SAP Security and Hosting: Hacking 40 SAP Systems in One Fell Swoop

In spite of the hype surrounding the cloud, the on-premise model in which customers run their own SAP software is still the norm. However, that doesn’t rule out a service provider handling part of the operations; indeed, hosting is a widely used model, particularly among SMEs. While the roles at hand are usually clearly assigned in a hosting model like this, the same unfortunately doesn’t always apply to SAP system security.

Why your hosting provider may not be as secure as you might think

A penetration test carried out by AKQUINET brings this problem into focus. When a customer tasked us with breaking into its SAP system, it took just over an hour for us to report that we’d gained full access to Solution Manager. This came as something of a surprise to the customer, which informed us that it didn’t even run Solution Manager itself; it was meant to be one of its hosting provider’s responsibilities. We then expanded our pen test – and suddenly had access to the SAP systems of more than 40 customers!

We should mention that this episode took place some time ago and isn’t representative of the largely excellent infrastructure that hosting providers offer. That said, it does underscore the fact that the contracts between customers and service providers (also known as service level agreements, or SLAs) often fail to sufficiently cover the topic of security. To understand why, we’ll need to take a moment to explore the various models available from hosting providers. Two variants are generally the most prominent in this context: the hosting company either handles the hardware alone, or takes care of SAP Basis operations as well.

In securing SAP systems, many things are unclear between customers and hosting providers

Both of these variants leave considerable room for security aspects that nobody has thought through. In the former case, the provider is clearly responsible for the security of the server, network, and operating system at hand. But what about the SAP system settings that govern access to one of these components? To take one example, is SAP Gateway the customer’s responsibility even though its configuration takes the form of a file that physically resides in the operating system? What about securing the database and the database user for the SAP system?
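The SAP Gateway question above is a concrete instance of the split: the access control lists (the secinfo and reginfo files) live on the operating system that the hosting provider administers, yet what they permit is an SAP-level decision. The following check is an added example and not code from the original post or from AKQUINET; it assumes the documented secinfo/reginfo syntax (one rule per line, `P` for permit or `D` for deny, followed by `KEY=VALUE` pairs, first match wins) and runs over a constructed sample file, flagging permit rules that use a wildcard for both program (`TP`) and host (`HOST`). Whichever party owns the file, a review of the shared-responsibility arrangement should include running something like this.

```python
"""Flag permissive entries in an SAP Gateway ACL file (secinfo / reginfo).

Added example, not code from the original post or from AKQUINET.
Assumes the documented ACL syntax: a comment/version header, then one
rule per line of the form 'P KEY=VALUE ...' (permit) or 'D KEY=VALUE ...'
(deny). Evaluation is first match wins, so a wildcard permit early in the
file is effective even if a deny-all rule follows it.
"""

# Constructed sample reginfo (registration ACL); line 2 is the problem.
SAMPLE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
P TP=SAPXPG_DBSERVER HOST=dbhost ACCESS=internal CANCEL=internal
D TP=* HOST=*
"""

# Keys found in secinfo (TP, USER, HOST, USER-HOST) and reginfo
# (TP, HOST, ACCESS, CANCEL); a '*' value removes that restriction.
RESTRICTING_KEYS = ("TP", "HOST", "USER", "USER-HOST", "ACCESS", "CANCEL")


def parse_acl(text):
    """Return a list of (line_no, action, {KEY: value}) for every rule line.

    Blank lines and '#' comment/version lines are skipped. Keys are
    upper-cased so that 'tp=' and 'TP=' compare equal.
    """
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        pairs = {}
        for token in rest.split():
            key, sep, value = token.partition("=")
            if sep:
                pairs[key.upper()] = value
        rules.append((line_no, action.upper(), pairs))
    return rules


def permissive_rules(text):
    """Return (line_no, wildcard_keys) for permits open to any program on any host.

    A permit rule with TP=* and HOST=* matches everything that reaches the
    gateway; the returned key list shows which other restrictions the rule
    also waives (e.g. ACCESS and CANCEL in a reginfo file).
    """
    findings = []
    for line_no, action, pairs in parse_acl(text):
        if action != "P":
            continue
        if pairs.get("TP") == "*" and pairs.get("HOST") == "*":
            wild = sorted(k for k in RESTRICTING_KEYS if pairs.get(k) == "*")
            findings.append((line_no, wild))
    return findings


def report(text, name="reginfo"):
    """Human-readable summary, one line per finding (empty list if clean)."""
    return [
        f"{name}:{line_no}: permit with wildcard for {', '.join(wild)}"
        for line_no, wild in permissive_rules(text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_REGINFO) or ["no wildcard permits found"]:
        print(line)
```

On the constructed sample the check reports line 2 only: the later `D TP=* HOST=*` rule never takes effect for those requests because the wildcard permit above it already matched. The same functions work on a secinfo file, where the waived keys would be `USER` and `USER-HOST` instead of `ACCESS` and `CANCEL`.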

If the provider also runs the SAP system in question, it gets even more complicated. Roles and authorizations should then be defined and implemented by the customer, for instance. And what should be done about critical combinations of authorizations that could theoretically facilitate unfettered access to the SAP Basis? Does this fall within the customer’s purview, or the hosting provider’s? What about the applications the customer has developed that require access to the file system or web services? In times marked by UI5 and browser access, it’s a question that’s very much of the moment.

Clear responsibilities lead to greater SAP security

To avoid the related risks that can result from poorly defined responsibilities, customers and their hosting providers should always discuss security before implementing their arrangements. The standards and guidelines available from SAP itself or the DSAG’s audit guidelines are good places to start when clearly delineating which party is in charge of which tasks. Another element should involve ongoing efforts to safeguard not just the usual infrastructure components, but SAP systems, as well.

In Security Radar (which is part of SAST SUITE), we offer a monitoring solution for this purpose that also analyzes your current security status through the other modules of the suite and makes it available to you at regular intervals. This makes it possible to clear up any discrepancies between you and your provider in short order.

Would you like more information on our SAST SUITE, or would you like to find out more about ALL ROUND protection of your SAP systems? Check out our SAST SOLUTIONS website or send us an e-mail at sast@akquinet.de.

You’ll also find a webinar on this subject in our SAST webinar archive. To request the link to the recordings, please click here: SAST webinars on-demand.

Patrick Boch, Product Manager SAST SOLUTIONS


Related articles in the SAST BLOG

10KBLAZE and SAP Security I: All Quiet on the Western Front

One step at a time: How to secure and harden your SAP Gateway