SAP HANA is a major element of any modern business application because it ensures effective management, storage, and processing of critical information such as employees’ personal data, financial and tax reports, information about material resources, depending on the modules enabled. An unauthorized access to this system can result in disruption of key business processes and data corruption. According to latest statements of SAP representatives, more than 7200 organizations have already implemented SAP HANA.
SAP HANA SECURITY RISKS
There are multiple risks related to SAP HANA systems. It should be also noted that they are specific for different SAP HANA solutions.
Data breaches (Espionage)
SAP HANA is responsible for storing business-critical data, which is a subject to multiple regulations. An unauthorized access to this information (credit card data, supplier data, customer data, SSNs, HR data, etc.) may lead to data breaches. ERPScan researchers have recently notified about SAP HANA security vulnerabilities related to default encryption keys, which are the same for every SAP installation that facilitates probability of breaches.
Embezzlement of funds (Fraud)
An access to SAP HANA Database enables an attacker to modify critical tables responsible for financial transactions. For example, attackers can manipulate any data about banking account. One of the possible attack vectors is modifying it to their own during transaction time and changing it back afterwards. The major drawback of SAP HANA Security is, as an in-memory database, it barely stores any data in files thus complicating forensic investigation of such modifications.
IoT and IIoT systems unauthorized access (Sabotage)
SAP HANA is known as a platform accumulating large streams of data from various systems, be it business applications or IoT devices from ICS network. Being connected to all these devices, SAP HANA is a tempting target for hackers as any access to SAP HANA automatically makes it possible to penetrate into thousands of interconnected devices.
Compliance penalties (Sabotage)
SAP HANA (as any other database) that stores the most critical data is a subject for multiple compliance regulations.
Any industry regulation (e.g. GLBA, HIPPA, FISMA, PCI DSS or GDPR) requires personal data protection. In case SAP HANA is improperly secured, it can be in the face of incompliance with the regulations and big fines.
SAP HANA VULNERABILITIES
The number of SAP HANA vulnerabilities is growing. The news is bursting with messages concerning regular vulnerabilities dangers in SAP HANA.
For now, the software developer has released more than 45 security patches for SAP HANA and all associated products. Each patch may be responsible for one or even dozens of vulnerabilities. The most critical vulnerabilities allow an attacker to remotely get control over SAP HANA XS application server and decrypt SAP HANA passwords.
HOW CAN OUR SOFTWARE BE OF HELP TO ENSURE SAP HANA SECURITY?
Being on-premises or cloud solution, ERPScan Security Monitoring Suite for SAPs contains a wide range of checks aimed to discover security issues specific to SAP HANA Systems including SAP HANA Database, SAP HANA XS application server, and SAP HANA S4. ERPScan’s leading position in this field has been confirmed by multiple awards. This is the only SAP SE-certified product on the market to identify, analyze and remediate all SAP security issues, and to enable powerful protection against cyberattacks and fraud. It embraces all three tiers of SAP security: vulnerability management, source code review for custom programs, and segregation of duties (SoD).