With the vast majority of SAP user activity taking place at the application level, it stands to reason that security professionals should focus their access management efforts in this domain.
Yet in doing so, they often neglect the infrastructure on which those applications run - despite the fact that all data stored in the programme layer is equally available via the infrastructure.
An organisation’s underlying infrastructure is a complex web of operating systems, databases, network connections, servers and interfaces, all pushing and pulling data around the business. As such, it represents an almost infinite array of access points that, without proper access controls, pose significant risk.
In many cases though, these risks are overlooked, with infrastructure managed purely for performance, not security.
While SAP security experts take care of the application layer, infrastructure is often passed off to operational teams with more limited knowledge of SAP security and access management best practices.
These teams are usually tasked with just one key goal: to keep SAP up and running.
As a result, while access may be managed appropriately at the application level, access to infrastructure often remains wide open.
At the very least, this puts the organisation at significant risk of regulatory compliance breaches because today’s key legislation covers all places where data is stored, processed and transmitted.
Auditors, too, are increasingly looking beyond application controls and into infrastructure, providing more cause for concern for organisations failing to cover both bases.
In addition, there is the potential downtime and disruption that would be caused by an actual incident, the likelihood of which also naturally increases with poor access management provisions.
SAP S/4 HANA - a further complication?
As more and more SAP customers migrate to SAP S/4 HANA, the security challenge arguably intensifies further.
SAP S/4 HANA allows multiple different ways of accessing databases, meaning more connections to infrastructure that could theoretically be compromised.
What’s more, some SAP S/4 HANA users are creating end users on the database itself, giving rise to further issues around secure permissions.
More user accounts mean more avenues of attack, abuse or mistake, as it's no longer just the DBA or Unix administrators who have access. With SAP S/4 HANA, anyone who manages one of the connected applications has access too - extending the requirement for greater control.
Gaining control over infrastructure
Rising levels of threat and legislation mean it’s time for all organisations to take firmer control of their infrastructure, extending access management beyond the application layer, regardless of whether they are migrating to SAP S/4 HANA.
Addressing the following four key questions will determine current levels of control – and therefore where this needs to be increased:
1. Who has access to the organisation's infrastructure?
It should be straightforward. In an ideal world, only the basis team, database admins, backup administrators and some Unix administrators or operating system administrators should have access at infrastructure level.
But more often than not, access extends much further. There may be old accounts still in existence, left behind from team members or third parties who have since moved on. In most instances, these accounts would not be closed automatically.
Depending on the validation protocols, password sharing could also be taking place, spreading the network of access further still.
2. Are users’ changes being logged appropriately?
Enabling logging functionality is essential to maintain visibility on who’s accessing the organisation’s infrastructure and what they’re doing.
It will enable critical changes, system restarts or any other significant events to be monitored, and any instances of inappropriate use to be detected.
However, in order for the logging to be effective and insightful, it’s crucial that users are logging in with their own identifiable credentials. More often than not, that isn’t the case - they’re using shared accounts, or accounts incompatible with the enterprise’s naming conventions.
3. Is the access appropriate?
Once it has been ascertained who has access to the infrastructure, the organisation also needs to know if that access is appropriate in every case.
Why do the individuals in question require the access they have? Who are they, what is their job role, and what part of that role makes access a necessity? Are they even using their access?
Without this kind of insight on users, it's impossible for the business to know if its permissions are appropriate.
Ultimately, the key question to answer here is what access should a user have, as opposed to what access do they have?
Even if access has historically been given (with justification) to certain roles, it may not be necessary for every individual in that position - and unnecessary access is simply unnecessary risk.
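As an added illustration (not part of the original article), the first three questions can be turned into a repeatable review over an export of operating system and database accounts. The inventory rows, the naming pattern, the 90-day dormancy threshold and the multiple-source heuristic for shared credentials are all assumptions made for this example; the approved roles follow the list given under question 1.

```python
import re
from datetime import date

# Assumed policy values (hypothetical, chosen for this example)
NAMING = re.compile(r"^[a-z]{2}\d{5}$")   # personal ID convention, e.g. jd10442
APPROVED_ROLES = {"basis", "dba", "backup_admin", "os_admin"}  # per question 1
DORMANT_DAYS = 90

# Constructed inventory: one row per OS or database account on an SAP host
ACCOUNTS = [
    {"user": "jd10442", "layer": "os", "owner_role": "os_admin",
     "last_login": date(2024, 5, 28), "sources": {"192.0.2.17"}},
    {"user": "dbshared", "layer": "db", "owner_role": "dba",
     "last_login": date(2024, 5, 30),
     "sources": {"192.0.2.21", "192.0.2.44", "198.51.100.9"}},
    {"user": "mk20981", "layer": "os", "owner_role": "former_contractor",
     "last_login": date(2023, 9, 2), "sources": {"198.51.100.30"}},
    {"user": "ts30117", "layer": "db", "owner_role": "app_manager",
     "last_login": date(2024, 5, 31), "sources": {"192.0.2.60"}},
    {"user": "rb40550", "layer": "db", "owner_role": "basis",
     "last_login": None, "sources": set()},
]

def review(accounts, today):
    """Return {user: [issue codes]} for accounts that need follow-up."""
    findings = {}
    for acct in accounts:
        issues = []
        # Q2: logs only identify a person if the account name is personal
        if not NAMING.match(acct["user"]):
            issues.append("naming")
        # Q1/Q3: the owner's role must justify infrastructure access
        if acct["owner_role"] not in APPROVED_ROLES:
            issues.append("role")
        # Q3: access that is never or no longer used is unnecessary risk
        last = acct["last_login"]
        if last is None or (today - last).days > DORMANT_DAYS:
            issues.append("dormant")
        # Q2: logins from several hosts suggest shared credentials (heuristic)
        if len(acct["sources"]) > 1:
            issues.append("shared")
        if issues:
            findings[acct["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in review(ACCOUNTS, date(2024, 6, 1)).items():
        print(f"{user}: {', '.join(issues)}")
```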
4. How quickly could the organisation act in the event of an incident?
While assessing how the infrastructure access is secured and controlled, it’s important to take the worst case scenario into consideration.
If controls were to fail and the database went down, how quickly would the organisation be able to act? How soon before it could get its systems back online?
Beyond that - how quickly and easily could it find out what happened and who caused it? Could any of this be proved?
Regardless of how fast a business might be able to get up and running again, it’s these final two points that will ensure disaster doesn’t strike twice.
In summary
While SAP security professionals focus heavily on access management across the application layer, securing access to the underlying infrastructure is often something of an afterthought.
Yet all the data stored within the application itself is also available via the infrastructure - and the risk of malicious data access or internal misuse at this level is often just as high.
Organisations must, therefore, start to take firmer control of infrastructure access management, starting by addressing the four key questions above to define their current status.
For those unable to answer in a satisfactory fashion, a more thorough investigation into infrastructure access will be required to ascertain the risks, and tighten the lock on business data’s back-door.