Unsecured interfaces are one of the top issues in SAP security. Hackers and data thieves can gain access via the unsecured backdoor. [shutterstock: 787105330, g0d4ather]
Unsecured interfaces to and from SAP systems open the doors to hackers. Many companies are aware of this – yet they still do not have sufficient security measures in place. Solutions with which interfaces in SAP system landscapes can be analyzed and monitored comprehensively are needed
SAP system environments grow and change continuously. Amongst others, this is due to general market development, such as globalization, that leads to more and more complex business processes. Companies expand, merge and buy other corporations. On top of that new digitalization trends, such as Cloud Computing and Industry 4.0, require an increasingly strong IT network.
In the course of recent years, up to several thousand data interfaces connecting SAP applications with one another but also with non-SAP systems have developed in many places. Aside from the known interfaces, there are many that are not even known to the system administrators as such, e.g. unauthorized downloads of lists via SAP GUI, direct database access, or the communication with external systems.
Loophole for data thieves
If these interfaces are outdated, wrongly configured or insufficiently protected, they pose as a very attractive entry point for hackers to gather information. Data thieves, hackers and saboteurs are then able to copy, change or delete whole databases, leading to the distortion of balance sheet results or the complete deactivation of the SAP system. This can have severe financial and legal consequences for a company. Furthermore, its reputation suffers. The pressure is further aggravated by more and more strict legal data protection guidelines, such as the General Data Protection Regulation (GDPR) that will become binding on May 25 2018 in Europe.
“Data thieves, hackers and saboteurs are then able to copy, change or delete whole databases (…)”
As a result of GDPR, the requirements for the processing of personal data by companies and public institutions will be standardized throughout the European Union. It obligates them to install appropriate technical and organizational measures to protect personal data from, e.g. the processing by unauthorized personnel and unintentional loss. Furthermore, documentation obligation towards already existing data protection legislation is increased: the data processing officer is supposed to be able to proof the compliance to GDPR. Violations will be punished with high fines of up to 20 million euros or 4 percent of the global annual revenue of a company.
No central documentation
Even though the risks of unsecured SAP interfaces have been known for a long time, most companies do not have control over the issue; especially since there is no comprehensive transparency about existing interfaces. In most cases, there is no central entity that possesses gapless documentation of all interfaces and the data exchanged via them. Often, the departments negotiate the interfaces of their SAP systems directly with the customer, suppliers or system manufacturers without those interfaces being added to the company’s inventory.
“Even though the risks (…) have been known for a long time, most companies do not have control over the issue.”
This makes it next to impossible for a company to analyze and monitor the current interfaces in order to be protected from attacks. In addition, they are incapable of fulfilling the legal requirement of GDPR since they do not even know exactly which SAP interfaces will and can be used for the exchange of personal data. Yet without this knowledge it is impossible to proof that these interfaces are up-to-date and can therefore protect personal data from unauthorized access or unintended leaks without.
Manual analyses cause a huge effort
Secondly, one of the disadvantages of the currently available solutions is that they only analyze the interfaces and data flows locally, meaning within a single system. In order to achieve a complete picture of the communication relations within the SAP system landscape, every interface has to be evaluated from both sides. Thirdly, many of the common analysis tools only concentrate on one problem, e.g. on the issue of which data is downloaded via SAP GUI. In any case, only a selective transparency of the existing interface landscape is achieved.
A new approach is necessary
A complete overview can be achieved with solutions like Virtual Forge InterfaceProfiler. With the InterfaceProfiler, you gain the ability to create a model or a set of rules for the selected SAP system and interface landscape and compare it to the continuously collected information (target-performance comparison) For this, deviations are reported and documented.
Originating from one central SAP system, InterfaceProfiler analyzes all communication relations for the entire system environment. The results are graphically presented and protocols of the found vulnerabilities including their criticality are created. In addition, suggestions for possible improvement of security and technical configuration of the interfaces are provided.
With special security functions, companies can face numerous risks in day-to-day operation of the system at the press of a button. This includes the possibility to block authorizations for downloading results lists in SAP GUI. Copy&paste operations of ALV lists can also be prevented. The authorizations can be clearly and finely depicted in the cockpit of InterfaceProfiler – an important feature for the fulfillment of the requirements of the GDPR.
A monitoring component provides information about interfaces which are technically still functioning but have not been used for a longer time. Furthermore, the usage intervals of interfaces still in use can be identified and therefore also unauthorized and unscheduled interface activity. All events are extensively logged and can be actively reported.