Welcome to the second part of the SAP Security for CISO series. This time, we will speak about SAP in particular and start with SAP Security for beginners. So, what is SAP?
First of all, SAP is a German company that develops and sells business software. SAP is famous for its ERP system, the most widespread business application. However, SAP provides much more than just an ERP. In 2005, it introduced the SAP Business Suite, a set of integrated business applications such as ERP, CRM, PLM, SCM, and SRM. These business applications consist of different components. For example, ERP includes several basic modules such as FI/CO (Finance and Controlling), SD (Sales and Distribution), MM (Material Management), PP (Production Planning), and HR (Human Resources). SAP also delivers a range of applications that address specific industry requirements, such as SAP modules for Oil, Gas or Retail companies. Basically, all those modules are just add-ons for the main platform: they introduce business functionality, while the platform stays the same in terms of technical features. All these solutions have made SAP the world-renowned business application vendor with 250,000 customers worldwide, including 83% of the Forbes 500.
SAP Security for beginners
So, when people talk about ERP Security, they usually mean SAP because it’s the most common ERP system. However, there are many other systems developed by other companies such as Oracle, Microsoft, and Infor, and these systems also deserve attention.
Now, let’s see what an SAP ERP system looks like from the user’s point of view. Simply put, SAP ERP is a client-server application consisting of the SAP NetWeaver ABAP application server and the SAP GUI application as the client interface. The SAP GUI tool connects users with the central SAP server. All data is transmitted between the client and the server using the DIAG protocol, a proprietary protocol developed by SAP. Looking ahead, this protocol does not provide the necessary security level by default and transfers data almost in plain text. Only a kind of compression is in place, and there are tools that can decode it and, for example, obtain user passwords, which are transmitted, as mentioned, essentially in plain text.
When a user connects to the server, he can execute different functions. To perform any action, for example, to create a payment order or a new user, or to fill in a form, he needs to execute the particular transaction that is responsible for this functionality. To execute the transaction, he enters its name in the SAP menu. The system opens a dialog window where the user can specify different parameters. For instance, if a user executes transaction SU01, which is used to create new users in the system, he sees a screen where he fills in a form with all the details about the new user and then clicks the “Create” button. If he enters the information correctly, the new user is created in the system. In case the existing functionality is not enough, SAP customers can extend it by writing programs in SAP’s proprietary language, ABAP. Customers can write their own transactions in ABAP, for example, if they have specific requirements for the forms used to create payment orders, or if they have business processes relevant only to their industry. Those programs, by the way, may have vulnerabilities caused by developers’ mistakes, but we will cover that later.
However, connecting via SAP GUI and running transactions is not the only way to use SAP functionality. As you will see later, SAP systems are very complex and the same action can be performed in multiple ways, and needless to say, all those ways should be secured. For example, other ways to execute functionality in an SAP system include the following:
- Running a background job using an RFC function (RFC is comparable to RPC in Windows).
- Calling the same function via the SOAP interface, a web-based interface for running RFC programs remotely.
- Executing a Web Dynpro application. Web Dynpro is a web-based front end for the SAP system that can be used if users don’t have a client application and only have a web browser.
Apart from the SAP GUI application and the SAP NetWeaver application server, an SAP infrastructure includes multiple services that provide management functionality. In real life, there are multiple application servers in one SAP system. Users connect to the SAP Message Server first, and the message server then redirects their requests to one or another application server.
The SAP Message Server is a kind of load balancing system whose role is to balance the load across different application servers. In large organizations, there can be thousands of users connected to dozens of application servers via the Message Server.
Another service worth knowing is SAP ICM, the Internet Communication Manager. It allows running transactions via a web interface.
The SAP Gateway is a separate service, which is usually enabled by default. It allows performing functionality as a background job, which means that you don’t need to log into the system interactively. You can run a simple script that automatically connects to the SAP Gateway and performs some functionality. All this functionality is provided by means of RFC functions. There are 30k+ RFC functions in SAP that can be called to perform almost every function in the system: from technical ones (such as creating a user or reading a table) to business ones (such as creating a vendor or a payment order, closing a financial period, and so on).
There are many other services enabled in SAP by default that are not very well described in the documentation. However, sometimes they provide very critical functionality. We will speak about them soon, but here is the first lesson: keep in mind that SAP is a very complex system with multiple services, so the first step in SAP Security should be analyzing which of these services are enabled in your system and understanding all the potential risks associated with them.
SAP terminology: Landscape, Instance, Client
Now let’s define some other SAP terms you need to know. The first and main one is the SAP Landscape. Usually, an SAP Landscape is identified by a three-character name, the SID (System ID). Just as in a traditional network you need an identifier such as a domain name to connect multiple systems into one network, in the SAP world we have the SID, which identifies the so-called SAP Domain.
Traditionally, for each system there are 3 or 4 landscapes, called production, quality assurance, test, and development. In most cases, quality assurance and test are combined into one test landscape. Usually, all new programs and changes are developed in the development landscape, which is where consultants do the customization according to the company's requirements. When new development is done, companies transport these changes into the test landscape, where the core team members and others test the customization on a copy of real data. If everything is OK, they transfer all changes to the quality assurance landscape, where users can test everything on real data, which is a copy of production data. After all tests, the new programs are transferred to the production landscape, where the live data of the company is recorded.
Now let’s talk about instances. If you have a small system, you usually have one instance, which is actually one application server. If you have many users and want to enable load balancing, you add more application servers (SAP instances). Because the system needs to differentiate application servers, each of them has an instance number, a two-digit value from 00 to 99. The SIDs of all application servers of one system are the same. It is important to know that every application server can be configured differently, and some services can be enabled or disabled on each. This means that you need to check each and every application server to be sure that your landscape is secure.
The last thing we are going to talk about is SAP clients. Assume you need to manage two or more separate business entities in one system because you don’t have enough resources to install two systems on separate hardware. SAP clients solve this: with them, you can manage multiple business entities in one system. Clients are essentially self-contained business entities or units within each SAP system. Using a web browser or one of SAP's special user interfaces, you log into a client to actually access and use the system. Each client has its own separate master records and its own set of "tables". The best way to grasp this idea might be to imagine a really large company like ExxonMobil, General Motors, or Honeywell. Within each of these large multinational organizations, you might have three or more other companies or business units, and each SAP client might be tied to a different business unit. Really big companies might have two or even three production clients for a single SAP component like ERP. For example, the company might structure its clients around discrete business groups (Chevrolet, Cadillac, and GMC) or by geography (Americas, Europe, and Asia). When you log into SAP, you choose the specific client you need to log in to. Each one is assigned a unique three-digit number (from 000 to 999), which you are required to know and type in at login time. This makes it easy to distinguish between clients.
In theory, the users of one business unit are connected to one client and restricted from accessing any data of another business unit located in a separate client. In reality, there are multiple ways in which they can escalate their privileges and get direct access to the OS or the database, where all data is stored without any separation. You also need to know that some clients are installed by default, such as clients 000, 001 and 066, and that some default users are preconfigured in those clients; this is usually the most common and, unfortunately, most dangerous vulnerability.
SAP uses multiple platforms to build its business applications. While the NetWeaver ABAP platform (the core of ERP) is the most widespread system, and the information above was mainly about SAP NetWeaver ABAP, there are many other platforms. On top of these technical platforms, SAP provides different business applications. Here is a list of SAP platforms:
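Three of the lessons above (DIAG is only protected if you switch on SNC, every application server of a SID must be checked separately, and the default clients ship with default users) can be turned into a routine check. This is an added example, not code from the original post: it assumes SNC, SAP's mechanism for protecting DIAG and RFC traffic, as the baseline, uses real SAP profile parameter names, and all instance names, profile contents and user records are constructed sample data.

```python
import re

# Baseline this example assumes: SNC (privacy level) protecting DIAG on every instance,
# automatic SAP* login disabled. Parameter names are real; required values are our choice.
BASELINE = {
    "snc/enable": "1",
    "snc/data_protection/min": "3",  # 3 = privacy (encryption)
    "login/no_automatic_user_sapstar": "1",
}
DEFAULT_CLIENTS = {"000", "001", "066"}                    # installed by default
DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC"}  # well-known default accounts
PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Parse 'name = value' lines of an SAP instance profile; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_instances(profiles):
    """Return (instance, parameter, actual) for each deviation from BASELINE.
    Each instance is checked on its own: servers within one SID may differ."""
    findings = []
    for inst, text in profiles.items():
        params = parse_profile(text)
        for name, wanted in BASELINE.items():
            actual = params.get(name, "<unset>")
            if actual != wanted:
                findings.append((inst, name, actual))
    return findings


def check_default_accounts(users):
    """users: (client, user, locked) tuples. Flag well-known users left unlocked in default clients."""
    return [(c, u) for c, u, locked in users
            if c in DEFAULT_CLIENTS and u in DEFAULT_USERS and not locked]


# Constructed sample landscape (not real data): SID PRD with two instances, one lagging behind.
PROFILES = {
    "PRD_DVEBMGS00": "SAPSYSTEMNAME = PRD\nsnc/enable = 1\nsnc/data_protection/min = 3\n"
                     "login/no_automatic_user_sapstar = 1\n",
    "PRD_D01": "SAPSYSTEMNAME = PRD\n# SNC was never switched on here\nsnc/enable = 0\n",
}
USERS = [("000", "SAP*", True), ("000", "DDIC", False), ("066", "EARLYWATCH", False)]
```

Running `check_instances(PROFILES)` reports only the second instance, which shows why a landscape is only as secure as its least-configured application server; `check_default_accounts(USERS)` reports DDIC in client 000 and EARLYWATCH in client 066.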
- SAP R/3 (old and not supported)
- SAP NetWeaver ABAP (still the most widely used)
- SAP NetWeaver J2EE (less common)
- SAP Business Objects (for data analytics)
- SAP HANA (will be the most common soon)
- SAP Mobile Platform (for mobile access)
- SAP Afaria (for mobile device management)
SAP NetWeaver ABAP is the main SAP platform. Almost all business applications developed to automate an organization’s business processes, such as Enterprise Resource Planning or Supply Chain Management, are based on the SAP NetWeaver ABAP platform. Their security is of great importance: once somebody gets access to these applications, he can stop mission-critical business processes and commit industrial espionage or even fraud.
SAP NetWeaver J2EE is usually considered an additional platform, mainly for applications used by the IT department. The objective of such applications is primarily the integration of different business systems based on the ABAP engine. Examples of systems based on SAP NetWeaver J2EE include SAP Portal (a starting point for access to all SAP and non-SAP applications) and SAP Process Integration (a system that simplifies data transfer between different systems). Although those systems usually don’t store critical data directly but transmit it or provide access to it, if somebody can compromise, say, an SAP PI system, he can get control over all mission-critical processes, so the consequences may be even more hazardous than those of attacks on a particular ABAP-based system such as SAP ERP.
SAP Business Objects is a less common platform, mainly used in analytics tools such as SAP Business Intelligence. If an attacker hacks this system, he can modify analytics results so that management makes wrong decisions.
SAP HANA is a new but already quite widespread platform with more than 6400 installations. SAP HANA is, first of all, an in-memory database, but it also contains an application server called SAP HANA XS. Later it will be the base platform for every SAP business application (currently it supports ERP, CRM, HR…) and will replace the old SAP NetWeaver ABAP platform. If somebody compromises this platform, the consequences will be the same as after hacking SAP NetWeaver ABAP: espionage, sabotage, and fraud.
Here are some resources that can help you learn more about SAP systems. Now that you know what SAP is, we are ready to talk about SAP Security in particular.
- SAP Security for CISO How I started my SAP Security journey
- SAP 101 (a very simple description of what SAP is)
- More detailed info about SAP and its architecture
- SAP IDES Practical Guide
- Good article about SAP for absolute beginners
- SAPTEC – SAP’s training on the technical details of SAP