Protecting Critical Business Systems: Five SAP Use Cases Protected by CyberArk

Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

In November, we wrote a blog about the “7 types of privileged accounts you should know” to highlight potential privilege-related security risks. Today, we are spotlighting  five powerful user accounts frequently found in SAP environments. These accounts are all created during the installation process when using SAP NetWeaver Application Server for ABAP and/or Java.  The accounts can be centrally secured and managed by the CyberArk Privileged Access Security Solution.

  1. SAP*: Also known as SAP system super users, these accounts have sweeping access across SAP systems and are created in all clients immediately upon installation. These accounts need to be manually deactivated in all clients and added to a “SUPER” group, so that only authorized administrators can make changes. CyberArk helps to vault related credentials in an encrypted repository, making sure that even those authorized to make changes to this super group are indeed the only ones able to do so. If these credentials aren’t locked down, malicious actors can potentially achieve unlimited access to the data stored in the system.
  1. DDIC (Data Dictionary): DDIC users have special authorizations for installation, software logistics and the ABAP dictionary. The SAP installer assigns the default password for DDIC users that is designated as the master password during installation. In order to make sure that things run smoothly, DDIC requires authorizations for SAP_ALL during an installation or upgrade and is then locked afterwards. To account for human error, the CyberArk Privileged Access Security Solution allows for automatic rotation of vaulted accounts and can change passwords immediately upon use, removing the required manual authorization process.
  1. EarlyWatch: EarlyWatch is an automatic service that monitors essential administrative areas of an SAP system and is most effective when activated for all SAP components in the stack. Because of the sweeping access that these accounts require, it is crucial to detect, analyze, and when necessary, remediate attempts to access these accounts, something that CyberArk Privileged Threat Analytics can help with. These accounts also need to be provisioned in the SUPER group, so that only authorized users can change the passwords. With a central repository to manage and secure privileged credentials, SAP admins can dramatically reduce risks of privileged credential compromise.
  1. SAPCPIC (Common Programming Interface for Communications): CPIC accounts are used for remote connections to legacy SAP systems (4.5 and older). These accounts are mostly leveraged in Electronic Data Interchanges and have access to the S_A.CPIC profile. Malicious users can remotely execute Request for Comments or create dialog users with any privileges to enter the system and obtain unlimited amounts of information. These accounts can be deleted if unneeded, but additional actions need to be taken if the account is also necessary to change the default password. In this case, access is only granted if required — and related policies can be easily configured out of box with the CyberArk Privileged Access Security solution.
  1. TMSADM: During installation, a master password is set for TMSADM users for Transport Management Systems. This password is automatically set as a default, and it needs to be manually changed. SAP’s recommended best practice is to change the default password for TMASDM users, but this again requires levels of manual attention that can be forgotten or bypassed. The CyberArk Privileged Access Security Solution can also be leveraged to vault these accounts, automatically create complex passwords and rotate them based on policy.

Only CyberArk enables this level of comprehensive discovery, onboarding and management of privileged SAP accounts and credentials. For example, it’s a best practice to require the powerful users in SAP environments to verify their identities in order to access these accounts, and CyberArk can be used to validate and rotate credentials to ensure appropriate access. SAP has a set of security best practices specific to their applications and systems that organizations utilize, and with this certified integration, enterprises can be confident that this critical layer of security – privileged access security — is extended throughout the network.

Find additional information on the SAP Certified Apps Directory and the CyberArk Marketplace (search ‘SAP’ in the search field for all available integrations).

The post Protecting Critical Business Systems: Five SAP Use Cases Protected by CyberArk appeared first on CyberArk.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
About CyberArk
CyberArk is the only security company that proactively stops the most advanced cyber threats – those that exploit insider privileges to attack the heart of the enterprise. The company has pioneered a new category of targeted security solutions to lock down privileged accounts and protect against cyber threats before attacks can escalate and do irreparable business damage. CyberArk is trusted by the world’s leading companies – including more than 40 of the Fortune 100 – to protect their highest value information assets, infrastructure and applications, while ensuring tight regulatory compliance and audit requirements.
Promoted Content
Advanced cyber attacks involve compromised privileged accounts. Cyber attackers target them because they represent the keys to the IT kingdom. Effective enterprise security includes proactively protecting privileged accounts. Industry experts have identified practices that increase an organization’s vulnerability to a cyber attack. How many of these are common at your organization?

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?