SECURING SAP ACCELERATE BUSINESS WITH SECURE ACCESS


Nothing Is Safe

For 25 years many applications and their users operated safely behind the enterprise perimeter. But advanced attacks have penetrated the traditional perimeter, rendering internal applications visible and vulnerable. At the same time, business and IT priorities have driven the need both for external users to access internal applications and for many applications to move to the cloud.

Between the failure of traditional security tools and the massive change of IT architecture, today’s enterprise reality is that nothing can be implicitly trusted anymore.

As attackers benefit from the rapid reduction of enterprise security efficacy, they are not looking to simply deface websites or find out what your cafeteria menu is. They are looking to access your most sensitive data behind your most critical applications, and they will leverage any weak point in your overall infrastructure to establish a foothold from which to discover and exploit your critical assets.


SAP – The Big Target

From housing customer data, manufacturing processes, and intellectual property, to storing trade secrets and employee data, SAP plays a huge role as a clearinghouse of business transactions. Breaching SAP systems is clearly every attacker's dream. Therefore, SAP is one of the most critical business platforms to protect, if not the most critical.

Securing SAP – Many Challenges

While credential theft and known network-based attacks continue to be top risks, native vulnerabilities also exist in SAP.

For example, on May 11, 2016, the first-ever US-CERT Alert for cybersecurity of SAP business applications was released by the Department of Homeland Security (DHS) to forewarn the cybersecurity community about the significance and implications of a vulnerability of the SAP NetWeaver Application Server Java system, which serves as the foundational technology stack for several key SAP business solutions, information and processes. The vulnerability exploited has been identified as the Invoker Servlet vulnerability and is being leveraged in tandem with a sensitive SAP Java application to remotely gain full administrative access to the SAP systems.

This vulnerability was patched by SAP over five years ago, but it is still being leveraged by attackers to exploit the SAP systems of many large-scale global enterprises, because production SAP systems are often outdated (given the high cost and risk of updating such systems) and/or misconfigured.


Why Traditional Security Approaches Fail to Secure SAP

Identity Management programs put a lot of effort into creating and maintaining role-based access control (RBAC) and attribute-based access control (ABAC) for secure access. These programs rely solely on application authentication to control access, while network access is controlled by separate, disconnected systems.

This represents a significant security risk, as many known native application vulnerabilities and network-based vulnerabilities require only network access to exploit. Giving potential attackers the same network exposure as the legitimate users who consume and contribute sensitive data stored in SAP is a fundamental threat to SAP that must be addressed.

A New SAP Security Paradigm

If mere exposure on the network represents a fundamental security risk, why not eliminate that exposure and, at the same time, raise SAP to a much higher level of security posture than less critical applications sharing the same network?

With Vidder PrecisionAccess™, SAP servers are hidden from all users and devices (and attackers). The system assesses the trust and authenticity of each user, user device, device software, device location, and other factors before dynamically allowing visibility and connectivity to the SAP servers. This extends the concepts of role- and attribute-based access out to the network and networked devices themselves, eliminating the exposures that lead to fundamental security risk today.


PrecisionAccess is the most widely deployed solution based on the Software Defined Perimeter (SDP) protocol, which is promoted by the Cloud Security Alliance (CSA).

Contact Us

[email protected] E. Hamilton Ave. #410, Campbell, CA 95008

For more information about PrecisionAccess, go to www.vidder.com.

CHARACTERISTIC / BENEFIT

Hidden SAP servers (no server exposure to unauthorized users or unauthorized devices)

  • Mitigation of the security risk of unpatched vulnerabilities

  • Mitigation of denial-of-service attacks

Device trust assessment (client software trust attestation)

  • Isolation from malware on the authorized devices of authorized users

Integrated device + user authentication (cryptographic proof of device authenticity; correlation to the authorized user)

  • Mitigation of credential theft, pass-the-hash, brute-force password guessing, etc.

Transparent user experience (software-generated and communicated tokens)

  • Transparent multi-factor authentication for every user on every connection, with no need for user action

Network independence (connection-layer access control, independent of the network)

  • Overlay solution: users and applications can be anywhere

  • Common solution for both employee and third-party access, local and remote access, internal and cloud-based servers

Application centric (one application deployment at a time)

  • Enables critical applications to be raised to a superior security posture quickly, without the need for any infrastructure changes or additions
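The access model described under "A New SAP Security Paradigm" and summarized in the table above (hidden servers, cryptographic device proof correlated to an authorized user, software-generated tokens, and a connection-layer decision made before any visibility is granted) can be illustrated with a small default-deny policy engine. The following is an added example written for this page; it is not Vidder's, PrecisionAccess's or SAP's code, and it does not reproduce the SDP protocol. All device keys, user/device bindings, roles, the backend address and the sample requests are constructed, and the HMAC-over-JSON token format, the `make_token`, `evaluate_access` and `gateway_connect` functions, and the posture attributes are assumptions chosen for illustration.

```python
"""Default-deny access decision for a hidden SAP server (SDP-style gateway).

Added example, not Vidder's or SAP's code. Every name, key, address and
sample request here is constructed for illustration.
"""
import hashlib
import hmac
import json
import time

# Constructed enrolment records. In a real deployment these come from the
# identity provider and the device enrolment service, never from the client.
DEVICE_KEYS = {  # per-device secret provisioned at enrolment; never leaves the device
    "laptop-0001": b"constructed-device-key-0001",
    "laptop-0002": b"constructed-device-key-0002",
}
USER_DEVICES = {"alice": {"laptop-0001"}, "bob": {"laptop-0002"}}  # user <-> device binding
USER_ROLES = {"alice": {"sap-finance"}, "bob": {"hr-analyst"}}     # RBAC roles from the IdP
APP_ROLES = {"sap-erp": {"sap-finance", "sap-basis"}}              # roles entitled to each app
BACKENDS = {"sap-erp": "sap-erp.internal.example:3200"}            # placeholder address
TOKEN_TTL_SECONDS = 30
_seen_nonces = set()  # replay cache; only authenticated tokens are recorded


def make_token(user, device_id, app, posture, nonce, device_key, issued_at=None):
    """Client side: the enrolled device signs the access request with its device key.
    A stolen password alone cannot produce this MAC, which is what turns the
    request into a combined user + device proof (the 'transparent token')."""
    payload = json.dumps(
        {"user": user, "device": device_id, "app": app, "posture": posture,
         "nonce": nonce, "iat": time.time() if issued_at is None else issued_at},
        sort_keys=True)
    mac = hmac.new(device_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def evaluate_access(token, now=None):
    """Controller side: every check must pass; anything else is a deny.
    Returns (allowed, reason) so the reason can be logged for detection."""
    now = time.time() if now is None else now
    claims = json.loads(token["payload"])
    device_key = DEVICE_KEYS.get(claims.get("device"))
    if device_key is None:
        return False, "unknown device"
    expected = hmac.new(device_key, token["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return False, "device proof failed"
    if not (0 <= now - claims["iat"] <= TOKEN_TTL_SECONDS):
        return False, "token expired"
    if claims["nonce"] in _seen_nonces:
        return False, "replayed token"
    _seen_nonces.add(claims["nonce"])
    if claims["device"] not in USER_DEVICES.get(claims["user"], set()):
        return False, "device not bound to user"
    posture = claims.get("posture", {})
    if not (posture.get("disk_encrypted") and posture.get("edr_running")):
        return False, "device posture check failed"
    if not USER_ROLES.get(claims["user"], set()) & APP_ROLES.get(claims["app"], set()):
        return False, "no entitlement for app"
    return True, "allow"


def gateway_connect(token, now=None):
    """Gateway side: returns the backend address only after a full allow.
    On any deny the request is silently dropped (None), so an unauthorized
    client never learns whether an SAP server is listening at all."""
    allowed, _reason = evaluate_access(token, now)
    return BACKENDS[json.loads(token["payload"])["app"]] if allowed else None


if __name__ == "__main__":
    ok_posture = {"disk_encrypted": True, "edr_running": True}
    good = make_token("alice", "laptop-0001", "sap-erp", ok_posture, "demo-1",
                      DEVICE_KEYS["laptop-0001"])
    print("enrolled device, entitled user:", gateway_connect(good))
    # alice's credentials presented from bob's device: the password is valid,
    # but the device is not bound to her, so the server stays hidden.
    stolen = make_token("alice", "laptop-0002", "sap-erp", ok_posture, "demo-2",
                        DEVICE_KEYS["laptop-0002"])
    print("stolen credential on another device:", evaluate_access(stolen))
```

The ordering of the checks is deliberate: the device proof is verified before anything is cached or looked up, so unauthenticated traffic cannot fill the replay cache, and the entitlement check (the RBAC decision that the page notes identity programs already maintain) is reached only after the network-layer questions about the device have been answered.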