Why SAP Security matters

The growing importance of Cyber Security has become evident recently by the increasing number of media reports of high-profile breaches and data theft. Understandably, the actual source of those breaches is usually not revealed. However, for most companies, especially larger corporations, those data resides in their Enterprise Resource Planning (ERP) systems. Therefore it is safe to say that a considerable number of those attacks have been targeted at ERP systems. 

Continuing the argument, the single biggest supplier of ERP systems is German-based SAP. To illustrate the importance of SAP systems all over the world, let me state a few numbers: SAP, while focusing on bigger companies, still has approximately 300.000 customers world-wide. This results in a few interesting facts: 

• 77.0000 cars are produced each day using SAP software
• 52% of all movies are produced by SAP customers
• 65% of all television sets produced rely on SAP systems. 
• More importantly: 72% of the world’s beer production lies in the hand of SAP customers. 

These facts alone stress the importance of securing SAP systems. Unfortunately, SAP systems often are the weak link in a cyber security strategy. In fact, the Ponemon institute, which specializes in research on ERP security, estimates that 95% of all systems are vulnerable for both outside and inside attacks . My own experience supports the view that this is by no means exaggerated. 

To understand this seemingly high vulnerability ratio, it is necessary to understand the history of SAP systems. When SAP released their best-selling product R/3 in the early nineties, it fueled the transition of SAP from a local software vendor to one of the biggest IT corporations in the world. Back then, SAP systems were isolated silo systems, with hardly any connection to the overall IT infrastructure. This resulted in some developments which still affect SAP security today: 

• In the past, the SAP department was (and in quite a few instances still is) separated from the overall IT organization. Consequently, when cyber security became more of a focus topic, the IT department didn’t feel responsible for also securing SAP systems. 
• When the Internet swept across corporate IT departments starting in the early nineties, SAP systems were slow to adapt, mainly due to the difficulty of applying upgrades to a software which effectively controls the entire company. Consequently, a lot of security fixes are not implemented by customers at all.
• The difficulty of upgrading an SAP system also means that the underlying architecture of SAP systems has not seen major changes since it was designed in the early 90s. Nevertheless, SAP products have evolved over time to account for increased connectivity. In other words: the complexity of SAP system grew while the basics still rely on concepts developed more than 20 years ago. That fact itself increases the attack surface of SAP systems. 
• SAP has done their part to tackle security issues: ever since the so called “patch Tuesday” was introduced in 2010, SAP has continuously worked on securing their solutions. However, for the reasons stated above, customers have been hesitant to follow SAPs lead. Which means that most companies treat SAP security as a matter of low priority, if they have it in focus at all. 

Of course, SAP is a huge platform with solutions for almost any industry. To illustrate: The SAP business suite consists of 319 million lines of code. Compare that to 67 millions lines of code for a Debian Linux operating system or 44 million lines of code for the Microsoft office suite, and the complexity of an average SAP system becomes evident. Additionally, SAP systems are heavily adapted to customers’ processes: an average SAP system contains about 2 million lines of custom code. Not to mention thousands of settings relevant for security in any given SAP installation. In fact, regardless of which industry solution customers are using, all potential issues mentioned above are valid for all installations of SAP. There is light at the end of the tunnel, though: the recent shift to the HANA platform which uses In-memory-computing not only signifies an entirely new architecture, but increased security as well. But, again: ERP systems run most business processes in a company and are therefore slow to adapt, which means that the old SAP system architecture will be around for quite a while. In other words: maintaining a highly secure SAP environment is time-consuming and costly for SAP customers. 

What is the alternative, though? I think we can agree that following a three-monkeys-approach to SAP security is not a valid solution. Instead, three measures should be implemented by any company running SAP: 

• Make SAP security a focus topic. After all, the most valuable data, the “crown jewels” of any company, usually reside inside the SAP system
• Get to know SAP security. SAP security is very different to cyber security in general, therefore it is vital to allocate dedicated resources who know the specifics of SAP security to the matter. 
• Make use of specialized SAP security solutions. As mentioned above, SAP security is a very complex topic and there are a few vendors which specialize in SAP security tools, ranging from solutions to validate custom code to preventing unauthorized data download. 

In any case, SAP security should be an integral part of a cyber security. After all, no one wants the world’s beer production to run dry. 

¹http://www.darkreading.com/operations/5-reasons-sap-security-matters-/d/d-id/1324468