By Annie Kennedy, Associate Conference Producer

Jason Fruge (JF), Vice President, Business Application Cybersecurity at Onapsis, was the expert in the Q&A titled “Evolving Your SAP Security and Compliance Strategy in the era of Cloud & SAP S/4HANA,” which aired live on day 1 of SAPinsider's 2020 Virtual Conference Experience. Although Jason has been a security practitioner for more than 20 years, for most of his career he wasn’t familiar with SAP and what it does with organizations’ business functions. A few years ago, he saw a business risk illustration and was shocked that none of the security controls he’d invested in detected the threat. Reflecting on how big an issue that was, and on how a company cannot have the resources to patch everything with rigor and must instead focus on its most important applications and how those functions are protected, he was prompted to build a business case. He got funding for the approved security process, and he was lucky to have a team that was interested in solving the security problem and understood the importance of finding new solutions. The Q&A was moderated by SAPinsider's VP of Research and Publishing, Robert Holland (RH). Here are a few snippets from the conversation.

Q: What sort of security challenges do you see customers facing as they begin to deploy the cloud? Is this a good time to evaluate their security?

JF: People are beginning to host portions or all of SAP systems or data on someone else’s network. It’s a challenge in this shared model being responsible for securing your data, even on someone else’s network. Whatever tools you are introducing will face that challenge. Organizations need to consider more than firewalls in an age of socially engineered hacks such as phishing. You have to actively educate people on what they can and can’t share. Another factor that weakens security is that SAP is more accessible than ever, put online so people can pull up data on their cell phones. Workplaces are remote during the pandemic, so there’s more cloud-based access to data, and organizations need to consider new modes to combat security threats or leaks.

Q: What is the biggest thing a security lead should know or do before starting a move to S/4HANA?

JF: Have a meaningful conversation with the team about how they plan to organize and access data in this new environment, what level of risk can be accepted, and what security strategy can be comprehensive enough to protect what’s most important to them.

Q: What steps should SAPinsiders take to ensure security?

JF: It may be a people-process or a technology-process issue, but companies need a holistic strategy that accounts for both. Organizations should look beyond user authorizations; see if the configurations are secure, patches installed, programs updated, etc. Hackers have a lot of incentive to break into SAP systems. 77% of the world’s financial transactions and 78% of the world’s food distribution go through some form of SAP technology; it’s not an enterprise security problem but a national security problem that could have a devastating impact. It’s important to have a strong security system in place.

RH: Warehouses and packing plants being shut down by the pandemic had an immediate impact on supermarket stock. Imagine the issue if someone deliberately attacked our global supply chain. Everyone needs to take notice and ensure the chain is resilient. How would your company be affected if your supply chain was taken down? It’s a great conversation piece that everyone should discuss.

Q: Are there vulnerabilities people might not be considering, and how important is the security of the HANA database itself?

JF: SAP is installed on an operating system. The fastest way to manipulate the SAP application is within the operating system; secure the OS first, then the application next.

Q: How can an internal audit function best partner with the IT organization during a move to SAP S/4HANA?

JF: Have a good relationship with the architects so they can identify any gaps during production rather than retroactively. Strong relationships are key! We can also automate a lot of the audit, so when they come in to do them, we can arm them with information without having to stop their work to support the audit.

Q: Is there an easy way to apply the SAP security patches that get sent out, and is SAP Solution Manager the best alternative?

JF: SAP Solution Manager is a fine way to get patches done, but it has limitations; it’s an honor system where you check a box and say you applied a patch, but it may not have been applied appropriately. Onapsis’ solution actually tests the patches to be sure they were applied appropriately. Applying patches is a challenge; SAP will give priority scores to patches, and you have to translate the impact of that on your own organization, because what’s high priority for them might be low for you and vice versa. There’s no quick solution, but the capability to apply patches from a technology perspective is the easy part; the business analysis that goes into that decision is the harder part.
THE CHALLENGE: Migrate SAP ECC to SAP HANA while ensuring security and compliance.

THE SOLUTION: The Onapsis Platform enabled the firm to complete migration one year ahead of schedule due to stable, tested applications, while strengthening security and compliance.

Many large companies rely on SAP as a key component of their business. Learn how a Global Advertising company saved time and money by migrating to SAP HANA one year ahead of schedule.
In April 2019, several new exploits targeting SAP business applications were released in a public forum. Although the exploits target insecure configurations that have been reported by SAP SE in the past, their public release significantly increases the risk of successful cyberattacks against SAP implementations globally. Given the criticality of the risk posed by 10KBLAZE and insights from our threat intelligence capabilities, Onapsis has decided to open-source components of The Onapsis Platform and make intrusion detection signatures immediately and freely available to all SAP customers. Further, Onapsis has coordinated a global response with international government authorities, global SAP service providers and leading cyber threat detection and incident response firms to enable detection, monitoring and remediation of affected organizations globally. Check out the full threat report with information about how to determine if you are at risk and steps to take for remediation.
The Chief Information Officer (CIO) holds responsibility for all IT decisions affecting the company, a task that has increased in complexity in recent years. This e-book reviews five challenges CIOs face when dealing with SAP security, including recommendations for overcoming these challenges.
Is SAP HANA really the new big thing? Developed in 2008 by the Hasso Plattner Institute and Stanford University, SAP HANA was introduced in 2010, the same year as the iPad. It's hard to imagine our lives without the latter, but the adoption of SAP HANA technology is advancing much more slowly. SAP has approximately 380,000 customers, and as of the end of 2017 only 8,000 were using SAP S/4HANA, the application that seamlessly builds on the platform and has existed since 2015. Looking ahead, however, exponential growth is inevitably just around the corner. SAP systems that are not based on SAP HANA technologies will most likely no longer be supported after 2025. A quick glance at a calendar makes it clear that now is the time to initiate the complex and long transformation to SAP HANA. Although the deadline is a clear motivation for the transformation, the focus for organizations should be on the opportunities that SAP HANA offers. When properly planned and implemented, the switch to SAP S/4HANA can be an important milestone toward a digital enterprise.
By Juan Perez-Etchegoyen, CTO, Onapsis

Enterprise software is complex due to its nature and interconnectivity to business processes. On top of that, software is made by humans, which means that regardless of how much we want to avoid it, bugs will be there and, not uncommonly, critical ones. This holds true for many software vendors such as Microsoft, Apple, Oracle, Intel, Adobe, VMware... and also SAP. What all of these vendors also have in common is how they deal with the patches that solve those vulnerabilities, through what is called “Patch Tuesday.” Patch Tuesday is the second Tuesday of every month and has now become a standard day on which large software makers release the fixes for security vulnerabilities in their software. In this manner, patches are released in a coordinated way, giving organizations’ IT departments the opportunity to be prepared. Even though it is impossible to know whether the number of patches a vendor releases will be 0, 1 or 10, at least these IT teams can better expect the unexpected, knowing that on the second Tuesday of every month there is potentially going to be a bunch of things to fix across the board.
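Because Patch Tuesday falls on the second Tuesday of the month, a patch-window calendar can be generated rather than looked up by hand. The following helpers are an added example written for this page, not Onapsis or SAP code; the function names (`patch_tuesday`, `next_patch_tuesday`, `days_until_patch_tuesday`) are hypothetical, and the logic relies only on the Python standard library.

```python
"""Patch Tuesday calendar helpers (added example; function names are
hypothetical, not part of any vendor tooling).

Patch Tuesday is the second Tuesday of each month. These helpers compute
that date for any month and find the next one from an arbitrary day, so an
IT team can schedule test and deployment windows in advance.
"""
import calendar
from datetime import date, timedelta
from typing import List, Union

# calendar.TUESDAY == 1 (Monday is 0 in the datetime weekday() convention)
TUESDAY = calendar.TUESDAY


def _as_date(value: Union[str, date]) -> date:
    """Accept either a date or an ISO 8601 string such as '2020-07-14'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    # Days from the 1st to the first Tuesday of the month (0..6).
    offset = (TUESDAY - first.weekday()) % 7
    # The second Tuesday is exactly one week after the first.
    return first + timedelta(days=offset + 7)


def next_patch_tuesday(today: Union[str, date]) -> date:
    """Return the first Patch Tuesday on or after `today`.

    If this month's Patch Tuesday has already passed, roll over to the
    following month (handling the December -> January year boundary).
    """
    today = _as_date(today)
    candidate = patch_tuesday(today.year, today.month)
    if candidate >= today:
        return candidate
    if today.month == 12:
        return patch_tuesday(today.year + 1, 1)
    return patch_tuesday(today.year, today.month + 1)


def days_until_patch_tuesday(today: Union[str, date]) -> int:
    """Number of days from `today` until the next Patch Tuesday (0 if today)."""
    today = _as_date(today)
    return (next_patch_tuesday(today) - today).days


def patch_tuesdays(year: int) -> List[date]:
    """All twelve Patch Tuesdays of a year, for building a planning calendar."""
    return [patch_tuesday(year, month) for month in range(1, 13)]


if __name__ == "__main__":
    # Constructed sample: print the 2020 calendar and the lead time from 1 July 2020.
    for d in patch_tuesdays(2020):
        print(d.isoformat())
    print("days until next Patch Tuesday from 2020-07-01:",
          days_until_patch_tuesday("2020-07-01"))
```

The month rollover in `next_patch_tuesday` is the edge case worth checking: a date just after a Patch Tuesday must land on the following month's second Tuesday, including across the year boundary, and the date of Patch Tuesday itself must return that same day rather than skipping ahead.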
| CVE | Type | CVSS | Threat Report |
|---|---|---|---|
| CVE-2020-6287 | Software Vulnerability | 10 | SAP RECON Cybersecurity Vulnerability |
| CVE-2010-5326 | Combination of Software Vulnerability and Configuration | 10 | The Tip of the Iceberg: Wild Exploitation & Cyberattacks on SAP Business Applications |
| N/A | Security Configuration | 10 | 10KBLAZE threat report |
Based in Boston, Massachusetts, Onapsis protects mission-critical applications from SAP, Oracle, and Salesforce, and serves more than 300 of the world’s leading brands including 20% of the Fortune 100. Onapsis’ flagship solution, The Onapsis Platform for Cybersecurity and Compliance, is one of the first cybersecurity and compliance platforms to become an SAP Endorsed App. It is currently available in the SAP App Center.