SAP security and availability
Having worked with many enterprise clients, I have seen how critical the SAP environment is and how sensitive the business is to issues with the application. Over time, SAP has evolved and become more mission critical, and availability is therefore key. One of the areas which impacts availability is security, from both an impact and a protection perspective. Moving SAP to the cloud can help improve availability and gives an opportunity to enhance the approach to security, reducing the impact of scanning and updates on performance and increasing capability.
Mission Critical
The SAP platform has grown to encompass many different aspects of business function and capability, and therefore the availability and performance requirements of the environment are key to ensuring the application supports the business effectively. It has in effect always been mission critical, but now, with straight-through processing and digital business transformation, it is vital to the bottom line of the business.
Elaborate technology solutions have been deployed to ensure the availability and performance of the environment. For many, though, this is based on physical hardware inside a datacentre, with the associated need to upgrade and renew. The new world of cloud computing offers tremendous scope to create a virtual environment with infinite resource available to deliver a highly performant and available environment. A cloud-enabled deployment can introduce an opportunity to use a consistent platform for all modules, with Windows/Linux and SQL/HANA as the focus within SAP. The ability to script and automate provisioning of the servers enables entire clones of the production environment to be created quickly and used for operational tasks such as upgrades, security audits and application migration testing.
Security risks
So, whilst the availability of the platform and the performance of the environment are being addressed by many clients, the security challenges are not being tackled with the same vigour. There are regular announcements from SAP and third parties regarding vulnerabilities which have been identified, some of which are critical. Security is both proactive and reactive. Once issues are identified, the proactive approach is to apply a patch to the affected environment and tools. The reactive security model is a set of tools which attempt to identify malicious behaviour and monitor or block the threat activities. SAP environments need both types of protection.
Number of Vulnerabilities identified over the last few months in 2017.
Patching vs availability
Proactive vulnerability protection involves the application of a patch and/or the installation of new modules. And here is the dilemma: this approach challenges the availability of the platform, with an element of downtime associated with the exercise. With a modern cloud-based environment there are two areas where the approach can be enhanced. In Azure the whole SAP platform can be duplicated and activated on demand as required. This offers an environment which can be used for a variety of purposes, including compliance testing, software upgrades, and DR / business continuity.
So, in the security context, it would provide an environment where patches can be tested and reviewed for impact. If restarts of the servers are required, this can be identified in this phase and an appropriate operational model determined. But the downtime and delay associated with applying patches and rebooting servers could still impact the availability and performance of the application.
A mitigating approach which would reduce the window of risk and improve availability might include a host-based IDS/IPS solution, installed on each VM supporting the application. The concept has become known as virtual patching: the network traffic is inspected and policy rules are applied to identify known threats or malicious intent, and the affected packets are then monitored or dropped, as determined by the policy, to protect or manage the affected server. The advantages of this approach are significant. It is much faster to apply the latest protection, with policy automatically updated from the vendor's centralised threat database, and the policy is customised to the server and the specific applications and versions it is protecting. Individual policy rules can be deployed rapidly, and removed equally rapidly, without a reboot or impact on application availability.
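A small model of the virtual patching behaviour described above, added here as an illustration and not taken from any vendor's product: rules load only for software the host runs at an unpatched version, each rule either monitors or drops, and one rule can be withdrawn at run time. The product names, rule ids, signatures and requests are all constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str         # constructed id, not a vendor rule number
    product: str         # software the rule shields (hypothetical names)
    fixed_in: tuple      # first version that carries the real patch
    pattern: re.Pattern  # traffic signature
    action: str          # "monitor" (log only) or "drop"

class VirtualPatchPolicy:
    def __init__(self, inventory):
        self.inventory = inventory  # {product: installed version tuple}
        self.rules = {}

    def add_rule(self, rule):
        """Load a rule only if the host runs the product at an unpatched version."""
        installed = self.inventory.get(rule.product)
        if installed is None or installed >= rule.fixed_in:
            return False
        self.rules[rule.rule_id] = rule
        return True

    def remove_rule(self, rule_id):
        """Withdraw one rule; it stops applying from the next inspected request."""
        return self.rules.pop(rule_id, None) is not None

    def inspect(self, payload):
        """Return (verdict, matching rule ids); a drop rule outranks monitor."""
        hits = [r for r in self.rules.values() if r.pattern.search(payload)]
        if any(r.action == "drop" for r in hits):
            verdict = "drop"
        else:
            verdict = "monitor" if hits else "pass"
        return verdict, [r.rule_id for r in hits]

# Constructed rule feed for two hypothetical products.
RULES = [
    Rule("VP-0001", "demo-portal", (7, 5), re.compile(rb"[?&]file=[^ &]*\.\./"), "drop"),
    Rule("VP-0002", "demo-portal", (7, 5), re.compile(rb"(?i)user-agent: *\r\n"), "monitor"),
    Rule("VP-0003", "demo-gateway", (2, 0), re.compile(rb"X-Demo: .{64,}"), "drop"),
]

def build_policy():
    """Host inventory (constructed): portal still unpatched, gateway already fixed."""
    policy = VirtualPatchPolicy({"demo-portal": (7, 4), "demo-gateway": (2, 1)})
    loaded = [policy.add_rule(rule) for rule in RULES]
    return policy, loaded
```

Once the real patch has been tested in the cloned environment and applied, updating the inventory version makes the corresponding rules ineligible, which is the point at which the virtual patch can be retired.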
Reactive Security tools
SAP has been involved in many situations where security tools have created problems and impacted the performance or availability of the core SAP applications, due to their intensive scanning and filtering processes.
SAP has therefore been reluctant to support or encourage the use of reactive tools, and has moved to provide an API mechanism to support the use of security tools. The API is designed to reduce the impact of the security processes on the underlying SAP applications. Through tight integration with the VSI 2.0 API, Trend Micro, for example, can provide a comprehensive protection model and minimise the impact of the scan on the SAP applications. Different inspection techniques are built into the tool.
Anti-malware is one of the security tools which used to consume resource when executing its security task; the scan and inspection process may impact the resources available to the application being protected. The efficiency and optimisation techniques already built into the Trend Micro tools are enhanced by the optimisation processes built into the SAP NetWeaver platform, to ensure only new files and interactions are being monitored and protected. A funnel approach is part of the new world of security: light-touch scanning initially to filter out obvious bad content, followed by more and more intensive inspection techniques, such as AI or behaviour monitoring, against the fewer objects which have passed through the previous filters. Files, folders, network, behaviour, code and execution are all part of the environment where the security tools' protection techniques are invoked.
In the case of Trend Micro, a single agent is deployed with multiple protection techniques automatically included. This brings economies, with fewer operational parts and simple threat policy updates. The operation and tuning of the security to the platform can be carried out automatically, to enable cloud and automation-based protection.
Top Threat Areas
An area specifically covered by the VSI interface is the protection of the data and of the interaction with the portal and web tools.
SAP Cyber Threat Intelligence report August 2017
As you can see from the graph above, cross-site scripting issues in uploaded data or the web portal platforms are the biggest threat every month. The VSI interface enables partners such as Trend Micro to inspect the data being input or uploaded into the SAP environment and block malicious intent before the data is stored in the SAP environment.
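The funnel described under Reactive Security tools, applied to the uploaded data discussed above, as an added example: it is not SAP's or Trend Micro's code and does not use the VSI API. The upload policy, the markup pattern standing in for a deep inspection engine, and the sample uploads are assumptions constructed for illustration.

```python
import hashlib
import re

# Assumed upload policy: extension -> (required magic bytes, inspect as markup?)
POLICY = {".pdf": (b"%PDF-", False), ".png": (b"\x89PNG", False),
          ".csv": (b"", True), ".svg": (b"", True)}
# Stand-in for the deep engine: markup a browser would execute.
ACTIVE = re.compile(rb"<\s*script|javascript:|<[^>]*\son\w+\s*=", re.I)

class UploadFunnel:
    def __init__(self):
        self.clean = set()  # (extension, digest) pairs already allowed
        self.reached = {"cache": 0, "type": 0, "content": 0}

    def scan(self, name, data):
        """Return (verdict, stage that decided). Cheapest stage runs first."""
        dot = name.rfind(".")
        ext = name[dot:].lower() if dot != -1 else ""
        # Key on extension too, so renamed content is never allowed from cache.
        key = (ext, hashlib.sha256(data).hexdigest())
        self.reached["cache"] += 1
        if key in self.clean:          # only new content goes further
            return "allow", "cache"
        self.reached["type"] += 1
        rule = POLICY.get(ext)
        if rule is None or not data.startswith(rule[0]):
            return "block", "type"     # unknown type or magic mismatch
        stage = "type"
        if rule[1]:                    # costly stage, fewer objects reach it
            stage = "content"
            self.reached["content"] += 1
            if ACTIVE.search(data):
                return "block", "content"
        self.clean.add(key)
        return "allow", stage

SAMPLES = [  # constructed uploads
    ("report.pdf", b"%PDF-1.7 constructed"),
    ("invoice.exe", b"MZ constructed"),
    ("logo.png", b"<svg></svg>"),
    ("chart.svg", b'<svg onload="x()"></svg>'),
    ("data.csv", b"id,name\n1,alice\n"),
    ("data.csv", b"id,name\n1,alice\n"),
]

def run_samples():
    funnel = UploadFunnel()
    return [funnel.scan(name, data) for name, data in SAMPLES], funnel.reached
```

The `reached` counters show the funnel narrowing: every upload hits the cache lookup, while only the text formats that passed the type check reach the content stage.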
Summary
Given the vital nature of the SAP platform now, supporting real-time manufacturing and/or web-based interactions 24×7, the security and operational approach needs to be reviewed. The protection and availability of the application have been eroded over time, as new innovative threats and a lack of availability investment collide to put the platform at risk from malicious intent.
Solution Azure / Automation / Trend
Many new businesses are looking to digitally transform to stay competitive and grow, and the use of cloud and the modernisation of the IT platform is a key direction of travel. The cloud offers an evolution in availability and resource flexibility for SAP; it delivers the right platform at the right time, enabling standardisation and billing based on resource consumption. Azure, as an SAP-certified cloud platform, brings a new opportunity for SAP customers to evolve the platform to support the business needs of their customers. Automated provisioning, for just-in-time delivery of the resources required by the application based on load or schedule, keeps costs contained, whilst automated builds of SAP environments help deliver round-the-clock services, enabling upgrades, testing and 24×7 availability. Cloud discussions often open the topic of security risk and threats. The use of the right tools and the right operational approach can really enable secure use of the cloud and deliver on the agile vision it offers. The SAP-certified Trend Micro security solutions support the dynamic nature of the Azure cloud with automated deployment and configuration. Key to the SAP certification and customer endorsement is the low impact of the Trend Micro solution on the applications, whilst delivering very strong, industry-leading security capabilities in a single solution, Deep Security.