On-premises SAP deployments are notoriously complex with extensive customer customizations to the point where even making configuration changes for security reasons might require months-long planning and testing to make sure they break nothing in the environment. As more companies move their ERP deployments to the cloud, they have an opportunity to ensure the systems are configured securely.
The Cloud Security Alliance (CSA), a not-for-profit organization that develops and promotes best security practices for cloud computing, released a two-part implementation document this year for ERP applications in the cloud that follows 20 critical security controls. The second part was released this month with a focus and guidance on SAP deployments since it’s one of the most common ERP systems.
“The release of the document comes at a crucial time, as with the hit of the pandemic, organizations have started to streamline digital transformation and cloud migration projects, to enable more users and employees to operate from remote locations through a digital experience,” CSA said in a blog post. “Additionally, with the increase in threat activity and risks affecting ERP Applications … this document covers the controls that could prepare the organization for the increasing threat landscape on ERP applications. It’s our hope that this set of guidelines serves as a springboard for SAP administrators in their journey to implementing and securing their ERP solutions.”
SAP vulnerabilities and challenges
Security researchers have been finding serious vulnerabilities in core SAP components for years and such flaws typically impact all the SAP enterprise applications that rely on those components to function. While finding vulnerabilities in such a large software stack is not unusual, patching the issues in a timely manner has been a problem for customers.