Secure RISE with SAP – How to secure the unknown?

What is RISE with SAP?

Today enterprises are turning to new business models to avoid disruption, to gain efficiencies, to drive innovation, and to transform mission-critical systems without business risk. SAP offers RISE with SAP to enable companies in all industries to reach these goals. SAP for Rise includes Cloud ERP for every business need, industry best practices and extensibility, analytics and business process intelligence, and outcome-driven services from SAP and partners.

With RISE, customers can take the lead with industry innovation for top-line, bottom-line, and green-line growth. Rise enables customers to constantly improve with real-time insights, allowing them to continuously optimize processes. Rise includes embedded cybersecurity and automated data protection to help to protect SAP applications and data.

But are these security features and functions sufficient? Let’s look at this more in detail.

Challenges to secure RISE with SAP

RISE with SAP offers customers a friction-free, easy to deploy & use solution to run SAP in the cloud. This provides many advantages as discussed in the previous section. But when it comes to secure the critical business assets, visibility and knowledge is a key to success.

This is where it gets tricky when using RISE with SAP. On one hand, the customer isn’t responsible for the application’s security as this is provided by SAP. On the other hand, SAP has no way of identifying if the traffic accessing the applications is legitimate. It is up to the customer to not only ensure that identify management is in place, but that the traffic itself is screened for exploits that might compromise the system.

From a customer perspective, RISE with SAP is a black box where traffic is going in and out and SAP takes care of the security and the availability of the SAP Environments. However, as stated, the communication to and from the RISE with SAP Environment is up to the customer to secure, this brings some possible challenges:

• Customer needs to control who, and/or which type of traffic is allowed to communicate into the RISE with SAP Environment and which not. This requires application awareness and the ability to identify and manage SAP traffic such as SAP DIAG, SAP RFC, SAP Router, SAP HANA….
• Ports used by SAP apps can change in unpredictable ways – security solutions require the ability to dynamically identify and apply security and routing policies to ports used by SAP.
• RISE with SAP environment will also contain Fiori Launchpad applications which can be accessed by employees from anywhere to access, for example, an HR self-service portal. Fiori, like any web application needs a web application firewall (WAF) to protect the application as well as custom web applications hosted in the RISE with SAP environment.
• SAP itself is responsible for patching the SAP systems. But with some 200 new vulnerabilities found each year, even SAP can’t keep up with the need to patch. Virtual patching provided by a next generation firewall or a WAF is needed secure the system during the gap between when a vulnerability is found and when a patch is applied.
• RISE with SAP provides the platform and applications to the customer, but custom developed applications, data or user access are up to the customer to maintain and secure. Information sources like audit log, change log, etc. are still critical and need to be reviewed and evaluated by the customer.
• As RISE with SAP is hosted outside of the customer data center. Employees and systems which are located on-premises need to access the SAP systems on a secure way. To accomplished that, a secure peering and access control must be established. Ideally, a Zero Trust architecture would be employed to ensure consistent and rigorous authentication of users and devices accessing SAP system.
• In case of security breaches, a process should be implemented to mitigate further risks and losses immediately. This requires a security and orchestration solution that integrates with SAP and can trigger pre-defined actions in the SAP applications but also within the broader infrastructure of the SAP Enterprise Landscape or even in the customer data center or office network.
• Security for SAP systems should be integrated into a broader security fabric

How to secure RISE with SAP?

Fortinet has focused on 5 key use-cases for securing SAP deployments. These use cases are suggestions – a place to start thinking about SAP security. They include:

• Secure SAP Enterprise Landscapes

This use case focuses on network security for SAP.  It relies primarily on utilizing the SAP Connector and SAP traffic awareness of the Fortinet FortiGate NGFW to provide secure access to and from SAP servers (N/S traffic) as well as to create security zones to prevent breach transversal (E/W).  FortiGate’s can also enforce zero trust policies, provide IPS and virtual patching and anchor a secure SD-WAN.  

• Secure SAP Solutions in a hybrid world

SAP application servers, whether on-premises or in the cloud, must be both assured and secured. This use-case relies on Fortinet’s web application firewall (WAF) – FortiWeb as well as on Fortinet’s secure application delivery controller to ensure the security and performance of your SAP solutions. 

• Enhancing SAP Identity Management with Zero Trust Access

Zero trust is the concept that trust between people and application access must be earned – and re-earned with every access attempt. The idea is simple, no one inside or outside the network should be trusted unless their devices have been vetted and their identification and their devices have been thoroughly checked. This verification applies whether or not the device or user is already within the network perimeter.

 Fortinet’s zero-trust solutions rely on either FortiGate or FortiADC as enforcement gateways and is included at no added cost. 

• Secure SAP Security Operations 

A security operations center (SOC) is a command center for monitoring each element of your SAP infrastructure, identifying existing and potential threats, and preventing future threats. FortiSOAR extends the Fortinet Security Fabric into your SOC, providing security orchestration, automation and response (SOAR) as well innovative case management, automation, and orchestration. FortiSOAR integrates with SAP Enterprise Threat Detector (ENT) to provide automated interactions by the SAP ETD server using FortiSOAR™ playbooks. 

• Secure RISE with SAP – the topic of this blog

Finally, the usage of SD-WAN allows the remote sites to connect more easily to networks, data centers, and/or multiple-clouds with lower latency, better performance, and more reliable connectivity.

With the addition of FortiClient on users’ devices, the same architecture can enforce zero trust policies

In addition to these basic security enhancements, customers will see the following benefits when adding Fortinet solutions to the RISE with SAP security framework:

• Increase SAP application specific security
• Secures also custom web applications hosted in the RISE with SAP environment
• Gain visibility and control
• Ability to protect from external malware coming from external (SAP-) systems
• Ability to enforce customer policies
• Dynamically identify and apply security and routing policies to ports used by SAP
• Ability to protect data across entire hybrid landscapes or infrastructure
• Correlate security incidents
• Security for SAP systems integrated into a broader security fabric