
SAP Users Don’t Have Visibility Of Privileged Accounts

The need to protect SAP applications from bad actors is well understood. However, while many organizations running SAP apply privileged access management (PAM) at the application layer, extending it to the server, operating system, and database layers is often overlooked. Those layers hold the same business data, and an attacker holding an OS or database administrator credential bypasses the application-level controls entirely, so this common oversight puts the whole organization at significant risk.

To gauge the extent of the issue, Turnkey Consulting surveyed SAP customers on how they manage privileged accounts across their estates.

The headline figure is that more than three quarters of respondents (78 percent) do not have full visibility of the privileged accounts within their SAP estate. Anecdotally, visibility tends to be good at the application layer but rarely extends to the root-level accounts in the operating system and database layers. Establishing that visibility can be complex, especially where third parties hold access, but it is a prerequisite for preventing attacks that start with credentials falling into the wrong hands: an account nobody has inventoried is an account nobody is rotating, vaulting, or monitoring.

On a more positive note, since unmanaged admin accounts and credentials are prime targets for attackers, it is encouraging that 71 percent of respondents change their admin user passwords at least once a quarter (half of these do so monthly). In addition, the 87 percent of respondents who use password vaults or managers to govern privileged accounts represents a big step forward over the past decade in how businesses protect passwords. The caveat is that both controls only reach the accounts an organization knows about, which brings the discussion back to visibility.
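The two findings above (incomplete visibility of OS-level privileged accounts, and quarterly password rotation) are both things a practitioner can check directly on a host rather than take from a survey. The following is an added example, not code from the article or from Turnkey Consulting: a small POSIX shell inventory that lists every UID-0 account (root-equivalent whatever its name), the SAP administrative OS users, and any account whose password is older than a rotation limit. The passwd and shadow data are constructed samples embedded inline so it runs offline; the assumptions are the `<sid>adm`/`sapadm` naming convention for SAP OS users, a 90-day maximum password age matching the quarterly rotation the survey asks about, and a fixed "today" value so the result is deterministic.

```shell
#!/bin/sh
# Added example (not from the article): inventory OS-level privileged accounts
# on a Linux SAP host from passwd/shadow-style data.

MAX_AGE_DAYS=90      # assumption: quarterly rotation policy
TODAY_DAYS=19750     # constructed "today" (days since epoch) for a stable demo

# Constructed sample standing in for /etc/passwd. Note the second UID-0 user
# "toor": an inventory that only looks for "root" would miss it.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/bash
prdadm:x:1001:79:SAP System Administrator:/home/prdadm:/bin/csh
sapadm:x:1002:79:SAP Host Agent:/home/sapadm:/bin/false
hdbadm:x:1003:79:SAP HANA admin:/usr/sap/HDB/home:/bin/sh
jdoe:x:1004:100:Jane Doe:/home/jdoe:/bin/bash'

# Constructed sample standing in for /etc/shadow.
# Fields: name:hash:lastchg(days since epoch):min:max:warn:inactive:expire:
# sapadm has a locked hash ("!"), so it is excluded from the rotation check.
SAMPLE_SHADOW='root:$6$abc:18900:0:99999:7:::
toor:$6$def:19500:0:99999:7:::
prdadm:$6$ghi:19700:0:99999:7:::
sapadm:!:19000:0:99999:7:::
hdbadm:$6$jkl:19650:0:99999:7:::
jdoe:$6$mno:19740:0:99999:7:::'

# Print every account with UID 0, read from passwd data on stdin.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Print SAP administrative OS users, read from passwd data on stdin.
# Assumption: SAP naming convention <sid>adm, plus sapadm for the host agent.
sap_admin_accounts() {
    awk -F: '$1 ~ /adm$/ { print $1 }'
}

# Print accounts whose password is older than $2 days as of day $1,
# read from shadow data on stdin. Locked or disabled hashes ("!" or "*")
# and entries with no last-change date are skipped: they cannot be rotated.
stale_passwords() {
    awk -F: -v today="$1" -v max="$2" '
        $2 !~ /^[!*]/ && $3 != "" && (today - $3) > max { print $1 }'
}

# Combine the three checks into one report. $1 = passwd data, $2 = shadow
# data, $3 = today in days since epoch.
privileged_account_report() {
    echo "uid0 accounts:      $(printf '%s\n' "$1" | uid0_accounts | tr '\n' ' ')"
    echo "sap admin accounts: $(printf '%s\n' "$1" | sap_admin_accounts | tr '\n' ' ')"
    echo "stale (> ${MAX_AGE_DAYS}d): $(printf '%s\n' "$2" | stale_passwords "$3" "$MAX_AGE_DAYS" | tr '\n' ' ')"
}

privileged_account_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$TODAY_DAYS"
```

On a real host, replace the samples with `"$(cat /etc/passwd)"`, `"$(sudo cat /etc/shadow)"` and `"$(( $(date +%s) / 86400 ))"`. With the constructed data the report flags `root` and `toor` as UID 0, `prdadm`, `sapadm` and `hdbadm` as SAP admin users, and `root`, `toor` and `hdbadm` as having passwords older than 90 days; `hdbadm` at 100 days is the kind of database-layer account the survey suggests most organizations never look at, and `toor` shows why the check keys on UID rather than on the name `root`. The database's own administrator accounts (SYSTEM on HANA, for instance) live inside the database and need an equivalent query there; this script covers only the OS layer.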

Managing superuser accounts

Over two fifths (43 percent) of respondents report having no formal superuser account management in place, a concerning finding as it puts valuable SAP data at risk. Even the 30 percent with manual firefighter processes, while addressing the issue, are signing up for processes that are time-consuming, prone to human error, and do not produce the audit trail that helps prove compliance to auditors. Only 26 percent have adopted tools to support superuser account management, despite the clear benefits of doing so.

Extending PAM solutions

83 percent of respondents said they extend PAM coverage to the database, operating system, and server layers (as well as the application) of their SAP environment. However, given a potential (and understandable) unwillingness to admit incomplete coverage, this finding needs to be treated with caution. Experience indicates that very few organizations extend PAM far enough to provide complete protection at every layer.

When it comes to extending PAM to govern access to superuser accounts in the cloud, 82 percent report that they do, an encouraging finding at a time of accelerating cloud adoption.

Businesses have clearly taken on board that migration to the cloud means their data no longer reside within their own data centres, and that privileged access to that data is therefore a key consideration.

Third parties and superuser accounts

Almost half (47 percent) use tool-based controls to monitor and control the use of superuser accounts by third parties, showing that many businesses recognize the benefits of automation and of holding third parties to the same security standard the business demands of itself.

42 percent rely on manual controls, potentially exposing themselves to risk if third parties are left to control superuser access themselves and do so in less secure ways.

Automating controls

A total of 87 percent of respondents have applied at least some automation in how their privileged accounts are controlled, although a substantial proportion still have work to do in fully embracing it.

There is a growing realization of the need to protect the underlying SAP infrastructure. 60 percent felt they were very effective at managing privileged accounts overall. However, organizations need to keep proactively looking for previously undiscovered issues, and many still have a lot of work to do.

Sensitive data reside within the infrastructure as well as the application layer and, given that most access to it is privileged, robust controls are essential to minimize the risk of threats, both internal and external. The key to this is PAM tooling, which can automate how access credentials are issued, monitored, and refreshed.

However, PAM implementations can be challenging if not delivered as part of a well-defined strategy, and they require a pragmatic, incremental approach in order to deliver the benefits needed to truly protect the SAP estate.

The full report, SAP Privileged Access Management Survey Report 2021, containing a break-down of the results, further insight into the findings, and offering advice on PAM implementation, is available to download (requires registration).

About the author

Chris Boyle, Turnkey Consulting

Chris Boyle is Practice Director Identity and Access Management (IdAM) at Turnkey Consulting.
