Six Steps to Improve SAP FIORI Security
Jan 26, '21 by Joerg Schneider-Simon
Hackers have been quick to notice that many SAP applications, servers, and databases that were once hidden behind corporate firewalls are now exposed to the web, making them prime targets for attacks.
One common denominator in this push to the web is SAP FIORI, the design language and user experience approach that SAP developed for itself, its customers, and its partners to use in their business applications.
Applications that use the SAP FIORI design language include SAP S/4HANA and SAP C/4HANA suites, SAP Analytics Cloud, SAP Data Hub and SAP Ariba. The goal of SAP FIORI is to give designers and developers a set of tools and guidelines for quickly creating apps for any platform.
SAP FIORI exposes enterprises to increased security risks primarily because it increases the attack surface. SAP FIORI exposes previously isolated, on-premises SAP systems to the public internet and mobile networks. Attackers now have many more points of vulnerability, in the form of SAP FIORI interfaces, to attack.
Attack attempts may be inevitable, but successful attacks are not. Here are six ways to improve your SAP FIORI security.
1. Benchmark Your Vulnerabilities
Take an inventory of all the ways that hackers can attack your SAP systems through SAP FIORI interfaces. Include all devices that operate both within your firewall and outside of it. Pay particular attention to mobile devices, such as tablets and phones.
2. Get the Basics Right
Make sure you are already using best practices for securing SAP systems against attacks. For example, ensure that you are:
- running the latest releases of SAP applications
- installing the latest SAP Security Notes (security patches) as soon as they are issued
- not allowing users to share passwords
- not permitting users to use weak passwords
3. Harden Your SAP Infrastructure
Improve you defenses by hardening your SAP infrastructure. Start with policies and then move on to the practical. Create administrative policies, processes, procedures, and guidelines that describe how to maintain security at administrative and technical levels. Set strict hardening policies, then start monitoring compliance.
In particular, harden your gateway servers, message servers, and ICF components. Then,
- Erect a network firewall in front of your SAP Web Dispatcher limit network connectivity to required ports and protocols.
- Hackers aim to penetrate SAP FIORI connections in order to infiltrate backend SAP servers. Prevent these attacks with a Web Application firewall in front of your SAP Web Dispatcher that protects your backend servers against attacks that exploit this FIORI connector. Better yet consider merging the functionalities of an SAP-specific WAF and the Web Dispatcher and use bowbridge Application Delivery Controller for SAP Solutions.
- Block access to the HTTP port on the NetWeaver Gateway server at the firewall.
- Implement HTTP Strict Transport Security.
- Allow access to critical FIORI apps only over Virtual Private Networks.
- Implement redirections from HTTP to HTTPS URLs in SAP Web Dispatcher and SAP Internet Communication Manager.
4. Watch Your Connections
Your goal is to give attackers as few entry points into your SAP systems as possible, and to make those entry points secure. Start by getting a grip on your access controls. Know who is using your SAP systems, why they are using them, when they are using them, and how they are accessing them. Then take the following steps:
- Deploy Security Assertion Markup Language (SAML), proxies strong authentication, such as two-factor authentication to deny access to unauthorized users.
- Encrypt your connections and your data using TLS and SNC. Encrypted connections protect your SAP data while in transit. And encrypted data makes your information useless if it falls into the hands of attackers.
5. Monitor Activity by Bad Actors
SAP FIORI Security is not a one-and-done activity. Hackers and cybercriminals never rest, so neither should you. Monitor your SAP systems 24/7 for suspicious activity. This includes activity by your users, both standard and privileged. Whenever possible, feed security data into a SIEM solution or SAP Enterprise Threat Detection to identify threats at the infrastructure layer and the business logic layer.
Continuously monitor for violations of your security policies. When you find deviations, take action immediately to remediate threats and change user behavior.
6. Use Third-party Tools
Standard OS-level antivirus programs do not recognize or address SAP cybersecurity threats. If you want to protect your SAP systems against viruses and content-based attacks, you must use security tools developed by other firms.
This is also true for SAP FIORI. To protect against attacks, consider using third-party tools that are custom-built to protect the data that flows in and out of SAP applications. Application Delivery Controller by bowbridge, for example, ensures the availability, integrity and performance of web-exposed SAP applications for on-premises and cloud-based SAP implementations. This software is cloud-ready and built specifically for SAP applications, making it the market’s only software-based Application Delivery Controller for SAP applications.