How to Secure SAP Cloud Extensions
As organizations mature their digital transformation initiatives and adopt innovation across business processes, there is often a cloud-based component in the equation. And when it comes to business processes, some of them can be adopted in a more standard fashion than others. Some examples of these are Human Capital Management, Procurement or Travel expenses, where a pure cloud SaaS solution can help organizations adopt standard processes while getting all the advantages of the latest innovation served in the cloud. Despite that, many SAP customers still want to add new specific functionalities to their existing business processes supported by SAP applications in the cloud. In the SAP on-premises world, adding new functionalities usually involves complex development efforts. The code needs to be written, tested and transported into SAP systems. Benefits include extensive flexibility within the ABAP programming language whereas potential drawbacks are also obvious: high development and maintenance costs including new potential security vulnerabilities.
In the cloud, however, there are ways to keep your core system stable while adding new business functionalities rapidly, which is the concept of SAP cloud “extensions.”
With the concept of extensions, SAP offers a great way to make it easier for customers and partners to personalize and extend their existing SAP cloud applications. But, what do these enhancements mean for system, application and information security? Are these new extensions more or less safer than classical custom code and configuration adaptations?
Let’s take a deeper look into this.
Concept of “Extensions”
The functionality of SAP cloud applications can be increased via extensions. Extensions run separately to the standard SAP software, therefore customers are able to manage the corresponding software lifecycle completely independently from the SAP core. The customization or the enhancement of the SAP system can either be done through an “in-app extension” or a “side-by-side extension”.
The objective for both types of extensions is often either a higher reach or an increase in the scope of an application. An increase of reach is, for example, the availability of an application for devices or applications outside of the company’s network, like for suppliers or customers. This would increase the reach of the application and the exposure for the company, but it also will increase the overall attack surface. Another goal for an extension is to increase the scope of the application. For example, an increased scope can be used to enhance internal analytical reports. New data sources (i.e. Internet of Things sensors or social data) can be included in those reports for more precise analytics.
In-app vs Side-by-side Extensions
In-app extensions are, as the name indicates, enhancements or changes within an application. This can be minor changes, like changing fields, tables or parts of the user experience. These changes can be easily implemented by a strong business user. An example of a more sophisticated change is modifying or adding business logic to an application, which would demand a more technical user. All of the in-app extensions that are supported by SAP are considered “upgrade safe” meaning that whatever changes the organization introduces as an in-app extension will not impact the ability of the application to be updated or upgraded. There are a great deal of benefits towards consuming in-app extensions as long as the functionality that the organization wants to build can actually be built with that framework. For example, the in-app extension framework available in SAP SuccessFactors is called Metadata Framework Objects (MDF), but this same concept applies to most business applications.
What happens when the organization needs to “extend” the functionality of the core cloud application but is not able to do so through in-app extensions? Side-by-side extensions are the answer and counterparts to in-app extensions. They are completely decoupled from the cloud application and run separately, which enables them to integrate more easily with external data sources, like other SAP cloud applications, third-party applications or social data. The decoupling from SAP systems opens up a lot of new potential business use cases, but it also opens up a completely new attack surface for hackers, which the business has to be aware of. Side-by-Side extensions are usually built as Multi-Target-Applications (MTA).
Security for Extensions Matters
Now let’s put all the benefits of extensions aside and focus on the system, application and information security part. The latest data breaches from Facebook, MyFitnessPal and Marriott Hotels should remind us that security should be one of the top priorities when it comes to our daily business. The key security goals in the context of information security are:
- Availability: Ensure that authorized parties are able to access the information at any time
- Integrity: Protect information from being modified by unauthorized parties
- Confidentiality: Protect information from disclosure to unauthorized parties
Having these InfoSec goals in mind, an extension can dramatically increase the likelihood of a security vulnerability. Either through their increased reach or increased scope. Therefore, standards like OWASP, BIZEC TEC/11 and BIZEC APP/11 should be top of mind during the development and configuration of SAP extensions. Examples from these standards include:
- Does the extension have the right authority checks in place?
- Is any critical data disclosed? If yes, does it need to be disclosed in a business context?
- Are the interfaces secured?
- Is the communication encrypted?
Knowing how complex it is to secure an application, keeping it secure and defending it against attackers, we have developed several solutions to assess and protect business applications from a diversity of risks such as custom code vulnerabilities, misconfigurations, missing patches or insecure interfaces. When moving to cloud-based applications, it is important that we support our customers in this endeavor, especially when it comes to the scanning of Multi-Target-Applications.
With a detailed analysis of your custom code, system configurations and vulnerabilities, we provide you with comprehensive protection of your ERP systems and business applications. If you are interested in learning more about how we can help you, visit our Onapsis for cloud applications page.