Securing SAP Fiori Applications: 3 Quick Wins

Securing the SAP Internet Communication Manager (ICM) Services

SAP Fiori applications are implemented on top of the SAP NetWeaver ABAP Application Server, leveraging Open Data Protocol (OData) technology and the ICM among other things (Figure 1). Regardless of whether you use the SAP front-end server or SAP NetWeaver Gateway as the front-end component, you need to enable certain services in the ICM. In this front-end component, it is extremely important to understand which services are opened and avoid exposing other well-known SAP ICM services, such as the WEBGUI, SOAPRFC, or SAPINFO.

Figure 1 — Through the same HTTP server, a user might be able to log in to different SAP services, as shown above, where both SAP Fiori and the WEBGUI can be accessed in the same host.

Attackers could easily connect to the HTTP interface and launch brute-force attacks against these services, as well as against other dangerous ICM services that should be disabled, especially in an SAP Fiori environment. Disable them even if you already filter URL access through a web dispatcher: this gives you a “defense-in-depth” approach and a reduced attack surface.

To disable ICM services, connect with the SAP GUI and execute transaction code SICF (HTTP Service Hierarchy Maintenance). Through this transaction you can browse the ICM service hierarchy and disable the services you do not need.
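After deactivating nodes in SICF, it is worth confirming from the outside that the change took effect. The script below is an added example, not code from the original article: it sends unauthenticated requests to the standard ICF paths of the services named above and reports which ones still answer. The base URL is a constructed placeholder, the classification of status codes (403 for an inactive node, 401 for an active node that requires logon) is an assumption about the ABAP server's behaviour, and the `fetch` parameter exists only so the logic can be exercised without a live system.

```python
"""Verify which well-known SAP ICF services answer on a Fiori front-end server.

Added example: run it against the front end (over HTTPS, without credentials)
after hardening in SICF to confirm that the services named in the article are
no longer reachable while the Fiori services still are.
"""
import urllib.error
import urllib.request

# Standard ICF paths of the services discussed. A Fiori front end needs the
# first group active; the second group should be inactive on that host.
REQUIRED_SERVICES = {
    "Fiori launchpad": "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
    "OData (Gateway)": "/sap/opu/odata/",
}
EXPOSED_SERVICES = {
    "WEBGUI": "/sap/bc/gui/sap/its/webgui",
    "SOAPRFC": "/sap/bc/soap/rfc",
    "SAPINFO": "/sap/public/info",
}


def fetch_status(url: str, timeout: float = 10.0) -> int:
    """Return the HTTP status code of an unauthenticated GET of `url` (-1 on network error)."""
    request = urllib.request.Request(url, headers={"User-Agent": "icf-audit/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as error:
        return error.code  # 401/403/404 are answers, not failures
    except urllib.error.URLError:
        return -1


def classify(status: int) -> str:
    """Map a status code to an ICF node state.

    Assumption: the ABAP server answers an inactive SICF node with 403, an
    active node that requires logon with 401, and a public node with 2xx/3xx.
    """
    if status == 401:
        return "active (logon required)"
    if status in (403, 404):
        return "inactive or not reachable"
    if 200 <= status < 400:
        return "active (no logon required)"
    return "unexpected status %d" % status


def audit(base_url: str, fetch=fetch_status) -> dict:
    """Probe every listed service; return {name: (path, status, state, ok)}.

    `ok` is True when the observed state is what a hardened Fiori front end
    should show: required services active, the others inactive.
    """
    results = {}
    base = base_url.rstrip("/")
    for name, path in REQUIRED_SERVICES.items():
        status = fetch(base + path)
        state = classify(status)
        results[name] = (path, status, state, state.startswith("active"))
    for name, path in EXPOSED_SERVICES.items():
        status = fetch(base + path)
        state = classify(status)
        results[name] = (path, status, state, state == "inactive or not reachable")
    return results


def report(results: dict) -> list:
    """Return one human-readable line per service, flagging deviations with FIX."""
    lines = []
    for name, (path, status, state, ok) in results.items():
        flag = "OK " if ok else "FIX"
        lines.append("%s %-16s %-60s %4d %s" % (flag, name, path, status, state))
    return lines


if __name__ == "__main__":
    # Constructed placeholder; replace with your front-end server URL.
    for line in report(audit("https://fiori.example.internal:44300")):
        print(line)
```

Run it from the network segment your users sit in, not from the server itself, so the result reflects what the web dispatcher and firewalls actually let through.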

Securing the Integrations

For the SAP Fiori applications to be able to reach back-end data, interfaces and trust relationships are established across different systems. These interfaces are typically configured by executing transaction code SM59. The interfaces are Remote Function Call (RFC) connections to back-end systems.

For these integrations to be secure, as users will not be prompted for passwords to authenticate in the back-end systems, you must ensure tight controls around authorization object S_RFCACL in the back-end user base.

Make sure you have strict controls around:

  1. To whom the authorization object S_RFCACL is assigned
  2. How granularly the S_RFCACL authorizations are assigned to users: you can restrict the transactions they are allowed to execute, the clients they can connect from, and the permitted activity

This is of vital importance, as a compromise of the front-end system could be mitigated if these authorizations are properly set.
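A quick way to review the two points above is to run an authorization export through a script that flags wildcards in the trust-relevant fields. The block below is an added example, not code from the original article. The field names are the standard fields of authorization object S_RFCACL; the CSV layout (one row per user, role, field and value) is an assumed export format, and the rows themselves are constructed, not taken from a real system.

```python
"""Flag over-broad S_RFCACL trust authorizations in a back-end user export.

Added example. Wildcards in RFC_SYSID, RFC_CLIENT, RFC_TCODE or ACTVT, or an
open RFC_USER without RFC_EQUSER = Y, mean the trust is wider than a Fiori
front end needs.
"""
import csv
import io

# Constructed sample export (assumed CSV layout): user, role, field, value.
SAMPLE_EXPORT = """\
user,role,field,value
RFC_FIORI,Z_FIORI_TRUST,RFC_SYSID,FES
RFC_FIORI,Z_FIORI_TRUST,RFC_CLIENT,100
RFC_FIORI,Z_FIORI_TRUST,RFC_USER,*
RFC_FIORI,Z_FIORI_TRUST,RFC_EQUSER,Y
RFC_FIORI,Z_FIORI_TRUST,RFC_TCODE,*
RFC_FIORI,Z_FIORI_TRUST,ACTVT,16
BASIS_ADMIN,Z_ALL_TRUST,RFC_SYSID,*
BASIS_ADMIN,Z_ALL_TRUST,RFC_CLIENT,*
BASIS_ADMIN,Z_ALL_TRUST,RFC_USER,*
BASIS_ADMIN,Z_ALL_TRUST,RFC_EQUSER,N
BASIS_ADMIN,Z_ALL_TRUST,RFC_TCODE,*
BASIS_ADMIN,Z_ALL_TRUST,ACTVT,*
"""

# Fields where a wildcard widens the trust, with the reason reported.
WILDCARD_CHECKS = [
    ("RFC_SYSID", "trusts any calling system; name the Fiori front-end SID"),
    ("RFC_CLIENT", "accepts calls from any client of the calling system"),
    ("RFC_TCODE", "allows any transaction to be executed through the trust"),
    ("ACTVT", "allows any activity; restrict to the value actually needed"),
]


def parse_export(text: str) -> dict:
    """Group field values by (user, role): {(user, role): {field: {values}}}."""
    auths = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["user"].strip(), row["role"].strip())
        fields = auths.setdefault(key, {})
        fields.setdefault(row["field"].strip(), set()).add(row["value"].strip())
    return auths


def is_wildcard(values) -> bool:
    """True for a full wildcard (*) or a trailing-wildcard pattern such as FE*."""
    return any(value == "*" or value.endswith("*") for value in values)


def find_issues(auths: dict) -> list:
    """Return (user, role, field, reason) tuples for every over-broad field."""
    issues = []
    for (user, role), fields in sorted(auths.items()):
        for field, reason in WILDCARD_CHECKS:
            if is_wildcard(fields.get(field, set())):
                issues.append((user, role, field, reason))
        # RFC_USER may stay open only when RFC_EQUSER = Y forces the same user ID
        # on both sides; otherwise any user of the calling system is accepted.
        if is_wildcard(fields.get("RFC_USER", set())) and "Y" not in fields.get("RFC_EQUSER", set()):
            issues.append((user, role, "RFC_USER",
                           "any user of the calling system is accepted and RFC_EQUSER is not Y"))
    return issues


if __name__ == "__main__":
    for user, role, field, reason in find_issues(parse_export(SAMPLE_EXPORT)):
        print("%-12s %-14s %-10s %s" % (user, role, field, reason))
```

In the constructed data the Fiori service user is flagged only for an open RFC_TCODE, while the administrator's catch-all role is flagged on every field; that second pattern is exactly what turns a front-end compromise into a back-end one.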

Securing the Transport Layer

SAP Fiori relies on a complex architecture with multiple connections in between the client and the SAP systems. To ensure the data is sent securely, you should implement encryption in the following places:

  1. RFC connections between the front end and the back end, as business data flows through those connections. These connections can be encrypted using Secure Network Communications (SNC).
  2. HTTP connections between the client and the front end, as the client network will most likely be untrusted. These connections can be encrypted using Transport Layer Security (TLS).
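Both encryption points are driven by instance profile parameters on the front-end server, so a weak profile can be spotted before anyone tests a connection. The block below is an added example, not code or configuration from the original article: it parses a constructed instance profile fragment and checks the TLS port and SNC parameters. The parameter names are standard SAP profile parameters; the two profile fragments, the SID FES, the SNC identity and the library path are constructed values.

```python
"""Check an SAP instance profile for the transport-layer settings a Fiori
front end needs: an HTTPS port for browser traffic and SNC for RFC traffic.

Added example. The profile fragments are constructed; the parameter names are
standard SAP profile parameters.
"""

# Constructed weak profile: browsers reach the server over plain HTTP and
# RFC connections to the back end are not protected by SNC.
WEAK_PROFILE = """\
# constructed instance profile fragment (not from a real system)
SAPSYSTEMNAME = FES
icm/server_port_0 = PROT=HTTP,PORT=8000
snc/enable = 0
"""

# Constructed hardened profile: HTTPS only, logon tickets bound to HTTPS,
# SNC enabled with privacy protection and no fallback to unencrypted RFC.
HARDENED_PROFILE = """\
# constructed instance profile fragment (not from a real system)
SAPSYSTEMNAME = FES
icm/server_port_0 = PROT=HTTPS,PORT=44300,TIMEOUT=60
login/ticket_only_by_https = 1
snc/enable = 1
snc/gssapi_lib = /usr/sap/FES/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=FES, O=Example, C=DE
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_rfc = 0
"""


def parse_profile(text: str) -> dict:
    """Parse `key = value` lines; comments start with '#'. Values may contain '='."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def icm_protocols(params: dict) -> list:
    """Return the PROT value of every icm/server_port_<n> entry, upper-cased."""
    prots = []
    for key, value in params.items():
        if key.startswith("icm/server_port_"):
            opts = dict(part.split("=", 1) for part in value.split(",") if "=" in part)
            prots.append(opts.get("PROT", "").strip().upper())
    return prots


def check_transport(params: dict) -> list:
    """Return a list of findings; an empty list means both hops are covered."""
    findings = []
    prots = icm_protocols(params)
    if "HTTPS" not in prots:
        findings.append("no icm/server_port_<n> with PROT=HTTPS: browser traffic cannot use TLS")
    if "HTTP" in prots:
        findings.append("an icm/server_port_<n> with PROT=HTTP is open: plain HTTP is reachable")
    if params.get("login/ticket_only_by_https") != "1":
        findings.append("login/ticket_only_by_https is not 1: logon tickets may travel over plain HTTP")
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: RFC traffic to the back end is unencrypted")
        return findings  # the remaining SNC parameters have no effect without it
    # Data protection level 3 = privacy (encryption); 1 and 2 only authenticate or sign.
    if int(params.get("snc/data_protection/min", "0")) < 3:
        findings.append("snc/data_protection/min is below 3: SNC may negotiate without encryption")
    if params.get("snc/accept_insecure_rfc") != "0":
        findings.append("snc/accept_insecure_rfc is not explicitly 0: non-SNC RFC connections may still be accepted")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print("%s profile: %s" % (name, check_transport(parse_profile(text)) or "no findings"))
```

The plain-HTTP finding is intentional even for hosts that sit behind a web dispatcher: if the ICM still listens on HTTP, the check reminds you to confirm that only the dispatcher can reach that port. The SNC parameters describe the server side; the matching RFC destinations in SM59 must also have SNC switched on for the connection to be encrypted end to end.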

These two configuration changes should help you drive security across your SAP Fiori landscape, but they are not enough. You should complement these with additional measures as well as strategies to secure SAP systems and SAP Fiori applications. You can learn about these measures at Cybersecurity for SAP Customers 2018, which will be held in Prague June 27–29. For more tips on how to secure an SAP environment, read this blog.