An enterprise’s SAP systems function as its nerve center, housing and directing its most vital business processes. The data stored in business applications such as SAP ERP, SAP Business Warehouse (SAP BW), and SAP Customer Relationship Management (SAP CRM) is highly sensitive, and any illegal access can result in enormous losses and potentially paralyze a business. From 2006 to 2010, according to the Association of Certified Fraud Examiners (ACFE), losses to internal fraud constituted 7% of an organization’s yearly revenue.[1] Many organizations do not do enough to ensure that their systems are secure.
An Evolving Threat
There has been a persistent misconception that SAP ERP security boils down to a segregation of duties (SoD) matrix. This is a myth. In reality, there are threats across the spectrum, including both internal and external attacks on SAP routers, SAP Enterprise Portal, and even business applications such as SAP ERP, SAP CRM, and SAP BW.
There were roughly 100 documented security weaknesses in SAP customer environments in 2009. As of July 2014, this number had skyrocketed to more than 3,000.[2] The number of attacks is increasing as well, with the discovery of the first SAP-specific worm targeting SAP clients and stealing login data in 2013.[3]
SAP is taking commendable steps in its software development lifecycle (SDLC) process and decreasing the number of vulnerabilities in new platforms by deploying internal processes with assistance from companies like ERPScan. Nevertheless, there is a difference between SAP making its solutions more secure and customers configuring them correctly at the outset.
When companies deploy SAP systems, they create thousands of different configuration tweaks in multiple platforms, each with a discernible impact. Unfortunately, any configuration issues that arise are not always easy to patch in real time as they can directly affect business processes.
Configuration vulnerabilities can result in unauthorized access to SAP systems, creating problems even for organizations that successfully manage their SAP solutions for governance, risk, and compliance, such as SAP Access Control.
Secure Your SAP Platform
With the ERPScan Security Monitoring Suite for SAP systems, you can continuously monitor all tiers of SAP security, including patch management, configuration, source code security, and SoD. It is specifically designed for enterprise systems to continuously monitor changes in vast SAP landscapes, generate and analyze trends on user-friendly dashboards, manage risks and tasks, and export results to external systems. These features enable centralized and easy management of your SAP system security.
The largest companies across industries such as oil and gas, banking, and retail have successfully deployed the ERPScan Security Monitoring Suite for SAP systems to monitor the security of their critical SAP infrastructures. Learn more at www.erpscan.com.
[1] ACFE, “Report to the Nations on Occupational Fraud and Abuse” (2014; www.ACFE.com/RTTN).
[2] ERPScan, “Analysis of 3,000 Vulnerabilities in SAP” (2014; http://erpscan.com/publications/analysis-of-3000-vulnerabilities-in-sap/).
[3] See www.darkreading.com/attacks-breaches/is-a-tsunami-of-sap-attacks-coming/d/d-id/1140813?