Episode #273
Introduction
In episode 273 of our SAP on Azure video podcast we talk about Infrastructure Security.
In the past few weeks we had a lot of discussions around SAP and security. We talked about application protection and already had partners that we collaborate with on the show. Today we want to take another look – this time more on the infrastructure. For this I am glad to have Cameron back with us.
Find all the links mentioned here: https://www.saponazurepodcast.de/episode273
Reach out to us for any feedback / questions:
- Goran Condric: https://www.linkedin.com/in/gorancondric/
- Holger Bruchelt: https://www.linkedin.com/in/holger-bruchelt/
#Microsoft #SAP #Azure #SAPonAzure #Security #Infrastructure
Summary created by AI
- Comprehensive SAP Security Strategy Overview:
  - Cameron Gardiner, joined by Goran and Holger, provided an in-depth overview of the new Microsoft documentation on SAP security strategy, emphasizing the need for a multi-layered approach and referencing recent high-profile security incidents to illustrate the evolving threat landscape.
  - Evolving Threat Landscape: Cameron explained that traditional methods of isolating SAP systems are no longer sufficient due to sophisticated, fileless threats, such as malware hidden in Windows event logs, and highlighted the need for organizations to plan for both pre-breach hardening and post-breach detection and response.
  - Documentation Purpose and Scope: Cameron described the new documentation as a starting point for customers, providing a minimum security checklist while acknowledging that security measures must be tailored to each organization's operational needs to avoid hindering system refreshes or disaster recovery processes.
  - Zero Trust and Security Domains: The team discussed the importance of adopting the Microsoft Zero Trust architecture and outlined the main security domains covered in the documentation, including identity management, audit logging, SIEM/SOAR integration, antivirus, encryption, and OS and infrastructure hardening.
  - Recent Security Incidents: Cameron referenced a recent attack on a UK car manufacturer, demonstrating how attackers chain multiple vulnerabilities, including SAP-specific ones, and stressed the severe consequences of inadequate security, such as operational disruption and financial loss.
- Defender for Endpoint and Antivirus Best Practices:
  - Cameron detailed the deployment and operational best practices for Microsoft Defender for Endpoint across SAP environments, emphasizing its readiness for all major platforms and the importance of comprehensive endpoint protection, with Goran and Holger contributing practical insights.
  - Deployment Coverage: Cameron stated that Defender for Endpoint is fully supported and benchmarked for SAP workloads on Windows, Linux, HANA, Oracle, and DB2, and should be deployed on all endpoints so that attackers cannot pivot through unprotected systems.
  - Operational Considerations: He noted that while Defender is robust, certain scenarios, such as SAP mount directories with extremely large file counts, may require special attention, and any issues encountered should be reported for resolution.
  - Custom Detection Rules: Cameron described the creation of custom hunting rules to monitor and alert on dangerous SAP functionalities, such as external command execution via SAPXPG, and recommended collaboration between SAP BASIS and security teams to manage these risks.
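To make the "custom hunting rule for SAPXPG" point concrete, here is an added example (not from the podcast, the Microsoft documentation, or any Microsoft/SAP product) of the detection logic such a rule would encode, run over a few constructed log lines. The function module names SXPG_CALL_SYSTEM and SXPG_COMMAND_EXECUTE and the transactions SM69/SM49 are real SAP names; the pipe-separated log format, the approved-command list and the sample users are assumptions made up for the example.

```python
from dataclasses import dataclass

# Function modules behind the SAPXPG external command mechanism.
# SXPG_CALL_SYSTEM runs an arbitrary OS command; SXPG_COMMAND_EXECUTE runs a
# command that BASIS has defined in SM69, so its risk depends on the definition.
ARBITRARY_EXEC = {"SXPG_CALL_SYSTEM"}
DEFINED_EXEC = {"SXPG_COMMAND_EXECUTE"}
# Transactions that maintain (SM69) or test (SM49) external commands.
MAINTENANCE_TCODES = {"SM69", "SM49"}

# Hypothetical allowlist agreed between BASIS and security (assumption).
APPROVED_COMMANDS = {"ZBACKUP_DB", "ZLIST_DIR"}

# Constructed sample lines (not real SAP Security Audit Log output) in an
# assumed export format:  time|system|user|event|key=value;key=value
SAMPLE_LOG = """\
2024-05-01T10:00:01|PRD|BATCH01|RFC_CALL|function=SXPG_COMMAND_EXECUTE;command=ZBACKUP_DB
2024-05-01T10:00:05|PRD|USER17|RFC_CALL|function=RFC_PING
2024-05-01T10:01:10|PRD|USER17|RFC_CALL|function=SXPG_CALL_SYSTEM;params=uname -a
2024-05-01T10:02:00|PRD|BASISADM|TRANSACTION|tcode=SM69
2024-05-01T10:02:30|PRD|USER42|RFC_CALL|function=SXPG_COMMAND_EXECUTE;command=ZDUMP_ALL
"""


@dataclass
class Alert:
    severity: str   # HIGH, MEDIUM or INFO
    user: str
    reason: str


def parse_line(line):
    """Split one export line into a dict of fixed columns plus key=value fields."""
    time, system, user, event, *rest = line.split("|", 4)
    rec = {"time": time, "system": system, "user": user, "event": event}
    if rest:
        for kv in rest[0].split(";"):
            if "=" in kv:
                key, value = kv.split("=", 1)
                rec[key] = value
    return rec


def detect(log_text, approved=APPROVED_COMMANDS):
    """Return the alerts a SAPXPG hunting rule would raise for these lines."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["event"] == "RFC_CALL":
            fn = rec.get("function", "")
            if fn in ARBITRARY_EXEC:
                # Any call is worth an alert: the caller chose the OS command.
                alerts.append(Alert("HIGH", rec["user"],
                                    f"{fn} ran an arbitrary OS command: {rec.get('params', '')!r}"))
            elif fn in DEFINED_EXEC:
                cmd = rec.get("command", "")
                if cmd not in approved:
                    alerts.append(Alert("HIGH", rec["user"],
                                        f"{fn} ran a non-approved external command {cmd!r}"))
                else:
                    # Approved commands are still recorded for audit trails.
                    alerts.append(Alert("INFO", rec["user"],
                                        f"{fn} ran approved command {cmd!r}"))
        elif rec["event"] == "TRANSACTION" and rec.get("tcode") in MAINTENANCE_TCODES:
            # Changing the external command definitions is how an approved
            # command becomes dangerous, so maintenance is tracked too.
            alerts.append(Alert("MEDIUM", rec["user"],
                                f"external command maintenance transaction {rec['tcode']} started"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.user}: {alert.reason}")
```

The split between "arbitrary command" and "defined command not on the allowlist" is the part to agree with the BASIS team: the allowlist is what turns a noisy rule into an actionable one.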
- Database Encryption and Key Management:
  - Cameron, with input from Goran and Holger, discussed the critical role of Transparent Data Encryption (TDE) and Azure Key Vault in protecting SAP database backups and credentials, addressing platform-specific capabilities and limitations.
  - TDE Implementation and Performance: Cameron recommended enabling TDE for all SAP databases, noting minimal performance overhead (0-2%) on HANA and SQL Server, and no negative feedback for Oracle and DB2, with modern CPUs handling encryption efficiently.
  - Key Storage Practices: He explained that while SQL Server integrates TDE keys with Azure Key Vault, HANA currently lacks support for HSM or Key Vault storage, and Oracle/DB2 can use PKCS#11-compliant HSMs, advising customers to monitor for future updates.
  - Password and Secret Management: Cameron advised storing all operating system, DBMS, and application passwords in Azure Key Vault, and using certificates for Linux systems to enhance security.
- Operating System and Infrastructure Hardening:
  - Cameron provided detailed guidance on hardening both Linux and Windows environments for SAP, including recommendations for VM generation, secure boot, repository management, and privilege minimization, with Goran and Holger clarifying practical implications.
  - Linux Hardening: Cameron recommended using Generation 2 VMs with Secure Boot, limiting third-party repositories, disabling password sign-in, and adopting managed identities for Pacemaker clusters, while noting the upcoming mainstream adoption of SELinux in Red Hat releases.
  - Windows Hardening: He emphasized the importance of ensuring the SAP service SID is not an administrator, configuring firewalls and SMB encryption via Group Policy, and minimizing third-party software installations.
  - VM Generation and Trusted Launch: Cameron urged customers to migrate from Generation 1 to Generation 2 VMs with Trusted Launch for enhanced security and future-proofing, acknowledging the complexity of migration for some platforms.
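The "disable password sign-in" item in the Linux hardening list is the kind of setting that drifts back after a system refresh, so it is worth checking automatically. The following is an added example (not from the podcast or from Microsoft documentation) of a small audit of the relevant OpenSSH server keywords, shown against a constructed weak configuration and a constructed hardened one; the keyword names and their defaults (PasswordAuthentication and KbdInteractiveAuthentication default to yes, PermitRootLogin to prohibit-password) are real OpenSSH behaviour, while the two config texts are made up for the example.

```python
import os
import re

# Constructed sshd_config texts (assumptions, not taken from any real host).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes        # password sign-in still allowed
Match User backupsvc
    PasswordAuthentication no     # only conditional, does not fix the global setting
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""


def effective_settings(config_text):
    """Return the global value sshd would use for each keyword.

    sshd keeps the first value it reads for a keyword, and anything after the
    first Match block only applies when that block's condition holds, so the
    scan stops there.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"\s+|=", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)           # first value wins
    return settings


def audit_sshd(config_text):
    """Return a list of findings; an empty list means password sign-in is off."""
    s = effective_settings(config_text)
    findings = []
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no': password sign-in is allowed")
    # Keyboard-interactive auth usually ends up at PAM, i.e. a password prompt.
    # ChallengeResponseAuthentication is the older alias for the same setting.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': interactive password prompts remain")
    if s.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    return findings


def audit_file(path="/etc/ssh/sshd_config"):
    """Audit a real sshd_config if present; drop-in files under sshd_config.d are not merged here."""
    with open(path, encoding="utf-8") as fh:
        return audit_sshd(fh.read())


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "->", audit_sshd(text) or "no findings")
    if os.path.exists("/etc/ssh/sshd_config"):
        print("this host ->", audit_file() or "no findings")
```

The Match block in the weak sample is deliberate: a conditional `PasswordAuthentication no` for one user is easy to mistake for a global setting when reading the file by eye, which is exactly what the parser refuses to do.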
- Ransomware Protection and Immutable Storage:
  - Cameron highlighted the necessity of using Azure immutable vaults and WORM storage for SAP backups to defend against ransomware, and discussed practical backup strategies and configuration options with Goran and Holger.
  - Immutable Backup Strategies: Cameron recommended configuring Azure Backup with immutable storage policies, such as requiring a PIN or MFA for modifications, and suggested at least weekly immutable backups if daily is not feasible.
  - Ransomware Incident Examples: He referenced real-world ransomware incidents affecting SAP customers in the Asia Pacific region, underscoring the importance of immutable storage and regular backup validation.
- SAP Security Notes and Vulnerability Management:
  - Cameron explained the importance of monitoring SAP Security Notes, acting promptly on high CVE scores, and leveraging available notifications and mitigations, with Holger and Goran reinforcing the need for continuous vigilance.
  - Security Note Monitoring: Cameron advised customers to check the SAP Security Notes released monthly, filter for CVE scores above 9, and apply relevant patches or mitigations to development, QA, and production environments as quickly as possible.
  - Application Layer Security: He stressed that hardening infrastructure is insufficient if application-level vulnerabilities remain, and recommended not overlooking SAP application layer notes.
- 0:00 Intro
- 2:10 Introducing Cameron Gardiner
- 4:20 Security with SAP
- 7:15 Impact of security holes
- 8:45 Looking at Secure Azure infrastructure for SAP applications
- 11:47 Deployment Checklist
- 15:40 Defender for Endpoint
- 17:18 Defender XDR
- 19:23 Microsoft Sentinel for SAP
- 20:00 Database-level encryption - TDE and backup encryption
- 21:40 Key management
- 22:50 OS hardening
- 24:05 SUSE, Red Hat and Oracle Linux
- 26:50 Windows operating system
- 29:40 Azure infrastructure security
- 31:30 Encryption in transit
- 32:00 Encryption at host
- 33:06 Virtual network encryption
- 33:50 Intel Total Memory Encryption
- 36:00 Ransomware protection
- 39:00 SAP Security Notes
