
High Performance SAP Security – Guard Your Business, Not Just Your SAP ERP

Businesses are now inseparable from their IT systems, computers, networks and data; in effect, a company is its ERP, which enables most of its business processes. Accordingly, risk management, security and compliance are increasingly viewed as board-level concerns.

Maintaining awareness of potential security incidents all the time, every day, is difficult, and knowing how to react to them is more difficult still. Your company needs to be ‘right’ all the time, but an intruder only needs to be ‘right’ once. Imagine intellectual property, designs, customer data or financial data being stolen from your SAP system: the result is both reputational damage and lost business.

Companies that run SAP ERP, and their security teams, should understand how exposed their SAP system is. Here are two facts that may shake you:

  1. In a typical SAP environment, data transferred between a client and the server is not encrypted. SAP GUI (DIAG) and RFC traffic is compressed by default, not encrypted, so any desktop, mobile device, client application or portal talking to the SAP server sends business data, including logon credentials, in a form that can be read off the network. This high-risk area, “unencrypted client-to-server communication”, exposes your entire SAP system.
  2. To close this gap, SAP introduced an “SNC Encryption module” in October 2011, released free of charge to SAP customers. Through this small upgrade you can quickly fix one of the most vulnerable areas of your SAP system. Note that this unencrypted-communication weakness has existed in your SAP system for a long time, and you remain exposed until the fix is applied.
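The check a security team would want after reading the two points above, as an added example that is not code from the article or from SAP: a short Python script that parses an SAP instance profile and reports the SNC parameters that still permit unencrypted SAP GUI (DIAG) and RFC connections. The two profile fragments are constructed for the demonstration (system name, library path and SNC identity are fictitious); the snc/* parameter names are the standard SAP profile parameters that govern SNC.

```python
"""Audit the SNC (Secure Network Communications) parameters of an SAP profile.

Added example, not code from the article or from SAP.  The two profile
fragments below are constructed for the demonstration (system name, paths and
distinguished name are fictitious); the snc/* names are the standard SAP
profile parameters that control SNC.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed: SNC switched on, but the plain DIAG/RFC fallbacks left open.
WEAK_PROFILE = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/gssapi_lib = /usr/sap/PRD/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=PRD, OU=SAP, O=Example
# insecure fallbacks accepted, so clients may still log on without SNC
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
# 1 = authentication only; encryption is not required
snc/data_protection/min = 1
snc/only_encrypted_gui = 0
"""

# Constructed: the same system after hardening.
HARDENED_PROFILE = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
snc/enable = 1
snc/gssapi_lib = /usr/sap/PRD/SYS/exe/run/libsapcrypto.so
snc/identity/as = p:CN=PRD, OU=SAP, O=Example
snc/accept_insecure_gui = 0
snc/accept_insecure_rfc = 0
snc/data_protection/min = 3
snc/only_encrypted_gui = 1
snc/only_encrypted_rfc = 1
"""

# (parameter, required value, why a deviation matters).  Quality of protection
# levels for snc/data_protection/*: 1 authentication, 2 integrity, 3 privacy.
SNC_CHECKS = [
    ("snc/accept_insecure_gui", "0", "SAP GUI logons without SNC are still accepted"),
    ("snc/accept_insecure_rfc", "0", "RFC connections without SNC are still accepted"),
    ("snc/data_protection/min", "3", "minimum protection level below 3 (privacy): SNC sessions need not be encrypted"),
    ("snc/only_encrypted_gui", "1", "encrypted SAP GUI sessions are not enforced"),
    ("snc/only_encrypted_rfc", "1", "encrypted RFC connections are not enforced"),
]


@dataclass(frozen=True)
class Finding:
    parameter: str
    actual: Optional[str]   # None: parameter not set explicitly in the profile
    required: str
    reason: str


def parse_profile(text: str) -> dict:
    """Parse 'name = value' lines of an SAP profile; blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")   # split on the first '=' only
        if sep:
            params[name.strip()] = value.strip()
    return params


def audit_snc(params: dict) -> list:
    """Return one Finding per SNC parameter that is missing or not at its required value."""
    if params.get("snc/enable") != "1":
        # With SNC off nothing else matters: DIAG and RFC traffic is compressed, not encrypted.
        return [Finding("snc/enable", params.get("snc/enable"), "1",
                        "SNC is disabled; all SAP GUI and RFC traffic is sent unencrypted")]
    findings = []
    for name, required, reason in SNC_CHECKS:
        actual = params.get(name)
        if actual != required:      # unset is reported, never assumed safe
            findings.append(Finding(name, actual, required, reason))
    return findings


def report(text: str) -> list:
    """Human-readable finding lines for one profile text."""
    lines = []
    for f in audit_snc(parse_profile(text)):
        shown = "<not set>" if f.actual is None else f.actual
        lines.append(f"{f.parameter} = {shown} (required {f.required}): {f.reason}")
    return lines


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        lines = report(profile)
        print(f"[{label}] {len(lines)} finding(s)")
        for line in lines:
            print("  " + line)
```

Run it against the profile text of each instance (the default profile and every instance profile). An unset parameter is reported rather than assumed safe, because the kernel default differs between releases and a hardened system should set these values explicitly; and as the weak profile shows, merely switching snc/enable on is not enough while the insecure fallbacks remain accepted.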

SAP has made two acquisitions to provide a more secure SAP system, both of them recent:

  1. SAP acquired MaxWare’s identity management solution in 2006. It is now sold under a separate licence as SAP NetWeaver Identity Management.
  2. SAP acquired the software assets of SECUDE, a Swiss SAP information security company, in March 2011. With this acquisition came Secure Login (single sign-on), Enterprise SSO and SNC encryption.

There is a lot to catch up on before these security solutions are deployed and your SAP environment is compliant and secure. To bring your SAP security up to date and improve your security posture, you need a roadmap.

The roadmap should combine business focus, scenario analysis and SAP security tools. The combined knowledge of your security experts and a purpose-driven SAP security assessment give you a world-class SAP security service at low cost.

The High Performance SAP Security roadmap is built in three phases:

1. Assessment – This phase establishes the ‘as-is’ risk profile of your organization and how it fits the business requirements of your enterprise. Based on this assessment you tailor the SAP security design and controls to monitor and protect key business assets as well as the IT that enables them.

2. Implementation – Deployment of the control processes and tools that put the right monitoring capability in place, and construction of the rule-sets that prioritize and escalate events in line with business priorities.

3. Ongoing Management – An SAP security process that escalates intelligently as required and continuously improves your risk management and security posture through a managed SAP security service. A security management portal should be built so that your company can drill down into the status of threats and the remediation actions under way.

The benefits of high performance SAP security include:

  • A business-focused security delivery model: guard your business, not just your SAP ERP
  • Improved security efficiency as a result of wider SAP security situational awareness and prioritization aligned to business assets
  • SAP security and compliance tools and dashboards that give you a view of your security posture and of the results of security improvement programmes
  • Improved manageability and a reduction in security operating costs
  • A reduced security ‘distraction factor’, so that you can focus on your core business objectives.

Author:
Dr. Jagan Nathan Vaman PhD CGEIT CISA
Chief Consulting Officer
Aujas Risk Management Services

Security by the Wall

Organizations have started to invest heavily in technology to help them scale their business. People are now aware of the security issues they are going to face and want to take preventive steps.


I recently had an interesting experience in an interaction with a prospect. I was at the prospect’s office to understand their environment and explain how security could be managed and improved. As the conversation started, I realized there was a basic misconception about what improving security means.


Here are excerpts from our conversation:

Mr.X: Ah well we need a firewall.


Mr.X: Well, we want more security. We have a couple of internet-facing applications and are creating more DMZs, you see.


Me: But as per your network diagram you already have a firewall protecting your perimeter.


Mr. X: Yes, that is there, but we want to replace it because it is no longer a supported version, and we want to add a few more.


Me: We will have to do a review of your network before we can exactly determine how many firewalls you will need.


Mr. X: Ah well, you see, time is a factor and I want this to happen quickly, before our auditors come next month. I need to show them something. We will share the network diagram with you; why don’t you have a look and give us a recommendation by end of day?


Me: Yeah, sure, we will try to do that. But security is not always about adding devices to your network. You also need to periodically review your servers, firewalls, network devices and applications to ensure that they don’t have vulnerabilities that could be exploited by a potential hacker. Also, it is a fact that 90% of vulnerabilities are now discovered at the application level.


Mr.X: Well for the time being we are looking at firewalls maybe you can recommend,……(after a pause and deep thought) IDS.



The point I want to make is that adding perimeter security devices alone will not improve security. And why replace a device that is working perfectly well, unless you have performance problems with it or need the features offered by the newer version? There is an advantage in retaining a device you know: its vulnerabilities have already been exposed, and patches, fixes or workarounds for them are readily available. Attackers do not keep looking for loopholes in old devices; they spend their time finding loopholes in the newer ones. It is safer to live with a known enemy than to try to befriend an unknown one. The one caveat is vendor support: this argument holds only while the device still receives patches. A version that has gone out of support will get no fix for the next vulnerability found in it, so an end-of-support date, unlike an auditor’s visit, is a legitimate reason to plan a replacement.



To manage risk effectively you need to constantly review your policies, risk management methodology, systems and applications. This ensures that the dynamics of day-to-day business do not leave loopholes open for an intruder to simply walk into your systems or network.

The Long Tail of Security

Background

“The Long Tail” is a concept put forth by Chris Anderson which described the niche strategy of businesses, such as Amazon.com or Netflix, which sell a large number of unique items, each in relatively small quantities. Anderson elaborated the Long Tail concept in his book The Long Tail: Why the Future of Business Is Selling Less of More.

Anderson argued that products that are in low demand or have low sales volume can collectively make up a market share that rivals or exceeds the relatively few current bestsellers and blockbusters, if the store or distribution channel is large enough. Research showed that a significant portion of Amazon.com’s sales come from obscure books that are not available in brick-and-mortar stores. The Long Tail is a potential market and, as the examples illustrate, the distribution and sales channel opportunities created by the Internet often enable businesses to tap that market successfully.

An Amazon employee described the Long Tail as follows: “We sold more books today that didn’t sell at all yesterday than we sold today of all the books that did sell yesterday.”

Application to Security

In risk management and security we focus on the “head”: the common or major risks that we face ourselves or hear that others have faced. Naturally, all our protection efforts and postures are deployed against these “head risks”, and rightly so. For example, when we put applications or services on the Internet, we make sure we protect them against risks such as the OWASP Top 10 vulnerabilities, malware and infrastructure weaknesses. Content security measures such as spam filtering and antivirus become “head risks” when we talk about email systems.

Time and again we are faced with risks that lie in the “long tail”, which we have not thought of or heard of. For example, terrorists hacked into the home WiFi network of Keith Heywood in Mumbai and sent out an email about their impending attack minutes before 19 explosions killed 49 and wounded more than 200 people in Ahmedabad. Since then WiFi access point security has received attention everywhere; the Mumbai Police now plan to test WiFi access points across the city and to issue notices and citations to users found running open access points. Suddenly WiFi access point security has moved from the “long tail” to the “head”, with everyone talking about it and taking protective measures.

The question that challenges us is whether we will face a situation where it can be said, echoing Amazon’s remark about the Long Tail, “We were attacked more today through vulnerabilities that had never been exploited until yesterday than through those that had.”


It sounds complex, but we are already facing this problem: how do we protect ourselves against seemingly obscure risks that might suddenly become important?

The answer is not simple, and implementing it is harder still. What is required is a comprehensive risk management framework that helps us identify our assets, their weaknesses, the probability of attack and hence the risk; we then take our current security posture into account to arrive at the residual risk. Critically, this framework needs to be “live” and in use all the time; doing it once will not help. It should be part of normal business operations, so that new or changed risks are identified as they arise.
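As an added illustration of the “live” framework described above (not code from the article), the following Python sketch keeps a small risk register in which residual risk is recomputed whenever new evidence arrives. The scoring scale, the example risks and the events fed in are constructed assumptions; the mechanism it shows is a long-tail risk (an open WiFi access point) moving to the head of the list after an incident, and dropping back once a control is deployed.

```python
"""A 'live' risk register, added as an illustration (not from the article).

The scoring scale (likelihood and impact 1..5, control effectiveness 0..1),
the example risks and the evidence fed in are constructed assumptions.  What
the code shows is the mechanism the text asks for: residual risk is recomputed
from current evidence, so a risk that sat in the long tail can move to the head.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    weakness: str
    likelihood: int                      # 1 (remote) .. 5 (expected), assumed scale
    impact: int                          # 1 (negligible) .. 5 (severe), assumed scale
    control_effectiveness: float = 0.0   # 0.0 no control .. 1.0 fully mitigating
    history: list = field(default_factory=list)   # why the numbers are what they are

    def inherent(self) -> int:
        """Risk before any control is considered."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """What remains once the current security posture is applied."""
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


class RiskRegister:
    def __init__(self):
        self._risks = {}

    def add(self, key: str, risk: Risk) -> None:
        self._risks[key] = risk

    def observe(self, key: str, note: str, likelihood_delta: int = 0,
                control_delta: float = 0.0) -> float:
        """Fold new evidence into one risk and return its new residual score.

        An incident elsewhere raises likelihood; a deployed control raises
        effectiveness.  Both are clamped to their scales.
        """
        r = self._risks[key]
        r.likelihood = max(1, min(5, r.likelihood + likelihood_delta))
        r.control_effectiveness = max(0.0, min(1.0, r.control_effectiveness + control_delta))
        r.history.append(note)
        return r.residual()

    def ranked(self) -> list:
        """Keys ordered from head (highest residual risk) to tail; ties keep entry order."""
        return sorted(self._risks, key=lambda k: self._risks[k].residual(), reverse=True)

    def head(self, n: int = 2) -> list:
        return self.ranked()[:n]

    def residual(self, key: str) -> float:
        return self._risks[key].residual()


def build_register() -> RiskRegister:
    """Constructed starting position: the usual 'head' risks plus one tail risk."""
    reg = RiskRegister()
    reg.add("web-owasp", Risk("internet-facing application", "OWASP Top 10 flaws", 4, 5, 0.7))
    reg.add("email-malware", Risk("email system", "malware and spam", 3, 4, 0.5))
    reg.add("staff-wifi", Risk("home and office WiFi access points",
                               "open AP used by a third party to send mail", 1, 3, 0.0))
    return reg


if __name__ == "__main__":
    reg = build_register()
    print("before:", [(k, reg.residual(k)) for k in reg.ranked()])
    # Constructed event: an open home AP is used to send a threat mail elsewhere.
    reg.observe("staff-wifi", "incident: open home AP abused for anonymous mail", likelihood_delta=3)
    print("after incident:", [(k, reg.residual(k)) for k in reg.ranked()])
    # Constructed response: AP hardening and periodic scans are rolled out.
    reg.observe("staff-wifi", "control: AP hardening standard and scans deployed", control_delta=0.6)
    print("after control:", [(k, reg.residual(k)) for k in reg.ranked()])
```

The register is only useful if observe() is actually called as part of normal operations: every incident report, audit finding or news item should either adjust a likelihood or add a new entry, which is what keeps the head of the list honest.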

We can never say we are 100% safe and protected, what we owe to ourselves and our business is doing all we can to protect our information technology assets.

Our Psychology and Security: The way we think

Annual Conference of ISACA (Information Systems Audit and Control Association), Mumbai Chapter was held at ITC Grand Maratha on 4th-6th September 2009. The theme for this year was “Success in the Challenging Times: Securing the Unsecured – Assurance beyond Audit.”

The conference featured executives from several leading public and private organizations in panel discussions and presentations. Sameer Shelke, co-founder & COO, represented Aujas and delivered a presentation on Our Psychology & Security: The Way We Think at the annual conference.

In his talk Sameer stressed the thought process people follow in dealing with IT risks. He drew an analogy with the various reactions of people and the media to the H1N1 epidemic, treated as a “risk”.

The presentation highlighted the top six security weaknesses companies have and the reasons for them. His examples sent a clear message that people should correct their behaviour to improve the IT risk and security posture of the organizations they work for.

Industry patrons applauded Sameer for his remarkable and meaningful presentation. “Sameer’s presentation was practical, with an out-of-the-box approach,” said Richard DeSouza, Head of Operational Risk at Reliance Life Insurance Limited.

To download a copy of Sameer’s presentation please click on http://www.aujas.com/presentations.html