12/10/2018, 15:30

SAP Gateway security with Two Factor Authentication

Enterprises across the globe need robust security to protect their assets, and SAP is no exception. SAP is known as the 4th largest software company in the world, which demands a very high level of security for safeguarding its systems, applications and products in data processing.

Quite a few security assessments have been conducted on this topic, and the top 5 Two Factor Authentication solutions have been listed in detail here. But why does SAP require such a high level of security? The reason is simple: an SAP landscape encompasses a gigantic range of data, all of which requires an appropriate level of protection.

1. Security of the SAP Gateway is Critical

One of the biggest security threats to the SAP gateway is the execution of operating system commands without proper authentication. Ideally a company should restrict all types of access to the internal and external control of the SAP gateway, so that an unknown source cannot cause havoc. If business cases exist that require RFC communication, for example for applications such as BEx (Business Explorer), then proper security controls should be applied on the SAP gateway to restrict Type E and Type R connections.
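As an added example (not part of the original post), the following Python script audits a gateway ACL written in the syntax SAP uses for its reginfo file, the control file for Type R (registered program) connections; secinfo governs Type E connections with the same line format but partly different attribute names, so the parser applies to it with another key tuple. The sample file content, host names and program name are constructed; it flags permit rules that use a bare wildcard for program or host and reports whether a catch-all permit makes every later rule unreachable.

```python
# Constructed sample reginfo file (assumption: illustrative content in the
# VERSION=2 syntax, not taken from any real system). The gateway evaluates
# rules top-down and the first matching line decides, so order matters.
SAMPLE_REGINFO = """\
#VERSION=2
P TP=BEX_RFC HOST=bexhost.example.internal ACCESS=appsrv1.example.internal CANCEL=internal
P TP=* HOST=* ACCESS=*
D TP=* HOST=*
"""

# Attributes whose bare "*" value means any program / any host.
REGINFO_KEYS = ("TP", "HOST", "ACCESS")


def parse_acl(text):
    """Return [(action, {attr: value})] per rule, skipping blank and comment lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        attrs = dict(pair.split("=", 1) for pair in pairs if "=" in pair)
        rules.append((action.upper(), attrs))
    return rules


def is_wildcard(attrs, key):
    # Assumption for this check: an absent attribute counts as a wildcard,
    # since no value was set to narrow the rule down.
    return attrs.get(key, "*") == "*"


def audit_acl(rules, keys=REGINFO_KEYS):
    """Return [(rule_no, [wildcard attrs])] for every permit (P) rule that is wide open."""
    findings = []
    for no, (action, attrs) in enumerate(rules, 1):
        wild = [k for k in keys if is_wildcard(attrs, k)]
        if action == "P" and wild:
            findings.append((no, wild))
    return findings


def first_catch_all(rules, keys=REGINFO_KEYS):
    """1-based number of the first permit-everything rule, or None.
    Rules below it can never match, so a later deny (D) line is dead."""
    for no, (action, attrs) in enumerate(rules, 1):
        if action == "P" and all(is_wildcard(attrs, k) for k in keys):
            return no
    return None
```

On the sample above, `audit_acl` reports rule 2 as wide open on all three attributes and `first_catch_all` returns 2, which shows that the final deny line never takes effect.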

2. A good SAP landscape does not have any weak passwords

A single weak or faulty password among the many users of an SAP system can cause trouble for the entire system, and this is the primary reason why User Security for SAP systems should include a proper password policy. Once these policies exist, regular password audits should be conducted to single out weak passwords such as "SAMUEL123", "HALLOWEEN01", and so on.

3. There should be no critical ICM/ITS services

RFC communications are not advisable for your SAP security, and this is why access to web services such as SOAPRFC and WEBRFC should ideally be restricted. To restrict them, the invoker servlet on the SAP Java AS system needs to be disabled. Once it has been disabled, hackers cannot simply bypass the security system.

4. Patching SAP system and GUI regularly helps

SAP AG releases security patches every month. For proper patch management, policies should be created for both the SAP applications and the client components such as SAPGUI or SAP NetWeaver Business Client.

5. Security against single sign-on attacks

The PSE file is where the sensitive information is saved, and attackers use it to create valid system tokens. Once attackers have created such tokens, they can access the system without needing any password. Therefore, PSE files should be protected with proper operating system controls.
