
When implementing SAP, don't skimp on security

Businesses are paying too little attention to securing their SAP systems, a security expert has warned.

In a presentation at the Black Hat 2008 security conference in Las Vegas later this week, security researcher Mariano Nuñez Di Croce, at Cybec Security Systems, will explain why he thinks users need to pay more attention to SAP security.

Speaking to Computer Weekly prior to the event, Nuñez Di Croce said, "As installing, customising and going-live with an SAP implementation is a really tough project, the security measures are often ignored or postponed in the best case". Nuñez Di Croce has published a number of security problems in SAP systems.

He warned that default settings in SAP systems were not secure, which could leave the system exposed to high-risk threats that could be exploited by potential intruders.

Nuñez Di Croce said, "The SAP infrastructure handles all the daily business-critical processes and information. Therefore, the confidentiality, integrity and availability of these systems is highly critical for any organisation."

He urged anyone embarking on an SAP implementation project to take time to lock down default users, secure the interfaces with other systems, encrypt sensitive traffic and remove insecure configurations. He also recommended that users ensure the databases and operating systems used by SAP were secure.

Nuñez Di Croce advised IT managers implementing SAP to enforce strict control over users' authorisations. In particular, he suggested that businesses could enforce security by using Segregation of Duties to limit what individual end-users can access, to avoid fraudulent activities that would result in financial losses for the organisation.




