
How to get started with DevOps for SAP

10 things you can do to get started on your journey to DevOps for SAP

There’s a compelling business case for adopting DevOps for SAP, but how do you make the move away from a traditional approach to development?

This ebook from Basis Technologies sets out 10 steps that can help you shift from waterfall-style change management to a fast, agile, responsive way of delivering business-enhancing innovation in SAP.



Taking Control of Profitability

Drive organizational performance with an advanced and purposeful approach to profitability management. Learn what Ventana Research believes are the technology requirements for taking control of the profitability management process, beginning with addressing the four main challenges to obtaining accurate measurement of costs and cost drivers.



SAP's Strategy for Industry 4.0

Read about SAP's Industry 4.0 strategy. Manufacturing companies are challenged to produce more high-quality, individualized products in an environment of constantly changing and varying customer demand. Companies recognize Industry 4.0 as a strategic priority for turning these challenges into opportunities, so that they can stay connected to customers and integrate partners.



An Intelligent Digital Supply Chain Is Key To Customer Centricity

Find out why companies must redefine the supply chain in a way that extends digitally to include product innovation, planning, manufacturing, execution, and service to deliver superior customer experiences, enable innovation, and gain market share.



Bring the Power Of Machine Learning Directly To Business Users

A new wave of disruption is hitting the analytics market: augmented analytics.

Machine learning infused in business intelligence and planning workflows helps users make decisions with confidence – without IT intervention or data science training. Read this brochure to learn how to bring the power of machine learning directly to business users.



Insights for Evaluating, Identifying, and Executing Cybersecurity for Your SAP Systems

by Jhansi Bandaru, PMP-Certified IT SAP Security/Compliance Lead

The sheer volume of data in SAP systems that demands optimum protection is increasing at unprecedented levels. As a result, the need for advanced, sophisticated cybersecurity mechanisms built on people, processes, and technology to prevent attacks aimed at compromising that information is also on the rise.

With private sector companies compelled to take on cybersecurity, it is forecast that some one trillion dollars will be spent on remedial measures through 2021. Currently, public sector organizations — for example, multinationals such as Bank of America and J.P. Morgan Chase — invest around $500 million a year in cybersecurity. Since SAP systems are considered some of the most mission-critical systems that organizations run, they will comprise a significant percentage of the cybersecurity market.

This blog provides advice on the methods companies running SAP software can use to best ensure their networks are secure, and it outlines the steps necessary to evaluate, identify, and craft effective cybersecurity umbrellas for SAP systems.

Step #1: Evaluate Your Security Blanket

Many systems managers consider SAP systems secure and robust because they have built-in authorization features. While this is partially correct, default installations and misconfigurations can introduce serious security issues that require remediation. These issues can be addressed using modern software that is solution-specific and appropriate for the issues that companies experience.

Phishing, ransomware, social engineering, malware, and the inherent vulnerabilities in the web applications and networks that make up an SAP data landscape each have their own weaknesses that must be tackled for any defensive protocol to be effective.

To detect the vulnerabilities within SAP systems, IT professionals need to conduct assessments that identify serious security risks and uncover the vulnerabilities in the components surrounding SAP systems, such as databases, hosts, and network architecture.

Like an individual’s personal health regimen, regular security checkups are essential to identifying these access issues before they spiral out of control, mitigating the risk from control deficiencies, and ensuring security administrators are following best practices. In an SAP environment, assessments of a system’s health include periodic appraisals of key application-layer IT general controls (ITGC) related to user access. Companies need to cover sensitive access monitoring, general access monitoring, and mitigating control assignment, as well as any other ITGC a system may evaluate.

These essential evaluations encompass a wide range of frameworks that identify system gaps and deliver cues and directions to seal security gaps in common vulnerabilities — such as risks in SAP NetWeaver Application Server for Java and cross-site scripting (XSS) attacks.

Beyond just SAP applications, it is crucial to evaluate every component of an existing security blanket, appraise options, and implement an enhanced security strategy utilizing tools such as Nmap (Network Mapper), Burp Suite, and the Nessus vulnerability scanner. Similarly, there are many other tools available on the market to assess and evaluate any other application that an organization has interfaced with SAP software. In particular, Sapyto is a potent tool that supports information security professionals in executing SAP penetration testing operations.

This protocol simulates ‘dummy’ cyber-attacks on an organization’s IT infrastructure to find the loopholes and gaps within existing systems and to determine whether the systems are sufficiently secure.

Step #2: Identify Your Weak Points by Performing SAP Penetration Tests

Many factors are involved in identifying the nature and methodology of SAP penetration tests. When effectively applied, they can help locate a myriad of vulnerabilities in SAP components, services, and work processes.

In addition, they can identify misconfigurations lurking within a system, assist in implementing effective methods to uncover and decode the behavior of potential hackers, and provide enough knowledge to prioritize remedial approaches.

Missing SAP security codes; users with default passwords or access to administration services; unsecured SAP gateways, SAP authentication, or SAP message service; insecure remote function call (RFC) interfaces or SAP routers; and the use of SAP network filtering or SAP web applications are some examples of the potential weak points in the average system uncovered during a routine SAP penetration test.

For example, during one penetration test, it was discovered that although the SAP infrastructure was securely separated from the users’ network, it was still possible to attack the network by gaining access to a user’s workstation, which, in turn, provided ready access to the SAP servers.

Step #3: Execute Penetration Testing from the Outside In

SAP penetration testing can be complicated and requires crafting an intelligently designed course of action that includes effective management and operational oversight.


During his presentation “Going from the Outside In: The Truth About Penetration Testing” at the June 2018 Cybersecurity for SAP Customers conference in Prague, Weidemann suggested implementing thorough security patching, as “SAP security patches stick to the ‘downwards compatible’ policy.” This means that applying security patches in many cases will require manual post-installation activities. “If these activities are not applied, the patch is not active, and the system remains vulnerable,” he says.

Weidemann also recommended establishing, monitoring, and enforcing an SAP security baseline. “Before going forward with a penetration test, use the SAP security baseline template security guide to help you detect any simple and well-known issues related to areas such as standard passwords, critical basis authorizations, insecure profile parameters, remote function calls (RFC), RFC gateway, and RFC callback security.”

He also strongly suggested “validating the first two challenges and finding the right person to do the penetration test: A general penetration tester may not be proficient in working in an SAP system; you need to use an SAP specialist who knows the SAP language.”

Strengthen Your Weakest Link

It’s a fact: cyber-criminals and hackers will infiltrate companies through their weakest link. Taking stock and knowing a company’s vulnerabilities are the first steps toward cybersecurity. Planning ahead for a guaranteed attempt by hackers to infiltrate the company’s system is the best way to thwart them.

At the same time, it is critical to understand the nature of the business and to research all possible threats that might harm the corporation. Companies should plan systematic audits to keep their environments clean of all sorts of viruses and should build a detailed overview of the rules and regulations that all employees have to follow to ensure the safety of the business.

After compiling the results of a rigorous SAP penetration test, companies should develop and implement security strategies accordingly, reducing the risks that have been uncovered before they are exploited by those cyber pirates that are up to no good.


About the Author:

Jhansi R Bandaru is a PMP-certified IT SAP Security/Compliance Lead with over 12 years of experience and expertise in design and implementation of SAP security, SAP HANA, SAP Business Warehouse (SAP BW), governance, risk, and compliance (GRC), audit, and controls. In addition, Jhansi has worked on several SAP ECC, SAP BW, and GRC upgrade and support-related projects and has managed several SAP security and GRC projects and teams. For more information, please email: jhansiratna@gmail.com.



Simplify Integration And Transform Your Organization Across Cloud And Hybrid IT Landscapes

SAP has consolidated and enhanced its suite of integration solutions and capabilities with the release of SAP Cloud Platform Integration Suite. Read this informative solution overview to discover how you can connect people, processes, data and devices everywhere, allowing people with different talent sets to leverage a wide range of integration tools, approaches and prepackaged content.



Data-Centric SAP Security: Strengthen Policy Enforcement and Align to Real-World Risk

Organizations realize that the contextual attributes related to data access can best determine risk. Where is a user coming from? What device are they accessing from? Are they accessing a data field that may be especially sensitive (e.g., salary info, direct deposit, social security, etc.)? Are they editing a data field in a problematic manner (e.g., increasing a PO amount, discounting, adding a vendor without documentation, editing master data, etc.)? Managing and enforcing business policies designed to prevent fraud and theft quickly becomes inadequate when provisioning static roles is the primary strategy for maintaining governance, risk, and compliance (GRC).

Attend this webinar to understand the myriad of business risks that exist in SAP ERP systems, and how a data-centric strategy that includes attribute-based access controls, fine-grained security, and real-time analytics can greatly strengthen your GRC strategies.

Topics include:
• Pitfalls of relying on static roles and the myriad of business risks that still remain
• How you can implement a strategy that tightly aligns context, data, and level of risk to ultimately determine user access
• How to streamline and centrally manage solutions designed to prevent data leakage (e.g., data masking)
• How using real-time, fine-grained analytics can accelerate how you identify, alert, and remediate business policy violations BEFORE the violation becomes costly


Preparing and Executing SAP S/4HANA Plans

87% of SAP customers have at least started evaluating the business case for SAP S/4HANA. Companies are moving towards SAP S/4HANA adoption largely because they see SAP S/4HANA as an opportunity to re-engineer business. To support this migration, SAP customers have to make many complicated decisions such as what type of infrastructure architecture will host their instances of SAP S/4HANA and whether to go with a greenfield new implementation, a brownfield system conversion, or a hybrid selective data transition. Hear SAPinsider Analysts discuss this critical issue and share results from a recent Benchmark report related to SAP S/4HANA Migration.
