SAP Security anno 2017
Tim Lynen, Manager, axl & trax
2017

Agenda
- Introduction axl & trax
- Importance of landscape security
- Where to start
- Top items to focus on
- Security in the organization
- Q&A
Introduction axl & trax
axl & trax: who are we (the name)
Fact sheet
- 20 years of expertise
- Consultancy, advisory, audit, training, implementation and operations in access governance for SAP environments
- Around 30 dedicated SAP security, GRC & IAM experts
- More than 250 customers
Importance of SAP landscape security
Why landscape security
- SAP is part of the critical business applications
  - Financial data
  - Personal data (customers, vendors, employees, ...)
  - Confidential data (recipes, strategy, ...)
- Increasing number of cyber attacks on SAP environments
  - Targeting of application vulnerabilities
  - SAP vulnerabilities are publicly known
- New regulations (e.g. GDPR)
- New technology requires a new approach: HANA, S/4HANA, Fiori, Screen Personas, ...
- Increase in connectivity: cloud, mobile, IoT, ...

The cyber threat is real
Known breaches due to misuse of vulnerabilities:
- 2012 - Greek ministry of finance
- 2013 - First malware looking for SAP data
- 2014 - High-tech company's SAP breached
- 2015 - Attack on USIS SAP systems
- 2016 - First ever US-CERT alert on SAP
- 2017 - ...
Many remain unknown to avoid image damage.
Where to start
How to increase your security level
- Find out where you are
- Start with solving the most obvious issues:
  1. Patches (all stacks)
  2. Gateway security
  3. Default users & passwords
  4. Open unused RFC connections & Java services
  5. Custom (ABAP) coding
  6. RFC connection hopping
  7. Critical access rights & SoD
  8. Switchable authorization framework
  9. System parameter configuration
  10. Advanced security topics

How to find out where you are
- Differences (release, EHP, SP, ...) between the SAP systems in your landscape
- Focus on productive systems, but don't neglect the others
- Use your SAP Solution Manager to help out:
  - Service Level Reports (SLR) automate vulnerability reporting for SAP systems
  - System Recommendations is an application in Solution Manager that performs automated patch management for SAP systems
  - Security Dashboards monitor critical key performance indicators to track vulnerabilities and threats across SAP landscapes in real time
  - Interface Monitoring is used to map and track system interfaces in SAP landscapes, including RFC, HTTP, IDoc and Web Service connections
  - Security Alerting is based on the Monitoring and Alerting Infrastructure (MAI) of Solution Manager; MAI connects to data providers, including event logs, to monitor for security vulnerabilities and incidents
Solve 1 - Patches
- Most common issue at customers: insufficiently patched systems
- Vulnerabilities are publicly known
- SAP releases security patches every second Tuesday of the month
Source: https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/

Solve 2 - SAP gateway security
- Very common that customers do not have any gateway security
  - "But my system is not connected to the internet..."
  - "We don't use the gateway"
- By default no security is implemented
- Two ACL files (Access Control List = security files) should be set up:
  - reginfo controls the registration of external programs in the gateway
  - secinfo is used to prevent unauthorized launching of external programs
- Gateway logging should be activated
- Your SAP Solution Manager is a gateway to all your SAP systems; this makes Solution Manager mission critical
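Both ACL files are plain text rule lists, so their quality can be checked mechanically. The script below is an added example, not part of the presentation and not an SAP tool: it parses constructed secinfo and reginfo samples written in the version-2 rule format (a P or D action followed by KEY=VALUE fields, with * as wildcard) and flags permit rules that leave program and host open, plus files that do not end in an explicit deny-all rule. Treating an omitted field as a wildcard is a deliberately conservative assumption of this linter, and the host names in the samples are invented.

```python
"""Lint SAP gateway ACL files (secinfo / reginfo) for overly permissive rules.

Added example, not part of the presentation. All sample files are constructed.
"""

# Constructed sample: any external program may be started from any host by any user.
WEAK_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

# Constructed sample: starts only on the local host / internal network, then deny-all.
HARD_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
P TP=sapxpg USER=* USER-HOST=internal HOST=internal
D TP=* USER=* USER-HOST=* HOST=*
"""

# Constructed sample: any program may register from anywhere.
WEAK_REGINFO = """#VERSION=2
P TP=* HOST=*
"""

# Constructed sample: local registration plus one named program from one (invented) host.
HARD_REGINFO = """#VERSION=2
P TP=* HOST=local
P TP=TAXPROG HOST=taxhost.example.corp ACCESS=internal CANCEL=internal
D TP=* HOST=*
"""


def parse_acl(text):
    """Return one dict per rule: {'action': 'P'|'D', 'line': n, 'TP': ..., 'HOST': ...}."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or #VERSION / comment
            continue
        parts = line.split()
        action = parts[0].upper()
        if action not in ("P", "D"):
            raise ValueError(f"line {n}: unknown action {parts[0]!r}")
        rule = {"action": action, "line": n}
        for token in parts[1:]:
            key, _, value = token.partition("=")
            rule[key.upper()] = value
        rules.append(rule)
    return rules


def lint(text, kind):
    """kind is 'secinfo' or 'reginfo'. Returns a list of (severity, line_no, message).

    Assumption of the linter: a field that is not given counts as '*'.
    """
    rules = parse_acl(text)
    findings = []
    if not rules:
        return [("critical", 0, f"{kind}: file contains no rules at all")]
    for r in rules:
        if r["action"] != "P":
            continue
        tp, host = r.get("TP", "*"), r.get("HOST", "*")
        if kind == "secinfo":
            user_host = r.get("USER-HOST", "*")
            if tp == "*" and host == "*" and user_host == "*":
                findings.append(("critical", r["line"],
                                 "any program may be started from any host by any user"))
            elif host == "*" or user_host == "*":
                findings.append(("warning", r["line"],
                                 f"program {tp} may be started from/via any host"))
        else:
            access = r.get("ACCESS", "*")
            if tp == "*" and host == "*":
                findings.append(("critical", r["line"],
                                 "any external program may register from any host"))
            elif host == "*":
                findings.append(("warning", r["line"],
                                 f"program {tp} may register from any host"))
            if access == "*" and host != "local":
                findings.append(("warning", r["line"],
                                 f"registered program {tp} may be used by any host (ACCESS=*)"))
    last = rules[-1]
    if not (last["action"] == "D" and last.get("TP", "*") == "*" and last.get("HOST", "*") == "*"):
        findings.append(("warning", last["line"],
                         "file does not end with an explicit deny-all rule"))
    return findings


if __name__ == "__main__":
    for name, text, kind in (("weak secinfo", WEAK_SECINFO, "secinfo"),
                             ("hardened secinfo", HARD_SECINFO, "secinfo"),
                             ("weak reginfo", WEAK_REGINFO, "reginfo"),
                             ("hardened reginfo", HARD_REGINFO, "reginfo")):
        print(name, lint(text, kind) or "ok")
```

Run it against the real files named by the gw/sec_info and gw/reg_info profile parameters; a finding is a prompt to review the rule, since a named program from a wildcard host may be intentional on an isolated network, but a wildcard permit as the only rule never is.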
Solve 3 - Default users & passwords
- All SAP systems have default users and passwords
- SAP* does not even have to exist as a user to be in use
- Run report RSUSR003 on each system

Solve 4 - Open unused RFC connections and Java services
- RFC = Remote Function Call
- Roughly 38,000 remote-enabled function modules in an SAP system
- A typical SAP customer uses a few hundred of them*
- Close function modules not in use by using SAP UCON (Unified Connectivity)
  - For external connections only
  - Included in SAP NetWeaver as of SAP_BASIS 7.40
  - SAP UCON is ABAP stack only
- For Java services the same logic applies: unused = deactivate
* Source: SAP.com
Solve 5 - Custom (ABAP) coding
- Every SAP customer has custom code in their system (namespaces Y*, Z*, /*)
- Security in custom code is a major issue at most customers. Some examples:
  - Missing authority checks
  - SQL code injection possibilities
  - Hard-coded users, systems, clients
- A customer-specific development policy should be implemented, with a chapter on security and secure coding
- Default (limited-scope) SAP tools are available:
  - SAP ABAP Test Cockpit (ATC)
  - SAP Code Inspector (SCI)
  - Extended Program Check (SLIN)
  - Syntax check (SE80, check)
- 3rd-party tools cover a broader scope
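The three weaknesses listed on this slide leave recognisable traces in source code. The following Python script is an added example, not part of the presentation and not one of the SAP tools named above: a regex pre-screen a reviewer could run over a custom-code export before the proper ATC/SCI run. It flags a dynamic WHERE clause that is not validated with the cl_abap_dyn_prg class, a CALL TRANSACTION without an S_TCODE check, hard-coded comparisons against sy-uname, sy-mandt or sy-sysid, and database access in a unit that performs no AUTHORITY-CHECK at all. Both ABAP snippets are constructed (the report name, message class and parameter names are invented), one with the defects and one hardened.

```python
"""Heuristic scan of custom ABAP source for the weaknesses named on the slide.

Added example, not part of the presentation. The ABAP samples are constructed.
"""
import re

# Constructed vulnerable sample: dynamic WHERE from a user parameter, hard-coded
# user and client, CALL TRANSACTION and table read without any authority check.
VULN_SAMPLE = r"""
REPORT zsales_export.
PARAMETERS: p_where TYPE string.
DATA lt_orders TYPE TABLE OF vbak.
IF sy-uname = 'BATCHUSER' AND sy-mandt = '100'.
  SELECT * FROM vbak INTO TABLE lt_orders WHERE (p_where).
ENDIF.
CALL TRANSACTION 'SE16' AND SKIP FIRST SCREEN.
"""

# Constructed hardened sample: typed parameter, static WHERE, explicit checks.
FIXED_SAMPLE = r"""
REPORT zsales_export.
PARAMETERS: p_vkorg TYPE vkorg.
DATA lt_orders TYPE TABLE OF vbak.
AUTHORITY-CHECK OBJECT 'V_VBAK_VKO' ID 'VKORG' FIELD p_vkorg ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(zsd) WITH 'Not authorised'.
ENDIF.
SELECT * FROM vbak INTO TABLE lt_orders WHERE vkorg = @p_vkorg.
AUTHORITY-CHECK OBJECT 'S_TCODE' ID 'TCD' FIELD 'SE16'.
IF sy-subrc = 0.
  CALL TRANSACTION 'SE16' WITH AUTHORITY-CHECK.
ENDIF.
"""

DYN_WHERE = re.compile(r"\bWHERE\s*\(\s*(\w+)\s*\)", re.I)
CALL_TA = re.compile(r"\bCALL\s+TRANSACTION\b(?P<rest>.*)", re.I)
HARDCODED = re.compile(r"\bsy-(uname|mandt|sysid)\s*(=|EQ|<>|NE)\s*'[^']*'", re.I)
DB_ACCESS = re.compile(r"^\s*(SELECT|UPDATE|DELETE|MODIFY|INSERT)\b", re.I)


def scan(source):
    """Return a list of (rule_id, line_no, detail) findings for one ABAP unit."""
    findings = []
    has_auth_check = re.search(r"\bAUTHORITY-CHECK\s+OBJECT\b", source, re.I) is not None
    has_tcode_check = re.search(r"'S_TCODE'", source, re.I) is not None
    has_dyn_validation = re.search(r"\bcl_abap_dyn_prg=>", source, re.I) is not None
    first_db_line = None
    for n, raw in enumerate(source.splitlines(), 1):
        code = raw.split('"')[0]            # drop trailing " comment
        if code.lstrip().startswith("*"):   # full-line * comment
            continue
        m = DYN_WHERE.search(code)
        if m and not has_dyn_validation:
            findings.append(("sql_injection", n,
                             f"dynamic WHERE clause ({m.group(1)}) without cl_abap_dyn_prg validation"))
        m = CALL_TA.search(code)
        if m and "WITH AUTHORITY-CHECK" not in m.group("rest").upper() and not has_tcode_check:
            findings.append(("missing_auth_check", n,
                             "CALL TRANSACTION without S_TCODE / WITH AUTHORITY-CHECK"))
        for m in HARDCODED.finditer(code):
            findings.append(("hardcoded_context", n, m.group(0).strip()))
        if first_db_line is None and DB_ACCESS.match(code):
            first_db_line = n
    if first_db_line is not None and not has_auth_check:
        findings.append(("missing_auth_check", first_db_line,
                         "database access in a unit without any AUTHORITY-CHECK"))
    return findings


if __name__ == "__main__":
    for name, src in (("vulnerable", VULN_SAMPLE), ("hardened", FIXED_SAMPLE)):
        print(name, scan(src) or "no findings")
```

A regex scanner of this kind cannot follow data flow, so a clean result is not proof of safety; its value is in surfacing the obvious cases quickly and in giving the development policy something concrete to point at.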
Solve 6 - RFC connection hopping
- RFC connections exist in every SAP system in your landscape
- Connections can be and are made between systems: DEV to QAS, QAS to PROD, sandbox to a BI to an ERP, ...
- Fixed credentials might be stored in the connection, especially in sandboxes which later on become production systems

Solve 7 - Critical access rights
- Define what is critical for your organization; there is no ruleset that fits all companies
- Monitor critical access rights within the system:
  - Debug access (maintenance)
  - Direct table access (confidentiality, GDPR, ...)
  - Using other users' access rights to launch jobs
- Built-in tools exist for certain items:
  - SAP Read Access Log: who read which data
  - SAP Solution Manager
- 3rd-party tools cover a broader scope

Solve 8 - Switchable authorization framework
- New approach from SAP
- Non-disruptive way of implementing security by SAP
- Security is built in but mostly not activated by default
- Recommendation is to activate all used scenarios
- Available in all NetWeaver releases as of a certain SP
Solve 9 - System parameter configuration
- System configuration is partially done by setting system parameters
- An SAP security policy, or at least a guideline, should be available in the company: management decides, IT executes
- This is mostly not in line with best practices and not aligned between systems
- Wrong configuration opens the door for exploits
- Some critical parameters with regard to security:
  - login/no_automatic_user_sapstar (SAP* user)
  - login/disable_multi_gui_login (account sharing)
  - auth/no_check_in_some_cases (deactivation of authority checks)
- Tools to compare and/or correct system parameter settings:
  - Solution Manager Configuration Validation
  - 3rd-party tools cover a broader scope
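The two problems on this slide, values that deviate from the policy and values that differ between systems, can be caught with one comparison run. The script below is an added example, not part of the presentation and not Solution Manager Configuration Validation: it parses constructed "parameter value" exports for three systems (the kind of list RSPARAM produces), compares them with a constructed baseline, and separately lists the parameters whose values are not aligned across the landscape. The baseline values are assumptions standing in for the organisation's own policy, and a parameter missing from an export is reported as "<not set>" so that the kernel default gets verified rather than silently trusted.

```python
"""Compare SAP profile parameters of several systems against a security baseline.

Added example, not part of the presentation. Baseline and exports are constructed.
"""

# Constructed baseline (assumed policy values): parameter -> (operator, expected, reason)
BASELINE = {
    "login/no_automatic_user_sapstar": ("eq", "1", "SAP* must not be usable without a user master record"),
    "login/disable_multi_gui_login": ("eq", "1", "block parallel GUI logons with one account (account sharing)"),
    "auth/no_check_in_some_cases": ("eq", "Y", "SU24 check indicators in use; review deactivated checks"),
    "login/min_password_lng": ("ge", "8", "minimum password length"),
}

# Constructed exports, one "parameter value" line per row; PRD lacks one parameter.
EXPORTS = {
    "DEV": """login/no_automatic_user_sapstar 0
login/disable_multi_gui_login 0
auth/no_check_in_some_cases Y
login/min_password_lng 6""",
    "QAS": """login/no_automatic_user_sapstar 1
login/disable_multi_gui_login 1
auth/no_check_in_some_cases Y
login/min_password_lng 8""",
    "PRD": """login/no_automatic_user_sapstar 1
auth/no_check_in_some_cases Y
login/min_password_lng 10""",
}

NOT_SET = "<not set>"


def parse_export(text):
    """Parse 'name value' lines into a dict; blank lines and # comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        params[name] = value.strip()
    return params


def check_system(params, baseline=BASELINE):
    """Return a list of (parameter, actual, expected, reason) deviations for one system."""
    deviations = []
    for name, (op, expected, reason) in baseline.items():
        actual = params.get(name)
        if actual is None:                       # running on the kernel default: verify it
            deviations.append((name, NOT_SET, expected, reason))
            continue
        if op == "eq":
            ok = actual.upper() == expected.upper()
        elif op == "ge":
            try:
                ok = int(actual) >= int(expected)
            except ValueError:                   # non-numeric value where a number is expected
                ok = False
        else:
            raise ValueError(f"unknown operator {op!r}")
        if not ok:
            deviations.append((name, actual, expected, reason))
    return deviations


def check_landscape(exports=EXPORTS, baseline=BASELINE):
    """Map system id -> deviations from the baseline."""
    return {sid: check_system(parse_export(text), baseline) for sid, text in exports.items()}


def misaligned(exports=EXPORTS):
    """Parameters whose values differ between systems: name -> {sid: value}."""
    parsed = {sid: parse_export(text) for sid, text in exports.items()}
    names = set().union(*(p.keys() for p in parsed.values()))
    return {
        name: {sid: p.get(name, NOT_SET) for sid, p in parsed.items()}
        for name in sorted(names)
        if len({p.get(name) for p in parsed.values()}) > 1
    }


if __name__ == "__main__":
    for sid, devs in check_landscape().items():
        print(sid, devs or "compliant")
    print("not aligned across systems:", misaligned())
```

The "ge" operator exists because some parameters are thresholds rather than switches; extend the baseline with the rest of the policy and run it from an existing export rather than typing values by hand, so the comparison stays repeatable after every transport or upgrade.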
Solve 10 - Advanced security topics
- Discovering vulnerabilities not yet known
- Cover for zero-day exploits until SAP releases a patch
- Evaluating new releases and technologies for security impact (upgrades, EHPs, SPs, ...)
- Many security tool vendors invest in security research
- Pattern evaluation requires software
- Good security does not consist of securing one system; the whole landscape is involved

Security in an organization: a lifecycle
- It all starts with a clear governance structure, policies, guidelines, ...
- Budget allocation for security should not be underestimated
- Protection
  - Apply your security policy
  - Implement an ABAP coding process with attention to security
  - Secure your perimeter
  - Conduct regular penetration testing
- Detection
  - Use Solution Manager to the full extent
  - Implement other tools to augment the security level
- Response
  - Have a dedicated security team with decent skills on the SAP level

Affiliations and partnerships

Q&A
Thank you for your attention
Tim Lynen, Manager, axl & trax
Certified SAP NetWeaver Security Consultant, CRISC
tim.lynen@axl-trax.com