Security Best Practices for SAP Fiori Implementations
August 20, 2018
SAP Fiori has upgraded the SAP user experience with modern, HTML5 interfaces that replace the forbidding and stiff SAP UX of earlier generations. At the same time, Fiori’s reach into the public Internet and mobile realms, as well as to backend architecture, exposes core SAP systems to a number of new security risks. SAP managers need to pay close attention to mitigating such risks through SAP Fiori security best practices.
SAP Fiori: An Overview
Deriving its name from the Italian word for flowers, SAP Fiori is a collection of software tools that facilitate the creation of new, modern user interfaces for SAP applications. Supplanting the traditional SAP Graphical User Interface (GUI), Fiori creates streamlined, user-friendly interfaces with tiles and other consumer-grade features.
The Fiori UI development tools, and the interfaces they build, can access SAP backend systems through the SAP NetWeaver Gateway. Reaction to Fiori in the industry has been positive. Users praise the toolset’s ability to enable intuitive designs, its ease of use, increases in worker productivity, better SAP mobile experiences and improved connectivity with SAP HANA workflows.
Security and Other Related Risks
Fiori’s architecture and breadth of deployment expose enterprises to unfamiliar security risks. The old SAP GUI used a transactional method of connecting with the back end. This was relatively fixed in scope and therefore somewhat easier to secure than Fiori’s use of service authorizations. The Fiori approach is not inherently insecure, but it is a change that must be addressed in risk management.
Fiori also significantly expands the SAP attack surface area. Fiori takes SAP systems, which used to be fairly isolated, out into the wide world of the public Internet and mobile computing. This is good for business, but it presents a big increase in risk. Attackers now have far more points of vulnerability to explore and exploit through Fiori user interfaces.
All of this could not have happened at a worse time, either. Warnings of attacks directed at ERP platforms are multiplying. US-CERT issued a warning specific to SAP in June of 2018, for example. This makes sense. SAP is where most sizable corporations store their most valuable business data.
While Fiori may introduce some new vulnerabilities, the reality is that the entire SAP environment is at risk from deficiently secured Fiori interfaces as well as a long list of other vulnerabilities throughout the stack. SAP systems are vulnerable to data breaches and disruption via threat vectors like phishing, code injection, cross-site scripting (XSS), “man-in-the-middle” attacks and a host of other attack techniques and forms of malware. SAP can be hacked by external attackers, internal users and third parties like IT consultants, or those impersonating them.
The entry point is almost irrelevant in today’s cyber threat landscape. As we are now increasingly seeing, attackers are leveraging vast arrays of automated, AI-driven bots to probe corporate networks for vulnerabilities. The automated attackers can find their way into networks and take up residence, going to sleep until they are activated by their “masters.” Or the bot reports your weakness to a seller on the “dark web,” who sells unauthorized access to your network to the highest bidder. Once inside your network, attackers can target your SAP assets at leisure unless you have extremely sophisticated threat detection. They may establish fake SAP user accounts to preserve access in the event the initial penetration is discovered.
SAP Fiori Security Best Practices
Mitigating risks to SAP systems and the valuable data they contain involves adopting a number of SAP Fiori security best practices. Some of these will be familiar to you already, but the underlying message is still important: Whatever you’re doing, now is the time to up your security game with SAP. The stakes are too high for any other approach. Best practices include:
- Redoubling your focus on security basics for SAP – Be diligent about patching and monitoring privileged users. Crack down on bad habits like password sharing and get rid of old user accounts.
- Watching your connections – Use Security Assertion Markup Language (SAML), proxies and Secure Sockets Layer (SSL) to avoid unnecessary exposure to unauthorized access.
- Managing your access controls – Know who is using your SAP systems, why and when.
- Inventorying your attack surfaces – Enumerate your points of vulnerability, including devices operating outside the firewall, e.g. mobile phones.
- Placing a firewall in front of the SAP Web Dispatcher – Protect against attacks that exploit this Fiori connector. Prevent direct connections to the backend SAP servers.
- Setting hardening policies – Harden SAP infrastructure according to strict policies. Monitor compliance with hardening policies.
- Identifying and analyzing SAP security settings – Get an understanding (and control) of trust relationships between SAP and the broader enterprise.
- Encrypting connectivity and data – Make SAP data hard to access and useless to attackers.
- Defining security baselines for SAP – Continuously monitor for compliance violations. Remediate deviations.
- Leveraging threat intelligence tools – Work with SecOps to stay up to date with the latest threats and how they might affect SAP.
- Monitoring SAP for suspicious user behavior – Keep a close eye on both privileged and standard users.
GRC for SAP: The Security-Compliance Nexus
Securing Fiori and its many related risks touches on the broader field of Governance, Risk Management and Compliance (GRC). The SAP Fiori security best practices outlined here address the “R,” or risk management, aspect of GRC. However, implementing good security controls for SAP also helps with the “C,” making you compliant. In particular, if you focus on access controls with an eye on Segregation of Duties (SoD), which is required by regulations like Sarbanes-Oxley (SOX), you will end up being both secure and compliant.
In our experience, SAP GRC was built mostly around the traditional SAP GUI. SAP Fiori can generate “false positives” that indicate SoD conflicts. To combat this problem, our ControlPanelGRC offers a true SAP Fiori solution for access control. It’s the first SAP GRC solution that works across both Fiori and SAP GUI. Learn more about ControlPanelGRC today.