The Three Pillars of Safe Migration of SAP Environments to the Cloud

By Daniel Romio, Fortinet’s Cloud Business Manager for Latin America.

The public cloud is today an important tool for innovation and new business development. Essential business systems and applications that were previously only implemented in traditional data centers are being transformed by this new reality, either because of technological advantages, such as virtually unlimited scalability and availability, or because of investments and lower maintenance costs.

These are some of the reasons that motivate many companies to start new implementations, upgrades and conversions of SAP systems to S/4HANA, using public clouds.

Cybersecurity needs serious thinking in these cases, as new attack surfaces emerge with the adoption of the public cloud, requiring special care to ensure that customer data and sensitive information are protected and privacy laws are respected.

The discipline of applying security fixes to critical systems, which is so important to reduce the risk of incidents involving high-value assets, is always a challenge for most companies, as these updates often result in system downtime while the fix is applied, tested and validated. This is something that often conflicts with the availability demands imposed by the company.

At the same time, the number of threats exploiting vulnerable SAP environments has grown, demonstrating that malicious agents are looking for more critical and valuable targets, resulting in data leaks and damage to the companies involved. Recent examples of these threats are 10KBLAZE and RECON, two exploits for SAP that are readily available to criminals and do not require extensive technical knowledge to use. SAP itself has templates with security parameters that help a lot in this process, but they do not detail how to prevent the latest advanced attacks.

Due to the increased attack surface in the cloud and the difficulty of applying security fixes, many executives end up fearing security incidents and revising their strategy for migrating SAP to the cloud. The good news is that there are security architectures that can be employed to mitigate all of these risks and enable a safe transition of SAP to the public cloud.

At Fortinet, we remind you that the cloud security strategy must take into account three main pillars: network security, application security and cloud platform protection.

Using efficient network security, through segmentation and advanced inspection of known threats and anomalies, it is possible to mitigate most of these attacks. Next-generation firewalls (NGFWs) can be used as a first line of defense, but it is important that they have the ability to inspect encrypted traffic, block common network attacks and especially attacks specific to the SAP environment. It is therefore essential to check with the vendor which attack signatures are available and which will be relevant for the specific protection of SAP systems. This NGFW component can also be used as a VPN concentrator, both for user access and for secure communication with other cloud environments or data centers.

The second pillar, application security, is important to mitigate attacks specific to the front end (SAP Fiori or Web Dispatcher). The suggestion is to use a solution that combines comprehensive protection against denial-of-service attacks, protection against major vulnerabilities (OWASP Top 10), malicious bot blocking and the ability to understand the application behavior dynamically, using machine learning techniques. With a good web application and API protection solution, which is the evolution of the traditional WAF, it is possible to mitigate most attacks that exploit vulnerabilities such as SQL Injection or Code Injection.

The third pillar is the security of the cloud platform. There are tools that allow real-time inventory and monitoring of assets and components used in the various public clouds, mapping network flows, identifying configurations that violate policies or best practices. This allows complete visibility into the cloud’s security status and the ability to mitigate breaches in an effective and agile way.

Last but not least, the use of multi-factor authentication (MFA) technology is recommended. In this way, it is possible to protect not only user access accounts to SAP systems, but especially privileged administrative access to SAP or the cloud management plane.

Choose tested technologies that provide native integration with cloud providers. Look for security vendors that allow you to centrally manage multi-cloud and even traditional data center environments through the same interface, making the job of defining and implementing security policies much easier, reducing the administrative burden and increasing visibility into the various environments. In this way, it is possible to use SAP systems in the cloud in a secure way, without compromising critical business information, while enabling all the benefits derived from this transformation.