Targeted Protective Measures Against Intruders
Digital transformation poses threats to companies’ IT security. Cloud computing, networking, and functional enhancements are the key trends that offer cybercriminals ever new points of attack – and that call for systematic protective measures.
Published as a technical contribution in Computerwoche on October 12, 2018 (German only).
Monolithic ERP systems such as SAP R/3 are out. A steadily growing number of companies are now saying goodbye to the “one-system-for-everything” approach in favor of solutions from specialized cloud service providers for specific niches like talent management or payroll accounting. This also has the advantage of eliminating the effort and expense of operating the new applications in-house while enabling scalability in line with requirements. Providers are responding to rising customer demand by bringing more and more cloud services to market: “Everything as a Service” is the motto of this new digital world.
But it is likely to be some time before this paradigm becomes established practice. In the meantime, companies face the task of integrating the new cloud services as seamlessly as possible with their own ERP and existing third-party systems, as well as with each other, in hybrid landscapes. Integrative solutions such as SAP Cloud Platform, which SAP itself provides as a Platform as a Service (PaaS) and which enables data to be exchanged between SAP and non-SAP systems, are ideally suited for this purpose. However, as the number of services deployed increases, so does the need for effective IT security measures: a growing and increasingly networked IT infrastructure – consisting of a local network and a wealth of SAP, third-party, and cloud applications – must be protected against increasingly sophisticated attacks. This pressure is intensified by the spread of innovative IoT technologies.
Interfaces Provide Backdoors for Attackers
In addition to auditing the IT platform and configuring it uniformly, securing its interfaces plays a central role. Typical SAP systems have several thousand RFC interfaces, as well as interfaces to the operating system, SAP GUI, mobile apps, Web services, and other solutions run in the cloud or by subsidiaries, customers, and suppliers. If these interfaces are outdated, incorrectly configured, or inadequately protected, they offer data thieves, business spies, and saboteurs tempting backdoors for accessing information. This can have major financial and legal consequences for businesses. What’s more, corporate reputations suffer. This situation is aggravated by increasingly stringent regulatory requirements, such as the recent EU GDPR, which imposes hefty fines for breaches of the new regulations on the protection of personal data.
Transparency Through Inventory
Although the risks of unsecured interfaces have long been known, many companies do not have the problem under control – especially since advances in digitalization mean they can lose track of the increasingly complex interfaces faster than in the past. It is therefore advisable to use special tools to analyze the communication relationships within the system landscape and to take an inventory of, document, and monitor all interfaces.
If the analysis detects vulnerabilities, system administrators receive suggestions for better protection. Tools of this type also enable companies to check whether their authorization concept matches the available interfaces. In addition, rules can be defined in the tools to block unauthorized data access. For example, if a sales representative tries to download confidential HR data, the integrated monitoring component triggers an alarm. The system administrators can then block the relevant interface immediately. Likewise, rules can be used to systematically exclude the possibility of personal data, such as customer names or credit card information, getting into the public domain – a key requirement for compliance with the EU GDPR.
In addition, taking stock of and monitoring interfaces helps reveal where encryption is lacking for data transmission. While this issue is extensively covered by robust industry standards in the on-premise world, the situation in complex cloud environments is quite different. Since various encryption methods are used for the individual cloud services, and the data is repeatedly decrypted during the process, this is another area where it pays to use a tool that records all interfaces, continuously monitors them, and sounds the alarm in the event of inadequate encryption. This enables data flows between distributed systems to be tracked and comprehensively secured.
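The two monitoring rules described in the preceding paragraphs (an alarm when a role reads a data class it is not authorized for, and an alarm when personal data crosses an interface without transport encryption) can be reduced to a small inventory-plus-rules check. The following Python is an added illustration written for this page; it is not code from the article or from any SAP or third-party tool. The inventory, the role-to-data-class mapping, and the access log lines are all constructed sample data, and the interface names are hypothetical.

```python
"""Added illustration (not from the article or any SAP tool): a minimal
interface inventory with two monitoring rules, run over constructed data."""
from dataclasses import dataclass

# Constructed inventory: each interface records its protocol, whether the
# channel is encrypted (SNC for RFC, TLS for HTTP) and the data class it carries.
INVENTORY = [
    {"id": "RFC_HR_EXPORT", "protocol": "RFC", "encrypted": False, "data_class": "personal"},
    {"id": "RFC_MM_STOCK", "protocol": "RFC", "encrypted": True, "data_class": "internal"},
    {"id": "WS_PAYROLL_CLOUD", "protocol": "HTTPS", "encrypted": True, "data_class": "personal"},
    {"id": "WS_PRICELIST", "protocol": "HTTP", "encrypted": False, "data_class": "public"},
]

# Rule 1: which business role may read which data class (hypothetical
# authorization concept; a real one would come from the SAP role design).
ALLOWED = {
    "sales": {"public", "internal"},
    "hr": {"public", "internal", "personal"},
}

# Constructed access log: timestamp, user, role, interface, action.
ACCESS_LOG = """\
2018-10-12T09:01:07Z u.mueller sales RFC_MM_STOCK READ
2018-10-12T09:02:41Z u.mueller sales RFC_HR_EXPORT DOWNLOAD
2018-10-12T09:03:15Z p.schmidt hr RFC_HR_EXPORT DOWNLOAD
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    interface: str
    detail: str


def parse_log(text):
    """Turn the whitespace-separated sample log into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, iface, action = line.split()
        rows.append({"ts": ts, "user": user, "role": role,
                     "interface": iface, "action": action})
    return rows


def check_access(rows, inventory=INVENTORY, allowed=ALLOWED):
    """Rule 1: flag any access where the role may not read the interface's
    data class; also flag interfaces that are not in the inventory at all,
    since an undocumented interface is exactly what the inventory is for."""
    by_id = {i["id"]: i for i in inventory}
    alerts = []
    for r in rows:
        iface = by_id.get(r["interface"])
        if iface is None:
            alerts.append(Alert("unknown-interface", r["interface"],
                                f"{r['user']} used an interface missing from the inventory"))
            continue
        if iface["data_class"] not in allowed.get(r["role"], set()):
            alerts.append(Alert("unauthorized-access", iface["id"],
                                f"{r['user']} ({r['role']}) {r['action']} {iface['data_class']} data"))
    return alerts


def find_unencrypted(inventory=INVENTORY):
    """Rule 2: personal data must never travel over an unencrypted channel."""
    return [Alert("missing-encryption", i["id"],
                  f"{i['protocol']} carries {i['data_class']} data without SNC/TLS")
            for i in inventory
            if i["data_class"] == "personal" and not i["encrypted"]]


if __name__ == "__main__":
    for alert in check_access(parse_log(ACCESS_LOG)) + find_unencrypted():
        print(alert)
```

Run as written, the script reports the sales user's download over `RFC_HR_EXPORT` under rule 1 and the same interface under rule 2, because it carries personal data without SNC; the payroll cloud service carries personal data too but passes because its channel is TLS-protected. The unknown-interface branch is the piece that turns a static inventory into a monitoring control: any call to an interface nobody documented is itself an alarm.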
Functional Enhancements Create Loopholes
However, enterprises cannot rely solely on available on-premise and cloud solutions to accelerate their digital transformation. Any company that wants to respond quickly and flexibly to new market and customer requirements must constantly expand the functionality of its applications. One way of doing this is the DevOps approach, which involves close collaboration between development and IT operations to accelerate delivery of high-quality software. This enables companies to continuously implement small-scale functionalities and solutions tailored to their specific needs. In the SAP space, SAP HANA database technology is gaining traction as a development platform that provides considerable impetus for DevOps thanks to its big-data processing capabilities.
SAP users also have the option of purchasing the required functionality directly from partners in the SAP App Center. The SAP App Center currently comprises more than 1,000 extension solutions from partners for the entire SAP solution portfolio, including SAP S/4HANA as well as SAP Cloud Platform and cloud solutions from SAP. As demand grows, the importance of the SAP App Center in the SAP world will soon be on a par with that long enjoyed by Apple’s App Store in the consumer sector.
Significant Increase in Complexity
Whenever companies program the required functions themselves, they change the conditions under which their landscape operates. Because SAP supports Cloud Foundry, an open source Platform as a Service (PaaS), extensions can be created in any programming language and added to the SAP Cloud Platform. Other programming languages, operating systems, interfaces, and platforms are added, increasing the complexity of the existing system landscape – and also the security risk. The situation is similar when companies shop in the SAP App Center. Even if SAP ensures that the partner solutions offered meet certain security standards, companies run the risk of the apps not matching their own security concept.
This is why all functional extensions should be analyzed using suitable tools to detect potential security vulnerabilities. This applies to partner solutions from the SAP App Center as well as to DevOps. Right from the outset, it is advisable for companies to use test tools that are integrated directly into the programming environment and provide a high degree of automation: from code development to the test and build phase right through to the runtime environment and operation. At every stage of the software product life cycle, these analyses ensure that the new functions and applications can be securely programmed, configured, and transported to the target system.[1]
A New Understanding of IT Security
A recent IDC study[2] found that “new technological challenges such as digitalization or the Internet of Things (IoT) call for a new understanding of IT security on the part of a large number of IT managers”. This new understanding should certainly include securing interfaces, adherence to compliance requirements, and automatic analyses of functional extensions.
[1] See also: Markus Schumacher: “More security for DevOps”, Computerwoche, May 7, 2018 (German only)
[2] Bernhard Haluschak: “Die digitale Transformation ist ein Sicherheitsrisiko”, Computerwoche, July 20, 2018 (German only)