SAP Zero Trust Framework Explained (July 2021)

The SAP security team is overwhelmed. I wish there were more to say, but the message is clear and the data is unmistakable:

Median dwell time: 56 days

Number of disparate tools: 25 - 50

Skills gap: Extreme

Noise: Too much

On May 12th, an executive order from the White House underscored the importance of this issue: critical supply chain cyber-attacks cannot be ignored.

We must detect faster, and this requires scaling the security operations center through comprehensive data availability. Our SOCs must have visibility into, and the ability to search, all datasets, regardless of how generic that data is thought to be.

In addition, we must get away from the legacy standard of implicit trust. “Always assume breach” is a mindset and a culture we must move towards, and this is the basis for Zero Trust Architecture. A risk-prioritized approach is important to detection and critical to the containment of a breach.

The same is true for SAP. An SAP Zero Trust Framework is required to protect SAP systems and critical information from unauthorized access in a distributed environment, whether the system is accessed locally or remotely. It should cover the various authentication methods, database security, network and communication security, SAP application security, protection of the standard users, and the additional best practices that should be followed in maintaining your SAP environment.

In an SAP distributed environment, there is always a need to protect your critical information and data from unauthorized access. Human error and incorrect access provisioning must not open the system to unauthorized access, so profile policies and system security policies have to be monitored and reviewed. SAP security teams spend a lot of time monitoring daily activities such as user administration, authorizations and permissions, running several critical transactions and reports to monitor and troubleshoot security issues. Legacy or traditional solutions have been used to monitor these security events; however, they carry severe limitations and constraints, and security experts agree that this approach is not only non-compliant with Zero Trust but also frustrating and of limited value.

Zero Trust Mindset

Zero Trust – important now more than ever before. But what is it? Is it a framework or is it an initiative? We think Zero Trust is an organizational mindset that manifests in frameworks, products, solutions, and change agents. SAP teams have varying degrees of the definition for Zero Trust within the corporation’s mission-critical systems, and they require agile solutions to map to their security maturity.

Zero Trust Architecture is the foundation of security modernization, and its own foundation is data. We seek to achieve visibility through all these layers by enabling a data platform approach. This is where PowerConnect is fundamental to data access for security operations. With a whole-organization approach, it is critical for SAP security data to become available, visible, and searchable as a bare minimum capability. We can no longer make assumptions about SAP data.

My colleague Ravi Kummitha, who works as a Consultant for Fortune 500 Companies, is responsible for overseeing the security of large SAP landscapes with 100+ SAP systems. He puts it this way.

“With the implementation of PowerConnect, the monitoring of complex security use cases with huge data generated out of several transactions is now quicker, simpler, and realistic. It encompasses the practice of actively analyzing all movements within a large number of production and non-production systems and identifying both external and internal threats; with critical data sets, any unfounded and rarely thought vulnerable security use cases within the SAP environment can be easily cracked. The out-of-the-box feature to extract and analyze the deep insights of security data is extremely useful to monitor, alert, and troubleshoot the issues almost in real time. The SAP Security Support teams can consume the events and immediately begin the process of mitigation or remediation, resulting in a huge improvement in MTTR. This is as close to ZERO TRUST as we have today for SAP.”

Zero Trust framework for SAP with PowerConnect

RHONDOS PowerConnect – The Modern Solution.

Key components of an SAP Zero Trust Framework

Monitoring SoD (segregation of duties) violations, user maintenance, user authorizations, role and profile assignments and changes together with their authorization objects, and troubleshooting any complex user-behavior use case can be solved with the data insights from the typical transaction codes and tables. The key is ingesting the following data in near real time and overlaying it, so that you progress from point-in-time reports to streaming correlation.

SU01, PFCG, SU53

SUIM, ROLE_AUTH, USR*

AGR

SM20 and SM19 are often used for quarterly and annual compliance reporting, but modern threats don’t wait. Streaming these datasets detects SAP security vulnerabilities and configuration changes before the audit report is due.

And as we move up the maturity model, proactive threat detection use cases follow: dangerous RFC callbacks, a user accessing critical data or transactions, downloads of sensitive data from tables, multiple logons from the same terminal, system user ID connection issues, account sharing, and the list goes on: monitoring and alerting on Firefighter users, unauthorized activities, Fiori app security, HANA security, transport movement, and certificate and license management.

These are all part of the RHONDOS PowerConnect Zero Trust framework.

Move to Modern with a Skilled and Empowered Security Team

Empowerment, at least per Webster, means having the knowledge and confidence to make decisions for oneself. When it comes to SAP, knowledge is definitely available to the BASIS and functional teams, but the velocity at which that knowledge is assimilated is just too slow for modern cyber threats. Additionally, SOCs do not have the same visibility into security-focused transaction details such as those found in SM20, SM04, SU53 or STRUST. This is where SAP PowerConnect has an immediate return on investment. Straight out of the box, teams are empowered to visualize, and alert on in real time, privileged account abuse, sensitive transaction frequencies, and suspicious login activity.

Problems such as tracking habitual users of the SAP* login credentials become solvable, as does monitoring for “land speed records” such as geographically impossible successive login attempts, or multiple terminals used by the same account.
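As an added illustration of the detection logic this section describes (not code from the post or from PowerConnect), the following Python runs three checks over a constructed, SM20-style list of logon events: every use of the SAP* account, accounts that logged on from more than one terminal inside a short window, and terminals from which more than one account logged on. The record layout and the LOGON_OK/LOGON_FAIL labels are assumptions for this example, not SAP's export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events shaped like a simplified SM20 security audit
# log export: (timestamp, user, terminal, outcome). The layout and the outcome
# labels are assumptions for this example, not SAP's exact format.
SAMPLE_LOG = [
    ("2021-07-01 08:00:05", "JSMITH", "WS-FIN-17",   "LOGON_OK"),
    ("2021-07-01 08:00:40", "SAP*",   "WS-ADMIN-02", "LOGON_OK"),
    ("2021-07-01 08:03:10", "JSMITH", "WS-HR-03",    "LOGON_OK"),
    ("2021-07-01 08:04:55", "MJONES", "WS-HR-03",    "LOGON_OK"),
    ("2021-07-01 08:20:00", "JSMITH", "WS-FIN-17",   "LOGON_FAIL"),
    ("2021-07-01 09:30:00", "AKHAN",  "WS-FIN-21",   "LOGON_OK"),
]

def parse(records):
    """Keep successful logons only, as (datetime, user, terminal), time-ordered."""
    out = []
    for ts, user, term, outcome in records:
        if outcome == "LOGON_OK":
            out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, term))
    return sorted(out)

def sap_star_logons(records):
    """Every successful use of the SAP* super user; each one must be accountable."""
    return [(ts.isoformat(), term) for ts, user, term in parse(records) if user == "SAP*"]

def _distinct_within(records, key_idx, val_idx, window):
    """Group events by key (user or terminal) and flag keys that see more than
    one distinct value (terminal or user) inside `window`, i.e. one account on
    several terminals, or several accounts on one terminal."""
    groups = defaultdict(list)
    for rec in parse(records):
        groups[rec[key_idx]].append(rec)
    flagged = {}
    for key, events in groups.items():
        for i, (t0, *_) in enumerate(events):
            seen = {e[val_idx] for e in events[i:] if e[0] - t0 <= window}
            if len(seen) > 1:
                flagged[key] = sorted(seen)
                break
    return flagged

def multi_terminal_users(records, window=timedelta(minutes=10)):
    """Users who logged on from more than one terminal inside the window."""
    return _distinct_within(records, 1, 2, window)

def shared_terminals(records, window=timedelta(minutes=10)):
    """Terminals from which more than one user logged on inside the window."""
    return _distinct_within(records, 2, 1, window)
```

The window is the tuning knob: a shorter one reduces noise from legitimate desk changes, a longer one catches slower account sharing.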

SAP Security Essentials dashboard

Share and Incorporate Threat Intelligence

RHONDOS has a development team that builds and maintains an Enterprise Security Integration Package for SAP data. This integration takes the SAP security-focused datasets made available by PowerConnect and models them to match the architecture of Enterprise Security. The resulting solution brings an SAP-specific domain into the Security Operations Center, where SAP-specific indicators of compromise can be monitored. The SOC and the SAP BASIS and functional teams can now progress toward converging their security efforts across these large, complex systems. Ultimately, maturing the security posture requires joint ventures across the organization, and the first step in breaking down organizational silos is working from the same sheet of music.

Correlation Search Configurator dashboard
Security Posture Splunk Enterprise

Bringing the data to the forefront is not just a technological challenge but a mindset, and as security practitioners we must all act as change agents by bringing people together. We’re just not going to get there with the next shiny tool or new-fangled software. We must act as trusted advisors and be approachable in order to drive evolution and education.

Introducing the concept of SAP ZERO TRUST FRAMEWORK can be challenging but today’s cyber threats demand it.

Join us at our next webinar. We usually host these live events once a month to showcase the PowerConnect technology and share some deep dives into common use cases.

https://www.rhondos.com/webinar

Not a fan of webinars? Request a demo instead.
