Effective SAP Security: Strategies and Protective Measures

Cyberattacks are proliferating and becoming more sophisticated, causing increasing harm to both businesses and individuals. McKinsey reports that "at the current growth rate, cyberattack damage will amount to about $10.5 trillion annually by 2025—a 300 percent increase from 2015 levels."

Enterprises that rely on SAP to run their core processes need effective security strategies, methods, and tools to mitigate the growing threat. 

The US National Institute of Standards and Technology (NIST) Cybersecurity Framework provides an essential foundation from which enterprises can develop an effective Cyber Security approach for SAP deployment. Its five elements are threat identification, protection, detection, response, and recovery. 

This blog looks at the framework's threat identification and protection elements of the framework, how they should be applied, and the value that Arvato Systems adds to its clients by helping them use the NIST framework effectively.

Other blogs in this series examine the broader cyber threat in more detail, and how the detect, respond, and recover elements of the NIST framework can be deployed to maximum effect.     

Securing the SAP estate starts with understanding the infrastructure, applications, and business landscape, its associated security risks and vulnerabilities, and priorities for action. 

Data on the on-premise and cloud architecture, hardware, networks, software versions, user permissions, and known vulnerabilities is collated and input to a series of workshops to build a comprehensive security picture encompassing processes and procedures, user roles and privileges, infrastructure, and applications. 

Legacy versions and patching can be significant factors for SAP users. A December 2022 article on theregister.com suggests that a large number of SAP users are still running on the legacy ECC platform, and Arvato Systems’ experience suggests that some enterprises may only patch their SAP systems once a year or less, which is wholly inadequate. 

This is not unique to SAP – in 2016, Gartner analyst Earl Perkins predicted that “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year, ” while Checkpoint reports that 87% of organizations experienced an attempted exploit of a known vulnerability in 2021. 

Moving applications, platforms, and infrastructure to the cloud does not alter this requirement. While cloud providers offer security capabilities, overall responsibility and the requirement for an effective cybersecurity posture and strategy remain with the enterprise. 

Establishing countermeasures to protect the enterprise against cyberattacks needs to be a business-driven, multi-faceted process that goes far beyond implementing perimeter security technology solutions such as firewalls. 

Organizations need a robust cybersecurity posture and strategy that reflects cyber threats' scale, complexity, and fluidity. This strategy must be built on the assumption that, while everything possible will be done to prevent breaches, they will occur. 

Before considering point technology solutions for threat detection, response, and recovery, the enterprise needs to 

• Establish cyber security as a holistic business process
• Develop an effective strategy and implementation concept for SAP security
• Analyze existing processes, remodeling them if necessary
• Understand SAP security as a business process 
• Prioritize access management and identity management     

Access management and identity management have increased in importance as access has diversified, and models focusing solely on the network perimeter have become inadequate.   

Protection increasingly depends on a zero-trust model, where any actor's access to any resource is treated as untrusted. This requires more tightly controlled access, role definitions, and hardening of individual resources like servers against attack.   

Extensive IT expertise, a high level of technical understanding, strong industry knowledge, and partnership in action - that's Arvato Systems. 

In helping clients secure their business-critical enterprise SAP deployment, Arvato Systems can leverage its strategic partnerships with key providers—Microsoft, Google Cloud, and AWS—as well as the proven SAP expertise that comes with being an SAP Gold Partner.