SAP HANA will often run an organisation’s most critical applications including ERP, CRM, supply chain, analytics and business intelligence.  A report recently issued by the Ponemon Institute on SAP HANA vulnerabilities highlights some of the more critical areas where users need to be cautious. Primarily the vulnerabilities are relating to authentication, patches, authorisations and general misconfigurations. Because of the demands on the business to deploy systems faster, users of SAP HANA are deploying in hybrid deployment models but security is often neglected by database administrators and IT.

These vulnerabilities, if successfully compromised, have the potential for significant data loss where the user is running SAP HANA in applications. Typically, SAP HANA will store the organisation’s most critical business data interlinked with the compliance mandate including PCI, PII, HIPAA but also new GDPR will require an exploit of these systems to be communicated externally in a timely fashion.

When organisations make a data breach public it has far reaching consequences but in our experience the most damaging aspect is the loss of brand trust and reputation by their own customers.

However, these enterprises may not completely understand the risk that weak security for SAP HANA can present.

The report by the Ponemon Institute, titled “Trends in SAP Cybersecurity” revealed key findings about organiations that use SAP HANA:

• There is no single function in the enterprise that owns SAP security.
• There is no one role in the organisation accountable in case of a SAP data breach.
• The SAP platform is likely to contain at least one malware instance.
• There is often a significant delay in discovering a data breach on a SAP system.

The Challenge With Vulnerabilities

Across all industry verticals, irrespective of size, managing vulnerabilities is a challenge. Typically, organisations on the enterprise scale will have good vulnerability management practices on the standard operating systems but when you move to third party applications and non standard environments utilising hybrid deployments managing and prioritising of vulnerabilities becomes an issue. In SAP HANA there are well publicised vulnerabilities relating to configuration changes, system level privileges and missing patches.

The Solution

Products like QRadar & Guardium from IBM automate the process and scan all SAP HANA instances, identifying critical and sensitive data, and providing a comprehensive listing of all vulnerabilities such as missing patches, use of default configurations, inadequate password policies, subpar file permissions, poor file ownership and more.

The DBA’s, CIO, CISO, Risk and Governance and IT teams can then have the ability to get a snap shot at these results and understand the impact and more importantly prioritise remediation.

When the vulnerabilities have been identified the development of a (PVG) Patching Vulnerability Group helps to put structure to the ongoing hardening of the organisations security posture.

The steps in this process include :

• Identification
• Prioritisation
• Detailed Remediation
• On-Going Visibility and Monitoring

IBM Guardium Provides :

• Ease the path to compliance
• Identify SAP HANA vulnerabilities and bad practices which can be exploited
• Recommendations for remediation of these vulnerabilities
• Best practices for SAP HANA security

Smarttech.ie runs a 24×7 NSAI ISO 27001/ ISO 9001 SOC where our security analysts work with the world’s leading software products from IBM to deliver solutions that help with this complex enterprise challenge. For any recommendations or expert advice, do not hesitate to contact us!