SAP FIORI and Cybersecurity Risk
Many companies already have an unacceptable level of SAP cybersecurity vulnerability, due to a number of factors:
Because FIORI is an external facing feature, it is even more vulnerable to cyberattack than in-office SAP. There are several factors that go into this increased risk level:
The Devices: Unlike in-house SAP access, FIORI is often accessed via mobile device. Many organizations assume that these devices, as long as they’re not rooted or jailbroken, are adequately secured by the manufacturer. That may or may not be the case. Depending on how the device is configured, hackers may easily be able to access secure data. In addition, if the user is careless with their device security (e.g., no lock screen, leaving the device unattended), no amount of manufacturer-implemented safeguards will matter.
The Network: If a user is accessing FIORI from their encrypted home network, that is one thing. However, the very nature of FIORI means that it is often used while on the go. Free and unprotected wi-fi in public places is convenient but provides no network security to users. This can allow access to any cybercriminal who wishes to digitally eavesdrop on FIORI sessions. In addition, with the public server acting as a midpoint between the client and the FIORI gateway server, these applications are particularly vulnerable to man-in-the-middle attacks, where the cyberattacker creates a redirect, allowing them to retrieve sensitive information and confidential data.
The Environment: How much thought do we put into the people who are around us, possibly spying on what we’re doing? A user might not think anyone is watching them enter their credentials into FIORI, but cyberattackers lurk everywhere and are only too happy to sneakily film a user typing in their login information so they can use it later to infiltrate the system.
In our own research, we saw that an alarming percentage of SAP installations are not adequately protected from malicious uploads. Combine that with the increased ease of access FIORI brings, and you have a tunnel straight into the heart of a company’s most vital data.
Cybersecurity Risk Profiles: CRM, ERP, SRM
There are a multitude of applications that can be accessed through FIORI. However, the most commonly accessed apps route through one of three back-end SAP products: CRM, ERP, and SRM.
Let’s look at each app in detail:
CRM
SAP CRM is the lifeblood of many a sales team. And its associated FIORI apps make it easy for reps to access vital data while on the road.
Some of the applications a sales rep would use include My Accounts, My Contacts, My Opportunities, and My Tasks. These apps allow reps to access vital information on accounts, contacts, and opportunities, and more importantly (for cybersecurity purposes at least) create new accounts, contacts, opportunities, and tasks, as well as upload and attach files to each one.
SRM
If you do purchasing, SRM is always close to hand. Apps like Approve Shopping Carts, My Shopping Cart, and Track Shopping Carts make it simple to have a one-stop mobile solution for all enterprise shopping needs. Adding items to the cart, specifying delivery, approving or rejecting carts and sending them to different employees — it all makes purchasing easier, without being tied to a desk.
ERP
SAP ERP is what keeps a business running smoothly. Sales orders, purchase orders, product management, financials — ERP lets your entire enterprise share vital business documents and data easily and in real time. And FIORI apps like Track Purchase Order, Release Production Orders, and Approve Supplier Invoices, it’s easy to make sure production never slows down.
The FIORI apps linked to these products are extremely convenient for remote employees. However, they also offer plenty of opportunity for cyberattack.
Why?
Because they all allow attachments and content to be uploaded directly into those back-end products, and consequently, into the company’s SAP system as a whole.
Currently, products like CRM, SRM, and ERP are prime targets for cross-site scripting (XSS) attacks, injection attacks, and directory traversal attacks. These attacks gain access through malicious user input into these web-based, externally accessed applications.
Now, add FIORI into the mix, accessed from often-insecure networks, devices and environments, and the exposure to potential cyberattack, particularly man-in-the-middle attacks, has just grown exponentially.
Securing SAP FIORI
In-House Options
With a full understanding of the many threats FIORI faces, the next logical question is, “How can my business make FIORI more secure?”
Businesses can take a two-pronged approach to improve their FIORI cybersecurity: securing the system and securing the environment.
The System
When rolling out FIORI to devices on public networks, administrators should take a few extra steps administrators to boost security. For example, they can:
- Block access to the HTTP port on the NetWeaver Gateway server at the firewall
- Implement HTTP Strict Transport Security
- Allow access to critical FIORI apps only over VPN
- Implement redirections from HTTP to HTTPS URLs in Web Dispatcher and ICM
- Activate MIME-type integrity checks on their SAP application
The Environment
We outlined above how the FIORI’s use environment is a big contributor towards its heightened cybersecurity vulnerabilities. The good news is this factor can largely be mitigated with some best practices and diligence. For example, FIORI users should be reminded to:
- Use strong password protection on their mobile devices
- Never leave their devices unattended when in public
- Avoid using public wi-fi
- Always be aware of their surroundings, particularly when entering login credentials
Third-Party Options
In-house SAP cybersecurity options are an excellent start. However, as mentioned above, SAP faces a multitude of risks already. Some are due to internal factors (e.g., lack of clarity in who is responsible for SAP cybersecurity, severe shortage of SAP cybersecurity professionals), while others are simply a part of how SAP is constructed (e.g., standard anti-virus programs not being able to recognize or address SAP cybersecurity threats). With more and more people using FIORI, the threats to SAP as a whole are only increasing.
Because of this, top companies are recognizing the need for reliable third-party solutions.
The Benefits of Third-Party SAP Cybersecurity Solutions
In today’s cybersecurity landscape, companies need to be vigilant. Choosing a reputable and reliable SAP cybersecurity solution can save businesses a considerable amount of time and resources, while improving their defenses.
The right solutions will:
- Detect and block malicious user input from SAP applications, both in real time and in-memory
- Plug directly into the SAP ICM, needing no changes to the application code
- Retain end-to-end encryption
- Detect and block malware hidden in file uploads, even if hidden or otherwise camouflaged
When the right solutions are selected, the benefits are significant:
- No need to spend time and resources recruiting increasingly rare SAP cybersecurity professionals
- In-house IT security does not have to spread itself too thin, allowing it to devote its focus on other vulnerabilities
- Specialized solutions are supported by teams who are consistently up-to-date on any new SAP cybersecurity threats and will automatically update the solution accordingly
- No more need to worry about FIORI users experiencing a cybersecurity breach or unwittingly uploading a malware-laden attachment and spreading it via the SAP application
- Consistent and robust protection for SAP, whether it’s being accessed from behind a desk, on a plant floor, or at a coffee shop
