Table of Contents

Foreword by Mariano Nuñez  15
Who Should Read This Book  19
Acknowledgments  19
  Juan Pablo Perez-Etchegoyen  19
  Gaurav Singh  20

1 What Is Cybersecurity?  21
  1.1 CIA Triad  22
    1.1.1 Confidentiality  23
    1.1.2 Integrity  23
    1.1.3 Availability  24
  1.2 Identification, Authentication, Authorization, and Accountability  24
  1.3 Nonrepudiation  26
  1.4 Vulnerabilities, Threats, and Risks to SAP Applications  26
    1.4.1 Security Vulnerabilities  26
    1.4.2 Vulnerability Standards  27
    1.4.3 Security Threats to SAP Applications  30
    1.4.4 Risks to SAP Applications  31
  1.5 OWASP Top 10  31
    1.5.1 A01:2021 Broken Access Control  32
    1.5.2 A02:2021 Cryptographic Failures  33
    1.5.3 A03:2021 Injection  33
    1.5.4 A04:2021 Insecure Design  35
    1.5.5 A05:2021 Security Misconfiguration  37
    1.5.6 A06:2021 Vulnerable and Outdated Components  37
    1.5.7 A07:2021 Identification and Authentication Failures  38
    1.5.8 A08:2021 Software and Data Integrity Failures  38
    1.5.9 A09:2021 Security Logging and Monitoring Failures  39
    1.5.10 A10:2021 Server-Side Request Forgery  39
  1.6 Ransomware  40
  1.7 Frameworks  41
    1.7.1 National Institute of Standards and Technology Cybersecurity Framework  42
    1.7.2 Center of Internet Security Framework  43
  1.8 Security Research  43
  1.9 Summary  44

2 Why Do SAP Landscapes Need Cybersecurity?  45
  2.1 Evolution of Vulnerabilities and Threats to SAP Applications  45
    2.1.1 Security Conferences and SAP Applications  45
    2.1.2 Compromises Involving SAP Applications  46
    2.1.3 Malware Involving SAP Applications  48
    2.1.4 Cybercriminals and SAP Applications  49
    2.1.5 Compromised Credentials in SAP  51
    2.1.6 Noteworthy SAP Vulnerabilities  52
    2.1.7 Actively Exploited SAP Vulnerabilities  55
  2.2 Why Traditional SAP Security Can’t Protect against Cybersecurity Threats  56
    2.2.1 Digital Transformations  56
    2.2.2 Cloud Migrations  57
    2.2.3 Hybrid Landscapes  58
    2.2.4 Third Party: Open Integrations and Interfaces  58
    2.2.5 Mitigating Financial Risks  59
    2.2.6 Preventing Fraud  59
    2.2.7 Complying with Regulations  60
    2.2.8 Preserving Customer Trust  60
  2.3 Obstacles to Cybersecurity Implementation  61
    2.3.1 Lack of Ownership  62
    2.3.2 Incorrect Reporting  62
    2.3.3 Lack of Understanding  63
    2.3.4 Lack of Responsibility Matrix among Different Stakeholders  64
    2.3.5 False Sense of Security  69
  2.4 Traditional SAP Security: What Works and What Doesn’t  71
    2.4.1 SAP GRC Solutions  72
    2.4.2 Identity and Access Management  73
    2.4.3 Compliance and Audit Environment with SAP GRC Solutions  75
    2.4.4 Internal and External Audits  76
    2.4.5 Integration of Basis Administrators and SAP Security Teams  77
    2.4.6 Management Oversight and Controls in Financial Reporting  78
    2.4.7 SAP Functional Teams, Technical Teams, and Application Owners  79
    2.4.8 Change Control Management  80
    2.4.9 Application Audit and Logging Mechanism  81
  2.5 Summary  82

4 Building a Cybersecurity Program for the SAP Landscape  165
  4.1 National Institute of Standards and Technology Cybersecurity Framework  166
    4.1.1 Core Functions, Categories, and Subcategories  167
    4.1.2 Profiles and Tiers  169
  4.2 Center for Internet Security Critical Security Controls  170
  4.3 Secure Operations Map  171
    4.3.1 Organization  172
    4.3.2 Process  174
    4.3.3 Application  174
    4.3.4 System  175
    4.3.5 Environment  176
  4.4 Govern  177
  4.5 Identify  183
    4.5.1 Asset Management: Landscape Inventory  184
    4.5.2 SAP Solutions  187
    4.5.3 Secure Operations Map  192
  4.6 Protect  193
    4.6.1 Identity, Authentication, and Access Management  194
    4.6.2 Awareness and Training  205
    4.6.3 Data Security  207
    4.6.4 Platform Security  213
    4.6.5 Infrastructure Resilience  237
  4.7 Detect  238
    4.7.1 Configure and Enable Logging  239
    4.7.2 Automated Anomaly Detection  242
  4.8 Respond  243
  4.9 Recover  247
  4.10 Onapsis Platform  250
    4.10.1 Onapsis Control: Application Security Testing Designed for SAP  251
    4.10.2 Onapsis Assess: Get Deep Visibility into SAP System Risk  255
    4.10.3 Onapsis Defend: Continuous Security Monitoring for SAP Applications  258
  4.11 Summary  263

5 Vulnerabilities and Patches  265
  5.1 SAP Notes  265
    5.1.1 Notable SAP Notes  266
    5.1.2 Anatomy of an SAP Note  269
  5.2 Managing Vulnerabilities in the SAP Landscape  273
    5.2.1 Defining the Scope  274
    5.2.2 Identifying Vulnerabilities  278
    5.2.3 Remediating Vulnerabilities  278
  5.3 Patch Days  288
    5.3.1 SAP Security Patch Day  289
    5.3.2 Reviewing SAP Security Patch Day  290
    5.3.3 Patch Days for Operating Systems  290
  5.4 Summary  292

6 Threat Detection and Incident Response  293
  6.1 Threat Management for SAP  293
    6.1.1 Threat Actors  293
    6.1.2 Source  297
    6.1.3 Identity  299
    6.1.4 Target  299
    6.1.5 Vulnerability/Weakness  300
  6.2 Threat Intelligence  304
    6.2.1 Open-Source Intelligence  305
    6.2.2 SAP-Specific Data Sources  307
    6.2.3 Sites on the Dark Web  308
  6.3 Anomaly Detection  309
  6.4 Incident Response, Logging, and Monitoring in SAP  310
    6.4.1 Logging and Monitoring in SAP  311
    6.4.2 Incident Analysis and Response  319
    6.4.3 Real Incidents  322
  6.5 Summary  327

7 Business Continuity and Disaster Recovery  329
  7.1 It’s a Matter of When, Not If  330
  7.2 Are We Ready for Disaster?  333
    7.2.1 Business Impact Analysis and Risk Assessment  333
    7.2.2 High Availability  334
    7.2.3 Stakeholders  335
    7.2.4 Zero Trust  336
    7.2.5 Defense in Depth  337
    7.2.6 Awareness Training  337
  7.3 Business Continuity/Disaster Recovery for SAP  338
    7.3.1 Think NIST CSF  338
    7.3.2 Define Scope  341
    7.3.3 Key Stakeholders  342
    7.3.4 Deployment Model  344
    7.3.5 Incident Response  348
    7.3.6 Cloud Adoption and the Shared Responsibility Model  349
    7.3.7 Logging and Monitoring: Endpoint Detection and Response  350
    7.3.8 Cybersecurity Insurance  351
  7.4 Backup Strategy  352
  7.5 Protect Your Keys  353
  7.6 Disaster Recovery Tests  354
  7.7 Summary  356

8 Infrastructure Security  359
  8.1 Responsibilities and Models  359
  8.2 Operating System Level Security: Secure by Design  362
    8.2.1 Pre-Hardened Operating System Images  362
    8.2.2 Authentication and Single Sign-On  363
    8.2.3 Physical Security  363
    8.2.4 Certifications  364
    8.2.5 Disk Encryption  365
    8.2.6 Zero Trust  365
    8.2.7 Security Patches  366
    8.2.8 Local Firewall  366
    8.2.9 Minimal Operating System Packages Selection  368
  8.3 Roles and Responsibility Matrix  369
  8.4 Inventory  370
    8.4.1 IT Asset Management  371
    8.4.2 Asset Management Solutions  371
  8.5 Privileged Access Management  372
  8.6 Logging and Monitoring on the Infrastructure Level  373
  8.7 Physical Data Centers versus Cloud Data Centers  375
    8.7.1 On-Premise Physical Data Center  375
    8.7.2 Cloud Data Centers  376
  8.8 Antivirus and Anti-Malware Scanning  377
  8.9 Summary  378

9 Network Security  379
  9.1 Network Basics Concepts  379
    9.1.1 Open System Interconnection Model  380
    9.1.2 IP Address  382
    9.1.3 Classless Inter-Domain Routing Range  383
    9.1.4 Domain Name System  384
    9.1.5 Dynamic Host Configuration Protocol  386
    9.1.6 Network Address Translation  386
    9.1.7 Secure File Transfer Protocol  387
    9.1.8 HTTP and HTTPS  387
    9.1.9 Simple Mail Transfer Protocol  389
    9.1.10 Transmission Control Protocol/Internet Protocol vs. User Datagram Protocol  389
    9.1.11 Allowlist vs. Denylist  389
    9.1.12 Internet Protocol Security and Virtual Private Network  390
    9.1.13 Firewall  391
    9.1.14 Software Defined Networking  391
  9.2 Network Security: Core Principles and Practices  391
    9.2.1 Redundancy, Fault Tolerance, and High Availability  392
    9.2.2 Monitoring  392
    9.2.3 Identity and Access Management  393
    9.2.4 Vulnerability and Patch Management  394
  9.3 Network Security for SAP  395
    9.3.1 Cloud Network Security  396
    9.3.2 RISE with SAP  397
  9.4 Summary  401

10 SAP Trust Center  403
  10.1 Resources in SAP Trust Center  403
    10.1.1 Security  404
    10.1.2 Compliance  406
    10.1.3 Privacy  411
    10.1.4 Agreements  412
    10.1.5 Cloud Service Status  413
    10.1.6 Data Centers  413
    10.1.7 Cloud Delivery Options  414
    10.1.8 My Trust Center  415
  10.2 SAP for Me  417
  10.3 Summary  418

11 Impact of SAP S/4HANA, RISE with SAP, and the Cloud on Cybersecurity  419
  11.1 SAP S/4HANA Migration and What It Means for Cybersecurity  420
    11.1.1 Cloud’s Five Essential Characteristics  421
    11.1.2 Cloud Service Models  421
    11.1.3 Cloud Deployment Models  423
    11.1.4 SAP S/4HANA Deployment Models  425
  11.2 What the Cloud Means for SAP Cybersecurity  428
    11.2.1 Shared Responsibility Model  429
    11.2.2 RISE with SAP  430
    11.2.3 Trust, But Verify  434
    11.2.4 SAP Business Technology Platform  437
  11.3 Summary  445

The Authors  447
Index  449