Layer Seven Security

Security Compliance for SAP RISE Solutions

S/4HANA and other ABAP systems provisioned by SAP for RISE customers are based on standard system builds. The builds include default settings to apply security by default based on hardening requirements and best practices. The settings are outlined in SAP Note 3250501 – Information on Mandatory Security Parameters & Hardening Requirements for ABAP systems in SAP Enterprise Cloud Services (ECS).

The requirements include recommended settings for security-relevant profile parameters, deleting unused clients, securing standard users, restricting access to password hashes, RFC gateway and message server hardening, deactivating critical ICF services, managing system and client change options, and applying transport layer security. There are over 120 specific requirements across 12 areas that customers must abide by to comply with SAP security standards for RISE solutions.

The Cybersecurity Extension for SAP (CES) performs automated gap assessments to ensure RISE solutions comply with SAP security requirements. The assessments are performed using Compliance Reporting accessed from the CES launchpad.

SAP RISE should be selected from the framework selection screen.

Once the framework is selected, you can select a target system from the available systems in your SAP RISE landscape and click on Execute.

The results are summarized for each requirement and an overall compliance score is calculated for the system.

You can drilldown into each requirement to navigate the detailed findings.

You can click on the > icon for each finding to view further information and create an action plan to manage the remediation of compliance issues.

The report filters can be used to focus on specific requirements or results. For example, you can suppress compliant areas to isolate compliance failures.

Shortcuts can be created and published to the Fiori launchpad for fast access to compliance results.

The shortcuts can be published as custom tiles to existing or new work groups.

Compliance reports can also be scheduled to run on regular intervals. The reports are automatically distributed in PDF or CSV to recipients by email during each run.

The Cybersecurity Extension for SAP is an SAP-certified addon for SAP Solution Manager and SAP Focused Run. An addon version for other SAP NetWeaver AS ABAP systems such as SAP GRC is expected in Q4 this year.

SAP Cybersecurity Buyers Guide from SAPinsider

The SAP Cybersecurity Buyers Guide from SAPinsider provides a valuable, independent assessment of the capabilities of technology vendors and consultants for SAP security solutions and services. The guide reviews key solution providers and consultants in the cybersecurity domain for SAP. It performs a Vendor Capability Assessment across the following areas:

Threat Intelligence and Detection
Access and Identity Management
Data Protection and Encryption
Vulnerability Management
Incident Response and Forensics
Cloud Security and Compliance
Secure Code and Application Review

The Cybersecurity Extension for SAP is a featured vendor in the Buyers Guide and acknowledged in the review for its strong coverage in all areas. The solution is also cited for its support for S/4HANA and cross-stack security in SAP systems including application, database and host layers, rapid deployment, and lower costs and maintenance compared to alternatives.

DOWNLOAD

SAP Solution Manager, Private Cloud Edition, for SAP RISE Customers

Usage rights for SAP Solution Manager are included in SAP support and maintenance agreements for on-premise SAP solutions. The rights include database licenses for SAP HANA and ASE. Customers with Enterprise Support agreements have usage rights for all functional areas of Solution Manager, whereas customers with Standard Support agreements have restricted rights that include commonly used areas such as Change and Release Management (ChaRM), System Recommendations, and System Monitoring, but excludes areas such as Custom Code Management and Business Process Analytics.

SAP Cloud ALM is an alternative Application Lifecycle Management (ALM) solution that is provided to SAP customers with active cloud services. It can be used for both cloud and on-premise SAP solutions. Enterprise Support customers have usage rights for Cloud ALM but customers with cloud services and no on-premise solution supported by SAP do not have usage rights for Solution Manager.

There is currently no feature parity between Cloud ALM and Solution Manager. In other words, Cloud ALM does not support the same scenarios as Solution Manager. Since many customers require ALM functions that are not provided by Cloud ALM, SAP provides cloud-only customers with the option to subscribe to SAP Solution Manager, Private Cloud Edition (PCE).

Solution Manager PCE is the successor to SAP Solution Manager for SAP S/4HANA Cloud and like its predecessor, it is available in two versions: Project Documentation and Full. The main difference between the two versions is that the project documentation version is deployed as a single-system landscape, whereas the full version is deployed as a dual-system landscape, similar to on-premise installations. The full version is required to support the deployment of agents to managed systems.

Cloud-only customers can order the full version of SolMan PCE from SAP Enterprise Cloud Services (ECS) using SKU 8014172 providing they are using SAP S/4HANA or ERP on RISE. It is provisioned by SAP ECS within 30-40 days and includes SAP HANA.

The Cybersecurity Extension for SAP can be deployed to both on-premise and cloud installations of SAP Solution Manager. This includes SolMan PCE for RISE customers. Layer Seven Security provides a fully managed service for RISE customers that includes setup and maintenance of SolMan PCE.

Maximize Your SAP Security Budget: How to Cut Costs Without Downgrading Cybersecurity

According to a recent report from SAPinsider, almost two-thirds of organizations are placing cybersecurity projects on hold or scaling back planned investments in cybersecurity due to the current economic climate. 18 percent of organizations are reducing the size of cybersecurity teams. The latter can have a drastic effect on collaboration and morale. The impact is also long-lasting and difficult to reverse. According to the Ponemon Institute, it takes an average of 7.3 months to recruit and train security analysts. The training required by new analysts also draws time from experienced analysts, reducing the overall effectiveness of cybersecurity teams.

Organizations are experiencing budgetary and resource constraints against a background of rising cyber attacks. The SAPinsider report quotes JP Perez-Etchegoyen, CTO of Onapsis, “threat actors aren’t going to slow down because of a recession. The risk is real, and the impact is huge. We see threat actors targeting organizations even more now than before.”

This article discusses several ways organizations can manage cyber threats without increasing cybersecurity budgets or resources. In fact, many of the recommendations will lead directly to cost savings and the more efficient use of resources in cybersecurity teams.

1. Eliminate Duplicate Security Solutions

Based on research performed by IBM Security and the Ponemon Institute, organizations deploy an average of 45 security solutions. The quantity of tools used by organizations does not lead directly to improved cybersecurity. Organizations using 50 or more tools were ranked as less able to detect and respond to attacks than those using fewer tools. Increasing the number of security solutions creates complexity, requires more employee training, and creates integration issues. Since security solutions can also suffer from software vulnerabilities and widen the attack surface, too many solutions can increase both workloads for regular patching and aggregate risk.

SAP Application Lifecycle Management (ALM) platforms such as SAP Solution Manager, SAP Focused Run, and SAP Cloud ALM are widely-used for monitoring and diagnostics scenarios in SAP landscapes. With the exception of SAP Focused Run, usage rights for the platforms are included in SAP support agreements. The platforms include direct connectivity to SAP systems and applications to extract and analyze configuration, software and user-related data in SAP applications, databases and hosts. The platforms also include security tools to support vulnerability management and patch management.

Organizations can leverage these ALM platforms to perform many of the same functions of costly third-party alternatives. This will avoid unnecessary license fees and installing and maintaining hosts, connections, agents and users required by third party tools.

Organizations can extend the capabilities of ALM platforms using addons such as the Cybersecurity Extension for SAP from Layer Seven Security for areas such as threat detection and custom code security. This is less costly and involves less maintenance than third party solutions that require separate servers, infrastructure and connections, including external connections to other networks using Internet protocols.

2. Minimize Manual Steps in SAP Security Patching

Regularly patching SAP systems is the single most important action you can take to secure business-critical SAP applications from cyber threats. Despite the concern surrounding zero-day vulnerabilities, every known SAP exploit targets existing vulnerabilities patched by SAP through security notes. In other words, there is no evidence of the exploitation of zero-day vulnerabilities for SAP applications. However, there is a wealth of evidence for the exploitation of known vulnerabilities that have been fully patched by SAP. This includes well-known SAP vulnerabilities such as ICMAD, RECON and 10KBLAZE.

Organizations take an average of three months to implement hot news notes for critical SAP vulnerabilities. Yet threat actors can weaponize SAP vulnerabilities within 72 hours of a patch release. Therefore, it is important to minimize the window of opportunity for attackers by rapidly discovering, analyzing and implementing SAP security notes.

System Recommendations (SysRec) in SAP Solution Manager should be used to automate the discovery and full lifecycle management of SAP security notes. SysRec is a standard application, recommended by SAP for patch management. It is automatically enabled during the installation and setup of Solution Manager. However, many of the security notes reported by SysRec are false positives. SAP administrators spend a great deal of time manually validating the results of SysRec every month to remove false positives. The workload is especially high in large SAP landscapes with large volumes of systems. The Cybersecurity for SAP automatically identifies and removes false positives in System Recommendations. This improves the quality and reliability of security notes calculated by SysRec and removes the need to manually validate notes before applying corrections.

3. Automate SAP Compliance Audits

SAP solutions often support business-critical processes such as financial reporting, customer relationship management, and human capital management and therefore need to comply with strict standards for information security. This includes requirements for secure configuration, system changes, and administrative access. SAP solutions are subject to regular audits by internal and external auditors and other groups to confirm compliance with such requirements. The audits can place a significant burden on SAP teams. Automating audits can lead to significant improvements in the quality and timeliness of compliance monitoring and lower the manual effort involved in gathering evidence, analyzing results and reporting findings.

Compliance Reporting in the Cybersecurity Extension for SAP automates compliance gap assessments for SAP solutions. This includes regulatory frameworks such as SOX, GDPR and PCI DSS, industry standards such as HIPAA HITRUST and CIP, and security standards such as CIS, NIST and ISO. It also supports SAP frameworks such as the SAP Security Baseline and the S/4HANA Security Guide. Customers can also create and publish custom frameworks for monitoring compliance against company-specific policies and standards. Reports can be scheduled and automatically sent to stakeholders including compliance and audit teams on a regular interval.

4. Tune Security Alerts

Security solutions can trigger alerts and notifications for suspected security incidents that upon further investigation are false positives. Solutions can also overwhelm users with a large volume of alerts that cannot be realistically investigated with available resources. The latter scenario is known is alert flooding. This leads to wasted effort and reduces the confidence level of end users in the underlying solutions. It can also increase infrastructure costs through higher data volumes and events per second.

False positives and alert flooding can be minimized by tuning alerts for specific systems and landscapes. This enables security solutions to learn the unique event and user patterns for each system and exclude the patterns from alerting. The Cybersecurity Extension for SAP supports advanced tuning for event collection and alerting. Users can maintain exclusions for alerts based on user, client, event ID, transaction, source/ destination IP or terminal, and other variables to prevent false positives and alert flooding. Users can also select enable/ disable specific alerts to customize monitoring and focus, for example, on critical or high priority incidents only.

5. Automate Incident Response

Automating incident response for security alerts can improve the efficiency of security operations and response times. It also supports compliance with standard operating procedures for incident management since there is less risk of human error. The guided procedure framework in SAP Solution Manager and SAP Focused Run includes a library of automated alert reaction procedures.  SAP users can also use the framework to author their own procedures as custom guided procedures. The procedures can automate routine tasks such as transaction, program or report execution, as well as more complex tasks such as locking/ unlocking users or restarting systems that may have been disrupted by a denial of service attack.

The Cybersecurity Extension for SAP also includes incident response procedures that users can execute to investigate security alerts. The procedures provide best practices and playbooks for responding to alerts and enable users to document findings, attach evidence, generate reports, and manage the status of alerts. It also provides a complete audit trail for each investigation performed by analysts.

6. Integrate SAP Logs with SIEM Solutions

Security Information and Event Management (SIEM) solutions enable Security Operations Centers (SOC) to ingest and monitor logs from various endpoints in networks. They provide a centralized platform for monitoring multiple assets within an enterprise. Centralized monitoring through a single or multiple SOCs can improve efficiency and lower costs, as well as improve visibility and capability to respond to threats across different assets.

There are inherent challenges with integrating SAP logs with SIEM solutions. The challenges are discussed in detail in the whitepaper SIEM Integration for SAP from Layer Seven Security. The Cybersecurity Extension for SAP supports seamless integration with SIEM solutions. It removes the effort and complexity for successfully ingesting SAP logs. This is achieved through filtering, normalizing and enriching of SAP logs and through the creation of a single point of integration between SIEM solutions and a data source containing event logs from all target SAP systems.

What to Expect in the Cybersecurity Extension for SAP Version 5.0

Version 5.0 of the Cybersecurity Extension for SAP (CES) is scheduled for general availability in September. It includes several enhancements, configuration checks and new patterns to improve vulnerability management and threat detection for SAP solutions. This article discusses some of the key changes.

Trend Analysis
Trend Analysis is a new application in CES that tracks changes in vulnerabilities, security notes, and alerts over two years. It can be used to monitor security results across periods. For example, the number of vulnerabilities in the current period can be compared with results from the prior month to assess the effectiveness of remediation activities. Results can be analyzed using daily, weekly, monthly, or quarterly intervals, as well as custom date ranges. Results are visualized using multiple charts and tables with the option to export results. The advanced filter can be used to focus trend analysis for specific business units, areas, landscapes, systems, priorities, and other variables.

Systems
Systems is another new application in CES. It displays system information for targets that are monitored by CES. Target systems are selected from the available managed systems in SAP Solution Manager and SAP Focused Run. System information is displayed in cards for each system. The information includes attributes such as the SAP System ID, landscape, environment, priority and group. Groups are typically business units that are maintained during the installation phase. The application includes a filter to search for specific systems based on attributes.

Actively Exploited Vulnerabilities
CES version 5.0 automatically detects actively exploited vulnerabilities. The vulnerabilities are identified and flagged based on automated correlation with event logs and alerts in CES. Results in Vulnerability Management can be filtered to focus on vulnerabilities that have active alerts. Users can also create and publish alarms to their Launchpads for actively exploited vulnerabilities using the Save as Tile option.

SAP GRC Integration
SAP GRC identifies users with access to sensitive functions and conflicting functions that should segregated between users. It also detects if the functions that comprise an access risk are executed by users. CES v5.0 integrates with SAP GRC to report and alert for access risks where the relevant sensitive or conflicting functions are executed by users.  This enables organizations to be notified immediately for access violations and investigate the risks using the incident response capabilities of the Cybersecurity Extension for SAP.

Report Scheduling
The Cybersecurity Extension for SAP supports export to PDF, CSV and Excel for compliance, vulnerability and other security reports, including reports related to security notes, events and alerts. In earlier versions, the reports were exported on demand. Version 5.0 supports the scheduling and automatic distribution of reports by email. Users can customize email settings including the subject and text. Distribution lists are supported.

User Experience
CES v5.0 includes a redesigned application launchpad.

Vulnerability Management includes a card view for system selection. Users can switch to the dashboard view supported in earlier versions, if preferred.

Compliance Reporting also includes a redesigned interface for selecting frameworks and systems and navigating results.

Security Alerts includes a heat map for analyzing alerts by system and column charts for analyzing alerts by 24 hour, 7 day, and 30 day intervals.

SAP ASE
The Cybersecurity Extension for SAP supports full-stack monitoring for SAP systems including application, database and host layers. SAP ASE is a widely-used relational database server for SAP solutions. Version 5.0 includes extended support for ASE monitoring including new vulnerability checks for checking logon settings, remote logins, password policies, database users including default and inactive users, critical database roles, database encryption, and audit settings. It also delivers alerts for critical database events such as failed logons, locked users, logons by default users such as sa, changes to the database configuration including disabling auditing, role and user changes, new procedures or services, remote procedure calls, the execution of stored procedures, and table contents transferred to/ from external files.

SUSE Linux Enterprise Server
Version 5.0 includes several new alerts for SLES operating systems supporting SAP solutions. This includes alerts for locked and unlocked users, new users, login failures, password changes, replay attacks, users that switch to root, and threats from the execution of malicious programs in SAP hosts.

What’s New in the Cybersecurity Extension for SAP

The new release of the Cybersecurity Extension for SAP (CES) is scheduled for general availability on April 24. It includes several important enhancements, configuration checks and patterns for threat detection to further protect SAP solutions from advanced cyber threats.

The prior release of the CES provided capabilities for SAP customers to automatically discover and remove false positive security notes calculated by System Recommendations (SysRec) in SAP Solution Manager. This improved the quality and reliability of results in SysRec and reduced the manual effort required by SAP administrators to analyze security patches. The new release of CES extends the enhancements for SysRec by including CVE, CVSS and vector information for calculated security notes.

The new release also includes configuration checks for protection against directory traversal in ABAP systems. The checks review path validation for files with no defined physical paths and the definition of physical file paths for logical paths. Checks are also applied for settings in SAP Virus Scan Interface (VSI) profiles and supported MIME types. SAP VSI integrates with scanning engines to discover and block malware in file uploads and downloads from SAP solutions.

The new release includes extended checks for Unified Connectivity (UCON) including HTTP whitelists for protection against clickjacking attacks and relevant background jobs. It also includes extended checks for Read Access Logging including log domains, groups and fields. In addition, checks for the masking and encryption of payment card data are included in the new release.

There are over 210 checks for critical transactions in S/4HANA included in the release. Future releases will rollout authorization checks for solutions such as S/4HANA, ECC, BW/4HANA, BW, CRM. The checks will enable customers to use the Cybersecurity Extension for SAP to monitor critical access and segregation of duties in lieu of SAP Governance, Risk & Compliance (GRC), given the scheduled end of maintenance of GRC.

There are several new checks for code vulnerabilities in custom SAP programs. This includes checks for XSRF protection and the forceEncode attribute.

New patterns for detecting Indicators of Compromise (IOCs) in SAP solutions include successful and unsuccessful program installations, uninstallations and changes in Microsoft Server platforms for SAP. Similar patterns were included in earlier versions of CES for Linux platforms to support the detection of potential ransomware attacks.

IOCs are also included for the detection of changes to specific security-relevant parameters in SAP ABAP and HANA systems.

A new security framework has been added to CES for S/4HANA. The framework will enable customers to automatically check the compliance of S/4HANA systems with SAP requirements in the Security Guide for S/4HANA.

The new release of CES deprecates custom infocubes and process chains used in earlier versions. This dramatically improves the stability and performance of CES and the ability of the solution to rapidly process large data sets with minimal resources.

Security alerts for multiple hosts can be mapped to specific SAP System IDs in the new release. Also, filters for security alerts include a new field to support searching of security alerts based on time ranges using the format HH:MM:SS for start and end times.

Finally, vulnerability details now include tables containing the complete fields and values from source CCDB stores. The tables support data filtering and export.

The next release of the Cybersecurity Extension for SAP is scheduled for June 2023 and will include support for detecting IOCs in logs for SAP ASE databases, vulnerability and event correlation, and trend analysis for tracking changes in vulnerabilities, patches and alerts for periods covering up to two years.  

Configuration and Security Analytics with SAP Focused Run

SAP Focused Run supports real-time monitoring for high-volume SAP landscapes and customers with advanced requirements for system management, user and integration monitoring, and vulnerability management. Configuration and Security Analytics (CSA) in SAP Focused Run applies security policies to  discover vulnerabilities in SAP systems. The policies read the contents of configuration, software and user-related stores in the Configuration and Change Database (CCDB). The CCDB stores are refreshed daily using the Simple Diagnostics Agent (SDA), installed in SAP systems monitored by Focused Run.

This article explores capabilities in CSA for tuning security checks using exclusions, configuring alerts for critical vulnerabilities, and investigating security-related changes reported by CSA.

Exclusions can be applied to exclude specific checks in security policies. In the example below, we have applied an exclusion to exclude a check that validates the status of the standard DDIC user. The first step is to open to CSA in the Advanced Configuration Monitoring workgroup.

The next step is to select the relevant policy and select Exemption for Policies.

Select Create to add the exemption. Select the Check ID based on the available checks in the policy and add an Exception ID and Description.

You can add a date range if the exclusion is temporary and should be automatically removed after a target date. Once saved, the check will be excluded from the policy. Exemptions can be maintained and deleted after they are applied.

Alerts for systems that fail checks in security policies can be configured using Configuration Validation Alert Management.

Select Create and add an Alert ID and Description. The Alert Source should be set to Configuration Validation – Policy. Select the Policy and maintain options for Aggregation Level, Scope, Frequency and Severity. Select ON and click on Save to activate the alert.

Alerts can be configured for specific systems or groups based on Customer ID, Data Center, IT Admin Role, Lifecyle Status, or Networks.

IT Admin Role can be used to apply alerts for systems based on environments.

Email and SMS options for alert notifications can be maintained using Outbound Variants.

Alerts can be investigated and managed using Alert Management. In the example below, we can see the alert configured in CSA for changes to standard users. Alerts in Alert Management be integrated with SIEM and service desk solutions. For detailed information, refer to the SAP Help Portal.

Changes in SAP systems are captured and logged in CSA. This includes areas such as parameter settings, RFC destinations, ICF services, and user authorizations, profiles, roles, and transactions. The details of the changes can be viewed using the option to display change of configuration items. Select a time frame for changes using Time Frame Selection.

You can also maintain a custom time frame.

Select a system to view to view a summary of the changes.

Select a store to view the details of changes. In the example below, we can see the details of users that were assigned the SAP_ALL profile in a system over the last three months.

The details can be filtered, sorted and exported to Excel.

The Cybersecurity Extension for SAP integrates with CSA in Focused Run to apply thousands of security checks for known vulnerabilities in SAP solutions. It also integrates with System Monitoring in Focused Run to detect and alert for more than 600 indicators of compromise in SAP event logs. To learn how you can protect your SAP systems from cyber threats using the Cybersecurity Extension for SAP, contact Layer Seven Security.

Security Alerting with SAP Focused Run

SAP Focused Run provides real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers. It leverages SAP HANA to support centralized monitoring for up to thousands of systems in high-volume environments. Focused Run is intended to complement Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.

This article explores the alerting capabilities of SAP Focused Run using the workgroups Advanced System Management and Advanced Event & Alert Management.

Similar to SAP Solution Manager, Focused Run includes preconfigured monitoring templates and data providers for SAP platforms and solutions including ABAP, HANA, and Java. It also includes database and host templates for monitoring SAP infrastructure.  The standard metrics and alerts within the SAP-delivered templates include content for monitoring the availability and performance of SAP applications, components, agents, interfaces and infrastructure.

The Cybersecurity Extension for SAP extends the coverage of SAP Focused Run to include security monitoring.  The SAP-certified addon provides more than 500 metrics and alerts for detecting indicators of compromise in SAP logs. This includes ABAP logs such as the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Read Access Log, and Change Documents. It also includes support for the Audit Log in HANA platforms. The current version of the Cybersecurity Extension for SAP supports ABAP and HANA platforms. Future releases are expected to support Java systems and operating system logs in Linux hosts.

Alerts can be accessed using Alert Management in the Advanced Event & Alert Management workgroup.

Focused Run supports the grouping of systems into Customer IDs. This can be used to segment results for business units. Alert Management will summarize the results for the Customer IDs selected during the initial selection screen.

You can select the list view to display the current alerts.

You can open and view the details of alerts in the list. The example below is an alert triggered in a managed system for changes performed for the roles assigned to the standard SAP* user.

The Metrics tab includes information related to underlying event including the event timestamp, source IP, target IP, and user information. This information can be automatically integrated with Security Information Event Management (SIEM) systems. Notifications can be also sent for alerts through email or SMS using the Send Notification option in the Actions menu.

Alert Reporting in Alert Management provides a dashboard for monitoring alerts by date, category and systems.

Alerts can be also managed using System Monitoring in the Advanced System Management workgroup.

System Monitoring includes an Alert Ticker in the right pane that displays the latest alerts in real time.

The application also includes a hierarchal view for displaying alerts by managed object type including systems, application servers, instances, databases and hosts.

Securing the Journey to SAP S/4HANA

Earlier this month, Layer Seven Security released the new whitepaper Securing the Journey to SAP S/4HANA: A Security Framework for S/4HANA Migrations. The whitepaper provides a comprehensive guide to S/4HANA security to support the transition from SAP ERP to S/4HANA.

Mainstream maintenance for ERP will end in December 2027. Therefore, organizations must migrate to S/4HANA by the beginning of 2028. To date, only one third of organizations have migrated to S/4HANA. Therefore, the majority of SAP customers will be migrating over the next five years.

Security is one of the largest roadblocks to successful migrations. This is due to significant differences between ERP and S/4HANA that require the restructuring of access and technical controls. It is also due to concerns related to cloud security since almost 70% of organizations are electing to migrate to cloud-based S/4HANA installations. Other security concerns arise from the migration of custom SAP programs from ERP to S/4HANA. These programs often contain hidden and unresolved security vulnerabilities since they were never subject to in depth code vulnerability analysis.

The whitepaper includes detailed recommendations across twelve domains to deal with these and other security concerns and facilitate the smooth transition to S/4HANA. The recommendations are aligned to best practices in the SAP S/4HANA Security Guide. The whitepaper also includes guidance for automating pre and post go-live security checks for S/4HANA migrations using SAP Solution Manager and the Cybersecurity Extension for SAP.

Securing Microsoft Platforms with the Cybersecurity Extension for SAP

SAP systems consist of multiple integrated technological layers. SAP solutions comprise the application layer. The application layer is supported by database and operating system layers. The layers are closely integrated to form a software ecosystem linked through several connections including trust relationships that bond the layers to form an SAP system. The layers are more tightly integrated in SAP HANA installations where application, database and OS functions can share physical resources.

Since SAP systems are comprised of multiple layers, security must be applied across all layers within a system. Threat actors can bypass secure SAP applications by targeting weaknesses at the database or OS level to compromise SAP systems. Ransomware, for example, can lead to a denial-of-service for SAP services by exploiting vulnerable operating systems. Application-level data protection mechanisms can be bypassed by exfiltrating data in SAP solutions directly from the database.

The need to secure databases and operating systems in SAP systems is more pressing when SAP applications are coupled with Microsoft platforms that are widely targeted by threat actors and suffer from a host of known vulnerabilities and exploits. The Cybersecurity Extension for SAP is the only security solution that secures all layers within SAP systems including databases and operating systems.

Together with over 2000 vulnerability checks for SAP solutions, the Cybersecurity Extension for SAP performs automated vulnerability scans for Microsoft SQL Server and Microsoft Server to detect more than 300 known security weaknesses in the platforms. This includes active vulnerable services that widen the attack surface for databases and hosts, authentication settings including password policies, file and table encryption, users with administrative privileges including system and user administration, the availability of standard users, logging and auditing, open ports and services, and host firewall settings.

The Cybersecurity Extension for SAP also monitors database and operating logs to detect indicators of compromise in Microsoft platforms and trigger alerts and email/ SMS notifications for security incidents. This includes system, role and user changes, direct access to user tables, changes to database schemas, user groups, scheduled tasks, stored procedures, passwords and firewall settings, failed logons including attempted remote logons, packets blocked by host firewalls, remote procedure calls, service activation, device and program installation, and changes to system auditing.