud computing to power their operations. This shift has brought with it a new set of security challenges. To protect their workloads in the cloud, many of these businesses are deploying a critical tool for cloud security: cloud workload protection platforms (CWPPs).What are Cloud Workload Protection Platforms?CWPPs are comprehensive security solutions designed specifically for cloud-based environments. They provide advanced protection and threat detection capabilities to safeguard cloud workloads and guarantee the confidentiality, integrity…

2 min read

Is Open-Source Security a Ticking Cyber Time Bomb?

4 min read - Software depends on layers of code, and much of that code comes from open-source libraries. According to an Octoverse 2022 report, open-source code is used in 97% of applications. Not only do developers embrace open source, but so do nine in 10 companies. “Open-source software is the foundation of 99% of the world’s software,” Martin Woodward, VP of developer relations at GitHub, told VentureBeat.As the foundation of just about every piece of software, every application or device runs on code that…

4 min read

Threat Sharing Evolution: How Groups Offer Less Risk and Better Intelligence to Members

16 min read - Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. In 2019, the World Economic Forum advocated for increased threat intelligence sharing by arguing that cybersecurity is a “public good.” Meaning, if organizations — both public and private — share threat information across groups, everyone has a clearer picture of the threat landscape and with it, the ability to better defend against increasingly aggressive and sophisticated threat actors. In response, multiple threat-sharing groups have sprung to life,…

16 min read

How to Manage Cyber Risk During Mergers and Acquisitions

4 min read - By attracting attention from threat actors, merger and acquisition (M&A) events are a significant source of cyber crime risk. So much so that, according to a 2020 IBM Institute of Business Value study, more than one in three executives said they experienced data breaches that can be attributed to M&A activity during integration.Security ratings, provided by security rating services (SRS), can deliver an overview of risk to stakeholders. But attack surface management (ASM) tools give security teams actionable insight on…

4 min read