How to protect SAP within your Data Centre

Hosting business applications and data is not a new concept. Mechanisms, terminology and custody can change in an industry that is always seeking the ‘next big thing’, but enduring InfoSec principles apply regardless of where data resides. In this blog I will be primarily referring to SAP, however the themes apply to any ERP vendor.

InfoSec 101 is as relevant now as it has ever been

SAP systems have traditionally fallen under the “fortress” model of security where control of the perimeter is the primary defence. That model is outmoded as collaboration and integration is required to get value out of business process platforms. Key principles that help you to secure your information assets include:

• Applying your InfoSec standards to all assets
• Hardening your systems, to vendor spec/recommendations at a minimum
• Reducing your threat surface by deactivating unnecessary services
• Encrypting data in transit and rest
• Ensuring that dialog between security, technical and application teams is frictionless
• Enforcing penalties for non-compliance to security standards, policies and processes

Use vendor-delivered tools

ERP vendors invest heavily in security. Systems Integrators tend to regard it as an overhead, so once a project is put into action it’s left to the client to implement anything more than basic capabilities. Often, design decisions have been made that make it difficult to retrofit security efficiently. SAP delivers a number of tools that can be used to protect your SAP applications:

• Encrypt traffic (Secure Network Connection, VPN)
• Monitor security configuration (Solution Manager Configuration Validation)
• Perform proactive threat detection (Enterprise Threat Detection)
• Consider the vendor ecosystem e.g. Onapsis and VirtualForge for products with best-in-class capabilities

Integrate with Security Information and Event Management (SIEM)

SAP is a critical business asset yet the application stack is rarely monitored under existing SIEM frameworks. While attacks on SAP can be application specific there are numerous generic infrastructure components, for example networking, operating system and database, that can be compromised with the same net effect as directly targeting the SAP application. Improve your security position by:

• Leveraging the tools and processes of your Security Operations Centre
• Monitoring SAP and infrastructure components using your SIEM tools and supporting processes

Consider your interfaces

SAP is delivered open to facilitate the transfer of data with other systems. If a closely coupled application is compromised then there is a chance for manipulation of business processes using modified data transmitted via the interface. To gain better control of your interfaces:

• Understand that responsibilities exist beyond the immediate custody of the asset
• Classify interfaces for data and process sensitivity
• Whitelist permitted interface connections

It is often said that a data centre can be "assumed secure" without any further qualification. By ensuring that your SAP systems adhere to a number of fundamental principles, you are reducing reliance on the network/data centre perimeter to be secure and taking control of the security of your SAP systems.