Unsecured interfaces to and from System Applications Products (SAP) give hackers a way in. Many organisations are aware of this weakness yet do not put sufficient security in place to address it.
Continuous market development means SAP systems are constantly changing; system environments, globalisation, market demands and, amongst bigger businesses, mergers and acquisitions are also factors in this change. In addition, new digital trends such as Industry 4.0 and cloud computing are pushing IT networks to be stronger.
In recent years, several thousand data interfaces connecting SAP applications with one another and with non-SAP systems have developed in many places. Aside from the interfaces that are known to system administrators, there are many unknown ones, such as unauthorised downloads or communications with external systems.
Loopholes for data thieves
When interfaces are outdated, configured incorrectly or not sufficiently protected, they can become an entry point for hackers to gather information. Hackers, data thieves and saboteurs are then able to get into your network, copy, change or delete databases, corrupt your network and cause problems which deactivate SAP systems.
This can have both financial and legal consequences for the company and, depending on the scale of the problem, its reputation may suffer. To top things off, the pressure will grow as stricter legal data protection guidelines such as the General Data Protection Regulation (GDPR) come into play on 25th May 2018.
The processing of personal data will be standardised throughout the European Union (EU), and the regulation obligates organisations to install appropriate technical and secure measures to protect the personal data in their care. Furthermore, documentation obligations towards already existing data protection legislation will increase. Data Protection Officers need to protect their organisation against GDPR non-compliance to avoid fines of up to 20 million euros or 4% of global annual revenue.
Although the risk of unsecured SAP interfaces has been widely known for a long time, most organisations do not have control over this problem. This makes it difficult for a business to analyse and monitor its interfaces and protect them from attacks. In addition to this problem, most businesses are incapable of fulfilling the legal requirements of GDPR as they are unaware of which SAP interfaces will and can be used for processing and exchanging personal data. It is impossible to prove that interfaces are up to date and can therefore protect personal data from unauthorised access and unintended leaks.
Current solutions and their drawbacks
Another disadvantage with currently available solutions is that they only analyse the interfaces and data flow locally within a single system. To achieve a complete picture of communications in relation to the SAP system, every interface must be evaluated from both sides.
The ever-changing IT landscape and the impending GDPR regulation are no doubt sending organisations into a frenzy, a frenzy with few solutions to the problems posed.