Q&A: Securing SAP ERP Systems with CyberArk
Privileged accounts exist in every layer of an ERP system implementation, from the underlying infrastructure to the enterprise applications powering the business. In the right hands they help safeguard business-critical assets and data. In the wrong hands they can be used to disrupt operations and steal confidential information.
In a recent, popular On the Front Lines webinar, we explored critical challenges enterprises face in protecting SAP ERP systems, and we also gave a quick demo of the CyberArk SAP Certified Privileged Access Security Solution. We had a large audience and a number of technical questions were raised and addressed during the session. Following are some excerpts. You can also read presentation takeaways or tune in to the full webinar and demo on demand.
Q: What type of configuration in SAP is required to set up SAP with CyberArk?
You don’t have to do anything specific inside SAP to start managing privileged credentials with CyberArk. Because we use the native SAP API to rotate credentials, the CyberArk solution appears to SAP as just another SAP client, so no special changes or installations are required on the SAP side.
You can utilize CyberArk SAP Scanner to detect privileged accounts across the SAP system. Once you have a good handle on where these accounts exist and how many there are, you can automatically onboard these privileged SAP accounts through a configuration within the CyberArk Enterprise Password Vault leveraging the CyberArk REST API. Within minutes, you can apply policies to effectively manage these credentials in a single location and prevent unauthorized access to critical systems. Additionally, you can begin to rotate and update credentials at regular intervals or on demand (based on policy), including managing the sensitive DDIC credentials used in the SAP upgrade process.
Q: Does CyberArk integrate with SAP HANA Database and SAP Java Portal?
Through CyberArk’s partnership with SAP, we offer a NetWeaver-certified integration with SAP HANA – you can view details of this integration on the CyberArk Marketplace, alongside several other SAP integrations including SAP Concur, SAP GUI, SAP Sybase ASE Database (Adaptive Server Enterprise) and the SAP Sybase ASE ODBC Driver.
For integration needs for Java Portal, please get in touch with your CyberArk representative, so we can learn more about your integration needs. We’re more than happy to work with you on a customized solution, and we continue to add new integrations to the CyberArk Marketplace regularly.
Q: How long can you store session recordings and histories?
Session information storage time can be configured to your organization’s specific needs. You can keep them for one year, five years or longer as required. You can also specify where these recordings are stored. For example, you can store the SAP recordings within CyberArk and the operating system recordings elsewhere if you choose.
Remember that the average lag time from a breach to discovery is 99 days. If you’re deleting your recordings after just three weeks, you’re going to lose a lot of material that could be helpful during a forensics process. A best practice for SAP-related recordings is to store them for about 18 months.
Q: Can you explain how override accounts work in SAP environments?
A reconcile account inside the CyberArk solution is a privileged account on the target SAP system that can be used to override the password of other privileged accounts. As an example, imagine the DDIC password is no longer synchronized with the Vault: something went wrong, or somebody manually changed the password during a session. You can use the reconcile account to override that password and bring it back under management. Of course, adequate privileges on the SAP system are required to perform such an override, so the recommendation is to use a highly privileged user for this role.
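The following script is an added example, not CyberArk’s own code, that ties together two of the answers above: onboarding discovered SAP accounts through the REST API with automatic management enabled, and using the reconcile account to override a password the Vault no longer knows. It assumes the PVWA REST API v10+ endpoint layout (Logon, Accounts, Accounts/{id}/Change and Accounts/{id}/Reconcile), a platform ID of "SAP" and a safe named "SAP-Privileged" that already exist in the Vault; the scanner findings, host names and the offline fake transport are constructed so the example runs without a Vault.

```python
"""Onboard discovered SAP privileged accounts via the PVWA REST API, then
queue a Change (password known) or a Reconcile (password unknown/out of sync).

Added example, not CyberArk's code. Assumed endpoints (PVWA REST API v10+):
  POST /PasswordVault/API/auth/Cyberark/Logon     -> session token
  POST /PasswordVault/API/Accounts                -> create account
  POST /PasswordVault/API/Accounts/{id}/Change    -> CPM rotates the password
  POST /PasswordVault/API/Accounts/{id}/Reconcile -> CPM resets it via reconcile account
Platform "SAP", safe "SAP-Privileged", hosts and findings are constructed."""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# Constructed sample of a scanner export. password_known records whether the
# current password was captured at discovery; if not, only a reconcile works.
SCANNER_FINDINGS = [
    {"sid": "PRD", "client": "000", "host": "sapprd01.example.internal",
     "user": "DDIC", "password_known": False},
    {"sid": "PRD", "client": "100", "host": "sapprd01.example.internal",
     "user": "SAP*", "password_known": True, "password": "<current-password-placeholder>"},
    {"sid": "QAS", "client": "000", "host": "sapqas01.example.internal",
     "user": "DDIC", "password_known": True, "password": "<current-password-placeholder>"},
]

# A transport maps (method, url, headers, json_body) to the parsed JSON response.
Transport = Callable[[str, str, Dict[str, str], Any], Any]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Any) -> Any:
    """Real transport on the standard library (not exercised offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:  # TLS certificate verified by default
        raw = resp.read()
    return json.loads(raw) if raw else None


def build_onboard_payload(finding: Dict[str, Any], platform_id: str = "SAP",
                          safe: str = "SAP-Privileged") -> Dict[str, Any]:
    """Body for POST /Accounts; the secret is sent only when discovery had it."""
    payload = {
        "name": f"{finding['sid']}-{finding['client']}-{finding['user']}",
        "address": finding["host"],
        "userName": finding["user"],
        "platformId": platform_id,
        "safeName": safe,
        "secretType": "password",
        # Policy: the CPM manages (rotates) this credential automatically.
        "secretManagement": {"automaticManagementEnabled": True},
    }
    if finding["password_known"]:
        payload["secret"] = finding["password"]
    return payload


class PvwaClient:
    def __init__(self, base_url: str, transport: Transport):
        self.base = base_url.rstrip("/") + "/PasswordVault/API"
        self.transport = transport
        self.token = None

    def logon(self, username: str, password: str) -> str:
        self.token = self.transport("POST", f"{self.base}/auth/Cyberark/Logon",
                                    {"Content-Type": "application/json"},
                                    {"username": username, "password": password})
        return self.token

    def _headers(self) -> Dict[str, str]:
        return {"Content-Type": "application/json", "Authorization": self.token}

    def add_account(self, payload: Dict[str, Any]) -> Dict[str, Any]:
        return self.transport("POST", f"{self.base}/Accounts", self._headers(), payload)

    def change_now(self, account_id: str) -> Any:
        return self.transport("POST", f"{self.base}/Accounts/{account_id}/Change",
                              self._headers(), {"ChangeEntireGroup": False})

    def reconcile_now(self, account_id: str) -> Any:
        # The platform's reconcile account overwrites an unknown/out-of-sync
        # password: the "override" described in the Q&A answer above.
        return self.transport("POST", f"{self.base}/Accounts/{account_id}/Reconcile",
                              self._headers(), None)


def onboard_findings(client: PvwaClient, findings: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Create each account, then queue Change or Reconcile; returns (id, action) pairs."""
    results = []
    for finding in findings:
        created = client.add_account(build_onboard_payload(finding))
        action = "Change" if finding["password_known"] else "Reconcile"
        (client.change_now if action == "Change" else client.reconcile_now)(created["id"])
        results.append((created["id"], action))
    return results


def fake_transport_factory():
    """Offline stand-in for PVWA (constructed) so the example runs without a Vault."""
    state = {"next": 1, "accounts": {}, "actions": []}
    token = "constructed-session-token"

    def transport(method, url, headers, body):
        if url.endswith("/auth/Cyberark/Logon"):
            return token
        if headers.get("Authorization") != token:
            raise PermissionError("request without a valid session token")
        if url.endswith("/Accounts"):
            acct_id = f"{state['next']}_1"  # constructed id, mimics "<safe>_<n>" form
            state["next"] += 1
            state["accounts"][acct_id] = body
            return {**body, "id": acct_id}
        state["actions"].append((url.rsplit("/", 2)[-2], url.rsplit("/", 1)[-1]))
        return None
    return transport, state


if __name__ == "__main__":
    transport, state = fake_transport_factory()
    client = PvwaClient("https://pvwa.example.internal", transport)
    client.logon("svc_sap_onboard", "<service-account-password-placeholder>")
    for acct_id, action in onboard_findings(client, SCANNER_FINDINGS):
        print(acct_id, action, state["accounts"][acct_id]["name"])
```

Swap `fake_transport_factory()` for `urllib_transport` to run against a real PVWA; the DDIC account in client 000 is onboarded without a secret and goes straight to Reconcile, which only succeeds if the SAP platform has a reconcile account configured, which is the point of the answer above.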
Editor’s Note: These responses have been edited for clarity and brevity. Have additional questions about protecting your ERP applications and systems? Check out the following resources or get in touch with us.