14 July 2016

How to protect SAP within your Data Centre

Hosting business applications and data is not a new concept. Mechanisms, terminology and custody can change in an industry that is always seeking the ‘next big thing’, but enduring InfoSec principles apply regardless of where data resides. In this blog I will primarily be referring to SAP; however, the themes apply to any ERP vendor.

InfoSec 101 is as relevant now as it has ever been

SAP systems have traditionally fallen under the “fortress” model of security, where control of the perimeter is the primary defence. That model is outmoded, as collaboration and integration are required to get value out of business process platforms. Key principles that help you to secure your information assets include:

  • Applying your InfoSec standards to all assets
  • Hardening your systems, to vendor spec/recommendations at a minimum
  • Reducing your threat surface by deactivating unnecessary services
  • Encrypting data in transit and at rest
  • Ensuring that dialogue between security, technical and application teams is frictionless
  • Enforcing penalties for non-compliance with security standards, policies and processes

Use vendor-delivered tools

ERP vendors invest heavily in security. Systems Integrators tend to regard it as an overhead, so once a project is put into action it’s left to the client to implement anything more than basic capabilities. Often, design decisions have already been made that make it difficult to retrofit security efficiently. SAP delivers a number of tools that can be used to protect your SAP applications:

  • Encrypt traffic (Secure Network Communications (SNC), VPN)
  • Monitor security configuration (Solution Manager Configuration Validation)
  • Perform proactive threat detection (Enterprise Threat Detection)
  • Consider the vendor ecosystem (e.g. Onapsis and VirtualForge) for products with best-in-class capabilities

Integrate with Security Information and Event Management (SIEM)

SAP is a critical business asset, yet the application stack is rarely monitored under existing SIEM frameworks. While attacks on SAP can be application-specific, there are numerous generic infrastructure components (networking, operating system and database) that can be compromised with the same net effect as directly targeting the SAP application. Improve your security position by:

  • Leveraging the tools and processes of your Security Operations Centre
  • Monitoring SAP and infrastructure components using your SIEM tools and supporting processes
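The point above, that compromising the operating system or database underneath SAP has the same net effect as attacking the application, is easiest to see when events from all three layers land in one place. The following is an added example, not code from the Turnkey post and not SAP's own audit-log format: the three event layouts, the host names and addresses, and the field names are all constructed for illustration. It normalises constructed SAP, OS and database logon records into one schema and raises an alert when one source address accumulates failed logons across several layers inside a short window, a pattern that looks like background noise on each layer when they are monitored separately.

```python
"""Correlating SAP application-layer and infrastructure logon events.

Added example (not from the Turnkey post, not SAP's audit-log format): the
event layouts and field names below are constructed assumptions. Feeding SAP
and its infrastructure into the same SIEM lets a cross-layer pattern emerge
that per-layer monitoring would miss.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Each layer has its own native shape; the first
# job of the SIEM pipeline is to normalise them into one schema.
SAP_EVENTS = [  # simplified SAP application logon records (constructed)
    "2016-07-14 08:01:02|SAP|PRD|client=100|user=DDIC|term=10.1.1.50|logon=FAILED",
    "2016-07-14 08:01:09|SAP|PRD|client=100|user=SAP*|term=10.1.1.50|logon=FAILED",
    "2016-07-14 08:01:15|SAP|PRD|client=100|user=J.SMITH|term=10.2.2.20|logon=OK",
]
OS_EVENTS = [   # constructed sshd-style lines from the SAP application server
    "2016-07-14 08:00:40 sapprd01 sshd: Failed password for prdadm from 10.1.1.50",
    "2016-07-14 08:00:52 sapprd01 sshd: Failed password for root from 10.1.1.50",
]
DB_EVENTS = [   # constructed database audit lines
    "2016-07-14 08:00:58|DB|HDB|user=SYSTEM|host=10.1.1.50|result=FAILED",
    "2016-07-14 08:03:10|DB|HDB|user=SAPPRD|host=10.2.2.20|result=OK",
]

def parse_sap(line):
    ts, _layer, system, *kv = line.split("|")
    fields = dict(part.split("=", 1) for part in kv)
    return {"ts": datetime.fromisoformat(ts), "layer": "sap", "system": system,
            "user": fields["user"], "src": fields["term"],
            "ok": fields["logon"] == "OK"}

def parse_os(line):
    # "<date> <time> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
    date, time, host, _daemon, *rest = line.split()
    return {"ts": datetime.fromisoformat(f"{date} {time}"), "layer": "os",
            "system": host, "user": rest[rest.index("for") + 1],
            "src": rest[rest.index("from") + 1], "ok": rest[0] != "Failed"}

def parse_db(line):
    ts, _layer, system, *kv = line.split("|")
    fields = dict(part.split("=", 1) for part in kv)
    return {"ts": datetime.fromisoformat(ts), "layer": "db", "system": system,
            "user": fields["user"], "src": fields["host"],
            "ok": fields["result"] == "OK"}

def normalise():
    """All three layers in one common schema, ordered by time."""
    events = [parse_sap(l) for l in SAP_EVENTS]
    events += [parse_os(l) for l in OS_EVENTS]
    events += [parse_db(l) for l in DB_EVENTS]
    return sorted(events, key=lambda e: e["ts"])

def cross_layer_failures(events, window=timedelta(minutes=5), min_layers=2):
    """Flag a source address with failed logons on at least `min_layers`
    distinct layers inside `window`. Individually these are a handful of
    failures per layer; together they are one actor walking the stack."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            layers = {f["layer"] for f in in_window}
            if len(layers) >= min_layers:
                alerts.append({"src": src, "layers": sorted(layers),
                               "users": sorted({f["user"] for f in in_window}),
                               "first": first["ts"], "last": in_window[-1]["ts"]})
                break  # one alert per source is enough for the analyst
    return alerts

if __name__ == "__main__":
    for alert in cross_layer_failures(normalise()):
        print(alert)
```

Run stand-alone it reports a single alert for 10.1.1.50 spanning the os, db and sap layers. The normalisation step is the part worth copying: once every layer carries the same `src`, `user`, `ok` and `layer` fields, the correlation rule is a few lines, and the same rule covers the network and other components the post lists without any SAP-specific logic.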

Consider your interfaces

SAP is delivered open in order to facilitate the transfer of data with other systems. If a closely coupled application is compromised, there is a chance that business processes can be manipulated using modified data transmitted via the interface. To gain better control of your interfaces:

  • Understand that responsibilities exist beyond the immediate custody of the asset
  • Classify interfaces for data and process sensitivity
  • Whitelist permitted interface connections
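The three bullets above can be turned into a repeatable review of an interface inventory. The following is an added example, not from the Turnkey post and not SAP's own tooling: the interface records, the host names, the allowlist and the field names are constructed assumptions. Each interface is classified by data and process sensitivity, the classification decides which controls it must carry (here transport encryption, which ties back to the encryption principle earlier in the post, and no saved logon data on sensitive connections), every connection must match an explicitly permitted (source, target) pair, and every interface must have an accountable owner, since responsibility extends beyond the asset in your own custody.

```python
"""Classifying and allowlisting SAP interface connections.

Added example, not from the Turnkey post and not SAP's own tooling: the
inventory, allowlist and field names are constructed assumptions. Sensitivity
classification drives the required controls, and only explicitly permitted
(source system, target host) pairs may exist.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Interface:
    name: str
    source: str               # system that owns the connection definition
    target: str               # host the connection points at
    data_class: str           # "public" | "internal" | "confidential"
    process_class: str        # "informational" | "transactional" | "financial"
    encrypted: bool           # transport encryption (e.g. SNC or TLS) enabled
    stored_credentials: bool  # logon data saved inside the connection definition
    owner: str                # accountable party, possibly outside SAP custody

# Constructed allowlist: every permitted (source system, target host) pair.
ALLOWLIST = {
    ("PRD", "bank-gw.internal.example"),
    ("PRD", "hr-portal.internal.example"),
    ("PRD", "reports.internal.example"),
}

# Constructed inventory, as you might export it from the connection definitions.
INVENTORY = [
    Interface("PAYMENTS", "PRD", "bank-gw.internal.example", "confidential",
              "financial", True, False, "Treasury"),
    Interface("HR_SYNC", "PRD", "hr-portal.internal.example", "confidential",
              "transactional", False, True, "HR Systems"),
    Interface("KPI_FEED", "PRD", "reports.internal.example", "internal",
              "informational", False, False, "BI Team"),
    Interface("LEGACY_EXPORT", "PRD", "ftp-old.example", "internal",
              "transactional", False, True, ""),
]

def sensitivity(iface):
    """Highest of the data and process classifications, on a 0..2 scale."""
    data_rank = {"public": 0, "internal": 1, "confidential": 2}
    proc_rank = {"informational": 0, "transactional": 1, "financial": 2}
    return max(data_rank[iface.data_class], proc_rank[iface.process_class])

def findings(iface, allowlist=ALLOWLIST):
    """Return the control gaps for one interface; an empty list means compliant."""
    gaps = []
    if (iface.source, iface.target) not in allowlist:
        gaps.append("not on allowlist")
    level = sensitivity(iface)
    if level >= 1 and not iface.encrypted:
        gaps.append("transport encryption required")
    if level >= 2 and iface.stored_credentials:
        gaps.append("stored credentials not permitted for sensitive interface")
    if not iface.owner:
        gaps.append("no accountable owner")
    return gaps

def review(inventory=INVENTORY, allowlist=ALLOWLIST):
    """Map each interface name to its list of gaps."""
    return {i.name: findings(i, allowlist) for i in inventory}

if __name__ == "__main__":
    for name, gaps in review().items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

Run stand-alone, only PAYMENTS passes; LEGACY_EXPORT is the case the post warns about, a transactional connection to a host nobody permitted and nobody owns. The thresholds in `findings` are the policy decision for your organisation; the value of the exercise is that the classification, the allowlist and the controls are written down and checked together rather than living in individual administrators' heads.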

It is often said that a data centre can be "assumed secure" without any further qualification. By ensuring that your SAP systems adhere to these fundamental principles, you reduce your reliance on the network and data centre perimeter being secure, and take control of the security of your SAP systems yourself.
