In the past few months there have been several high-priority SAP security incidents. One long-known SAP vulnerability, still exploitable on unpatched systems, prompted the United States Department of Homeland Security to issue a rare security alert.
10 Tricks to Prevent an SAP Security Breach:
1. SAP configuration settings:
A company’s IT security policy should specify mandatory software requirements for things such as minimum password length, password strength, number of password fails allowed before account lockout, etc.
The SAP profile parameters that enforce these policies are listed below. Check their current values with transaction RZ11 or report RSPARAM, and set them in the default or instance profile with RZ10; a profile change takes effect at the next instance restart unless RZ11 allows the parameter to be switched dynamically:
- login/password_expiration_time (default 0, recommended 30): users are forced to change their SAP password after this number of days. The default of 0 means passwords never expire.
- login/min_password_lng (default 3 on older releases, 6 as of SAP NetWeaver 7.0; recommended 8+): sets the minimum password length.
- login/fails_to_session_end (default 3, recommended 3): number of incorrect passwords a user may enter before SAP ends the logon session.
- login/fails_to_user_lock (default 12 on older releases, 5 as of SAP NetWeaver 7.0; recommended 5): number of incorrect passwords a user may enter before SAP locks the user master record against further logons. Such locks are released automatically at midnight when login/failed_user_auto_unlock is 1; set it to 0 so that a locked user stays locked until an administrator releases it.
2. Accessing generic user accounts:
SAP comes with a number of standard accounts (SAP*, DDIC, SAPCPIC, EARLYWATCH and TMSADM among them). They are intended for initial installation and setup, and their default passwords are well known, so it is critical that these IDs are secured once the initial setup activities are complete.
The most critical of them is SAP*. Its status, and that of the other standard users, can be checked in every client with report RSUSR003, which also flags whether a standard user still carries its default password.
The passwords of these accounts must be changed in every client, and the high-privileged profiles (SAP_ALL and SAP_NEW) removed from them. Note that SAP* must be secured, not deleted: if no user master record exists for SAP* and login/no_automatic_user_sapstar is 0, the kernel accepts a logon as SAP* with a hard-coded, widely known password and grants it full authorization. Keep the SAP* user master record in every client (including the standard clients 000 and 001), give it a strong password, remove all its profiles, lock it, and set the system parameter login/no_automatic_user_sapstar = 1.
3. High-Privileged Access Procedure:
Roles should be defined to cover the day-to-day access needs of support and project teams. For situations those roles do not cover, such as debugging a problem that cannot be reproduced in a non-production system, users need a defined escalation path to temporary extended rights. Such access must be approved by the head of SAP application support (or a similar authority), granted for a defined period, and its use logged and reviewed.
4. Allocating Wide Access Profiles:
SAP is delivered with a number of high-privileged generic profiles that grant wide access to the system. They should only be used during initial setup and for specific post-setup emergencies.
The most important one to know is SAP_ALL, which contains every authorization object with full values and therefore permits every transaction and action in the SAP system. Use report RSUSR002 (or transaction SUIM) to list the users who hold SAP_ALL or SAP_NEW in production, and treat every entry as a finding that must be justified or removed.
5. Maintain Properly Configured Systems:
Maintaining properly configured systems reduces the risk of cyber attacks. Homeland Security issued a security alert stating that at least 36 organizations were vulnerable because of unpatched, misconfigured and outdated SAP systems, putting their entire business at risk. The vulnerability affected not only SAP ERP but also SAP SCM and other components of the Business Suite.
Even though the vulnerable setting could easily be switched off, as Reuters reported, “SAP has fixed the issue, but left the decision over whether to switch off an easy access setting up to its customers, who may sometimes place a higher priority on keeping their business-critical SAP systems running than on applying security updates.”
6. Ensure your SAP Applications are Updated:
The vulnerability mentioned above affected not only the SAP platform but also many other components of the Business Suite. Keep the SAP applications you run (ERP, SCM and the rest) patched and up to date as well as the underlying platform; an application's patch level should not lag behind the basis it runs on.
7. Install SPS (Support Package Stacks):
SAP releases Support Package Stacks periodically: sets of support packages and patches for a given product that are meant to be applied together. SAP recommends applying the current stack at least once a year and publishes the maintenance schedule on its website. A stack is not a substitute for the monthly SAP Security Notes published on SAP Security Patch Day; those should be reviewed and applied as they appear, not held back for the next stack.
8. Return to Standard Code:
Custom code is code that SAP never updates or patches: every Z-program and modification is yours to maintain, and it is a standing source of risk. As the language and the standard applications evolve over the years, vulnerable technical debt accumulates in custom legacy code unless it is reviewed and maintained.
Eliminating unused custom code and returning to the standard installation wherever the standard covers the requirement reduces both the attack surface and the patching burden.
9. Providing Access to Sensitive Functions:
In an integrated system like SAP, sensitive administration functions and business transactions live in the same environment and are reached the same way. It is therefore crucial that sensitive functions, such as user and role maintenance (SU01, PFCG), direct table access (SE16), development (SE38) and RFC destination maintenance (SM59), are restricted so that only the selected individuals responsible for those activities can execute them.
Any user who can reach these transactions can effectively take over the system, so access to them by ordinary business users is a vulnerability in its own right.
10. Giving Access to Users of SAP:
Business ownership of security, of who can do what in an SAP system, is vital to ensuring that adequate control is in place. Only the business can judge the implications of letting a payments clerk also approve vendor invoices or employee expense claims, so the business must decide whether one person may combine those activities. It is essential, therefore, to define which members of staff may access each SAP function and to review those assignments continuously against the segregation-of-duties rules the business has set.
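As an added example that is not part of the original article, the following Python code shows how the two access controls in sections 9 and 10 can be checked from role data rather than by inspection: sensitive administration transactions held outside the administration team, and segregation-of-duties conflicts that only appear when a user's roles are combined. On a real system the role-to-transaction and user-to-role assignments would be exported from tables AGR_TCODES and AGR_USERS (or via SUIM); here the roles, users, the list of sensitive transactions and the rule set are constructed for illustration and are not a complete or authoritative segregation-of-duties matrix.

```python
from typing import Dict, List, Set, Tuple

# Sensitive administration transactions (section 9).  The codes are real SAP
# transactions; which ones count as sensitive is a local decision, so this
# list is illustrative rather than complete.
SENSITIVE_TCODES: Dict[str, str] = {
    "SU01": "user maintenance",
    "PFCG": "role maintenance",
    "SE16": "table browser",
    "SE38": "ABAP editor",
    "SM59": "RFC destination maintenance",
    "SCC4": "client settings",
}

# Business functions, the transactions that implement them, and the pairs one
# person must not combine (section 10).  Constructed rule set for illustration.
FUNCTION_TCODES: Dict[str, Set[str]] = {
    "maintain vendor master": {"FK01", "FK02", "XK01", "XK02"},
    "enter vendor invoices": {"FB60", "MIRO"},
    "run vendor payments": {"F110", "F-53"},
}
SOD_RULES: List[Tuple[str, str]] = [
    ("maintain vendor master", "run vendor payments"),
    ("enter vendor invoices", "run vendor payments"),
    ("maintain vendor master", "enter vendor invoices"),
]

# Constructed role and user data in the shape of AGR_TCODES / AGR_USERS.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FBL1N"},
    "Z_AP_PAYMENTS": {"F110", "F-53", "FBL1N"},
    "Z_VENDOR_MASTER": {"FK01", "FK02"},
    "Z_REPORTING": {"SE16", "FBL1N"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SE16", "SM59"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "CLERK01": {"Z_AP_CLERK"},
    "CLERK02": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},   # invoices and payments combined
    "ANALYST01": {"Z_REPORTING"},                  # SE16 outside the Basis team
    "BASIS01": {"Z_BASIS_ADMIN"},
}
ADMIN_TEAM: Set[str] = {"BASIS01"}   # assumed list of authorised administrators


def effective_tcodes(user: str, user_roles: Dict[str, Set[str]],
                     role_tcodes: Dict[str, Set[str]]) -> Set[str]:
    """All transactions a user reaches through any of their roles."""
    tcodes: Set[str] = set()
    for role in user_roles.get(user, set()):
        tcodes |= role_tcodes.get(role, set())
    return tcodes


def sensitive_access_findings(user_roles: Dict[str, Set[str]],
                              role_tcodes: Dict[str, Set[str]],
                              admin_team: Set[str],
                              sensitive: Dict[str, str] = SENSITIVE_TCODES
                              ) -> List[Tuple[str, str, str]]:
    """(user, tcode, role) for each sensitive transaction held outside the admin team."""
    findings: List[Tuple[str, str, str]] = []
    sensitive_codes = set(sensitive)
    for user, roles in sorted(user_roles.items()):
        if user in admin_team:
            continue
        for role in sorted(roles):
            for tcode in sorted(role_tcodes.get(role, set()) & sensitive_codes):
                findings.append((user, tcode, role))
    return findings


def sod_findings(user_roles: Dict[str, Set[str]],
                 role_tcodes: Dict[str, Set[str]],
                 function_tcodes: Dict[str, Set[str]] = FUNCTION_TCODES,
                 rules: List[Tuple[str, str]] = SOD_RULES
                 ) -> List[Tuple[str, str, str]]:
    """(user, function_a, function_b) for every rule a user violates.

    The check runs on the union of all the user's roles, so a conflict is
    reported even when each individual role is clean on its own.
    """
    findings: List[Tuple[str, str, str]] = []
    for user in sorted(user_roles):
        held = effective_tcodes(user, user_roles, role_tcodes)
        functions = {f for f, tcodes in function_tcodes.items() if held & tcodes}
        for a, b in rules:
            if a in functions and b in functions:
                findings.append((user, a, b))
    return findings


if __name__ == "__main__":
    for user, tcode, role in sensitive_access_findings(USER_ROLES, ROLE_TCODES, ADMIN_TEAM):
        print(f"sensitive: {user} has {tcode} ({SENSITIVE_TCODES[tcode]}) via {role}")
    for user, a, b in sod_findings(USER_ROLES, ROLE_TCODES):
        print(f"SoD conflict: {user} can both {a} and {b}")
```

On the constructed data the first check flags ANALYST01, whose reporting role carries SE16, and the second flags CLERK02, who can both enter vendor invoices and run the payment run. Neither Z_AP_CLERK nor Z_AP_PAYMENTS violates a rule by itself; the conflict exists only in the combination, which is why the check has to be run per user over the union of their roles and repeated whenever assignments change.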
The key is to remember that the CIO is accountable for the overall security and compliance of the enterprise. At that level there is little room for a distinction between general IT security, such as email, firewalls and web servers, and SAP security, which covers how people access the system, the data they process and the functionality they execute. Effective IT departments view the security picture in its entirety across the whole organization, and thereby reduce the risk of breaches of any kind.