In order to create a strong Cybersecurity program, or to leverage an existing program for the benefit of securing the SAP landscape, the first step is understanding the language used by security programs in general. One of the top road maps used to create a Cybersecurity program is the SANS Institute CIS Critical Security Controls. The SANS Institute is a research and educational organization focused on information security research and training. The recommendations made by SANS are accepted worldwide as the most important in the information security industry. Detailed explanations of each of the twenty critical controls are available at:
The controls ask important questions about connectivity, users, vulnerability assessments, maintenance, defenses, services, disaster recovery, data protection and security, penetration testing, and incident response. It is appropriate to levy these questions against an entire IT infrastructure, but the same questions should also be drilled down into the application layer. Over the next few weeks we are going to publish a series of blog articles looking at each of the critical controls and discussing their application to the SAP landscape.
In this article we will start with the following two:
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
Authorized devices make sense, but how do unauthorized devices gain access to the SAP landscape? With the growth in the use of web based access to SAP via portal, reporting, HANA, FIORI and other HTTP delivered content, as well as the growth of NetWeaver Business Client (NWBC), more types of devices can connect to the SAP environment. Bring your own device policies that allow users to utilize personal computers and mobile devices for business use take control of the platform interacting with the SAP environment out of the hands of the IT department and introduce new risk into the landscape. Viruses, botnets, worms and hackers may already have access to these unauthorized or unmanaged devices, and with it the opportunity to drill into the SAP data.
Authorized software makes sense, but how does unauthorized software gain connectivity to the SAP landscape? All companies have a certain level of 'shadow IT': business areas running IT projects in order to solve a business need. These projects can create connectivity to the SAP landscape for data augmentation, cloud based access, remote access for consultants and whatever software they implement, along with many other scenarios. Projects like these give external access to SAP that goes through a Remote Function Call (RFC) connection that may have very broad access. If the ID associated with the RFC connection has expansive access in the system, then the content of the system is at risk and the ability for malicious code to be injected into the server increases.
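As an added example that is not part of the original article, the following Python script shows how the two controls above can be applied to the SAP landscape as a single inventory check: each RFC destination is compared against an authorized device inventory (CSC 1) and an authorized destination inventory (CSC 2), and the stored user is flagged when it carries a broad profile or is an interactive user. The destination records, host names, user IDs and the review_destinations function are constructed for illustration; SAP_ALL, SAP_NEW and the DIALOG/SYSTEM/COMMUNICATION user types are standard SAP names.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class RfcDestination:
    """One RFC destination as it might be exported from the SAP destination
    maintenance transaction, joined with the profiles held by the stored user."""
    name: str
    target_host: str
    user: str
    user_type: str                 # DIALOG, SYSTEM, COMMUNICATION or SERVICE
    profiles: set[str] = field(default_factory=set)

# Standard profiles that grant essentially the whole system to the stored identity.
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}

def review_destinations(dests, authorized_hosts, authorized_names):
    """Return {destination_name: [findings]} for every destination that fails
    the device inventory (CSC 1), the software inventory (CSC 2), or RFC hygiene."""
    findings = {}
    for d in dests:
        issues = []
        if d.target_host not in authorized_hosts:
            issues.append("target host not in authorized device inventory")
        if d.name not in authorized_names:
            issues.append("destination not in authorized software inventory")
        broad = sorted(d.profiles & BROAD_PROFILES)
        if broad:
            issues.append("stored user holds broad profile(s): " + ", ".join(broad))
        if d.user_type == "DIALOG":
            issues.append("stored user is an interactive DIALOG user, not SYSTEM/COMMUNICATION")
        if issues:
            findings[d.name] = issues
    return findings

# Constructed sample data (hypothetical names, hosts and users).
SAMPLE = [
    RfcDestination("PRD_TO_BW", "bw-prd.corp.example", "RFC_BW", "SYSTEM", {"Z_BW_EXTRACT"}),
    RfcDestination("CLOUD_SYNC", "10.0.99.7", "ADMIN01", "DIALOG", {"SAP_ALL"}),
    RfcDestination("CONSULT_REMOTE", "laptop-consult", "RFC_TOOL", "COMMUNICATION", {"SAP_NEW"}),
]
AUTHORIZED_HOSTS = {"bw-prd.corp.example"}
AUTHORIZED_NAMES = {"PRD_TO_BW"}

def sample_findings():
    return review_destinations(SAMPLE, AUTHORIZED_HOSTS, AUTHORIZED_NAMES)

if __name__ == "__main__":
    for name, issues in sample_findings().items():
        print(name, "->", "; ".join(issues))
```

Only the sanctioned BW extraction destination passes; the cloud sync and consultant destinations are reported once for each control they violate, which is the shape of list a security team can feed into its asset and software inventories.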
These two controls are applicable at the overarching IT Architecture level, but also at the SAP Landscape level. In our next article we will talk about secure configurations and continuous assessment and monitoring.
Assorted Members of the CAG Team providing insightful information on current topics related to GRC, Security, and Audit.