Last week, our team at DeltaGRiC Consulting concluded a full SAP cyber security audit for a major SAP customer in South Africa using the industry’s most respected tool: ERPScan, which was recently named the 2017 winner for best security monitoring solution by the Cybersecurity Excellence Awards.
Upon completion of this exercise, we feel it is important to share some of the learnings with other SAP CoE Managers, SAP cyber security enthusiasts, CISOs, CIOs and CFOs in Africa whose companies depend on SAP for their day-to-day operations. Perhaps they will pick up a lesson or two; our sole aim is to assist you on your company’s journey of securing its SAP landscape and to show you the blind spots you may have overlooked.
Recent research indicates that almost 90% of security experts anticipate more attacks on ERP systems, obviously because of their significance in the organisation. Whilst some may consider this figure overrated, it is worth pointing to previous predictions of attacks on critical infrastructure going back to 2010/11/12/13, made in various conference talks with proof-of-concept demonstrations, which are now coming to pass within the utilities industry, as seen for example in Ukraine last year.
As this was our second major engagement conducting a thorough application security exercise on a huge SAP landscape in Africa, we see similar trends in the maturity level of SAP cyber security in Africa, even when we compare these landscapes with those outside the continent.
To quickly paint a picture of the landscape:
- About 5,000 active users on SAP (multiple solutions: ERP, GRC, BobJ, Afaria, CRM, HANA, HCM …)
- Customer runs a hybrid infrastructure model: some of their SAP solutions sit within their internal company data centre, while other solutions run in the cloud.
- Customer had deployed a SAP Industry solution
- The customer performs regular Network Vulnerability Assessment (which gave them a false hope and assumption that they were secure)
- Customer also had some interesting Top Notch New Generation Firewall and Endpoint Technologies in place
Our Learnings and Conclusions:
Besides the fact that this was an exciting and interesting project for both our side and the client’s, there are nine takeaway lessons I would like to share:
- SAP cyber security is still a blind spot for many organisations; even to those who already claim to have a mature security programme.
- SAP GRC and Authorizations account for less than 15% of where your security work lies; there is a whole world of vulnerabilities, misconfigurations and even unnecessary services running active on your SAP landscape that you need to watch out for. (Trust me: your compliance violations are just a small piece of your SAP application security worries.)
- SAP custom applications (Z-programs): yes, they give you flexibility, extended functionality and/or ease of integration, but they are often plagued with vulnerabilities and could be your weakest link.
- Patch Management: Even when you implement your patches regularly, there are usually several notes which are not implemented properly leaving you exposed at the mercies of those who know where to look.
- Application Security is NOT Network security; Working with a huge consulting firm with expertise in Network vulnerability scan but not in conducting Enterprise Application security audits especially SAP is not the best strategy for any organisation.
- It is important to separate your SAP Application Security contracts from your SAP implementation contract; Don’t create a situation where your implementation partner is the footballer, coach, referee and goalkeeper at the same time. You will NEVER gain insight into the true picture of your SAP security posture.
- More often than not, customers leave unnecessary SAP “services” switched on without any checks, which poses additional threats to their landscape (this usually occurs out of misinformation or sheer ignorance on the part of the implementation team).
- Compliance is NOT Security; our customer here had so many compliance hats in place (ISO/IEC 27001) and yet were surprised to see what we found within their SAP landscape in the first two hours of commencing work with them.
- Threat Detection is very important in your SAP Application security programme; Continuous monitoring of vulnerabilities and also monitoring SAP traffic/logs for anomalies is a very crucial step to take in completing your journey. If you have invested in SAP applications, make some further investments to secure your investments.
If you are reading this and your company or business partners run SAP, operate in Africa, and are wondering whether you/they need to conduct an SAP Cybersecurity Assessment, or perhaps need an independent third-party assessment separate from your existing contracts (it will do you a lot of good), the DeltaGRiC team will be happy to assist you on your journey to an excellent security posture.
Send us a note: info[at]deltagricconsulting[dot]com or call +27 11 083 9828, we would be happy to share best practice with you.