Let’s discuss why traditional SAP security is insufficient for today’s ecosystem. The SAP landscape’s evolution with digital transformations, cloud adoption, and ever more integrations and open endpoints has expanded the threat landscape and added complexity. SAP is no longer just an internal application where traditional role-based access control and governance, risk, and compliance (GRC), mostly limited to logical and access control and segregation of duties, will protect the application from new cybersecurity threats, including, but not limited to, ransomware and data breaches. We’ll briefly discuss the changes that have happened and are happening now in SAP ecosystems, which warrant SAP security professionals and the cybersecurity/information security (InfoSec) team coming together to protect SAP from cybersecurity threats. Whether organizations are going through digital transformations or cloud adoption, moving toward hybrid landscapes, relying more and more on third-party systems/applications and integrations, mitigating financial risks, preventing fraud, or complying with regulatory requirements, the most important thing is preserving their customers’ trust.

Digital Transformations

Digital transformations, as we all know, are everywhere, whether it’s digitizing your supply chain business processes, finance, e-commerce, human resources, or customer relationship management (CRM). Organizations, customers, and their businesses are adopting digital technologies at a rapid scale. With the advent of cloud, artificial intelligence (AI), machine learning, and automation/robotic process automation, enterprise applications like those provided by SAP have become modern and more mobile-friendly, with user experiences such as SAP Fiori. This shift and these digital transformation efforts have significantly altered the threat landscape for SAP.

Digital Transformation and Cybersecurity Go Hand in Hand: SAP systems are no longer SAP R/2 or SAP R/3 systems accessed only via the SAP GUI client. In today’s world, SAP provides SAP SuccessFactors for digitizing HR processes, SAP Ariba for supply chain and procurement, SAP Concur for travel and expense, and SAP S/4HANA as your core enterprise resource planning (ERP) system. These systems are offered over the internet via a URL or a mobile app; therefore, just doing what we’ve been doing around SAP from a security perspective won’t protect us from cybersecurity threats and adversaries. Apart from the increased attack surface that comes with digital transformation and more complex data security, privacy, and compliance requirements, we’re also adding reliance on more and more third parties and the risks they bring. This is because most of the time, these digital transformations involve third parties/vendors helping customers with the transformation, whether as an implementation partner/system integrator or by offering solutions, products, and services. While all of this helps businesses with their transformations from a cost perspective, it also increases complexity, security requirements, and governance needs.

Cloud Migrations

The SAP ecosystem is moving to the cloud with SAP’s push to SAP S/4HANA Cloud via the RISE with SAP and GROW with SAP programs (see figure below); customers have either moved their on-premise SAP systems to the cloud or are evaluating it right now. The shift is imminent: even if customers don’t move to SAP’s version of the cloud, they are moving to one of the leading public cloud providers (Amazon Web Services [AWS], Microsoft Azure, Google Cloud Platform [GCP]). Cloud is the preferred choice for organizational leaders to host any resource, including SAP. In the cloud, SAP systems are no longer shielded by the physical and network security of the on-premise environment.

The shift exposes SAP to the vulnerabilities and threat vectors inherent in cloud platforms, such as misconfigured storage or inadequate access controls, and to the risks arising from the multitenant, shared nature of the cloud. Furthermore, the decentralized nature of cloud services complicates visibility and control, increasing the risk of unauthorized access and data breaches. Traditional perimeter-based security strategies must be updated for the cloud, which requires a more dynamic and multilayered approach. The transition requires a fundamental rethinking of security strategies to protect the SAP environment effectively in the new cloud world. The cloud model also means you’re outsourcing a lot of security responsibility to the cloud service provider and the third party while moving to a shared responsibility model. Most of the time, there is a false sense of security around the cloud, as even with the cloud, the ultimate security responsibility still lies with the customer.

Hybrid Landscapes

As we discussed, with SAP’s shift toward the cloud and SAP’s acquisitions over the years, especially of software as a service (SaaS) applications such as SAP SuccessFactors and SAP Ariba, and with its new SAP Business Technology Platform (SAP BTP), most customers’ SAP landscapes are already hybrid landscapes. In an SAP hybrid landscape (see next figure), critical business processes span systems, and sensitive data and applications are distributed across them as well. The mixed landscape complicates policy enforcement and identity management, so traditional SAP security wouldn’t be enough to secure it.

Third Party: Open Integrations and Interfaces

As already discussed, organizations on a digital transformation journey are moving to more complex enterprise architectures. The enterprise landscape has become more involved, with organizations using different vendors and third parties for additional solutions, resulting in many open integrations, interfaces, and APIs, both inbound and outbound, with SAP. Open integrations and APIs expose SAP systems to external environments, increasing the potential entry points for cyberattacks. Each integration and interface brings more complexity, and because most SAP security team activities, including GRC, have been limited to the SAP applications themselves, these third-party integrations and interfaces must also be secured.

Mitigating Financial Risks

Mitigating financial risks involves identifying, analyzing, and taking steps to minimize or control exposure to threats that could lead to financial losses. These risks can arise from various sources, such as market fluctuations, operational failures, credit issues, and so on. Because SAP holds the organization’s crown jewels, including sensitive financial business processes, data, and transactions, and is the system of record for financial and accounting reporting, it’s becoming a prime target of cyberattacks. A breach can lead to substantial economic loss; therefore, incorporating robust cybersecurity measures into traditional SAP security and GRC is more critical than ever. Since SAP has the advantage of matured GRC processes and technologies in the SAP GRC solutions (in particular, SAP Access Control and SAP Process Control), it may be better prepared, or at least better audited, due to financial and accounting reporting compliance (e.g., with Sarbanes-Oxley [SOX]). However, SOX and GRC work is limited to logical control, access control, and change management from the SAP perspective, and is usually limited to the application layer. It must go beyond that and incorporate a cybersecurity mindset and processes to mitigate financial risks.

Preventing Fraud

Traditional SAP security measures are often inadequate for preventing fraud in the SAP ecosystem due to several factors:

Complying with Regulations

The SAP world has been compliant with SOX for years, as SAP systems are used as the core financial and accounting system by leading organizations, including but not limited to public companies from the United States. With SAP GRC solutions, SAP’s control environment is pretty mature regarding finance and accounting related to SOX. Still, with the advent of cloud, digital transformations, and an open digital world, there are more regulations beyond SOX, such as the privacy and data regulation in Europe, the General Data Protection Regulation (GDPR), and other rules worldwide. The number of rules worldwide is increasing, requiring more local compliance from companies. Doing what we do today in SAP security is insufficient and won’t protect the SAP landscape. Doing everything you can from a cybersecurity perspective, and not just limiting yourself to traditional SAP security, is paramount for organizations.

Preserving Customer Trust

Organizations must do their due diligence to protect customer data and retain customer trust. A security breach is a matter of when it will happen, not if; company leaders, chief information security officers (CISOs), and SAP leaders all need to realize that traditional SAP security and GRC alone aren’t enough to protect SAP and preserve customer trust in today’s digital world. From an SAP perspective, a customer can be an internal employee who uses the SAP SuccessFactors HR system, a supplier using SAP Ariba, or simply a business user using SAP S/4HANA Finance or supply chain business processes. Maintaining that trust involves several vital practices:

Editor’s note: This post has been adapted from a section of the book Cybersecurity for SAP by Gaurav Singh and Juan Perez-Etchegoyen.