Customer Advisory Group

Think Big - Start Small - Work Smart with CAG

Our Blog

Reconciling SAP Cybersecurity to the SANS CIS Critical Security Controls

7/8/2016

1 Comment

In order to create a strong Cybersecurity program, or to leverage an existing program to secure the SAP landscape, the first step is understanding the language used by security programs in general. One of the top roadmaps used to create a Cybersecurity program is the SANS Institute CIS Critical Security Controls. The SANS Institute is a research and educational organization focused on information security research and training. The recommendations made by SANS are accepted worldwide as the most important in the information security industry. Detailed explanations of each of the twenty critical controls are available at:

https://www.sans.org/critical-security-controls

The controls ask important questions about connectivity, users, vulnerability assessments, maintenance, defenses, services, disaster recovery, data protection and security, penetration testing, and incident response. It is appropriate to ask these questions of an entire IT infrastructure, but the same questions should also be drilled down into the application layer. Over the next few weeks we are going to publish a series of blog articles looking at each of the critical controls and discussing their application to the SAP landscape.

In this article we will start with the following two:

CSC 1: Inventory of Authorized and Unauthorized Devices

CSC 2: Inventory of Authorized and Unauthorized Software

Authorized devices make sense, but how do unauthorized devices gain access to the SAP landscape? With the growth of web-based access to SAP via the portal, reporting, HANA, Fiori and other HTTP-delivered content, as well as the growth of NetWeaver Business Client (NWBC), more types of devices can connect to the SAP environment. Bring-your-own-device policies that allow users to use personal computers and mobile devices for business take control of the platform interacting with the SAP environment out of the hands of the IT department and introduce new risk into the landscape. Viruses, botnets, worms and attackers may already have access to these unauthorized or unmanaged devices, and with it the opportunity to drill into SAP data.
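A practical starting point for CSC 1 at the SAP layer is to reconcile the client addresses that actually reach the system against the list of devices IT manages. The script below is an added example written for this article, not code from CAG or SAP: it reads constructed, simplified access records (timestamp, user, client address, channel), which in a real landscape would come from the Security Audit Log, the ICM HTTP log or the gateway log, checks each address against an assumed managed-network and known-host inventory, and reports the connections from unknown devices grouped by access channel (SAP GUI, NWBC, Fiori, RFC). The record layout, subnets and user names are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed authorized-device inventory (CSC 1). In a real landscape this
# comes from the CMDB or endpoint management system, not from a hard-coded list.
MANAGED_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),   # corporate LAN (assumed)
    ipaddress.ip_network("10.20.5.0/24"),   # application server segment (assumed)
]
KNOWN_HOSTS = {"10.99.1.7"}                 # a registered, managed laptop on VPN (assumed)

# Constructed, simplified access records: timestamp user client-address channel.
# The last line is deliberately malformed to show that bad lines are counted, not ignored.
SAMPLE_RECORDS = """
2016-07-08T08:01:12 JSMITH 10.10.4.21 SAPGUI
2016-07-08T08:03:45 AMILLER 10.10.7.8 NWBC
2016-07-08T08:05:02 JSMITH 192.168.1.50 FIORI
2016-07-08T08:07:19 RFC_BATCH 10.20.5.14 RFC
2016-07-08T08:09:33 KLEE 10.99.1.7 FIORI
2016-07-08T08:11:40 KLEE 172.16.40.9 NWBC
2016-07-08T08:12:01 BROKENLINE
""".strip()


def is_authorized(addr: str) -> bool:
    """True if the client address is a known host or inside a managed network."""
    if addr in KNOWN_HOSTS:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MANAGED_NETWORKS)


def parse_records(text):
    """Return (rows, skipped): valid (ts, user, addr, channel) tuples and a count of bad lines."""
    rows, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            skipped += 1
            continue
        ts, user, addr, channel = parts
        try:
            ipaddress.ip_address(addr)       # reject records whose address field is not an IP
        except ValueError:
            skipped += 1
            continue
        rows.append((ts, user, addr, channel))
    return rows, skipped


def reconcile(text):
    """Group every connection from an unmanaged device by the SAP access channel it used."""
    rows, skipped = parse_records(text)
    unauthorized = defaultdict(list)
    for ts, user, addr, channel in rows:
        if not is_authorized(addr):
            unauthorized[channel].append({"time": ts, "user": user, "addr": addr})
    return {"total": len(rows), "skipped": skipped, "unauthorized": dict(unauthorized)}


if __name__ == "__main__":
    report = reconcile(SAMPLE_RECORDS)
    print(f"{report['total']} records parsed, {report['skipped']} skipped")
    for channel, hits in report["unauthorized"].items():
        for h in hits:
            print(f"UNKNOWN DEVICE {h['addr']} user={h['user']} via {channel} at {h['time']}")
```

Run as-is, the two connections from the unmanaged addresses 192.168.1.50 (Fiori) and 172.16.40.9 (NWBC) are reported while the SAP GUI, RFC and VPN-laptop connections pass; the malformed line is counted separately so that a parsing problem is never silently mistaken for a clean log. Channels are tracked separately because the HTTP-delivered content and NWBC paths the article names are exactly the ones that open the landscape to device types the gateway ACLs were never written for.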

Authorized software makes sense, but how does unauthorized software gain connectivity to the SAP landscape? All companies have a certain level of 'shadow IT': business areas running IT projects to solve a business need. These projects can create connectivity to the SAP landscape for data augmentation, cloud-based access, remote access for consultants and whatever software they implement, along with many other scenarios. Projects like these give external access to SAP through a Remote Function Call (RFC) connection that may have very broad access. If the ID associated with the RFC connection has expansive access in the system, then the content of the system is at risk and the ability for malicious code to be injected into the server increases.
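For CSC 2 the equivalent exercise is an inventory of the RFC connections themselves and of the IDs stored in them. The following is an added example written for this article, not CAG's or SAP's code: it works on constructed, simplified extracts shaped like the data an administrator would pull from SM59 (destinations and their logon users), the USR02 user master (the USTYP user-type field) and the UST04 profile assignments, and flags a destination when its stored ID is a dialog user, carries a broad profile such as SAP_ALL or SAP_NEW, or points at a target outside the assumed internal domain. The destination names, hosts, users and the internal-domain convention are assumptions for the example.

```python
from collections import namedtuple

# Constructed, simplified extracts. Real equivalents: SM59 / RFCDES for destinations,
# USR02 for the user master (USTYP = user type) and UST04 for profile assignments.
Destination = namedtuple("Destination", "name target logon_user")
DESTINATIONS = [
    Destination("PRD_TO_BW", "bwprd.corp.example", "BWCONNECT"),       # assumed
    Destination("CLOUD_SYNC", "203.0.113.25", "JSMITH"),               # assumed
    Destination("VENDOR_EXTRACT", "vendor.example.net", "EXTRACT_SVC"), # assumed
    Destination("PI_INBOUND", "piprd.corp.example", "PIAPPLUSER"),     # assumed
]

# USR02.USTYP values: A = dialog, B = system, C = communication, S = service, L = reference
USER_TYPES = {"BWCONNECT": "C", "JSMITH": "A", "EXTRACT_SVC": "B", "PIAPPLUSER": "B"}

# UST04-style assignments: user -> set of profiles (constructed)
PROFILES = {
    "BWCONNECT": {"Z_BW_EXTRACT"},
    "JSMITH": {"SAP_ALL"},
    "EXTRACT_SVC": {"SAP_ALL", "SAP_NEW"},
    "PIAPPLUSER": {"Z_PI_INBOUND"},
}

INTERNAL_DOMAINS = ("corp.example",)        # assumed internal naming; anything else is external
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}     # profiles that grant the "expansive access" the article warns about


def is_external_target(target: str) -> bool:
    """A target that does not end in an internal domain (including a bare IP) is treated as external."""
    return not target.endswith(INTERNAL_DOMAINS)


def assess(dest, user_types, profiles):
    """Return the list of finding codes for one RFC destination (empty list = clean)."""
    findings = []
    utype = user_types.get(dest.logon_user)
    if utype is None:
        findings.append("UNKNOWN_USER")      # stored ID not in the user master: stale or from another client
    elif utype == "A":
        findings.append("DIALOG_USER")       # an interactive account should not live in a destination
    if profiles.get(dest.logon_user, set()) & BROAD_PROFILES:
        findings.append("BROAD_PROFILE")     # the connection inherits far more than the interface needs
    if is_external_target(dest.target):
        findings.append("EXTERNAL_TARGET")   # connectivity leaving the landscape: the shadow-IT case
    return findings


def inventory(destinations, user_types=USER_TYPES, profiles=PROFILES):
    """Map destination name -> findings, omitting destinations with nothing to report."""
    report = {}
    for d in destinations:
        f = assess(d, user_types, profiles)
        if f:
            report[d.name] = f
    return report


if __name__ == "__main__":
    for name, findings in inventory(DESTINATIONS).items():
        print(f"{name}: {', '.join(findings)}")
```

On the constructed data the two internal interfaces with communication or system users and narrow profiles come back clean, while CLOUD_SYNC (a dialog user holding SAP_ALL, pointing at an external address) and VENDOR_EXTRACT (a system user with SAP_ALL and SAP_NEW, pointing at a vendor host) are the ones a review would take to the business area that created them. The same three checks give a repeatable answer to the article's question of which IDs behind RFC connections have expansive access.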
These two controls are applicable at the overarching IT Architecture level, but also at the SAP Landscape level.  In our next article we will talk about secure configurations and continuous assessment and monitoring.

    Authors

    Assorted Members of the CAG Team providing insightful information on current topics related to GRC, Security, and Audit.

Customer Advisory Group © 2022  All Rights Reserved