Post Fetaured Image

Secure Your System When Migrating SAP to the Cloud

Sep 30, '19 by Joerg Schneider-Simon

In April 2019, hackers uploaded a series of exploits targeting SAP business applications to a public forum.

These exploits, referred to as 10KBLAZE, leverage insecure default configurations that SAP has known about for a while and had corrected already.

However, the public release increases the risk of cyberattacks against many SAP on-premise and cloud instances, particularly in two circumstances:

  • The new default settings may not have been adopted
  • The configurations have been updated.

This means your SAP Cloud Platform is vulnerable not only to nation-state cyberespionage groups and sophisticated hackers, but also to any amateur who can use a search engine like Shodan (the world’s first search engine for internet-connected devices).

Professional hackers and hobbyists alike can now download one of these exploits, point it at the IP address of an SAP system, and then could be able to wipe out the system with one command.

Your security depends on fixing security vulnerabilities quickly, but your overburdened team may not have the time to apply every critical patch, or the know-how to spot configuration issues. And even if they do, they probably aren’t on the lookout for cloud security threats that compromise SAP indirectly.

Attackers can also exploit non-SAP cyber security vulnerabilities to target your users’ devices, email accounts and applications. A user clicking on a single infected link in social media can give a hacker access to their computer, allowing the attacker to steal their login credentials and mount an attack.

Why Your SAP Cloud Instances Are Vulnerable

These newly highlighted vulnerabilities primarily target insecure default configurations of on-premise SAP Gateway and SAP Message Server, two components that many SAP business applications use and that are common in many environments.

And yet these configuration issues exist even in new SAP implementations in the cloud. Why? Because companies are not migrating SAP to the cloud with security in mind.

For most organizations, basic SAP security is a huge challenge, and many don’t even understand what they face in the realm of cloud security. Implementing a system that mitigates both internal and external threats requires a massive transformation—one that many organizations are unwilling to make.

So why are so many SAP cloud instances vulnerable?

  1. Companies are focused on only one type of control. Many enterprises approach the security of SAP applications one way—by concentrating on segregation-of-duties controls. They control which users can do which actions once they have access to the system. But they fail to make sure the technical settings of their system are secure.

  2. The complexity of cloud security is a major challenge. Attackers don’t need to hack their way through the heavily-secured front door anymore — they usually find an easier way in through the back. For example, an attacker may start in a lower security development landscape, or enter through a supplier or customer portal, then pivot to production.

  3. Malicious attackers can receive insider assistance.Sometimes, an insider is actively in league with a cybercriminal, but more often, the problem is carelessness or lack of security awareness. An insider may click on unsafe links or download contaminated files, reuse passwords, lose control of a device while it’s logged in and compromise cloud security in innumerable other ways.

How to Secure Your SAP Cloud Platform Against Cyberattacks

Make your technical settings secure

Step one in securing your SAP cloud platform against attacks is understanding that there are technical settings that you must get right. Fail here, and you leave your system vulnerable to exploits that can have immediate and catastrophic business and financial consequences.

If you leave these system-wide technical settings in an insecure state, external hackers and disgruntled internal employees can easily bypass your data access controls and gain unrestricted access to your entire system. The most important of these technical settings to get right is properly segmenting SAP on your internal networks.

Gain visibility

Not all monitoring tools detect attacks and exploits against SAP systems. The result? In many cases, when attacks happen there's no obvious system disruption or data modification, so the attack remains undiscovered.

The remedy is to gain visibility into your SAP infrastructure. Understand the connections between systems, both on-premise and cloud and search for current and new vulnerabilities that will impact your business.

Know your layers

In an on-premise SAP scenario, you own the entire stack, from OS, to database, to SAP-BASIS, to application, making responsibility for securing the stack entirely yours and giving you easier transparency into the status of your stack’s security. With cloud instances, you may only have insight into the top layer or two, with no way to verify whether your cloud provider is effectively monitoring OS, DB, and BASIS. Should a breach occur, the bulk of the responsibility (and public perception) will fall upon the client corporation, not the cloud vendor, providing extra impetus for corporations to demand a transparent and holistic view of SAP security.

Stay up to date on SAP vulnerabilities

SAP offers guidance for fixing these issues in SAP Notes #821875, #1408081 and #1421005, and offers a helpful SAP Cloud Platform Integration Security Guide.

Monitor for attacks and exploits

Install monitoring tools that uncover the systems in your network that are exposed to these exploits and take steps to remediate these vulnerabilities immediately.

Security in the age of digitalization remains a neck-and-neck race between cybercriminals and cloud solution providers. As you migrate your SAP applications to the cloud, make cybersecurity a priority, to help keep your on-premise and cloud instances safe from cyberattack.

How to Implement Virus Scanning and Content Security on SAP Application Server ABAP and NetWeaver Gateway