Welcome to Soteria SAP cyber security

members of the UK Cyber Security forum

Soteria is the only UK company which concentrates solely on SAP cyber security, governance and compliance. That’s all we do! We protect SAP ® environments from cyber-dependent crime (e.g. DDoS, malware and sabotage), and we protect against cyber-enabled crime: fraud, theft, espionage, blackmail and coercion.

SAP ® systems are a prime target for cyber criminals, and the reasons are obvious: over 75% of FTSE 100 companies use SAP ®, and SAP ® systems typically hold your employee, customer and financial data. They also frequently hold credit card transaction data, intellectual property, price lists, vendor records, business plans, and much more.

Hackers are adept at getting through firewalls; they can hide from Intrusion Detection / Prevention Systems and from other network devices such as routers and switches. Once on your network they can sniff traffic, quickly break weak SAP ® passwords and access SAP ® systems, often as administrators, at which point they hold the keys to the kingdom. SAP ® systems have been web enabled for a little over a decade.

Many of the tried and tested ERP systems were not built with cyber security in mind, and so have been retrospectively adapted for web integration.

Soteria Healthcheck

Information Security Compliance Assistance

The Complexities of Compliance

Soteria can help guide organisations through the complexities of information security compliance and data privacy assurance. This is a complex area: there are many threats and risks in the cyber environment, and most organisations must also grapple with multiple compliance requirements. Some examples include listing requirements (SOX, J-SOX), industry requirements (GMP, MAS 634, HIPAA and GLBA), data privacy and internal-control requirements (GDPR, SOX s404), information security standards (ISO 27001, FISMA, COBIT), audit requirements (SAS 70, AGS8) and at times other frameworks such as ITIL, PMP and CMM.

It is difficult for any organisation to navigate this compliance maze. Organisations often end up duplicating their compliance efforts without achieving a sustainable compliance process. Soteria adopt a risk-based approach to determine the scope and aid compliance with any defined regime.

The need for compliance

In many cases, compliance with an industry or listing requirement is not optional; it is a prerequisite of doing business. Even non-mandatory compliance with information security standards, and a demonstrable application of data privacy controls, help build customer confidence and demonstrate the maturity of your business and IT processes.

How Soteria can help

Soteria provide assistance in designing and implementing IT processes and controls to achieve compliance with various standards. We can align your business processes and SAP configuration settings with organisational policies. Our approach is based on our understanding of best practice in IT process and controls.

A company’s IT security policy should specify mandatory software requirements for things such as minimum password length, password strength, number of password fails allowed before account lockout, etc.  These requirements should be followed by all applications, and SAP is no exception.  In SAP, these settings are configurable and can be controlled using system parameters and by adoption of our Baseline Security Configuration.

Soteria perform a Compliance Gap Analysis and a Risk Identification exercise as part of every engagement. This lets us build on existing IT processes and controls and minimise the changes required to achieve compliance. We are specialists in many compliance standards and strive to provide an efficient, cost-effective compliance pathway.

Security architecture & project management

Soteria offer Security Project Management and independent Security Architecture services for SAP ® products. We can help define the scope, project plan and resource requirements for your security implementation.

Soteria Security Baseline

Soteria Security Baseline is a rigorous and comprehensive inspection of your SAP ® system landscape and configuration, across your IT estate. We examine configuration across all of the SAP ® technology stack and carry out a thorough examination of your SAP cyber security.

Soteria Layered Defence

Soteria Layered Defence walks you through all aspects of your corporate security, and we can provide consultancy for working towards PCI DSS, ISO 27000 series, COBIT 5 or NIST compliance.

SAP HANA® Security

Security Configuration for use with SAP HANA ® walks you through the comprehensive security settings and options which are standard within SAP HANA ®, ensuring your enterprise achieves the best balance of performance and security.

SAP® Mobile Security

Security Configuration for SAP ® Mobile applications reviews security policy as it relates to SAP ®-connected mobile devices. We analyse and address the security risks specific to mobile devices and their data communication requirements. We also review the new trends being adopted in mobile applications and suggest security measures to close vulnerabilities where required.

ERPScan

Soteria have partnered with ERPScan to integrate their Security Monitoring Suite into our SAP Security and Privacy service offerings.

Fancy hitting the headlines?

TalkTalk, Ashley Madison and Fiat Chrysler didn’t. According to Investor weekly, “80% of investors would avoid firms which had a history of cyber-attacks”.

How safe are ERP Systems?

SAP ® systems have traditionally sat behind the network firewall and have been considered ‘internal’ systems, subject only to back-office access and authorisation restrictions. This old model of SAP ® security is no longer sufficient, as the threat landscape has become increasingly complicated. It is no longer only the insider threat that needs to be addressed, as SAP ® has shifted towards web-enabled services and adopted open protocols, code and standards. In addition, the SAP Business Suite ® (ERP, CRM, SRM, SCM and PLM) has grown in number and complexity and is routinely linked to multiple proprietary systems connected through the internet.

Terms such as ‘DDoS’, ‘cross-site scripting’, ‘phishing’ and ‘man-in-the-middle attack’ have entered the popular vocabulary. The Open Web Application Security Project (OWASP) identifies the most critical risks facing web applications. We review and reference the OWASP Top 10 as part of our core services.

The fact that SAP ® is so ubiquitous means that standard vulnerabilities and attack vectors are known to large populations. There is also an ever-growing global community with good SAP ® skills; some wear white hats, others black. Freely available open source tools can identify SAP ® systems and their IP addresses, and free password crackers can recover passwords from weak or legacy SAP ® hash formats in seconds. SAP ® protocols such as DIAG and RFC are typically not inspected by the most common firewalls, administrator accounts are very often reachable by determined hackers, and the standard delivered privileged accounts (SAP*, DDIC, EARLYWATCH and SAPCPIC are the well-known examples) ship with default passwords that are trivial to find out.
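As an added example (not Soteria's tooling and not code from this page), the following Python checker reads SAP NetWeaver profile files and reports where the effective login/* password-policy parameters fall short of a baseline. It serves both the password-policy paragraph under Information Security Compliance Assistance (minimum length, complexity, lockout) and the two points just above about crackable legacy hashes (login/password_downwards_compatibility) and the standard SAP* account (login/no_automatic_user_sapstar). The parameter names are the real profile parameters; the kernel defaults are the documented ones and are assumed unchanged in your release; the baseline thresholds and the two profile excerpts are constructed for illustration, not an SAP or Soteria recommendation.

```python
"""Baseline check of SAP NetWeaver password-policy profile parameters.

Added example, not Soteria's tooling. Parameter names are the real
login/* profile parameters; the kernel defaults are the documented ones
(assumption: unchanged in your release) and the baseline thresholds are
illustrative, not an SAP or Soteria recommendation.
"""
import re
from typing import Dict, List, Tuple

# A profile line is "name = value"; '#' begins a comment. Names are case-sensitive.
_PARAM_RE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")

# Values that apply when a parameter appears in no profile at all.
KERNEL_DEFAULTS: Dict[str, str] = {
    "login/min_password_lng": "6",
    "login/min_password_digits": "0",
    "login/min_password_letters": "0",
    "login/min_password_specials": "0",
    "login/fails_to_user_lock": "5",
    "login/fails_to_session_end": "3",
    "login/password_expiration_time": "0",        # 0 = passwords never expire
    "login/password_history_size": "5",
    "login/password_downwards_compatibility": "1",  # 1 = old, weak hash formats still stored
    "login/no_automatic_user_sapstar": "0",       # 0 = hard-coded SAP* login works if its user record is missing
}

# Illustrative baseline: (rule, threshold). Rules: "min" value >= t,
# "max" value <= t, "eq" value == t, "range" lo <= value <= hi.
BASELINE: Dict[str, Tuple[str, object]] = {
    "login/min_password_lng": ("min", 12),
    "login/min_password_digits": ("min", 1),
    "login/min_password_letters": ("min", 1),
    "login/min_password_specials": ("min", 1),
    "login/fails_to_user_lock": ("max", 5),
    "login/fails_to_session_end": ("max", 3),
    "login/password_expiration_time": ("range", (1, 90)),
    "login/password_history_size": ("min", 5),
    "login/password_downwards_compatibility": ("eq", 0),
    "login/no_automatic_user_sapstar": ("eq", 1),
}


def parse_profile(text: str) -> Dict[str, str]:
    """Parse one profile file; a parameter set twice keeps the last value."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _PARAM_RE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params


def effective_parameters(*profiles: Dict[str, str]) -> Dict[str, str]:
    """Merge in precedence order: kernel default < DEFAULT.PFL < instance profile.

    Pass the profiles in that order; a later dict overrides an earlier one,
    which is how the instance profile wins over DEFAULT.PFL on a real system.
    """
    merged = dict(KERNEL_DEFAULTS)
    for profile in profiles:
        merged.update(profile)
    return merged


def _satisfies(rule: str, threshold, value: int) -> bool:
    if rule == "min":
        return value >= threshold
    if rule == "max":
        return value <= threshold
    if rule == "eq":
        return value == threshold
    if rule == "range":
        low, high = threshold
        return low <= value <= high
    raise ValueError(f"unknown rule {rule!r}")


def check_baseline(params: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (parameter, effective value, expectation) for every violation."""
    findings: List[Tuple[str, str, str]] = []
    for name, (rule, threshold) in BASELINE.items():
        raw = params.get(name)
        expectation = f"{rule} {threshold}"
        if raw is None:
            findings.append((name, "<unset>", expectation))
            continue
        try:
            value = int(raw)
        except ValueError:
            # Non-numeric (e.g. an unexpanded $(...) reference): flag it for a human.
            findings.append((name, raw, "numeric, " + expectation))
            continue
        if not _satisfies(rule, threshold, value):
            findings.append((name, raw, expectation))
    return findings


# Constructed profile excerpts for the demonstration; not from a real system.
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed)
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/fails_to_user_lock = 12
login/password_expiration_time = 0
login/password_downwards_compatibility = 1
"""

INSTANCE_PFL = """\
# PRD_DVEBMGS00_host (constructed): overrides DEFAULT.PFL
login/min_password_lng = 12
login/min_password_digits = 1
login/min_password_letters = 1
login/min_password_specials = 1
login/no_automatic_user_sapstar = 1
"""

if __name__ == "__main__":
    effective = effective_parameters(parse_profile(DEFAULT_PFL), parse_profile(INSTANCE_PFL))
    for name, value, expected in check_baseline(effective):
        print(f"FAIL {name} = {value} (expected {expected})")
```

On a real system, pass the contents of DEFAULT.PFL and the instance profile in that order so that precedence is modelled correctly, and confirm the values the running instance actually uses with transaction RZ11 or report RSPARAM: a profile edit only takes effect after the instance restarts, so a clean profile on disk does not yet mean a clean system.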

How do we do what we do?

We work with the business to define the security risks and requirements; Soteria then set up and configure the standard SAP ® security tools to protect and monitor your assets.

We provide the following services:

Soteria addresses the external cyber threats to your SAP ® landscape and protects against potential internal malign forces, adopting an access control policy of least privilege and need-to-know across all system and user accounts.

Soteria Services
  • SAP GRC – Implementation Frameworks

    Meeting Governance, Risk and Compliance (GRC) requirements can prove to be a very costly, time-consuming and material distraction from the core business activities of most organisations. Often a high investment does not provide the requisite information for senior management to be entirely comfortable with the......

  • PCI, and how to demonstrate due-diligence.

    For many organisations cyber security is an abstract concept that ranks low on the IT department priority list behind the necessary daily tasks of keeping the business running. Whilst PCI compliance is not a legal requirement in the UK, it might as well be; without......