Is your hosting service provider helping to keep your critical business applications secure? It is not enough to simply harden machine images and develop policy-driven access; application hosting providers need to understand the vulnerabilities introduced by each and every application in the environment. Otherwise, the system remains exposed to threats aimed specifically at that application environment and the opportunities it presents.
Many hosting providers will host any business application a customer has, and often do so with no significant experience or expertise in the configuration or security issues specific to those applications or environments. Consider the following report from IDG News Service, which indicates that numerous SAP deployments remain vulnerable to attack or intrusion even though SAP has improved the security of its products. The problem rests not exclusively with the SAP applications, but also with the approach to implementing the systems and security around them. Understanding the vulnerabilities introduced with SAP products is the first step to securing them. A skilled IT solution provider is certainly likely to offer a high level of service and capability, but particular products (like SAP) may introduce additional or unique considerations, and it is important for the service provider to be aware of and address them.
IDG News Service — SAP has significantly improved the security of its products over the past few years but many of its customers are negligent with their deployments, which exposes them to potential attacks that could cripple their businesses, according to security researchers.
The biggest issue is that companies expose insecure SAP services to the Internet — not only HTTP services, but also critical administrative interfaces, Alexander Polyakov, chief technology officer at ERPScan, a developer of security monitoring products for SAP systems, said Tuesday.
Between 5 percent and 10 percent of companies that use SAP products expose critical services to the Internet that shouldn’t be publicly accessible, Polyakov said. This happens because they want to enable remote management or because of improper configurations, he said.
Most of the services have vulnerabilities that can be easily attacked, Polyakov said.
Publicly available exploits exist for many SAP vulnerabilities, including some that are part of Metasploit, a popular security testing tool.
The percentage of companies with exposed SAP services differs from country to country. The situation is better in North America and Europe and worse in the Asia-Pacific region, Africa and Latin America, Polyakov said. However, even 5 percent translates to a very large number of companies, he said.
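The exposure the report describes is something a hosting provider can check for itself from its own firewall and listener inventory. The following is an added example, not code from the article or from ERPScan: it parses a constructed inventory of SAP listeners (host, service tag, bind address, port, allowed source CIDR) and flags every administrative interface that the source filter leaves reachable from the Internet. The inventory format, the host names, the service tags (sapcontrol, gateway, message_server, diag, icm_http) and the port values are this example's own assumptions, not identifiers taken from the page.

```python
"""Flag SAP listeners that a firewall inventory says are reachable from the Internet.

Added example (not from the article). The inventory format, service tags,
host names and ports are constructed for illustration. The audit answers the
question the report raises: which administrative SAP interfaces can be reached
from anywhere, and which should be restricted to a management network.
"""
from dataclasses import dataclass
import ipaddress

# Service tags treated as administrative interfaces. These tag names are this
# example's own convention (hypothetical), not SAP identifiers.
ADMIN_SERVICES = {"sapcontrol", "gateway", "message_server", "diag"}

# RFC 1918 and loopback ranges: a source filter wholly inside one of these is
# internal-only; anything else is treated as reachable from the Internet.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample inventory: host,service,bind_addr,port,allowed_source_cidr
SAMPLE_INVENTORY = """\
sap-prd-01,icm_http,10.0.5.21,8000,10.0.0.0/8
sap-prd-01,sapcontrol,0.0.0.0,50013,0.0.0.0/0
sap-prd-01,gateway,10.0.5.21,3300,0.0.0.0/0
sap-prd-02,message_server,203.0.113.10,3600,198.51.100.0/24
sap-prd-02,diag,127.0.0.1,3200,0.0.0.0/0
sap-prd-02,icm_http,10.0.5.22,8000,0.0.0.0/0
"""


@dataclass
class Listener:
    host: str
    service: str
    bind_addr: str
    port: int
    allowed_from: str  # CIDR the firewall permits as the source


@dataclass
class Finding:
    host: str
    service: str
    port: int
    severity: str
    reason: str


def parse_inventory(text: str) -> list:
    """Parse the comma-separated inventory, skipping blank and comment lines."""
    listeners = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, service, bind_addr, port, allowed = (f.strip() for f in line.split(","))
        listeners.append(Listener(host, service, bind_addr, int(port), allowed))
    return listeners


def source_is_internal(cidr: str) -> bool:
    """True when the source filter lies wholly inside an internal range.

    Checked explicitly against INTERNAL_RANGES rather than via
    IPv4Network.is_private, whose answer for 0.0.0.0/0 differs across
    Python versions.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in INTERNAL_RANGES)


def internet_reachable(listener: Listener) -> bool:
    """A loopback-only bind is unreachable from outside whatever the filter says."""
    if ipaddress.ip_address(listener.bind_addr).is_loopback:
        return False
    return not source_is_internal(listener.allowed_from)


def audit(listeners: list) -> list:
    """Return one Finding per Internet-reachable listener, admin interfaces first in severity."""
    findings = []
    for l in listeners:
        if not internet_reachable(l):
            continue
        if l.service in ADMIN_SERVICES:
            findings.append(Finding(l.host, l.service, l.port, "critical",
                "administrative interface reachable from the Internet; restrict to the management network"))
        else:
            findings.append(Finding(l.host, l.service, l.port, "medium",
                "application service reachable from the Internet; confirm it is intended and patched"))
    return findings


def audit_text(text: str) -> list:
    return audit(parse_inventory(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_INVENTORY):
        print(f"{f.severity:8} {f.host}:{f.port} {f.service} - {f.reason}")
```

On the sample inventory the script reports three critical findings (the start-service, gateway and message-server listeners whose source filter is not internal) and one medium finding (an HTTP listener open to any source); the listener bound to loopback and the one filtered to 10.0.0.0/8 produce nothing. The same check run over a real inventory is a cheap, repeatable way for a provider to catch the "remote management" and misconfiguration cases the report attributes the exposures to.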