New capabilities from Onapsis are aimed at enabling customers to assess security for and protect SAP Business Technology Platform from configuration and other vulnerabilities.
Cybersecurity vendor Onapsis is expanding capabilities in its SAP security products to target SAP Business Technology Platform environments.
The newly released Onapsis Defend for SAP BTP monitors behaviors inside the BTP development and integration system, looking for threat actor behavior, attacks and abuse, according to Onapsis. It offers real-time alerts for configuration changes and permission assignments, monitors user access authorizations and privileges, and integrates with security information and event management as well as security orchestration, automation and response systems.
Onapsis also updated its Assess for SAP BTP, which was released in March and is aimed at providing visibility into the risks and vulnerabilities of SAP BTP environments. This includes monitoring user accounts and assessing BTP configurations against SAP baseline and BTP security recommendations, as well as Onapsis Research Labs guidelines. Onapsis Assess is getting its third major update and will include AI capabilities that provide BTP-specific insights and personalized, real-time SAP security guidance, according to the company.
"Assess is your checkup, Defend is your monitor," said Sadik Al-Abdulla, chief product officer at Onapsis.
There are potential vulnerabilities as SAP customers move from on-premises legacy systems to cloud environments via Rise with SAP, including SAP BTP, Al-Abdulla said.
"An on-premises SAP ERP system was one of a customer's most important applications, but it was also in the data center behind firewalls that was hard to get to," Al-Abdulla said. "The core SAP business functions and data are more accessible because SAP BTP directly integrates into a cloud service."
SAP customers that move to the cloud are no longer responsible for patching their systems, he said. However, this doesn't mean customers are inherently secure, as this also depends on how BTP is configured. As an integration platform, BTP inherently has many points of activity, many of which aren't used.
"If you turn on an anonymous interface, if you have a permissions issue, if you don't lock down APIs -- that can be a security problem," Al-Abdulla said. "There's a huge amount of the system configuration that continues to be a customer responsibility system and managing the security and vulnerabilities there."
The engine of Defend for SAP BTP contains two core elements: a deterministic-rules base with thousands of rules that identify specific attacks, vulnerabilities and exploits; and an AI-based heuristics engine that identifies bad behavior, he said. This enables users to identify and flag anomalous user activity, for example.
SAP security a cloud move hurdle
SAP customers are aware of the vulnerabilities of moving to the cloud and using BTP for integrations, according to Holger Mueller, an analyst at Constellation Research.
Concerns about security, complexity and change are the biggest technical hurdles that SAP faces to convince customers to move to the cloud on the technical side, along with the lack of value proposition and incomplete automation on the business side, Mueller said.
"Partners [like Onapsis] can help assess and reduce the concerns," he said. "The irony is that cloud complexity is lower than the on-premises complexity, but SAP customers are used to managing that for decades, so changing the comfort factor is a huge driver."
Onapsis is an established SAP security vendor, so customers would do well to look at its products for SAP BTP, according to Jon Reed, analyst and co-founder of Diginomica, an enterprise industry analysis firm.
SAP customers are likely aware that cloud- and BTP-type development pose different security issues than on-premises environments -- the problem is how to address it, Reed said.
A good CISO understands cloud security inside and out and should be able to evaluate cloud security both inside and outside of SAP.
Jon ReedAnalyst and co-founder, Diginomica
SAP environments have different kinds of risks that need to be taken into account, he said. On-premises security risks include anything from older systems that may be missing security updates to on-site sabotage, while cloud systems and BTP include other vulnerabilities.
"A good CISO understands cloud security inside and out and should be able to evaluate cloud security both inside and outside of SAP," Reed said.
The best course of action for SAP customers that have security questions is to consult with an SAP security specialist that's up to speed on BTP, APIs and cloud security, he said.
Jim O'Donnell is a senior news writer for TechTarget Editorial who covers ERP and other enterprise applications.
