Companies have to keep up. Partners, suppliers, customers, and coworkers can’t wait hours, let alone days, for the information they need to do their job. They need it within minutes.
SAP applications have provided a massive advantage to companies, centralizing their data and processes so that each step of a job flows smoothly to the next one, with all of the necessary data being carried along for the ride.
Now, with today’s increasingly mobile workforce and fast-moving processes, more and more businesses are relying on SAP FIORI, with its simple and intuitive user interface that allows users to perform common, everyday functions quickly and with minimal effort.
Sounds great, doesn’t it? And it is great … except for one thing.
There are multiple advantages to using FIORI, but it also brings with it new security challenges that you must consider, to ensure the cybersecurity of your company’s entire SAP system.
This resource will help you understand the cybersecurity risks that are inherent to SAP FIORI, so that you can take the right steps to protect your business and its sensitive data.
SAP FIORI: Background
SAP users will be familiar with its traditional interface, which can provide a steep learning curve to any new user. Like many other powerhouse programs, SAP is a multi-faceted tool that can do just about anything, and really shines once you get to know its functions better.
However, SAP’s interface does not lend itself well to mobile use, due to its sheer complexity. Mobile users needed a quick and clear interface that was intuitive and user-friendly.
Thus, FIORI was born.
How FIORI Works
Often paired with SAP HANA as the database, FIORI provides a fast, UX-optimized app experience for tablets, desktops/laptops, and smartphones. It provides access to the most commonly used SAP transactions, repurposing them as apps built around five design principles:
Role-based – Deliver the right information at the right time via multi-faceted user interfaces
Adaptive – Get instant, relevant insight – whether using mobile apps or a desktop computer
Simple – Zero in on your most important tasks, functions, and activities
Coherent – Deliver a consistent UX across the enterprise – whether you need to fulfill a sales order, review your latest KPIs, or manage leave requests
Delightful – Enrich your work experience with intuitive, easy-to-use SAP Fiori apps
In practice, FIORI is designed so that mobile users can quickly and easily access commonly used transactions: a multi-screen SAP GUI transaction typically becomes a single, task-focused app screen.
FIORI has proven to be a popular addition to many companies’ SAP systems. With all of that popularity, however, comes an increased level of risk.
SAP FIORI and Cybersecurity Risk
Many companies already have an unacceptable level of SAP cybersecurity vulnerability, due to a number of factors:
Standard OS-level antivirus programs not being able to recognize or address SAP cybersecurity threats
Gap in assigning responsibility for SAP cybersecurity (does it fall to SAP administrators or Information Security?)
Because FIORI apps are typically exposed beyond the corporate network, reached over the internet through SAP Web Dispatcher and the NetWeaver Gateway, they present a larger attack surface than SAP GUI used inside the office. Several factors contribute to this increased risk level:
The Devices: Unlike in-house SAP access, FIORI is often accessed via mobile device. Many organizations assume that these devices, as long as they’re not rooted or jailbroken, are adequately secured by the manufacturer. That may or may not be the case. Depending on how the device is configured (no storage encryption, an outdated OS, sideloaded apps), an attacker who obtains the device or gets malware onto it may be able to read cached data or reuse a stored session. In addition, if the user is careless with their device security (e.g., no lock screen, leaving the device unattended), no amount of manufacturer-implemented safeguards will matter.
The Network: Accessing FIORI from an encrypted home network is one thing. However, the very nature of FIORI means that it is often used while on the go. Free, unprotected wi-fi in public places is convenient but provides no network security to users: anyone on the same network, or whoever controls the access point, can observe the traffic. If the gateway still answers on plain HTTP, or the client does not properly validate the server certificate, that position lets an attacker mount a man-in-the-middle attack, redirecting or proxying the session and capturing credentials, session cookies, and confidential data. Properly enforced TLS is what closes this gap, which is why the hardening steps for administrators later in this resource concentrate on it.
The Environment: How much thought do we put into the people around us, possibly spying on what we’re doing? A user might not think anyone is watching them enter their credentials into FIORI, but shoulder surfing is cheap: an attacker only has to glance at, or discreetly film, a user typing their login information to reuse it later to infiltrate the system.
In our own research, we saw that an alarming percentage of SAP installations are not adequately protected from malicious uploads. Combine that with the increased ease of access FIORI brings, and you have a tunnel straight into the heart of a company’s most vital data.
Cybersecurity Risk Profiles: CRM, ERP, SRM
There are a multitude of applications that can be accessed through FIORI. However, the most commonly accessed apps route through one of three back-end SAP products: CRM, ERP, and SRM.
Let’s look at each back-end product and its apps in detail:
SAP CRM is the lifeblood of many a sales team. And its associated FIORI apps make it easy for reps to access vital data while on the road.
Some of the applications a sales rep would use include My Accounts, My Contacts, My Opportunities, and My Tasks. These apps allow reps to access vital information on accounts, contacts, and opportunities, and more importantly (for cybersecurity purposes at least) create new accounts, contacts, opportunities, and tasks, as well as upload and attach files to each one.
If you do purchasing, SRM is always close to hand. Apps like Approve Shopping Carts, My Shopping Cart, and Track Shopping Carts make it simple to have a one-stop mobile solution for all enterprise shopping needs. Adding items to the cart, specifying delivery, approving or rejecting carts and sending them to different employees — it all makes purchasing easier, without being tied to a desk.
SAP ERP is what keeps a business running smoothly. Sales orders, purchase orders, product management, financials — ERP lets your entire enterprise share vital business documents and data easily and in real time. With FIORI apps like Track Purchase Order, Release Production Orders, and Approve Supplier Invoices, it’s easy to make sure production never slows down.
The FIORI apps linked to these products are extremely convenient for remote employees. However, they also offer plenty of opportunity for cyberattack, because they all allow attachments and content to be uploaded directly into those back-end products and, consequently, into the company’s SAP system as a whole.
Products like CRM, SRM, and ERP are prime targets for cross-site scripting (XSS), injection, and directory traversal attacks. All three enter through malicious user input to these web-based, externally accessed applications, and an uploaded attachment is user input too: its filename can carry traversal sequences, and its contents can carry script that executes when the file is later served back to another user.
Now add FIORI into the mix, accessed from often-insecure networks, devices, and environments, and the exposure to potential cyberattack, particularly man-in-the-middle attacks, has grown considerably.
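To make the upload risk concrete, here is an added example (not bowbridge code and not part of any SAP product) of the checks an attachment handler should apply before storing a file uploaded through a FIORI app: the filename is reduced to a single safe path component so traversal sequences are neutralised, the extension must be on an allow-list, the leading bytes must match the declared type, a coarse scan rejects script or SVG smuggled into an image or PDF, and the download headers stop a browser from ever rendering the stored file. The upload root /srv/fiori-uploads, the allow-list, and the sample uploads are constructed for this example.

```python
import os
import posixpath
import re
from typing import Tuple

# Constructed allow-list for this example: permitted extensions and the magic
# bytes a genuine file of that type begins with. A real deployment tunes this per app.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Byte sequences that indicate script or SVG smuggled into a file that claims to
# be an image or document. This is a coarse heuristic, not a parser.
ACTIVE_CONTENT_MARKERS = (b"<script", b"<svg", b"javascript:", b"onerror=", b"onload=")

# One path component: starts alphanumeric, no separators, at most 100 characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")

MAX_BYTES = 10 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised with a reason when an attachment must not be stored."""


def safe_filename(name: str) -> str:
    """Reduce a client-supplied filename to a single safe path component.

    Directory parts are discarded (so '../../etc/passwd.pdf' and
    '..\\..\\x.pdf' both collapse to their basename) and the remainder
    must match SAFE_NAME."""
    base = posixpath.basename(name.replace("\\", "/"))
    if base in ("", ".", "..") or not SAFE_NAME.match(base):
        raise UploadRejected(f"unsafe filename: {name!r}")
    return base


def validate_upload(name: str, data: bytes) -> str:
    """Return the sanitised filename if the attachment passes every check."""
    base = safe_filename(name)
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if len(data) > MAX_BYTES:
        raise UploadRejected("attachment too large")
    # The declared type must match the bytes; an HTML file renamed .pdf fails here.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match declared type {ext!r}")
    # Polyglot check on the leading bytes: a genuine image/PDF header followed by markup.
    head = data[:4096].lower()
    if any(marker in head for marker in ACTIVE_CONTENT_MARKERS):
        raise UploadRejected("active content embedded in attachment")
    return base


def store_path(upload_root: str, base: str) -> str:
    """Join under the upload root and prove the result cannot escape it."""
    root = os.path.abspath(upload_root)
    full = os.path.abspath(os.path.join(root, base))
    if os.path.commonpath([root, full]) != root:
        raise UploadRejected("path escapes upload root")
    return full


def download_headers(base: str) -> dict:
    """Headers to serve the attachment back with, so a browser never renders it."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{base}"',
        "X-Content-Type-Options": "nosniff",
    }


def check_upload(name: str, data: bytes, upload_root: str = "/srv/fiori-uploads") -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, stored path or rejection reason)."""
    try:
        base = validate_upload(name, data)
        return True, store_path(upload_root, base)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample uploads, as a CRM "My Accounts" attachment handler might see them.
    samples = [
        ("quote.pdf", b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n"),
        ("../../../etc/passwd.pdf", b"%PDF-1.7\n"),                     # traversal in the name
        ("invoice.pdf", b"<html><script>alert(1)</script></html>"),     # HTML renamed .pdf
        ("logo.png.html", b"<html>"),                                    # double extension
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"<svg onload=alert(1)>"),  # image/SVG polyglot
    ]
    for name, data in samples:
        print(name, "->", check_upload(name, data))
```

The marker scan is deliberately only a backstop; the control that actually prevents stored XSS is serving attachments with Content-Disposition: attachment and X-Content-Type-Options: nosniff from download_headers, ideally from a separate origin, so that nothing a user uploaded is ever interpreted as a page of the SAP host.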
Securing SAP FIORI
With a full understanding of the many threats FIORI faces, the next logical question is, “How can my business make FIORI more secure?”
Businesses can take a two-pronged approach to improve their FIORI cybersecurity: securing the system and securing the environment.
When rolling out FIORI to devices on public networks, administrators should take a few extra steps to boost security. For example, they can:
Block access to the HTTP port on the NetWeaver Gateway server at the firewall, so that the only externally reachable port is the HTTPS one
Implement HTTP Strict Transport Security with a long max-age (a year is the usual minimum), so that a browser that has seen the header once refuses plain HTTP to that host; note that HSTS only protects a client after its first HTTPS visit
Allow access to critical FIORI apps only over VPN
Implement redirections from HTTP to HTTPS URLs in Web Dispatcher and ICM for clients that can still reach the HTTP port (for example on the internal network); the redirect is a convenience for users, not a substitute for blocking the port externally
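The four steps above are easiest to keep honest with a check that can be re-run after every profile change. The following is an added example, not SAP’s or bowbridge’s code: it reads icm/server_port_<n> entries from an instance profile to list the ports that still speak clear-text HTTP (each of which belongs behind the firewall rule in the first step), and it inspects a pair of captured responses from the gateway to confirm that the HTTP port answers with a redirect to https:// and that the HTTPS response carries a Strict-Transport-Security header with a max-age of at least one year. The profile excerpt, the host fiori.example.com and the captured responses are constructed; the launchpad path is the standard FIORI launchpad URL, used here only as sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 365 * 24 * 3600  # 31536000 seconds, the conventional minimum HSTS max-age

# Real ICM profile syntax: icm/server_port_<n> = PROT=HTTPS,PORT=44300,...
SERVER_PORT_RE = re.compile(r"^\s*icm/server_port_\d+\s*=\s*(.+?)\s*$", re.MULTILINE)


def parse_server_ports(profile_text: str) -> List[Dict[str, str]]:
    """Split each icm/server_port_<n> value into its KEY=VALUE pairs."""
    ports = []
    for match in SERVER_PORT_RE.finditer(profile_text):
        entry = {}
        for part in match.group(1).split(","):
            if "=" in part:
                key, value = part.split("=", 1)
                entry[key.strip().upper()] = value.strip()
        ports.append(entry)
    return ports


def plaintext_ports(profile_text: str) -> List[str]:
    """Ports the ICM answers in clear text; each one must be unreachable from outside."""
    return [p["PORT"] for p in parse_server_ports(profile_text)
            if p.get("PROT", "").upper() == "HTTP" and "PORT" in p]


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP/1.1 response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age from a Strict-Transport-Security value, or None if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def check_transport(http_raw: bytes, https_raw: bytes) -> List[str]:
    """Findings for one gateway host; an empty list means both checks pass."""
    findings = []
    status, headers = parse_http_response(http_raw)
    location = headers.get("location", "")
    if not (300 <= status < 400 and location.lower().startswith("https://")):
        findings.append(f"plain HTTP answered with {status} instead of a redirect to https://")
    status, headers = parse_http_response(https_raw)
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing on HTTPS response")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append(f"HSTS max-age too short: {hsts!r}")
    return findings


# --- Constructed samples ---------------------------------------------------
LAUNCHPAD = "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html"

# Instance profile excerpt (constructed): port 8000 still speaks clear-text HTTP.
PROFILE_WEAK = """
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=HTTPS,PORT=44300
"""

# Weak gateway: serves the launchpad over HTTP and sends no HSTS over HTTPS.
HTTP_WEAK = b"HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n<html>..."
HTTPS_WEAK = b"HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n<html>..."

# Hardened gateway: HTTP redirects to HTTPS, HTTPS pins HSTS for a year.
HTTP_HARDENED = ("HTTP/1.1 301 Moved Permanently\r\n"
                 f"location: https://fiori.example.com{LAUNCHPAD}\r\n"
                 "content-length: 0\r\n\r\n").encode()
HTTPS_HARDENED = (b"HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n"
                  b"strict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n<html>...")

if __name__ == "__main__":
    print("clear-text ports to firewall:", plaintext_ports(PROFILE_WEAK))
    print("weak gateway:", check_transport(HTTP_WEAK, HTTPS_WEAK))
    print("hardened gateway:", check_transport(HTTP_HARDENED, HTTPS_HARDENED))
```

In practice the two responses come from curl -sI against the gateway’s HTTP and HTTPS ports (or from a proxy capture on a test phone), and the profile text from the instance profile on the server. Run the check from outside the corporate network as well: a clear-text port that is firewalled externally but reachable internally is acceptable, one that answers from the internet is not, and the redirect in the last step does nothing for a client that never gets the HSTS header because it only ever talks to the HTTP port.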
We outlined above how FIORI’s usage environment is a big contributor to its heightened cybersecurity vulnerabilities. The good news is that this factor can largely be mitigated with some best practices and diligence. For example, FIORI users should be reminded to:
Use strong password or passcode protection (and automatic screen lock) on their mobile devices
Never leave their devices unattended when in public
Avoid using public wi-fi
Always be aware of their surroundings, particularly when entering login credentials
In-house SAP cybersecurity options are an excellent start. However, as mentioned above, SAP faces a multitude of risks already. Some are due to internal factors (e.g., lack of clarity in who is responsible for SAP cybersecurity, severe shortage of SAP cybersecurity professionals), while others are simply a part of how SAP is constructed (e.g., standard anti-virus programs not being able to recognize or address SAP cybersecurity threats). With more and more people using FIORI, the threats to SAP as a whole are only increasing.
Because of this, top companies are recognizing the need for reliable third-party solutions.
The Benefits of Third-Party SAP Cybersecurity Solutions
In today’s cybersecurity landscape, companies need to be vigilant. Choosing a reputable and reliable SAP cybersecurity solution can save businesses a considerable amount of time and resources, while improving their defenses.
The right solutions will:
Detect and block malicious user input before it reaches SAP applications, both in real time and in-memory
Plug directly into the SAP ICM, needing no changes to the application code
When the right solutions are selected, the benefits are significant:
No need to spend time and resources recruiting increasingly rare SAP cybersecurity professionals
In-house IT security does not have to spread itself too thin, allowing it to devote its focus on other vulnerabilities
Specialized solutions are supported by teams who are consistently up-to-date on any new SAP cybersecurity threats and will automatically update the solution accordingly
Far less risk of FIORI users experiencing a cybersecurity breach or unwittingly uploading a malware-laden attachment and spreading it via the SAP application
Consistent and robust protection for SAP, whether it’s being accessed from behind a desk, on a plant floor, or at a coffee shop
Today’s threats to SAP cybersecurity are multifold. On one hand, you have an increasingly mobile and fast-paced workforce that needs to access SAP when on the move. On the other hand, you have an increasing number (and increasing sophistication) of cyberattacks taking place.
SAP FIORI solves the first problem. bowbridge solves the second one.