SAP Security Chat Tips to Improve SAP ERP Security

Apr 16, 2017

Panaya
Transcript
Page 1: SAP Security Chat Tips to Improve SAP ERP Security

© Panaya | An Infosys Company

SAP Security Chat

Infosys and Panaya

Page 2: SAP Security Chat Tips to Improve SAP ERP Security

Today’s Speakers

Gordon Muehl, Vice President at Infosys
Rasmi Swain, Principal Risk Management & GRC; Information Security at Infosys
Guy Vago, SAP Project Manager at Panaya
Rafi Kretchmer, Vice President at Panaya

Page 3: SAP Security Chat Tips to Improve SAP ERP Security

The State of SAP Security
Business practices for SAP security
Best practice to simplify security audits
The Panaya solution

Demo

Page 4: SAP Security Chat Tips to Improve SAP ERP Security

PANAYA POLL 1/4

Page 5: SAP Security Chat Tips to Improve SAP ERP Security

The Importance of Safety

95% of SAP Systems are exposed to vulnerabilities

60% feared an attack on their SAP applications would be catastrophic

$4.5 Million is the average estimated cost of SAP systems taken offline**

24% of worldwide ERP software market share belongs to SAP, double their largest competitor***

*Based on Onapsis Research 5/2015
** Ponemon Institute Research 2/16
*** Forbes 5/2014

SAP - the ERP Market Leader

Page 6: SAP Security Chat Tips to Improve SAP ERP Security

The Underestimated Security Threat*

*Based on Ponemon Institute Research 2/16

ERP ranked in the top 5 SAP applications most vulnerable to attack

75% believe SAP platforms have at least one and possibly more malware infections

70% of enterprises skip security and compliance audits of their ABAP code

47% expect an increase in attacks against SAP infrastructure over the next 2 years.

Only 34% say their companies have visibility into the security of SAP Applications

Page 7: SAP Security Chat Tips to Improve SAP ERP Security

*Based on Ponemon Institute Research 2/16

63% say C-level execs underestimate the risk associated with insecure SAP applications

21% of senior leadership were aware or shared the concern of an attack on their SAP application

Senior Leadership and the Security Risk

Page 8: SAP Security Chat Tips to Improve SAP ERP Security

Security is a hassle but it needs to be done

Page 9: SAP Security Chat Tips to Improve SAP ERP Security

What you need to secure your landscape

You need to ensure 6 areas

Access control
Application security
Infrastructure
GRC
Data Security
On-going monitoring

Page 10: SAP Security Chat Tips to Improve SAP ERP Security

PANAYA POLL 2/4

Page 11: SAP Security Chat Tips to Improve SAP ERP Security

Information Security at Infosys

Page 12: SAP Security Chat Tips to Improve SAP ERP Security

(iCRM) - Security Solutions and Services

Page 13: SAP Security Chat Tips to Improve SAP ERP Security

SAP Landscape Complexity

Page 14: SAP Security Chat Tips to Improve SAP ERP Security

SAP Environment - SAP R/3 and SAP Business Suite - On-cloud

Page 15: SAP Security Chat Tips to Improve SAP ERP Security

SAP Security Risks & Vulnerabilities

Page 16: SAP Security Chat Tips to Improve SAP ERP Security

Top 10 SAP Vulnerabilities

Authentication Bypass via Verb tampering
Authentication Bypass via the Invoker servlet
Buffer overflow in ABAP Kernel
Code execution via TH_GREP
MMC read SESSIONID
Remote portscan
Encryption in SAPGUI
BAPI XSS/SMBRELAY
XML Blowup DOS
GUI Scripting DOS

Top 10 vulnerabilities
Source: ERPScan

Default passwords for DB access
Lack of DB patch management
Unnecessary Enabled DB features
Lack of password lockout/complexity checks
Unencrypted sensitive data transport / data
Lack or misconfigured network access control
Extensive user and group privileges
Lack or misconfigured audit
Insecure trust relations
Open additional interfaces

Top 10 vulnerabilities
Source: http://www.cvedetails.com/vendor/797/SAP.html

Page 17: SAP Security Chat Tips to Improve SAP ERP Security

Infosys iCRM & PANAYA-SAP Security Offering

Page 18: SAP Security Chat Tips to Improve SAP ERP Security

Network
Server OS

Basis Controls
IT Controls

Business Process Review
Configuration Review
IT Application Controls

Role & Authorization Review
Access Review
SoD Review
Authorization/SoD Controls

Process Controls

Infrastructure Controls

Technical Controls

Types of Controls in SAP

Inherent or Default controls

Default Controls – Sales order cannot be created without a valid customer

Configurable controls
Implemented through IMG Settings. Example: Tolerance for three way match or PO Approval Hierarchy

Procedural Controls
IT dependent Controls: Review of Exception reports
Security Checks
Review Configuration Settings
Procedural Controls
Exception Reports

SAP Layers of Security & Types of Controls

Page 19: SAP Security Chat Tips to Improve SAP ERP Security

Infosys-Panaya - SAP Landscape Security offering

Governance Security Review and Monitoring

Review of Audit Logs Change & Transport Management

Access Control and Roles management

Users & Authorizations Authentication and Single Sign on

Roles Management

SAP Infrastructure Security

Operating Systems and Database Security

Network Security (SAP Router)

Data Security

Source Code and Custom Code Security

Secure Maintenance of ABAP Code & Custom code

Security

VA and PT Front End Security (FIORI, SAP Enterprise Portal, SAP-Gui)

SAP New Technologies

SAP HANA appliance & HANA Security

SAP Mobile Middleware (MDM, MAM)

SAP Cloud Security

Application Security

Infrastructure Security

Identity & Access Management

Data Security

Governance, Risk and Compliance

Panaya Cloud Quality Project

Infosys Security Offering

Panaya Offering

Page 20: SAP Security Chat Tips to Improve SAP ERP Security

PANAYA POLL 3/4

Page 21: SAP Security Chat Tips to Improve SAP ERP Security

Panaya CloudQuality™ Suite

Page 22: SAP Security Chat Tips to Improve SAP ERP Security

Increase ERP agility with zero risk

Panaya CloudQuality™ Suite

SCOPE

TEST

ANALYZE

Any ERP Change

COLLABORATION

Functional

Security

Performance

What to fix

What to test

Manage Automate Document & Report

Page 23: SAP Security Chat Tips to Improve SAP ERP Security

Train developers to write secure code

Automate

Integrate security in ongoing ERP maintenance

Simplify Security audits

Make it simple with Panaya

Page 24: SAP Security Chat Tips to Improve SAP ERP Security

Ongoing seamless security

Security is integrated into ongoing change management

Secure go-live!

Page 25: SAP Security Chat Tips to Improve SAP ERP Security

Page 26: SAP Security Chat Tips to Improve SAP ERP Security

PANAYA POLL 4/4

Page 27: SAP Security Chat Tips to Improve SAP ERP Security

Established 2006, Acquired by Infosys - 2014

Quality Automation SaaS Solution for ERP

Powered by:

ERP Domain expertise

Crowd based customer insights

Proven with over 2000+ Customers

50 HANA Migrations

Over 9,000 projects (5,000 business process implementations)

2000+ Stay-current projects (upgrade, patches)

Over 5,000,000 test scripts

Page 28: SAP Security Chat Tips to Improve SAP ERP Security

 Information Security at Infosys

Page 29: SAP Security Chat Tips to Improve SAP ERP Security

Get your own complimentary assessment from

Upload: Run a simple ABAP report and upload to Panaya Code Box (< 20 min.)

Get: ERP Health-check & simulation of your upgrade project (< 48 hrs.*)

* Estimated time based on business days

Page 30: SAP Security Chat Tips to Improve SAP ERP Security
