
SAP Interfaces - Hotspots for Data Leaks

October 1, 2018 | By Dr. Oleksandr Panchenko

Interview published on 28 September in IT MANAGEMENT - DSAG SPEZIAL

The tools currently on the market do not provide a complete overview of SAP interfaces, and those interfaces are a growing IT security risk. In this interview, Dr. Oleksandr Panchenko, Security Architect at Virtual Forge, explains how companies can effectively safeguard themselves against these threats.

it management: Why are SAP interfaces increasingly being targeted by data thieves, business spies, and saboteurs?

Dr. Panchenko: In recent years, most companies have developed highly complex SAP system environments. On one hand, globalization has set in motion a major business transformation. Enterprises are expanding, merging, and purchasing other companies along with their IT systems. At the same time, the digital transformation is fueled by trends like cloud computing and Industry 4.0, leading to increasingly interconnected IT infrastructures. Unfortunately, it’s often easy to lose track of existing interfaces – typical SAP system landscapes can contain several thousand of them. As a result, companies are unable to protect these interfaces against unauthorized access, opening the door to cybercriminals.

it management: What are the potential impacts of unsecured SAP interfaces?

Dr. Panchenko: If cybercriminals can access entire databases to copy, change, or delete them, the economic damage for a company can be immense – for example, if the hackers falsify the balance sheet totals or shut down entire SAP systems. In addition, companies’ reputations suffer, and the trust of their customers and partners dwindles. This pressure is being intensified by increasingly stringent regulatory requirements, such as the EU’s General Data Protection Regulation, which imposes heavy fines for infringements of its new requirements for the protection of personal data.

it management: Why don’t companies get a better handle on the problem?

Dr. Panchenko: Because in most cases there is no central unit with full documentation of all interfaces and all the data exchanged. Some companies manually analyze the security-critical parameters of their interfaces and runtime statistics to achieve at least some degree of transparency. But because manual evaluations are extremely time-consuming, this is limited to random samples.

it management: What about IT-assisted analyses of SAP interfaces?

Dr. Panchenko: Even the tools currently on the market don’t provide a complete overview. First, because they are confined to evaluating individual interface technologies and don’t cover the entire range of a typical SAP environment, such as Remote Function Call, HTTP, FTP, Java Connector, and interfaces to printers. Second, the interfaces and data flows can be analyzed only locally, that is, from a single system. And this is not enough to get the fullest possible picture of the communication relationships within an SAP system environment. Finally, many analysis tools are limited to just one problem, such as the question of what type of data is downloaded via the SAP GUI.

it management: But now you can plug this gap with the new Virtual Forge InterfaceProfiler. Can you elaborate more on this tool?

Dr. Panchenko: That’s right. This tool enables a complete inventory of the interfaces, including those that many users aren’t even aware of, such as unauthorized downloads of lists via the SAP GUI, direct access to the database, and data exchange with external systems. In addition, it analyzes the communication relationships of the entire system environment and displays the results graphically. If security vulnerabilities become apparent, such as a lack of encryption, insecure connections, or authorization problems with Remote Function Call connections, the system administrators receive suggestions for better security.

it management: What are the possible application scenarios for the InterfaceProfiler?

Dr. Panchenko: One option is to use the tool during projects. If, for example, a company relocates its SAP systems to a different data center, it’s important to know which interfaces to other components are active. This is the only way of ensuring that all required systems and components can be relocated and correctly configured in the new environment. At the same time, this is a good opportunity to clean up the system landscape. During ongoing operation, the InterfaceProfiler monitors the data flows. Rules for the desired SAP system and interface landscape are defined for this purpose in the tool and compared with the current information in target/actual analyses. For example, if a sales representative tries to download confidential HR data, an alarm is triggered, and the person responsible for the system can immediately shut down the relevant interface. Also, rules can be used to prevent personal data, like customer names or credit card numbers, from getting out into the open. This means that companies comply with the requirements of the General Data Protection Regulation.

it management: This tool allows automatic data classification for the first time. What advantages does that offer users?

Dr. Panchenko: It enables users to maintain a clear overview where very large data volumes are involved, and to focus on critical data streams. The categorization means that they don’t need to monitor the data flows directly. Instead, they can use metadata from function calls and communication relationships to deduce the type of data exchanged. This also speeds up the search and alert functions considerably. What’s important for our customers is that, with InterfaceProfiler, we provide them with predefined classifications that they can fine-tune and adapt to their individual needs. Which means that they don’t have to start from scratch with a greenfield approach and can benefit from years of our expertise in the form of the content delivered with the solution.
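The two mechanisms the interview describes, a target/actual comparison of the interface landscape against defined rules and a classification of data flows from call metadata rather than from the payload itself, can be sketched in a few dozen lines. The following is an added example written for this page; it is not InterfaceProfiler code and does not reflect that product's rule syntax or its predefined content. The inventory records, destination names, roles, function-module names and the prefix-based classification map are all constructed for the illustration.

```python
"""Toy target/actual check over an SAP interface inventory.

Added example, not Virtual Forge code. Every record, name and rule below is
constructed for illustration; the CLASSIFICATION map is a hypothetical
stand-in for predefined classification content.
"""

# Constructed "actual" state: per-connection metadata a profiler might collect.
ACTUAL_INTERFACES = [
    {"name": "ERP_TO_CRM", "type": "RFC", "target": "CRM",
     "encrypted": True, "stored_credentials": False},
    {"name": "ERP_TO_PRINTER_01", "type": "PRINTER", "target": "printer-01",
     "encrypted": False, "stored_credentials": False},
    {"name": "ERP_TO_EXT_PARTNER", "type": "HTTP", "target": "partner.example",
     "encrypted": False, "stored_credentials": True},
]

# Constructed "target" state: rules for the desired landscape.
TARGET_POLICY = {
    "allowed_targets": {"CRM", "printer-01"},      # anything else is undocumented
    "encryption_required_types": {"RFC", "HTTP"},  # printer links exempt in this toy
    "forbid_stored_credentials": True,
}

# Hypothetical classification: function-module name prefix -> data class.
# Classifying from the call name means the payload itself never has to be read.
CLASSIFICATION = {"HR_": "HR", "FI_": "FINANCE", "SD_": "SALES"}

# Constructed role rules: which data classes each role may pull.
ROLE_RULES = {"SALES_REP": {"SALES"}, "HR_CLERK": {"HR"}}

# Constructed runtime events: who invoked which function module.
EVENTS = [
    {"user": "jdoe", "role": "SALES_REP", "function_module": "SD_ORDER_GETLIST"},
    {"user": "jdoe", "role": "SALES_REP", "function_module": "HR_EMPLOYEE_DOWNLOAD"},
    {"user": "hr01", "role": "HR_CLERK", "function_module": "HR_PAYROLL_GETLIST"},
    {"user": "svc", "role": "INTEGRATION", "function_module": "ZCUSTOM_EXPORT"},
]


def classify(function_module):
    """Deduce the data class of a call from its name prefix; unknown names stay visible."""
    for prefix, label in CLASSIFICATION.items():
        if function_module.startswith(prefix):
            return label
    return "UNCLASSIFIED"


def compare_target_actual(actual, policy):
    """Return (interface, deviation) pairs where the actual landscape violates the target."""
    findings = []
    for iface in actual:
        if iface["target"] not in policy["allowed_targets"]:
            findings.append((iface["name"], "undocumented target"))
        if iface["type"] in policy["encryption_required_types"] and not iface["encrypted"]:
            findings.append((iface["name"], "missing encryption"))
        if policy["forbid_stored_credentials"] and iface["stored_credentials"]:
            findings.append((iface["name"], "stored credentials"))
    return findings


def check_events(events, role_rules):
    """Return (user, function_module, data_class) for every call outside the role's allowance.

    Fail closed: a role without rules, or a call that cannot be classified,
    raises an alarm instead of being silently accepted.
    """
    alarms = []
    for ev in events:
        data_class = classify(ev["function_module"])
        if data_class not in role_rules.get(ev["role"], set()):
            alarms.append((ev["user"], ev["function_module"], data_class))
    return alarms


if __name__ == "__main__":
    for name, deviation in compare_target_actual(ACTUAL_INTERFACES, TARGET_POLICY):
        print(f"DEVIATION {name}: {deviation}")
    for user, fm, cls in check_events(EVENTS, ROLE_RULES):
        print(f"ALARM {user} called {fm} ({cls})")
```

Run stand-alone, the script reports the partner connection three times (undocumented, unencrypted, stored credentials), the sales representative's HR call, and the unclassified custom export by a role with no rules. The last point is the design choice worth copying: a flow that the classification content does not recognise is surfaced for review rather than assumed harmless.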