Enterprise applications help reduce complexity and enable large teams to collaborate, share information, and protect data. Applications like Adobe, Microsoft Dynamics, Oracle ERP Cloud, Salesforce, SAP, and Workday have become critical for efficient business and supply chain operations. These applications don’t operate in silos and often share information. For this reason, it’s crucial to safeguard data transfers with strong security and encryption methods.
One of these juggernaut applications, SAP, is used by 99 of the Fortune 100 companies and has over 280 million Cloud subscribers worldwide. However, SAP does not stand alone, and communication between this application and others is crucial; therefore, application access to SAP systems must be secured.
Without encryption of SAP data in transit, so-called “Man-in-the-Middle” attacks become possible, increasing the risk of unauthorized access and data breaches. According to the National Institute of Standards and Technology (NIST), a Man-in-the-Middle attack is “an attack in which an attacker is positioned between two communicating parties to intercept and alter data traveling between them. In the authentication context, the attacker would be positioned between claimant and verifier, between registrant and CSP during enrollment, or between subscriber and CSP during authenticator binding.”
Activating Built-in SAP Protocol Security
SAP provides multiple interfaces to facilitate communication between different systems and applications. These interfaces include SOAP (Simple Object Access Protocol), File, OData (Open Data Protocol), REST (Representational State Transfer), IDOC (Intermediate Document), WebAPIs, FTP (File Transfer Protocol), and many others. Each interface serves specific purposes and caters to different integration scenarios within the SAP ecosystem.
In addition to the interfaces, two transport protocols, RFC (Remote Function Call) and HTTP (Hypertext Transfer Protocol, the open standard), are crucial for transferring data in SAP environments. RFC is SAP's proprietary protocol for communication between SAP systems, allowing uninterrupted data transfer and continuous functionality. Middleware solutions, like SAP PI/PO (Process Integration/Process Orchestration), enable non-SAP systems to access RFC.
HTTP is also widely used for web-based interfaces between SAP and non-SAP systems. It is a standard protocol for transmitting data over the Internet and allows different systems to work together. If REST, OData, WebAPIs, and other web-based protocols are used for SAP interfaces, the data transfer will depend on HTTP.
Securing SAP interfaces is therefore vital. Encrypted protocols such as HTTPS or SFTP should be used whenever data is transmitted between SAP and other systems or applications. In addition:
- Authentication must accompany the encrypted protocol; this is best achieved with secure login credentials, two-factor authentication, or other methods that ensure only the proper users access SAP interfaces.
- Role-based access controls help maintain integrity by ensuring that users can only access the interfaces needed to perform their specific tasks.
- Logging user activity and monitoring for unusual or suspicious behavior must be routine so that potential threats to SAP systems are identified and responded to.
- Constant system monitoring and staying current with patches and updates are your edge in fixing known vulnerabilities.
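The built-in transport security described in this section is switched on through SAP instance profile parameters: the snc/* parameters govern Secure Network Communications for RFC, SAP GUI and CPIC traffic, and each icm/server_port_N entry declares an ICM listener with its protocol. The following Python script is an added example, not code from the article, SAP or SecurityBridge; it parses a profile text and reports settings that leave data in transit unencrypted. The parameter names are standard SAP profile parameters, while the two profile texts are constructed samples (a weak one and a hardened one), not taken from any real system.

```python
"""Audit an SAP instance profile for transport-encryption settings.

Added example, not code from the article, SAP or SecurityBridge. The
parameter names (snc/*, icm/server_port_N) are standard SAP profile
parameters; the two profile texts below are constructed samples.
"""
import re

# Constructed sample: SNC off and a plaintext HTTP listener.
WEAK_PROFILE = """
# constructed sample - weak instance profile
snc/enable = 0
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

# Constructed sample: SNC enforced at privacy level, HTTPS only.
HARDENED_PROFILE = """
# constructed sample - hardened instance profile
snc/enable = 1
snc/data_protection/min = 3
snc/data_protection/max = 3
snc/data_protection/use = 3
snc/accept_insecure_rfc = 0
snc/accept_insecure_gui = 0
snc/accept_insecure_cpic = 0
snc/only_encrypted_rfc = 1
snc/only_encrypted_gui = 1
icm/server_port_0 = PROT=HTTPS,PORT=44300
"""

PARAM_RE = re.compile(r"^([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")

# Checks that only make sense once SNC itself is switched on:
# (parameter, expected value, meaning of a deviation).
# Protection levels: 1 = authentication, 2 = integrity, 3 = privacy (encryption).
SNC_CHECKS = [
    ("snc/data_protection/min", "3", "minimum protection level below 3 (privacy): encryption not enforced"),
    ("snc/accept_insecure_rfc", "0", "RFC connections without SNC are still accepted"),
    ("snc/accept_insecure_gui", "0", "SAP GUI logons without SNC are still accepted"),
    ("snc/accept_insecure_cpic", "0", "CPIC connections without SNC are still accepted"),
    ("snc/only_encrypted_rfc", "1", "unencrypted RFC is still allowed"),
    ("snc/only_encrypted_gui", "1", "unencrypted SAP GUI is still allowed"),
]


def parse_profile(text):
    """Return {parameter: value} from profile text, skipping blanks and # comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def parse_port_spec(value):
    """Turn 'PROT=HTTPS,PORT=44300' into {'PROT': 'HTTPS', 'PORT': '44300'}."""
    spec = {}
    for item in value.split(","):
        key, sep, val = item.partition("=")
        if sep:
            spec[key.strip().upper()] = val.strip()
    return spec


def audit_profile(text):
    """Return a list of findings; an empty list means every check passed."""
    params = parse_profile(text)
    findings = []
    if params.get("snc/enable") != "1":
        findings.append("snc/enable is not 1: SNC disabled, RFC and SAP GUI traffic is plaintext")
    else:
        for name, expected, meaning in SNC_CHECKS:
            actual = params.get(name)
            if actual is None:
                findings.append(f"{name} not set explicitly (kernel default applies): {meaning}")
            elif actual != expected:
                findings.append(f"{name}={actual}: {meaning}")
    # Every ICM listener is declared as icm/server_port_<n>; flag plaintext HTTP ones.
    for name, value in params.items():
        if name.startswith("icm/server_port_"):
            spec = parse_port_spec(value)
            if spec.get("PROT", "").upper() == "HTTP":
                findings.append(f"{name}: plaintext HTTP listener on port {spec.get('PORT', '?')}")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {audit_profile(profile) or ['no findings']}")
```

Parameters that are absent from the profile fall back to kernel defaults, so the script reports them as "not set explicitly" rather than assuming the default is acceptable; in a real review the effective value should be confirmed in the running system (transaction RZ11) rather than in the file alone.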
Monitoring and Protecting Data In Transit
In contrast to encrypted data, information transmitted without protection is susceptible to interception by bad actors, and Man-in-the-Middle attacks become a significant threat. Simply put, encryption ensures that data transmitted between SAP systems and other endpoints remains unintelligible to unauthorized entities, which makes it imperative for safeguarding data integrity.
Automation is one of the best ways to ensure SAP interfaces are secure. Static and dynamic testing of RFC, BAPI (Business Application Programming Interface), and web services interfaces is required. Third-party applications that detect SQL injection, cross-site scripting (XSS), and insecure direct object references are often needed alongside encryption to fully protect data in transit. This added layer augments native security and helps prevent attacks and exploitation by identifying these vulnerabilities.
In addition, some third-party security offerings use automated testing and include the following features that protect interfaces and keep the entire SAP system clean and secure:
- Runtime Security Monitoring – Tracks user activities in real time and detects suspicious behavior.
- SIEM Integration – Identifies potential security issues and ensures compliance with regulations and industry standards.
- Vulnerability Management – Helps identify and prioritize vulnerabilities, track remediation efforts, and ensure the SAP system remains secure over time.
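To make the runtime monitoring and SIEM integration described above concrete, here is a second added example (not from the article, SAP or any vendor). It scans connection events for the two conditions this section is about: an interface that is still using a plaintext transport (RFC without SNC, HTTP without TLS, FTP instead of SFTP), and a destination that is suddenly talking to a peer address it never used before, which is what an interception or redirection of the connection looks like from the monitoring side. The log line format, the destination names, the peer addresses and the allow-list are all constructed for the example; a real deployment would read the ICM and RFC gateway logs instead.

```python
"""Detect unencrypted or redirected SAP interface connections in log events.

Added example, not code from the article, SAP or any vendor. The log format,
destinations and peer allow-list are constructed for the example; a real
monitor would consume the ICM / RFC gateway logs.
"""
import json
import re

# Constructed sample log: one line per interface connection.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z dest=ERP_TO_PI type=RFC snc=ON peer=10.0.5.21 user=PIUSER
2024-05-02T10:14:09Z dest=WEB_SHOP type=HTTP tls=OFF peer=10.0.8.40 user=SHOPINT
2024-05-02T10:15:11Z dest=BANK_FILE type=FTP peer=203.0.113.7 user=BANKFTP
2024-05-02T10:15:30Z dest=HR_SYNC type=SFTP peer=10.0.9.3 user=HRINT
2024-05-02T10:16:40Z dest=ERP_TO_PI type=RFC snc=OFF peer=198.51.100.9 user=PIUSER
"""

# Constructed allow-list: the peer addresses each destination is expected to use.
EXPECTED_PEERS = {
    "ERP_TO_PI": {"10.0.5.21"},
    "WEB_SHOP": {"10.0.8.40"},
    "BANK_FILE": {"203.0.113.7"},
    "HR_SYNC": {"10.0.9.3"},
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split 'ts key=value key=value ...' into a dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    event.update(FIELD_RE.findall(rest))
    return event


def check_event(event, expected_peers=EXPECTED_PEERS):
    """Return the reasons this connection needs attention (empty list if clean)."""
    reasons = []
    kind = event.get("type", "").upper()
    # Plaintext transport checks, one per protocol family.
    if kind == "RFC" and event.get("snc", "OFF").upper() != "ON":
        reasons.append("plaintext RFC: SNC not active on this connection")
    elif kind == "HTTP" and event.get("tls", "OFF").upper() != "ON":
        reasons.append("plaintext HTTP: interface is not using HTTPS")
    elif kind == "FTP":
        reasons.append("plaintext file transfer: FTP instead of SFTP")
    # Peer deviation: a known destination reaching an address outside its allow-list.
    dest = event.get("dest")
    peer = event.get("peer")
    allowed = expected_peers.get(dest)
    if allowed is not None and peer not in allowed:
        reasons.append(f"unexpected peer {peer} for {dest}: possible redirection or interception")
    return reasons


def scan_log(text, expected_peers=EXPECTED_PEERS):
    """Run check_event over every non-empty line and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for reason in check_event(event, expected_peers):
            findings.append({"ts": event["ts"], "dest": event.get("dest"),
                             "peer": event.get("peer"), "reason": reason})
    return findings


def to_siem_event(finding):
    """Serialise one finding as a JSON line suitable for forwarding to a SIEM."""
    return json.dumps({"source": "sap-interface-monitor", "severity": "high", **finding},
                      sort_keys=True)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(to_siem_event(finding))
```

On the sample log the scan yields four findings: the plaintext HTTP shop interface, the FTP bank transfer, and two for the last RFC line, which is both unencrypted and coming from an address the destination never used. Emitting each finding as a JSON line is the simplest hand-off to a SIEM, where the "unexpected peer" reason can be correlated with network telemetry before an incident is declared.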
Making Sure No One Is Listening On The Other Line
SAP comes with Secure Network Communications (SNC), but additional security software should be used to compensate for its shortcomings. It’s all about protecting communication between the client and server components. Encryption is imperative for securing data in transit—without it, information can be obtained or changed by actors with bad intent. Protecting data within SAP’s complex architecture ensures that information travels without interception.
Knowing all the potential attack vectors and the weaknesses of native security that come with ERP systems will help companies visualize the areas that need attention. The proper attention will come from third-party applications that bring encryption, automatic testing, authentication, monitoring, and patch management to ensure your organization’s data is safe from interception and interference that could disrupt operations.
Christoph Nagy
Christoph Nagy has 20 years of working experience within the SAP industry. He has utilized this knowledge as a founding member and CEO at SecurityBridge – a global SAP security provider, serving many of the world’s leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become renowned as a strategic security solution for automated analysis of SAP security settings, and detection of cyber-attacks in real-time. Prior to SecurityBridge, Nagy applied his skills as a SAP technology consultant at Adidas and Audi.