S 5.13 SAP System

Description

SAP systems are used in companies and government agencies to automate and provide technical support for internal and external business, company, and government agency processes (Enterprise Resource Planning, ERP). An SAP system therefore typically processes confidential data, which means that corresponding protection for all system components and data must be guaranteed and that the protection level must be adapted to the threat scenario. In addition, the integrity and availability of the data also play an important role.

SAP offers an extensive range of systems, components, and functions, which means the term "SAP system" cannot be used to refer to a distinct installation or group of components. It is impossible in the framework of this module to deal with all SAP products available, and instead this module only deals with the core installations commonly encountered in practical applications.

An example of a typical SAP system is a mySAP ERP system (previously referred to as SAP R/3) with the following Enterprise Core Components: Human Capital Management (HCM), Finance & Controlling (FI/CO), Materials Management (MM), Sales & Distribution (SD), Production Planning (PP), Project Management (PS), and Quality Management (QM). The SAP NetWeaver Application Server (previously called the SAP Web Application Server) functions in this case as the core component. Other components of the current NetWeaver platform (current version: NetWeaver 04) include SAP XI, which operates as a data integration platform between individual SAP systems and between SAP and non-SAP systems, as well as the SAP Enterprise Portal, which operates as an integration platform for applications and users. These two components are also run on the SAP NetWeaver Application Server.

A brief overview of SAP systems and important terminology used in SAP environments can be found in safeguard S 3.53 Introduction to SAP systems.

The threats and safeguards in this module are based mainly on the SAP NetWeaver Application Server, which is the most important technical basis component of the NetWeaver platform. Since several versions of this basis component are available, which differ in terms of the functionality they offer, we will deliberately refrain from mentioning the differences between these versions. This makes the module applicable for a longer period of time while also making it possible to apply it to existing SAP R/3 systems. The basic security of an SAP system at the basis administration level is the focus of the safeguards and threats in this module. The securing of applications and modules (e.g. HCM, FI, etc.) is not included in this module. However, since many applications and modules use the security mechanisms of the basis component, the specified safeguards can also be applied to applications and modules after adapting them accordingly.

The goal of the module is not to reproduce the existing, extensive SAP documentation, but to present recommended security-related approaches and notable, special characteristics of SAP. For all other information, refer to the existing SAP documentation, which contains detailed technical descriptions. The relevant SAP documentation has been centrally compiled in one main safeguard: S 2.346 Use of the SAP documentation. The module not only helps IT security officers and administrators to plan the use of SAP, but also mentions the most important technical aspects to take into account from an IT security perspective.

Threat scenario

This module deals with threats to the SAP NetWeaver basis component, i.e. the SAP NetWeaver Application Server, which are relevant when performing basis administration for this component in intranet and Internet scenarios.

In general, the threat scenario of an SAP system depends on its operational scenario. An SAP system in an isolated government agency or company network is generally subject to fewer threats than a system that is connected to the Internet. However, a lack of protection at the network or SAP system level can also open up gaps in internal networks that can be exploited to gain unauthorised access. In such cases, it is important to know if the data can only be accessed for reading or if it is also possible to change the data. This is generally a critical issue for government agencies and companies, and the type of access is also checked, for example, when performing audits based on the Sarbanes-Oxley Act. In this context, the problems of inadequate authorisations and a lack of separation between the functions are particularly relevant.

The number of threats posed to SAP systems has increased greatly, especially due to the use of web technologies such as HTTP-based access capabilities and web applications that are connected to the Internet. Due to the ability to connect an SAP system to the public network, significantly greater threats are posed when the systems are improperly or incorrectly configured. This also applies in the case of missing or incompletely established processes, especially in outsourcing scenarios.

Force Majeure

T 1.1 Loss of personnel

Organisational Shortcomings

T 2.7 Unauthorised use of rights
T 2.37 Uncontrolled usage of communications lines
T 2.87 Use of insecure protocols in public networks
T 2.108 Lack of, or inadequate, planning of the use of SAP

Human Error

T 3.8 Improper use of the IT system
T 3.9 Improper IT system administration
T 3.16 Incorrect administration of site and data access rights

Deliberate Acts

T 5.2 Manipulation of information or software
T 5.7 Line tapping
T 5.9 Unauthorised use of IT systems
T 5.21 Trojan horses
T 5.23 Malicious software
T 5.128 Unauthorised data access by transferring code to an SAP system

Method recommendation

To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.

A series of safeguards must be implemented to successfully design and implement an SAP system, starting with the strategic decision and continuing through the planning and design phase, the installation phase, and up to the operation phase. In addition, it must be noted that a system needs to be disposed of properly once it has reached the end of its operation phase.

Parallel to the operation phase, the contingency planning phase must ensure that operation of the system is also maintained in an emergency. The Information Security Management and Audit departments must make sure that these rules are also followed.

The steps to be taken to accomplish this as well as the safeguards to be implemented in each phase are listed in the following:

Planning and design phase

If the decision to use an SAP system has been made, then the use of the SAP system must be planned and designed. The aspects to be taken into account during the planning and design phase can be found in safeguard S 2.341 Planning the use of SAP. It is important in this phase to plan the user authorisations for the users of the SAP system. Subjects relevant to planning and design are dealt with in safeguard S 2.342 Planning of SAP rights. It must be borne in mind that it is possible to influence the security of an SAP system significantly during the planning and design phase by taking security-related aspects into account in this phase. There are also safeguards relating to SAP-specific user training in S 3.52 Training on SAP systems since the security of an SAP system is affected by the users' and administrators' level of knowledge.

Special attention must be paid to planning the security in application scenarios that pose special threats to SAP systems. Such application scenarios may include typical Internet scenarios, in which case the recommendations in safeguard S 2.344 Secure operation of SAP systems on the Internet must be implemented. However, they may also include intranet scenarios, for example when an SAP system will be operated over a government agency or company portal. In this case, the recommendations in safeguard S 2.343 Protection of SAP systems in a portal scenario are relevant. A frequently encountered scenario that comes in conjunction with specific threats is the outsourcing of an SAP system, because, in this case, the configuration and administration of the system is performed by persons not employed by the company or government agency. Recommendations and information for such cases are available in safeguard S 2.345 Outsourcing of an SAP system.

Implementation phase

Once the preparatory organisational and planning tasks have been completed, the SAP system can be installed. Safeguard S 4.256 Secure installation of SAP systems must be taken into account for the installation.

However, the actual installation of the SAP system represents only a small portion of the work needed to be done during the implementation phase. Most of the work involves setting up the initial configuration of the SAP system after installation. The initial configuration defines and specifies the base level of security that will be available when the SAP system is put into operation as well as the framework for the security of the SAP system in the future. For this reason, the following aspects must be taken into account in the implementation phase:

An initial configuration must be set up for the ABAP stack as well as for the Java stack. In particular, situations in which both stacks are left unconfigured, because they will not be used, are to be avoided. The corresponding recommendations can be found in the following safeguards:

The core of every SAP system is the database, its tables, and the data these tables contain. The database does not only store the business data of a company or government agency, but also the internal functions and administrative information of the SAP system. For this reason, security problems in the database environment will always have an immediate effect on the overall security of the SAP system. The database-related safeguards are provided in the following:

SAP systems are designed as distributed systems and therefore communicate with each other or with other external client or server systems over a variety of interfaces. Securing communications is therefore an important task. In general, an SAP system can use many different communication channels. The channels used depend on the applications and modules installed. However, usually only a few basic communication mechanisms and interfaces are actually used. The relevant introductory safeguard in this case is:

- S 5.125 Protection of communication with SAP systems

An SAP system must be adapted to the local functional requirements of the company or government agency. This is accomplished by customising the system (i.e. adapting it to the customer's needs). The relevant safeguard in this context is:

- S 2.348 Security aspects relating to the customisation of SAP systems

Operation

After the initial installation and a test operation phase, regular operations can be initiated. The following security aspects must be taken into account in this phase:

To be able to detect security violations, it is necessary to monitor the SAP system accordingly. Information on monitoring can be found in the following safeguards:

Newer versions of the SAP software offer users the ability to connect to a computer virus protection program so that documents and data sent to the SAP system can be checked for viruses, for example. More information on this subject can be found in:

- S 4.271 Computer virus protection for SAP systems

Since an SAP system is subject to constant changes, usually due to new or changed requirements or modified application scenarios, it must be ensured that the desired level of security is also maintained (see also S 2.221 Change management and S 1.14 Patch and change management). This applies especially to software developed in-house. The relevant safeguard in this context is:

- S 2.349 Secure software development for SAP systems

New code or other changeable components will need to be integrated into the system. The SAP transport system is available for this purpose for ABAP-based changes. However, a different mechanism is used to deploy software for the Java stack environment. In both cases, though, the mechanisms must be secured so that they cannot be misused. The relevant safeguards are:

- S 4.272 Secure use of the SAP transport system
- S 4.273 Secure use of the SAP Java Stack software deployment

Disposal

Recommendations for the deinstallation of SAP systems, for example when regular operation is terminated, can be found in safeguard S 2.350 Withdrawal from operation of SAP systems.

Contingency Planning

Recommendations for contingency planning for SAP systems can be found in safeguard S 6.97 Contingency planning for SAP systems.

All safeguards for SAP systems are listed in the following:

Planning and design

S 2.341 (A) Planning the use of SAP
S 2.342 (A) Planning of SAP rights
S 2.343 (C) Protection of SAP systems in a portal scenario
S 2.344 (C) Secure operation of SAP systems on the Internet
S 2.345 (C) Outsourcing of an SAP system
S 2.346 (A) Use of the SAP documentation
S 3.52 (A) Training on SAP systems
S 3.53 (W) Introduction to SAP systems

Implementation

S 4.256 (A) Secure installation of SAP systems
S 4.257 (A) Protection of the SAP installation directory on operating system level
S 4.258 (A) Secure configuration of the SAP ABAP Stack
S 4.259 (A) Secure use of the ABAP Stack user management
S 4.260 (A) Rights management for SAP systems
S 4.261 (B) Secure handling of critical SAP rights
S 4.262 (C) Configuration of additional SAP authorisation checks
S 4.263 (A) Protection of SAP destinations
S 4.264 (A) Restricting direct table changes in SAP systems
S 4.265 (B) Secure configuration of batch processing on SAP systems
S 4.266 (A) Secure configuration of the SAP Java Stack
S 4.267 (A) Secure use of the SAP Java Stack user management
S 4.268 (A) Secure configuration of rights for the SAP Java Stack
S 4.269 (A) Secure configuration of the SAP system database
S 5.125 (B) Protection of communication with SAP systems
S 5.126 (A) Protection of the SAP RFC interface
S 5.127 (B) Protection of the SAP Internet Connection Framework (ICF)
S 5.128 (B) Protection of the SAP ALE (IDoc/BAPI) interface
S 5.129 (C) Secure configuration of HTTP-based services on SAP systems

Operation

S 2.347 (B) Regular security checks of SAP systems
S 2.348 (C) Security aspects relating to the customisation of SAP systems
S 2.349 (C) Secure software development for SAP systems
S 4.270 (A) Logging of SAP events
S 4.271 (C) Computer virus protection for SAP systems
S 4.272 (A) Secure use of the SAP transport system
S 4.273 (A) Secure use of the SAP Java Stack software deployment

Disposal

S 2.350 (A) Withdrawal from operation of SAP systems

Contingency Planning

S 6.97 (A) Contingency planning for SAP systems