October 11, 2018
SAP HANA, like any other SAP system, provides many security features. Features such as user authentication, role-based authorization, network encryption and security auditing can be used to mitigate risks. But several attacks have shown that merely having these features does not guarantee security.
The US Department of Homeland Security (DHS) has reported that hackers are increasingly targeting ERP systems, and SAP is among the most vulnerable. Attacks on SAP HANA in particular have doubled in the past two years. This trend is likely to continue due to factors like system complexity, increasing mobility and a lack of security skills.
So, how can you be prepared without knowing what risks your SAP HANA system faces? Let’s look at such risks briefly.
SAP HANA uses in-memory computing to deliver real-time analytics over large volumes of data more effectively than traditional databases. However, the data in memory is not encrypted, since encrypting it would negate the performance gains. This change in architecture means the system is exposed to RAM-based attacks such as RAM scraping malware. It is one of the most dangerous security threats because it leaves almost no digital footprint of an attack and is therefore extremely difficult to detect. This is one reason why RAM-based attacks are gaining popularity in espionage.
In the past, this memory weakness has been exploited to attack retail chain POS systems and harvest credit card details from RAM. Experts predict more sophisticated attacks in the future.
Security is largely neglected when connecting IoT devices, especially in industrial settings. One reason for the poor security is the use of hardware in public places. Industries fail to ensure that basic protection features are implemented, and they often don't demand that IoT vendors secure their devices against misuse.
For example, this year we saw a growing number of Mirai botnet variants. These enslave large numbers of IoT devices to launch crippling DDoS attacks. Such IoT-based attacks on enterprises are likely to grow.
HANA systems can often be logged into from the internet, since HANA is more web-focused than other SAP systems. This may expose the system to web-based security risks such as unauthorized access. In some cases, finding the login page is as simple as running a Google search.
A typical web hacker would be able to exploit these weaknesses. For example, if SAP NetWeaver installations are not secured well enough, they could be vulnerable to a remote, unauthenticated attacker who has only network access to the system. Moreover, the system can be vulnerable to common web-based attacks such as XSS, SQL injection, ABAP injection and so on.
SAP HANA security is an ongoing process. But security patches are often skipped, and the security notes that are released almost every day are not followed. One reason patches are not applied is the time and effort they take. Patch implementation becomes more complex when a patch is released together with a functional update.
Running HANA in parallel with an existing system also increases security complexity. In addition, HANA brings its own set of security tools, authorization concepts, configuration settings and possibly a different operating system setup, each of which needs to be secured.
A poorly configured password policy poses a security risk, since username and password is one of the basic authentication methods of SAP HANA. Yet some companies aren't careful and tend to use the same or similar passwords for various usernames.
Segregation of Duties (SoD) is one of the challenges in SAP in general. It is designed to limit users' data access according to their duties, and weaknesses in it are a key contributor to fraud. This is mainly due to the complexity of assigning privileges. It is also difficult to find out which privileges have actually been given to users.
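To make the last two points concrete, here is an added example (not from the original post) of how a HANA administrator can inspect and harden the password policy and audit which privileges users actually hold, using plain HANA SQL against the SYS views. The "weak" parameter values, the user name EXAMPLE_USER and the USER ADMIN / ROLE ADMIN conflict rule are assumptions chosen for illustration; view, column and parameter names are taken from the HANA documentation for recent releases and should be checked against your own version.

```sql
-- 1. Current effective password policy (the SYSTEM layer of indexserver.ini).
SELECT PROPERTY, VALUE
  FROM SYS.M_PASSWORD_POLICY
 ORDER BY PROPERTY;

-- 2. Weak setting (assumed, close to the shipped defaults):
--      minimal_password_length = 8, maximum_invalid_connect_attempts = 6,
--      last_used_passwords = 5.  Hardened replacement, applied system-wide:
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('password policy', 'minimal_password_length')          = '12',
      ('password policy', 'password_layout')                  = 'A1a_',  -- upper, digit, lower, special
      ('password policy', 'maximum_invalid_connect_attempts') = '5',
      ('password policy', 'password_lock_time')               = '1440',  -- minutes
      ('password policy', 'maximum_password_lifetime')        = '90',    -- days
      ('password policy', 'last_used_passwords')              = '10',
      ('password policy', 'force_first_password_change')      = 'true'
  WITH RECONFIGURE;

-- 3. Everything one user effectively holds, including privileges inherited through
--    roles (EFFECTIVE_PRIVILEGES must be queried for a single USER_NAME).
SELECT OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME, PRIVILEGE, GRANTEE, GRANTEE_TYPE
  FROM SYS.EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'EXAMPLE_USER'   -- assumed user name
 ORDER BY OBJECT_TYPE, PRIVILEGE;

-- 4. Segregation-of-duties check across all users: who can both create users and
--    grant roles?  Covers direct grants and one level of role nesting; the conflict
--    rule itself is illustrative, real SoD rule sets are organisation-specific.
WITH user_privs AS (
  SELECT GRANTEE AS USER_NAME, PRIVILEGE
    FROM SYS.GRANTED_PRIVILEGES
   WHERE GRANTEE_TYPE = 'USER'
  UNION
  SELECT r.GRANTEE AS USER_NAME, p.PRIVILEGE
    FROM SYS.GRANTED_ROLES r
    JOIN SYS.GRANTED_PRIVILEGES p
      ON p.GRANTEE = r.ROLE_NAME AND p.GRANTEE_TYPE = 'ROLE'
   WHERE r.GRANTEE_TYPE = 'USER'
)
SELECT USER_NAME
  FROM user_privs
 WHERE PRIVILEGE IN ('USER ADMIN', 'ROLE ADMIN')
 GROUP BY USER_NAME
HAVING COUNT(DISTINCT PRIVILEGE) = 2;
```

Roles nested more than one level deep are not followed by the SoD query; for a full picture, run the EFFECTIVE_PRIVILEGES query per user returned by it.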
At Evolutyz we help enterprises tackle security risks in their SAP systems. Our proven methods remove complexity and accelerate security administration. Contact us and schedule an appointment to secure your SAP system.