Beyond Firewalls: Enhancing SAP Security with Granular Access Control
Christoph Nagy, a founding member and CEO at SecurityBridge, discusses in depth how companies can enhance their SAP security initiatives with granular access control. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
The digital landscape is broad, encompassing personal devices such as tablets and smartphones that tap into corporate networks as well as the vast software stack that governs business processes. These digital assets are interconnected, and their data flows are visible to bad actors. For these reasons, it’s paramount to create a hierarchy of software access permissions so that only trusted individuals can work with such important business processes. For platforms such as SAP that touch nearly every part of a business, the importance of Access Control Lists (ACLs) can’t be overstated.
The Ubiquity Of SAP
SAP stores financial, procurement, supply chain, customer, and HR information—and it can’t have open-access or weak cybersecurity policies. Without a thoughtful cyber defense plan, financial loss, reputational damage, and legal ramifications are possible when ransomware holds intellectual property hostage. Firewalls are traditional means of protecting the edge, but they often won’t stop a malicious actor from getting into internal systems and data repositories, like SAP systems.
Firewalls: A Traditional Defense, But Not Enough for SAP
In a typical SAP platform, interfaces such as RFC (Remote Function Call) and HTTP let users interact with the system through browsers and apps. The platform is known for the tight integration between SAP’s database and application server. This access comes in addition to the Lightweight Directory Access Protocol (LDAP), which is used for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Firewalls are not enough to secure an SAP environment. A firewall can handle traffic filtering, packet inspection, and network segmentation, but that differs from the kind of granular SAP security needed to mitigate the risk posed by internal users and systems that already have access.
Hardening SAP: Network-Level Security Does Not Cut It
Managing ACLs is an excellent method to augment firewall security because it allows for granular distinction, and it can be controlled from the SAP application level for multiple components such as:
- Message Server: Central component used in SAP ABAP and Java stacks.
- Internet Communication Manager (ICM): Mainly used for HTTP(S) and SMTP protocols.
- RFC Gateway: RFC communication between SAP systems and external programs.
Remember that an ACL is a rule set that either ‘permits’ or ‘denies’ a certain connection to the component. For the message server, the rule set defines which hosts are allowed to access that component in the SAP system. Without this definition, any host that can reach the message server can access other business applications.
ACLs are not new, but they often lie unused or are not used as thoroughly as they should be. This negligence can result from time shortage, lack of insight into the landscape architecture, or a misguided notion that network security alone is sufficient. Regardless of the reason for their underutilization, implementing an ACL requires adequate care. Therefore, keep the following guidelines in mind:
- Insight into landscape architecture is paramount to identify related systems/components upfront.
- Use additional logging/tracing to identify missing connections.
- Implement ACLs at non-production systems first.
- Allow considerable time (weeks or months) for the preceding two steps. This includes connectivity that is rarely used but may be critical.
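The logging and non-production steps above amount to a dry run: check every source host seen in a trace against the planned rule set and find the entries that are still missing before the ACL is enforced. The following Python is an added example, not code from the article or from SecurityBridge; the rule syntax is an assumption modeled on the ICM-style `permit`/`deny <network>/<prefix>` line format, and the ACL text and observed source addresses are constructed sample data.

```python
import ipaddress

# Constructed example ACL. Assumption: ICM-style "permit|deny <network>/<prefixlen>"
# lines, evaluated top to bottom, first match wins, '#' starts a comment.
ACL_TEXT = """\
# application servers and the administration host
permit 10.10.1.0/24
permit 10.10.5.7/32
# everything else is denied
deny 0.0.0.0/0
"""

# Constructed sample of source addresses recorded in a connection trace before enforcement.
OBSERVED_SOURCES = ["10.10.1.15", "10.10.5.7", "10.10.9.3", "192.168.40.2", "10.10.1.200"]


def parse_acl(text):
    """Return a list of (action, network) tuples; blank lines and comments are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: unparseable ACL entry {raw!r}")
        rules.append((parts[0], ipaddress.ip_network(parts[1], strict=False)))
    return rules


def evaluate(rules, source):
    """First matching rule decides. Assumption: a configured ACL denies anything it does
    not list, while no ACL at all accepts every host (the open state described above)."""
    if not rules:
        return "permit"
    addr = ipaddress.ip_address(source)
    for action, net in rules:
        if addr in net:
            return action
    return "deny"


def dry_run(acl_text, sources):
    """Map each observed source to its verdict so missing entries show up before go-live."""
    rules = parse_acl(acl_text)
    return {src: evaluate(rules, src) for src in sources}


if __name__ == "__main__":
    for src, verdict in dry_run(ACL_TEXT, OBSERVED_SOURCES).items():
        print(f"{src:15} -> {verdict}")
```

Any source that the trace shows as legitimate but the dry run reports as `deny` is a missing entry to investigate before the rule set reaches production.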
SAP comes with native security. However, additional controls are needed to check the ACL configuration of the various components and provide a holistic view of the Web Dispatcher, ICM, and RFC Gateway security status. This centralized view provides valuable insight so that ACLs can be configured consistently across the landscape and improved according to recommendations. The SAP Help pages for the components mentioned above are a good place to start.
A Multi-Layered Approach: The Key to Comprehensive SAP Security
Firewalls can protect the perimeter, but ACLs are needed to guard internal systems and data repositories. Implementing SAP ACLs will enhance data protection, mitigate risks, and maintain accountability. As technology evolves, organizations must prioritize comprehensive security measures like SAP ACLs to ensure critical business information remains confidential, untainted, and available. Otherwise, you could be paying a hefty ransom, repairing your image, and spending too much time in court dealing with regulatory fines.