Busting 3 Common Myths Around SAP Security

SAP® is undoubtedly a world leader in mission-critical business applications. 92% of the Forbes Global 2000 have standardized on SAP to power their operations and fuel the global economy. With more than 400,000 organizations using SAP, 77% of the world’s transactional revenue touches an SAP system. These organizations include the vast majority of pharmaceutical, critical infrastructure and utility companies, food distributors, defense contractors and many more. An orchestrated and successful attack on unprotected SAP systems could have far-reaching consequences.

Let’s take a look at some of the top myths around SAP security and use these insights to help make better decisions to keep your organization secure.

Myth #1: Attackers do not know about SAP so I don’t need to worry about it.

In a recent threat intel report released by SAP and Onapsis, we found that threat actors are actively exploiting business-critical SAP applications, using techniques and expertise specific to SAP. SAP systems are complex, but threat actors have been upgrading their tools and knowledge and are leveraging specific CVEs and CWEs that can be used to compromise SAP applications.

While in the past it may have been true to some extent that threat actors had less expertise around mission-critical applications, this has changed in the last few years: we have observed threat actors sharing information on how to attack and compromise ERP applications, as well as the active exploitation and compromise of SAP systems.

The research we share in this report will help defenders better understand the cybersecurity and compliance risk to their critical business processes and data, as well as how to address and mitigate this risk, ensuring their crown jewels are protected from internal and external threats.

Myth #2: I have a dedicated SAP security team so I’m covered.

SAP used to be a black box that businesses installed and trusted implicitly, but today almost every organization has a mature SAP security team keeping an eye on access controls, authorizations, roles and profiles. These tasks are critical to ensure that employees across the globe can access SAP applications to perform the required business processes, while at the same time ensuring they have permission to do only what they need and cannot access anything outside of that realm. SAP environments contain many accounts that can easily be abused to give threat actors full administrator privileges, and this is an area on which organizations should focus.

SAP security involves much more than just restricting access and authorizations across the different systems. Due to the nature and complexity of the technology that supports SAP applications, specific controls need to be in place to ensure that SAP customers are properly deploying, configuring and maintaining those applications.

Myth #3: Enforcing controls in SAP applications should only focus on production.

Auditing is essential to enabling the visibility needed for monitoring system activity across the SAP environment. Auditing SAP applications is a time-consuming effort, and because of that, auditors sometimes focus on just one subset of the environment. SAP landscapes are large, complex and extremely interconnected, so applying and checking controls only in the production environment (which most of the time means one production system, one application server and one client) is not enough to ensure that business data and processes are properly protected. The entire landscape should be in scope for security controls and governance, as there are countless ways to traverse the different building blocks and components that make up an SAP landscape, starting from one client on one system and eventually landing with full access to the production environment, which is a clear compliance violation.

Additional Resources

Risk, cybersecurity and SAP leaders should implement a specific mission-critical application security program as part of their overall cybersecurity and compliance strategy to protect these applications effectively and comprehensively. To support SAP customers that require investigation, threat remediation and additional post-compromise security monitoring, Onapsis is offering a Free Rapid Assessment and, in partnership with SAP, a 3-month free subscription to The Onapsis Platform for Cybersecurity and Compliance.

Download and read the full threat report to assess whether you are at risk and which actions to take immediately to protect your business, and meet us at RSA, where we will debunk more myths around mission-critical applications and make a special announcement.