
The "S" in SAP Doesn't Stand for Security (that goes for PeopleSoft too)

Written By: M. Reed
Published On: December 8, 1999

Event Summary

During the course of product evaluations for a customer, the Technology Evaluation Center has uncovered a potential security hole in SAP R/3's three-tier architecture. SAP has revealed that it expects the database or third party products to handle security between the application server and the database server. If the client does not take these extra measures, the master password for the SAP database instance travels over the network in the clear, and can be captured. PeopleSoft has the same issue.

The original answer to TEC's questions to Dr. Peter Barth, Technology Marketing Manager for SAP AG in Walldorf, Germany, was "With all the customers using SAP R/3, I have never heard this question before. We will have to investigate it further."

Further investigation by Walldorf revealed the following response: "For the connection between database and application server, SAP supports security standards provided by the database as well as open interfaces to external security products. Typically, database-specific features - from e.g. Oracle, MS SQL, etc. - are used to protect initial logon. In case the data transfer also needs to be secure, either database-specific or database-independent security mechanisms can be used. However, note that SAP advises to use a separate, internal subnet in the networking environment. Thus, if it is physically impossible to sniff, the security mechanisms are not mandatory. Note that application server and database server are expected to be in a LAN environment and not connected via WAN or open Internet connection to the outside world (Only the presentation client should be used over WAN and open Internet connection; here security can be achieved by various means (e.g., PKI infrastructure))."

SAP states that their Secure Network Communications Interface (BC-SNC) has the following certified interfaces: CyberSafe (TrustBroker Security Solution for R/3), Entrust/PKI, Platinum Technology (Computer Associates) Single Sign On, Seclude Sicherheitstechnologie Informationssysteme Seclude for R/3, and Security Dynamics Technology Keon Agent for R/3. They state "SAP has decided not to include cryptographic modules in its own software. Instead, external products can be integrated."

Market Impact

TEC feels that this approach to security is inadequate. Our customer was not informed that this was an issue (note SAP said they had never heard the question before). Even though SAP explicitly recommends that R/3 users put the database and application servers on a separate, internal subnet, our fear is that a customer will fail to install a third party security product, and make it possible for a disgruntled employee to "sniff" (examine packets travelling over the network) the ID and password that "own" the SAP instance. In the case of PeopleSoft, the traffic between the client and the application server is secured via encryption, but the same problem with lack of encryption exists between the application server and the database server.

User Recommendations

Customers using either SAP or PeopleSoft in a three-tier configuration should be very careful to employ a third-party encryption product that has been certified by the ERP vendor. In the absence of this, or of a secure database client (e.g., Secure Oracle), a serious security breach could occur.
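The recommendation above, together with SAP's own position (encryption is optional only when the application and database servers share an isolated internal subnet), can be turned into a simple audit rule. The following Python script is an added example, not code from TEC, SAP or PeopleSoft: it reads constructed sample records of application-server-to-database sessions (source address, database address, port, whether the link is encrypted, logon account), and rates each one. An encrypted link is acceptable; a cleartext link confined to the dedicated subnet is flagged as a warning, since the insider sniffing risk described above remains; a cleartext link that crosses a shared network is rated critical, because the instance-owning credentials are exposed. The subnet, log format and field names are assumptions for the example.

```python
"""
Audit check for the three-tier risk discussed on this page: cleartext
application-server-to-database logons.  All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the customer's dedicated app/DB subnet (constructed value).
INTERNAL_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# Constructed sample records, one session per line:
# app_server,db_server,db_port,encrypted,db_user
SAMPLE_LOG = """\
# constructed sample: app_server,db_server,db_port,encrypted,db_user
10.20.0.11,10.20.0.50,1521,yes,SAPR3
10.20.0.12,10.20.0.50,1521,no,SAPR3
192.168.5.7,10.20.0.50,1521,no,SAPR3
10.20.0.13,10.20.0.51,1433,no,sa
"""

SEVERITY_ORDER = {"CRITICAL": 0, "WARN": 1, "OK": 2}


@dataclass(frozen=True)
class DbConnection:
    """One observed app-server-to-DB session (assumed record layout)."""
    app_server: str   # address of the application server
    db_server: str    # address of the database server
    db_port: int
    encrypted: bool   # True if a DB client or third-party product encrypts the link
    db_user: str      # account used for the logon (the instance owner is the worst case)


def parse_log(text: str):
    """Yield DbConnection objects from the comma-separated sample format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        app, db, port, enc, user = (f.strip() for f in line.split(","))
        yield DbConnection(app, db, int(port), enc.lower() in ("yes", "true", "1"), user)


def on_internal_subnet(addr: str, subnet=INTERNAL_SUBNET) -> bool:
    """True if the address lies inside the dedicated app/DB subnet."""
    return ipaddress.ip_address(addr) in subnet


def assess(conn: DbConnection) -> str:
    """Rate one session: OK, WARN (cleartext but isolated) or CRITICAL."""
    if conn.encrypted:
        return "OK"
    both_internal = on_internal_subnet(conn.app_server) and on_internal_subnet(conn.db_server)
    if both_internal:
        # Matches SAP's stated minimum; an insider on that subnet can still sniff.
        return "WARN"
    # Cleartext credentials crossing a shared or untrusted network segment.
    return "CRITICAL"


def audit(connections):
    """Return (connection, verdict) pairs for every non-OK session, worst first."""
    findings = [(c, assess(c)) for c in connections]
    findings = [(c, v) for c, v in findings if v != "OK"]
    findings.sort(key=lambda cv: SEVERITY_ORDER[cv[1]])  # stable: keeps log order within a level
    return findings


if __name__ == "__main__":
    for conn, verdict in audit(parse_log(SAMPLE_LOG)):
        enc = "encrypted" if conn.encrypted else "CLEARTEXT"
        print(f"{verdict:8} {conn.app_server} -> {conn.db_server}:{conn.db_port} "
              f"user={conn.db_user} ({enc})")
```

The same rule applies unchanged to PeopleSoft, since the page notes that its client-to-application-server leg is encrypted while the application-server-to-database leg is not; only the database port and account names in the records would differ.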


©2014 Technology Evaluation Centers Inc. All rights reserved.