SAP security administrators and SAP technical consultants must often feel like sheriffs in the old west. Just as sheriffs had to protect their towns from gunslingers while staying within the confines of the law, SAP security teams find themselves situated in between hackers and malware authors on one side (wearing the black hats) and auditors (wearing the white hats) on the other side. How can you win this battle? If you focus too much on protecting your SAP system from attackers (e.g., setting security authorizations, parameters, and controls), you may leave another part of your system noncompliant.
In her article on GRC Expert titled “10 Tips to Ensure Compliance Doesn’t Slip After a GRC 10.0 Go-Live,” Nicola White states that “SAP BusinessObjects GRC solutions make it relatively easy to increase the quality of both the controls and the reporting. However, it can be difficult to find staff with the skills and capability to match the technology in place, outside of the project team.
The organization risks noncompliance if controllers are unable to interpret the monitoring information they are provided. An example is the use of firefighter (emergency access management in version 10.0 of SAP BusinessObjects Access Control) whereby reviewers are required to examine audit logs post-usage. Finding staff with the requisite functional and technical expertise to conduct more than just a superficial review can prove daunting. Performing a detailed review of firefighter usage is laborious and often underestimated in terms of time, effort, and pre-existing knowledge.”
With regard to the issue of vulnerabilities in SAP systems, certified SAP technical consultant Saul Christie wrote in his blog in March 2010 that if an attacker enters your network, “then as the SAP technical consultant you need to make sure that you are completely blameless should he get onto your SAP system. You can blame your security team as much as you like, but if you have technical security holes at the OS, DB, or application level, then they blow any SAP security policies clean out of the water.”
Christie’s comment about security holes was echoed on August 4 at the annual Black Hat conference in Las Vegas. At the conference, Alexander Polyakov, SAP security expert and chief technical officer at ERPScan, a company that researches enterprise resource planning security with a particular focus on SAP security, demonstrated how a hacker can gain access to SAP systems via a hole in the Java 2 Platform, Enterprise Edition engine in SAP NetWeaver. According to an article in PC World, SAP reacted to the demonstration by announcing that it plans to collaborate with Polyakov in developing a patch for the NetWeaver vulnerability. So SAP technical consultants and security administrators dodged a bullet last week by learning a lesson about a key vulnerability without suffering an attack.
Please feel free to post comments about challenges that you face in remaining compliant while implementing an SAP system. I’m curious to see what you have to say about this issue.