Home >> June 2018 Edition >> Cybersecurity: Protecting SAP Systems—Governments and municipalities need to consider three key areas
Cybersecurity: Protecting SAP Systems—Governments and municipalities need to consider three key areas
By Thomas Kastner, Managing Director and Chief Technology Officer, Virtual Force GmbH

 

Technology and, just as importantly, data, were critical even before the full emergence of the internet.

For example, government agencies rely on technology to run more efficiently and must be able to leverage data to better understand their constituents.

When the internet exploded and subsequently morphed into mobile shopping via tablets and smartphones, government agencies of all sizes started to leverage technology such as SAP to run highly complex operations that joined physical and online processes, such as driver’s licenses, deeds and permits, business documentations and other pertinent forms.

Because of SAP’s vast amount of code and data, this also means agencies have constantly been weary of cybersecurity threats — from internal and external audiences. In fact, there are roughly 320 million lines of code in SAP’s Business Suite alone. What’s more, they’ve also struggled to remain in compliance with changing regulatory expectations.

The challenging part governments and municipalities face is that, even if they’re large enough to have a dedicated internal IT department, their focus remains on tying operations to the IT function.

The notion that most IT staff are cybersecurity experts is a widespread misconception, leaving thousands of agencies and their millions of constituents exposed to everyday cybersecurity threats.

Such vulnerabilities can be costly —  the CISO of a Fortune-500 company once said, “If our company’s SAP system is breached, it will cost us $22 million per minute.”

There are three key areas government agencies and their IT staff must be aware of to help keep their SAP data secure:

SAP Systems, Custom Code and Transports.

SAP Systems
A large proportion of all SAP security vulnerabilities are a result of improper configurations to the broader SAP System.

This area is difficult for IT staff to comprehend simply because there are so many settings in a typical SAP landscape. Interfaces are difficult to identify and manage and patch management is not as easy as you might find with a Windows applications, for example.

IT personnel frequently consult with reliable SAP security experts who provide a comprehensive overview of all SAP interfaces; complete transparency of data streams; continuous protection of interfaces; and a proactive approach to ongoing and automated monitoring of the entire system landscape.

Custom Code
One of the great benefits of SAP for agencies is the ability to customize the system for the benefit of a specific organization’s unique mission.

As an example, a local government entity will have slightly different IT needs as compared to a Federal bureau. As such, the SAP system running both organizations and their functions will each be customized for their specific needs.

In this case, custom code must be developed and implemented for the agency to realize the benefits of SAP.



The challenge here is that there are millions of lines of custom code developed for SAP and it is virtually impossible to manually scan this code for security vulnerabilities.  What’s worse, developers typically do not have the proper knowledge needed to fully vet code for cybersecurity vulnerabilities.

To combat this challenge, developers and organizations are now using cutting edge technologies that automate the scanning process of custom code implementations. These solutions are similar to a spell-checker system and are able to  quickly scan lines of custom code with the click of a button to help protect against any vulnerabilities.

Transports
As mentioned earlier, organizations that use SAP software add in their own customizations and developments.

This means that functions and settings are often modified and enhanced, which can lead to changes made to hundreds of objects every day, along with manipulation of data.

These changes are reviewed and adjusted in development and test environments before getting deployed to the live production system. Unfortunately, these transport files can’t be checked before the import takes place to production, leaving systems vulnerable to stability issues when the data is transported.

Any slight modification during development and test environments can change critical settings of the data, leaving important applications unable to operate or even result in a complete system failure. What’s worse, there can be possible intrusion situations that involve transporting a user and password or other critical data without drawing attention.

In response, advanced SAP system solutions today leverage technologies designed to ensure the integrity of transports, as well as configuration and application data that are critical for running error-free operations.

Today’s government landscape is beyond complex, and the global economy has digitally connected businesses, vendors, governments and constituents in a way that helps move information, services and goods at lightning speed.

This velocity of commerce and information as well as vast networks of interconnectivity also means organizations are vulnerable to malicious entrants they may not be aware of for weeks — or even months. On average, it takes an organization 80 days to realize their SAP system has been penetrated; and another 50 days until the vulnerability is fixed.

By leveraging new SAP security solutions and technologies, agencies of all sizes realize they will be defended in a more efficient way, keeping them in compliance with the latest regulations and ensuring their data and that of their constituents remain safe.
www.VirtualForge.com

Thomas Kastner is the Managing Director and Chief Technology Officer at Virtual Forge GmbH, the leading provider of Cyber Security solutions for SAP® systems and applications. He is responsible for the product management and development, consulting services and IT Infrastructure.