The Security Audit Log allows users with extensive authorizations to be monitored. This is particularly useful for ensuring compliance with both internal security policies and external legal requirements. The SAP standard tool gives an overview of critical activities relevant to security and logs them.
On January 23, 2020, news broke on one of the biggest data leaks to date in Germany. Apparently, it was possible for anyone on the Internet to gain full access to the backup of the entire database of car rental company Buchbinder. The ramifications are difficult grasp.
To secure and encrypt customer networks, SAP offers the SNC (Secure Network Communications) interface with which users can log in to SAP systems without having to enter a user name or password. In the standard system, SAP login credentials are transmitted in clear text. The SNC interface routes calls through the SAP Cryptographic Library, to encrypt all communications between the SAP GUI and the SAP server. This enables secure individual logins for SAP.
SAP is planning to move all its customers to cloud systems. Its software is used by most midsize and larger companies in the German-speaking countries, including around half of all the businesses in Germany alone. Making the transition requires solid planning and entails a tremendous amount of organizational effort on the part of IT managers.
SAP systems require special attention when it comes to their security and this is no longer news to anyone. More often than not, the ERP systems supplied from Walldorf in Baden-Württemberg store some of the most crucial and sensitive company data. That said, what is the best approach to achieving the optimum level of security? A security audit would fit the bill!
Do you have an overview of the RFC interfaces in your SAP systems? The larger the company, the more interfaces there are. Unfortunately, these are often not taken into account when securing IT systems, thereby allowing hackers free access to sensitive data. The name of the game for SAP managers is therefore: Clean up and check.
To achieve the most comprehensive protection possible against potential attacks in SAP environments (and deal with those that do occur), encryption mechanisms and up-to-date cryptography libraries are required using TLS.
(Partner blog post of SERPENTEQ GmbH)
On April 19, 2019, at the OPCDE Cyber Security conference in Dubai, security researchers Dmitry Chastuhin and Mathieu Geli gave a presentation called “SAP gateway to Heaven”. They re-visited two configuration issues (related to SAP Gateway and SAP Message Server) that have been known for many years and for which detailed security guidelines have been available for years. Now the researchers applied some admirably creative thinking to combine them.
According to recent investment reports from the German SAP User Group (DSAG), up to 80 percent of the companies it surveyed intend to migrate their SAP systems to S/4HANA in the next several years. Certainly a bold endeavor. To minimize internal effort, the recommendation is to eliminate legacy issues – for example ABAP custom code – before the migration takes place.
The Gateway is a central communication component of an SAP system. As such, it is an attractive target for hacker attacks – and should receive corresponding protections. If the Gateway protections fall short, hacking it becomes child’s play. Despite this, system interfaces are often left out when securing IT systems. Should a cyberattack occur, this will give the perpetrators direct access to your sensitive SAP systems.