Without a doubt, SAP is one of the world leaders in ERP software: more than 437,000 companies in 180 countries use some SAP system, among them 98% of the 100 most valued brands and 92% of Forbes Global 2000 companies. Many of these companies have suffered some type of SAP-related security breach, whether at the functional, operational, transactional or source code (ABAP) level, and these breaches have caused them financial losses.
Companies that rely on SAP as the main support for their operations need adequately implemented access controls to prevent unauthorized use of programs or transactions, which can lead to internal fraud or operational errors that affect the company. In our experience, 70% of companies have suffered such events because they lack a SAP security model: roles and transactions are defined inadequately, which indirectly grants users unauthorized access.
For this reason, it is important that an adequate SAP security model be defined during the SAP implementation, to mitigate these gaps at the operational and transactional level, considering the following:
1. Identification of the processes and the people involved in the use of SAP.
2. Define an appropriate Segregation of Duties matrix.
3. Define a role model according to the business, with authorizations assigned according to the job, considering a structure such as the following:
Here, an Authorization is the set of field values that allows the user to execute certain transactions or access certain data. The Authorization Object is the element that restricts access to the system, the Transaction is the command that executes a task or function within SAP, and the Values are the permissions required for each field of the object.
For example, a role that lets a user register a supplier for Company 0001 and the Perfumery Supplier Group with transaction XK01 should look as follows:
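As an added illustration (not part of the original article), the following Python model expresses the Role, Authorization Object, Transaction and Values structure above, performs the kind of authority check SAP runs for XK01, and checks a user's roles against a Segregation of Duties matrix. The object and field names (S_TCODE/TCD, F_LFA1_BUK/BUKRS, F_LFA1_GRP/KTOKK, ACTVT) are standard SAP ones; the role names, the account group `ZPRF` standing in for the Perfumery Supplier Group, and the conflict entry are constructed for the example.

```python
# Added example: model of Role -> Authorization Object -> field Values.
# Role names, the 'ZPRF' account group and the SoD entry are constructed.
from fnmatch import fnmatchcase

# Each role maps authorization objects to authorizations (field -> values).
ROLES = {
    "Z_VENDOR_CREATE_0001": {                       # register suppliers only for
        "S_TCODE":    [{"TCD": ["XK01"]}],           # company code 0001 and the
        "F_LFA1_BUK": [{"BUKRS": ["0001"], "ACTVT": ["01"]}],  # ZPRF group
        "F_LFA1_GRP": [{"KTOKK": ["ZPRF"], "ACTVT": ["01"]}],  # ACTVT 01 = create
    },
    "Z_VENDOR_DISPLAY": {
        "S_TCODE":    [{"TCD": ["XK03"]}],           # display vendor
        "F_LFA1_BUK": [{"BUKRS": ["*"], "ACTVT": ["03"]}],    # '*' = any, 03 = display
    },
    "Z_PAYMENT_RUN": {"S_TCODE": [{"TCD": ["F110"]}]},  # automatic payment run
}

# Constructed SoD matrix entry: maintaining vendors AND paying them conflicts.
SOD_MATRIX = [({"XK01", "XK02"}, {"F110"}, "vendor maintenance vs payment run")]

def merged_auths(user_roles):
    """Collect the authorizations of all roles assigned to a user, per object."""
    merged = {}
    for role in user_roles:
        for obj, auths in ROLES[role].items():
            merged.setdefault(obj, []).extend(auths)
    return merged

def authority_check(auths, required):
    """Pass only if, for every required object, one single authorization
    matches all required field values (SAP '*' wildcard allowed)."""
    return all(
        any(all(any(fnmatchcase(val, pat) for pat in auth.get(field, []))
                for field, val in fields.items())
            for auth in auths.get(obj, []))
        for obj, fields in required.items())

def can_create_vendor(user_roles, bukrs, ktokk):
    """Can this user run XK01 for company code `bukrs` and account group `ktokk`?"""
    required = {"S_TCODE": {"TCD": "XK01"},
                "F_LFA1_BUK": {"BUKRS": bukrs, "ACTVT": "01"},
                "F_LFA1_GRP": {"KTOKK": ktokk, "ACTVT": "01"}}
    return authority_check(merged_auths(user_roles), required)

def sod_conflicts(user_roles):
    """Names of SoD matrix entries violated by the transactions these roles grant."""
    tcodes = {t for r in user_roles
              for auth in ROLES[r].get("S_TCODE", []) for t in auth["TCD"]}
    return [name for left, right, name in SOD_MATRIX
            if tcodes & left and tcodes & right]
```

The same role passes for company code 0001 and fails for any other company code or account group, and assigning the payment-run role alongside it surfaces the SoD conflict.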
However, breaches at the transactional level always exist, so it is important to define constant monitoring of the critical transactions executed in the system and to validate that only authorized users execute them. Other SAP security breaches observed in recent years are vulnerabilities at the operating system, database and source code levels. SAP uses its own programming language, ABAP (Advanced Business Application Programming), which makes a vulnerability analysis to determine the security gaps in the system somewhat more complex.
According to a report that SAP presented together with a cybersecurity company, 300 successful exploits were detected out of a total of 1,500 attempts targeting previously known vulnerabilities and insecure configurations specific to SAP systems between mid-2020 and March 2021. Among these vulnerabilities are password encryption, Remote Logon (remote access jumps) and access to developments in production, among others. In the following link you can see an attack using the Remote Logon vulnerability.
This demonstrates that SAP is also a system vulnerable to internal and external attacks, regardless of the instances defined (Production, Development, Quality).
For this reason, SAP has developed a series of security tools that reduce the risk of fraud caused by the inadequate definition and assignment of roles, and has relied on cybersecurity companies that have developed tools for vulnerability analysis of the infrastructure and the ABAP code, such as Layer Seven's Cybersecurity Extension for SAP, which has supported different organizations in the detection, prevention and mitigation of vulnerabilities in the system.
The use of this type of tool allows the automation of controls and the real-time review of possible breaches at the transactional level through the review of logs, as well as vulnerability analysis of the infrastructure and the ABAP code. In addition, it is important to define a Segregation of Duties matrix, eliminate default configurations, and define a security model covering Roles, Authorization Objects and Transactions.