Why do you need an SAP cybersecurity framework?

If you have opened this article, you understand that SAP security and ERP Security in general deserves special considerations. Just look at the number of issued SAP Security Notes – more than 3500 of them released now. Also, more arguments provided in an article about ERP Vulnerability Management. Just to give you an idea: ERP systems contain special components, handle critical assets, and employ specific security controls.

Let’s take a look at SAP security controls. They can be roughly divided into three categories:

1. Business logic controls (e.g. Access control, Authorizations, Segregation of Duties, User Behavior analytics).
2. Code security controls (e.g. Custom code review, Backdoor scan, Authorization Checks).
3. Application platform controls (e.g. Patch Management, Secure Configurations, Passwords, Secure Communications, Disabling Unnecessary Services, Auditing, Change controls, Batch Job, Management controls, etc.).

No need to say that SAP security controls should be integrated with enterprise security controls. For example, data classification rules should be uniform throughout the SAP systems and the whole organization. Enterprise SIEM should be able to identify a business transaction to which set of security events is connected. User access should be managed centrally across the enterprise in IDM.

Furthermore, aforementioned SAP security controls exist not on their own. They enforce enterprise security policies in place that establish priorities, methodologies, and approaches. Moreover, SAP security controls should ensure compliance with a bunch of security related requirements and regulations: HIPAA, PCI DSS, SOX, FISMA, ISO 27001 and so on.

Also, if an enterprise had established some kind of GRC program, SAP systems should be included in the scope of governance, risk and compliance processes.

So, we need to enforce enterprise-wide approaches in diverse and complex SAP architecture and, conversely, we need to integrate SAP-specific security controls into different layers of the current business environment.

In that kind of situations, frameworks come on stage. They provide what we need right now – different views on the same thing. SAP Cybersecurity Framework closes the gap between SAP security and enterprise security, as it

  • encompasses the essential and unifying components of SAP and enterprise security;
  • expresses the SAP structure (form) and behavior (functions);
  • embodies the SAP components, their relationships with each other and with the business environment;
  • provides unified definitions and context for two-way risk communication, security requirements management and quality assurance of SAP systems.

If I assured you SAP Cybersecurity Framework is a worthwhile thing, where do you get one?

I’m proud to announce that ERPScan will make freely available SAP Cybersecurity Framework at the RSA Conference 2017 in San Francisco. Come along and visit our booth 4140 in North Expo. You will get a brochure describing SAP Cybersecurity Framework and have an opportunity to talk to our experts in person.

Baseline SAP Security capabilities

Right now, I would like to share our minimalist approach to SAP security, which proves its effectiveness for hundreds of our clients. It’s shown in figure 1.

Baseline SAP Security Capabilities Figure 1 – Baseline SAP Security Capabilities

If you need to start SAP security from scratch or want to make your approach to SAP security more systematic, consider managing SAP security on the basis of vulnerability management. Why? Because that will inevitably force you to grow a baseline set of predict, prevent, detect, and react capabilities of your Security Team:

  • Predict. You will need to learn how to identify assets and assess vulnerability risks.
  • Prevent. You will minimize attack surface and choose and implement security controls based on risk assessment.
  • Detect. You will continuously monitor SAP system to detect any signs of compromise in proper time: scanning for vulnerabilities, collecting security events and correlating them with incidents.
  • React. You will be able to fix a situation in case of an incident, recover a loss, investigate, and learn lessons for the future.

And the main thing about vulnerabilities – they are really sexy. You could easily impress public showing them the myriads of ways to steal their secrets, destroy their work or interrupt business processes. These considerations could support buy-in of new security projects.

How to start off developing SAP security capabilities?

1. Develop an SAP Security Initiative and obtain management support

Present such information about your SAP system as: risks of operating SAP system, threats to business, compliance requirements, and value of information stored in the system.

On the one hand, there is no clear agreement in the industry on who should be responsible for possible SAP Security breach. There could be different answers: CISO, CIO, SRO, or even CFO, every organization should make its own decision.

On the other hand, there are a lot of parties interested in the proper functioning of SAP system: Information Owners, Application Owners, Business Process Owners, Audit Department, IT Department. You just need to establish good working relationships with them and show a dependency between SAP security and their area of responsibility.

If you properly show a causal connection between interrupting business processes and malfunctioning of the SAP system, clarify requirements to assets inside the system and find good allies, there’s a good chance organization will form SAP Security Working Group and provide it with a proper budget.

2. Assess current SAP security posture

Identify and communicate key problem areas: conduct audit (for example, a comprehensive SAP Security Audit by external specialists), assess technical risks, implement quick-win remediations, and outline security plan. The aim here is to understand where you are now and what you should do next.

3. Choose a set of controls and an approach to put them in place

There are plenty of references to choose controls from: ISO 27002, NIST 53-800 r4, COBIT 5.

Also, there is SAP-specific and technical in nature Enterprise Application Security Project (EAS-SEC), that provides guidance on implementing SAP security controls.

To get most out of SAP security controls, they should be integrated with IT Security Framework and aligned with enterprise security policies.

4. Start a vulnerability management program

Recently I’ve published an article about ERP Vulnerability Management. In short, you should repeat searching, prioritizing, and addressing vulnerabilities continuously. With each run, bit by bit, increasing the level of the system assurance.

Organization doesn’t have to patch all found vulnerabilities at once, rather prioritize actions and address the most critical part of issues. After all, you may don’t have enough resources to remediate all of the vulnerabilities. And don’t have to.

Speaking about resources, we come to the final step: tracking effectiveness of activities.

5. Develop metrics, report efficiency and compliance

You should be able to describe the state of affairs, the amount of work done, your tactical goals and future plans for any given time. All of that should be supported by the data.

Furthermore, if you can afford to conduct third party SAP pentest or SAP Security audit, it will seriously strengthen your arguments. One way or another, you should demonstrate the progress towards the reaching security goals: reliability of the SAP system, necessary degree of compliance and comfortable level of risk.

As it’s true for maintaining physical well-being, addressing security problems at early stages is easier than waiting until it becomes obvious even for your boss and clients.

So, analyze your SAP business context, manage vulnerabilities, handle incidents, report compliance and try to enjoy this.

Thank everyone, that’s it for today. SAP Security Framework will be reviewed and explained in the future series of articles on the ERPScan blog.

Do you want more?

Subscribe me to your mailing list