Zero-trust is a concept that marks a significant change in how IT security frameworks operate. Instead of assuming that everything within an organization’s network can be trusted, a zero-trust model presumes that everything starts as a risk, and only user identity and context can then establish trust for specific resources and actions.
The sensitive nature of the data and information stored within your SAP systems means that a zero-trust approach is always the best course of action. However, this approach isn’t as common as it should be, and this was highlighted in the recent SAP Security Survey Report, compiled jointly by Turnkey Consulting, Onapsis and Legion Star. A worrying 53% of respondents said they either didn’t review third-party code for security or quality issues, or weren’t sure whether they did or not.
This blog will explore why this is such an area for concern, and explore the practicalities of deploying zero-trust security in your SAP estate.
The risks of not checking third-party code specifically
If you don’t check third-party code before you implement it, you may be introducing vulnerabilities or gaps into your SAP estate without even realizing it. This applies even if you trust the source of the code because you’ve used it before. Without reviewing all code for security and quality defects, you may unwittingly give cyber-criminals a clear path of entry to your SAP system and data.
Ultimately, an approach prioritized around risk is important to the detection of a breach, and critical to its containment.
A wider zero-trust approach
Zero-trust does more than give you a defensive, safety-first approach to your SAP Security. Under zero-trust, devices and users have to be authenticated every time they use any asset, environment or application, rather than trust being taken for granted. This means threat actors can’t access valuable data, even if they manage to get into the network.
The same principles apply to third parties and remote employees: they can only access applications that they are authorized to, meaning they are shut off as a potential route for cyber-criminals to gain access themselves.
It comes down to the difference between being proactive and reactive: organizations using zero-trust are actively looking for threats that may infiltrate their systems, not reacting to them after they’ve started to have an impact.
How to deploy zero-trust with SAP Security
According to Microsoft, 94% of security leaders have ‘embarked on their zero-trust journey’. This is encouraging, but there’s still work to do to make this aspiration an implemented reality across applications and systems, including SAP.
Alongside reviewing third-party code, there are many other actions you can take to make zero-trust possible, including:
Specify surfaces for protection: locate the surface, ensure all applications and data are isolated and classified, and increase visibility and contextual awareness
Set out transaction flows: use automated tools to map data, assess the interaction of applications, data and systems, and categorize all traffic
Define the trust policy: develop automated application rules, use a multi-layered approach to scanning and mitigating threats, and ensure the policy covers who accesses what, when, where and how, including what they need access for
Adjust response processes: use all the data available to put incidents into context, and automation to rapidly contain attacks with network segmentation, then learn from the experience to improve trust policies
Keep SAP secure: maintain security through environment monitoring, regular updates and enhancements to the environment, and a fast threat detection and response strategy (ideally utilizing AI-based tools)
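The steps above describe a trust policy (who, what, when, where, how), a response process fed by decision data, and detection. As an added example that is not code from the original post or from Turnkey Consulting, Onapsis, Legion Star or SAP, the following Python shows the core mechanics in one place: a default-deny policy evaluated afresh for every request against identity and context, a structured audit record for each decision, and a simple detection hook over those records. The system name, transaction names, roles, networks, time windows and the device-compliance and MFA signals are all constructed assumptions, not real SAP identifiers.

```python
"""Default-deny, per-request trust policy in a zero-trust model.

Added example; not from the original post or any vendor product. All names,
networks, hours and context signals below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
import json


@dataclass(frozen=True)
class Request:
    """One access attempt: identity plus context, re-evaluated every time."""
    user: str
    roles: frozenset
    system: str             # constructed, e.g. "ERP-PRD"
    transaction: str        # constructed business action name
    source_ip: str
    device_compliant: bool  # assumed signal from endpoint management
    mfa_verified: bool      # assumed signal: fresh MFA for this request
    when: datetime          # timezone-aware


@dataclass(frozen=True)
class Rule:
    """Who may do what, when, where and how, for one system/transaction."""
    system: str
    transaction: str
    roles: frozenset
    networks: tuple         # permitted source CIDRs
    hours_utc: tuple        # (start, end): start <= hour < end
    require_mfa: bool = True
    require_compliant_device: bool = True


# Constructed policy. Anything not listed is denied.
POLICY = (
    Rule("ERP-PRD", "payment_run", frozenset({"treasury_ops"}),
         ("10.20.0.0/16",), (7, 19)),
    Rule("ERP-PRD", "display_vendor", frozenset({"treasury_ops", "ap_clerk"}),
         ("10.20.0.0/16", "10.30.0.0/16"), (0, 24), require_mfa=False),
)


def evaluate(req, policy=POLICY):
    """Return (allowed, reason). No session, VPN or network position grants
    implicit trust; every condition is checked for every request."""
    rule = next((r for r in policy if r.system == req.system
                 and r.transaction == req.transaction), None)
    if rule is None:
        return False, "no rule for this transaction (default deny)"
    if not (req.roles & rule.roles):
        return False, "role not authorized"
    ip = ip_address(req.source_ip)
    if not any(ip in ip_network(n) for n in rule.networks):
        return False, "source network not permitted"
    start, end = rule.hours_utc
    if not (start <= req.when.astimezone(timezone.utc).hour < end):
        return False, "outside permitted hours"
    if rule.require_mfa and not req.mfa_verified:
        return False, "MFA not verified for this request"
    if rule.require_compliant_device and not req.device_compliant:
        return False, "device not compliant"
    return True, "all policy conditions met"


def audit_record(req, decision):
    """Structured decision log, so incidents can later be put into context."""
    allowed, reason = decision
    return json.dumps({
        "ts": req.when.astimezone(timezone.utc).isoformat(), "user": req.user,
        "system": req.system, "transaction": req.transaction,
        "source_ip": req.source_ip, "decision": "allow" if allowed else "deny",
        "reason": reason}, sort_keys=True)


def repeated_denials(records, threshold=3):
    """Users denied at least `threshold` times: a minimal detection hook."""
    counts = {}
    for line in records:
        rec = json.loads(line)
        if rec["decision"] == "deny":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample requests (every value invented for the example).
NOON = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)
SAMPLES = {
    "alice_office": Request("alice", frozenset({"treasury_ops"}), "ERP-PRD",
                            "payment_run", "10.20.4.7", True, True, NOON),
    "alice_outside": Request("alice", frozenset({"treasury_ops"}), "ERP-PRD",
                             "payment_run", "203.0.113.9", True, True, NOON),
    "alice_night": Request("alice", frozenset({"treasury_ops"}), "ERP-PRD",
                           "payment_run", "10.20.4.7", True, True,
                           NOON.replace(hour=22)),
    "bob_wrong_role": Request("bob", frozenset({"ap_clerk"}), "ERP-PRD",
                              "payment_run", "10.30.1.1", True, True, NOON),
    "bob_display": Request("bob", frozenset({"ap_clerk"}), "ERP-PRD",
                           "display_vendor", "10.30.1.1", True, False, NOON),
    "bob_no_rule": Request("bob", frozenset({"ap_clerk"}), "ERP-PRD",
                           "change_bank_details", "10.30.1.1", True, True, NOON),
}


def run_demo():
    """Evaluate every sample; returns {name: (allowed, reason)}."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}


def audit_log():
    """Audit records for every sample decision, one JSON line each."""
    return [audit_record(req, evaluate(req)) for req in SAMPLES.values()]
```

The point to notice is the ordering: the decision is made per request from identity and context, the same `treasury_ops` user is denied the moment the source network or time of day falls outside policy, and an unlisted transaction is denied without any rule having to say so. The audit records are what the response process consumes; `repeated_denials` is the simplest form of the detection step, and a real deployment would feed the same records to its monitoring tooling instead.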