
Monitor Your SAP Systems to Identify Vulnerabilities — Before an Attacker Does

Safeguard Your Systems with Proper Configuration and Consistent Monitoring

by Alexander Polyakov | SAPinsider, Volume 15, Issue 4

October 1, 2014

As threats to data housed in business applications proliferate, stringent security precautions are more worthwhile than ever. Learn how proper configuration and consistent monitoring can safeguard your systems against cybercrime.

 

An enterprise’s SAP systems function as its nerve center, housing and directing its most vital business processes. The data stored in business applications such as SAP ERP, SAP Business Warehouse (SAP BW), and SAP Customer Relationship Management (SAP CRM) is highly sensitive, and any illegal access can result in enormous losses and potentially paralyze a business. From 2006 to 2010, according to the Association of Certified Fraud Examiners (ACFE), losses to internal fraud constituted 7% of an organization’s yearly revenue.[1] Many organizations do not do enough to ensure that their systems are secure.


An Evolving Threat

There has been a persistent misconception that SAP ERP security boils down to a segregation of duties (SoD) matrix. This is a myth. In reality, there are threats across the spectrum, including both internal and external attacks on SAP routers, SAP Enterprise Portal, and even business applications such as SAP ERP, SAP CRM, and SAP BW.

There were roughly 100 documented security weaknesses in SAP customer environments in 2009. As of July 2014, this number had skyrocketed to more than 3,000.[2] The number of attacks is increasing as well, with the discovery of the first SAP-specific worm targeting SAP clients and stealing login data in 2013.[3]

SAP is taking commendable steps in its software development lifecycle (SDLC) process and decreasing the number of vulnerabilities in new platforms by deploying internal processes with assistance from companies like ERPScan. Nevertheless, making solutions more secure is not the same as customers configuring them correctly at the outset.

When companies deploy SAP systems, they create thousands of different configuration tweaks in multiple platforms, each with a discernible impact. Unfortunately, any configuration issues that arise are not always easy to patch in real time as they can directly affect business processes.

Configuration vulnerabilities can result in unauthorized access to SAP systems, creating problems even for organizations that successfully manage their SAP solutions for governance, risk, and compliance, such as SAP Access Control.

Secure Your SAP Platform

 With the ERPScan Security Monitoring Suite for SAP systems, you can continuously monitor all tiers of SAP security, including patch management, configuration, source code security, and SoD. It is specifically designed for enterprise systems to continuously monitor changes in vast SAP landscapes, generate and analyze trends on user-friendly dashboards, manage risks and tasks, and export results to external systems. These features enable centralized and easy management of your SAP system security.

Learn More

The largest companies across industries such as oil and gas, banking, and retail have successfully deployed the ERPScan Security Monitoring Suite for SAP systems to monitor the security of their critical SAP infrastructures. Learn more at www.erpscan.com.

[1] ACFE, “Report to the Nations on Occupational Fraud and Abuse” (2014; www.ACFE.com/RTTN).

[2] ERPScan, “Analysis of 3,000 Vulnerabilities in SAP” (2014; http://erpscan.com/publications/analysis-of-3000-vulnerabilities-in-sap/).

[3] See www.darkreading.com/attacks-breaches/is-a-tsunami-of-sap-attacks-coming/d/d-id/1140813?


Alexander Polyakov

CTO
ERPScan


