Securing SAP in a Mobile/Remote World
Securing core systems like SAP used to be all about user access levels and privileges: ensuring users could only access the data they needed for their job and nothing more. This philosophy increased confidentiality and reduced the risk of intentional or unintentional information leaks. With the rapid increase in remote working, and now the extensive use of mobile devices this year, companies have rolled out various endpoint device security solutions to help manage security risks. However, are organisations following the right strategies and protocols, and are they implementing the best solutions for this new world?
Traditional SAP system security guidelines, according to the online tutorials, are orientated around user roles and responsibilities. IT/Security managers considered user issues such as passwords, user IDs, generic SAP accounts and their user management policies, such as mandatory periodic password changes. System administrators ensured SAP applications were in line with corporate policies and determined user information needs based on segregation of duties. Information access was allocated by user roles and responsibilities rather than by employee seniority. Departments and business functions were used as natural boundaries to limit the data sets a user could reach. Care was taken over how all of the above was managed and integrated with other SAP software modules. Security, being an ongoing process, required management and monitoring so that the segregation of duties stayed up to date and that management procedures and changes were documented and recorded appropriately.
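The segregation-of-duties principle described above is usually enforced by checking the combined authorisations a user inherits across all assigned roles against a conflict matrix, and repeating that check whenever roles change. The following is an added example written for this page, not code from Opal Wave or SAP: the role names, the mapping of roles to transaction codes, the user assignments and the conflict rules are all constructed for illustration, and a real review would load them from the system's own authorisation data.

```python
"""Segregation-of-duties (SoD) conflict check over SAP-style role assignments.

Added illustration, not Opal Wave's or SAP's code. All roles, assignments and
SoD rules below are constructed; transaction codes are used only as labels.
"""

# Constructed sample: which transaction codes each (hypothetical) role grants.
ROLE_TCODES = {
    "Z_VENDOR_MAINT": {"XK01", "XK02"},   # create / change vendor master data
    "Z_AP_INVOICE":   {"FB60", "MIRO"},   # post vendor invoices
    "Z_AP_PAYMENT":   {"F110"},           # run the payment program
    "Z_AP_DISPLAY":   {"FK03", "FBL1N"},  # display-only access
}

# Business functions expressed as the transaction codes that implement them.
FUNCTION_TCODES = {
    "vendor_master":  {"XK01", "XK02"},
    "vendor_invoice": {"FB60", "MIRO"},
    "vendor_payment": {"F110"},
}

# Constructed SoD rule set: pairs of functions one person should not hold,
# with the control objective each rule protects.
SOD_RULES = [
    ("vendor_master", "vendor_invoice",
     "same person could create a fictitious vendor and post invoices to it"),
    ("vendor_invoice", "vendor_payment",
     "same person could post and pay an invoice with no second pair of eyes"),
]

# Constructed user-to-role assignments. 'dave' holds an accumulated set of
# roles, the typical way conflicts creep in over time.
USER_ROLES = {
    "alice": ["Z_VENDOR_MAINT", "Z_AP_DISPLAY"],
    "bob":   ["Z_AP_INVOICE", "Z_AP_PAYMENT"],
    "carol": ["Z_AP_DISPLAY"],
    "dave":  ["Z_VENDOR_MAINT", "Z_AP_INVOICE", "Z_AP_PAYMENT"],
}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of transaction codes across every role assigned to the user."""
    codes = set()
    for role in user_roles.get(user, []):
        codes |= role_tcodes.get(role, set())
    return codes


def functions_held(tcodes, function_tcodes=FUNCTION_TCODES):
    """Business functions a user can perform given their effective tcodes."""
    return {fn for fn, codes in function_tcodes.items() if tcodes & codes}


def roles_granting(user, function, user_roles=USER_ROLES,
                   role_tcodes=ROLE_TCODES, function_tcodes=FUNCTION_TCODES):
    """Which of the user's roles contribute a given function (for remediation)."""
    needed = function_tcodes[function]
    return sorted(r for r in user_roles.get(user, [])
                  if role_tcodes.get(r, set()) & needed)


def sod_conflicts(user, rules=SOD_RULES):
    """Return (function_a, function_b, reason, offending_roles) for each rule broken."""
    held = functions_held(effective_tcodes(user))
    findings = []
    for fn_a, fn_b, reason in rules:
        if fn_a in held and fn_b in held:
            roles = sorted(set(roles_granting(user, fn_a)) | set(roles_granting(user, fn_b)))
            findings.append((fn_a, fn_b, reason, roles))
    return findings


def review_all(user_roles=USER_ROLES):
    """Map each user with at least one SoD conflict to their findings."""
    return {u: sod_conflicts(u) for u in user_roles if sod_conflicts(u)}


if __name__ == "__main__":
    for user, findings in review_all().items():
        for fn_a, fn_b, reason, roles in findings:
            print(f"{user}: {fn_a} + {fn_b} via {roles} -> {reason}")
```

The check works on the union of a user's roles rather than on any single role, because each role in isolation may be perfectly reasonable; it is the accumulation that breaks the control. Reporting the offending roles alongside the broken rule is what lets an administrator fix the assignment rather than just log the finding.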
However, the recent COVID pandemic forced a massive shift towards employees now working at home which has created new security threats, risks and environments for IT/Security managers to consider. The speed of this change and haste required to implement a solution has led to what IT Web call “opening a cyber security Pandora’s box.”
A distributed workforce means more shared households and multiple devices, and with human tendencies and limitations being what they are, this now provides a less secure and bigger target base for hackers to capitalise on. As the lines between personal and professional work fade, so do many security practices in a home-based environment, which is less strictly controlled than the office. Shared passwords within the household, and reuse of the same password for both personal and business accounts, are on the increase. So too is device sharing, with spouses, children and other family members borrowing work equipment as a matter of course. Many users also prefer their own devices for accessing work rather than the equipment supplied, all of which presents additional challenges for the security team to manage.
Interestingly, research from Sailpoint found a significant difference in the attitudes and practices of users based on their age. Users below the age of 25, who are arguably more comfortable with technology, were shown to actually be the ones at most risk. This age group was almost twice as likely to share their work-related password(s) (39% admitting to password sharing), compared to an average of 23% for those aged above 25 years. A lack of regular password training and outdated company security protocols were cited as contributory factors.
As hordes of workers made the shift to remote working earlier this year, the uptake of mobile devices grew, and so did the cyber threats aimed specifically at them. Mobile security platform company Lookout reported a 25% rise in the use of iOS devices in mid-March 2020, which was at the start of the pandemic and when many companies started to send their staff home to work. The number of mobile phishing attempts was reported to rise by a massive 37% over the two consecutive quarters Q4 2019 and Q1 2020.
If mobile devices are not central to a company’s security strategy, then they certainly should be. Employee desktops and laptops may no longer be the main infiltration target, with many cyber threats now specifically targeting unsecured mobile devices. An organisation’s integrated security strategy must be purpose-built for mobile devices.
Mobiles are deliberately targeted for a reason. Phishing attempts are much harder to spot on mobile devices, with their smaller screens and simplified browser views that truncate URLs and so hide the true identity of a webpage. Spear-phishing campaigns exploit human vulnerabilities, with attackers posing as legitimate parties and taking advantage of VoIP phone numbers or the simplified design of a messaging app. The term “vishing” is short for voice phishing, which deliberately exploits the lack of mobile-device protection among remote workers. This is a form of phishing where attackers trick users into giving up information over the phone, often posing as helpdesk or IT personnel.
Many organisations turned to VPNs when shifting to remote work, but this still leaves several security gaps, including the fact that many users don’t use VPNs when connecting from mobile devices. Organisations rushed to deploy end-user security software this year, but this perhaps left gaps elsewhere. UK tech channel PCR claims the pressure companies faced to quickly secure remote workers has led to many hastily selected Endpoint Detection and Response (EDR) solutions that might not be completely adequate. EDR solutions, typically offered by ‘born in the cloud’ vendors to protect dispersed device networks, are not considered a fully secure solution on their own, especially when running on unhardened software. Kaspersky experts argue that EDR systems lack the comprehensiveness of the full Endpoint Protection Platform (EPP) solutions that are required.
Security and compliance are now such important factors that many organisations will choose their MSP based on its security expertise in their particular environment or the applications they use. Intimate knowledge of similar systems allows an MSP to take full advantage of any application-specific measures, which can often be a real differentiator. For example, SAP systems have recommended functional techniques to ensure individuals have the correct data privileges and can only access the appropriate functionality and data. SAP MSPs will have systems, processes and security partnerships in place to offer their clients cost-effective protection of their data, especially as remote working can no longer rely on physical, location-based security measures.
An SAP MSP will also have the benefit of the experience gained from managing these applications for many customers and can provide relevant advice on how companies should ensure secure user access and data protection. A partner will also likely offer numerous security solutions that can best fit specific client needs. Given such a broad choice of hosting options, different SAP middleware environments and, more importantly now, access systems, all these combinations can be a minefield. Remote users could access data in a number of ways, including virtual desktop technologies or inter-app connectors. Application partners will also be familiar with how SAP integrates or operates with other IT security measures such as Multi-Factor Authentication (MFA) or SAP Single Sign-On technologies, ensuring that although many different layers of security are in place to protect the user, they are not presented with too much inconvenience when logging on and using the system.
References
I. SAP Security online tutorials
II. Sailpoint Technologies, “The Cybersecurity Pandora’s Box of Remote Work”, 2020
III. Lookout, Phishing Spotlight Research Report, 2020
IV. PCR Online, “Remote working pressures organisations into risky security acquisitions”, 3 December 2020
V. Info Security Magazine, “Remote Worker Training”