When we look back to the birth of Enterprise Resource Planning (ERP) we must include SAP as one of the early pioneers. However, the emphasis in those days was not on security, and the systems were little more than highly customized database management systems. Security was not a top priority and, indeed, that was the general attitude in the early days of large client-server systems. Compromising an ERP system then was not a particularly big deal if you could get physical access to the system. So SAP, like most ERP vendors, focused on separation of duties as its primary security control.
Indeed, that was a prevailing attitude throughout the industry. Security was not as important as performance and budgets supported that approach. An SAP system could cost in the millions of dollars with most of that money going to deployment and customization. Very little went for security. Times changed and security became a bigger issue, until today it is a huge industry by itself. Huge, except in ERP where many of the old attitudes persisted. That's the bad news.
The good news, particularly for this month's First Look, Onapsis, is that it addressed a market gap that needed to be filled. Today's attackers, like the bank robber Willie Sutton (allegedly), go where the money is, and the systems that hold that money need to be protected as never before. Onapsis drove a stake in the ground and became the go-to company for SAP security that goes well beyond separation of duties.
The Onapsis Security Platform (OSP) is a virtual appliance but it can operate in the cloud as well. One of the things we like about the OSP is that it is – on the surface, at least – a pretty simple system. The simplicity is in the way the tool interacts with users, though, not in what it does under the hood. We dropped into the main dashboard and got just what we expected: a top-level view of vulnerabilities, attack posture and compliance status. Across the top is the expected menu bar. It contains drop-downs for assets, assessments, detections and responses.
This sounds about as straightforward as it can get, but there is a lot going on that you don't see. For example, there is no need to run individual vulnerability scans because the platform continuously looks for and monitors vulnerabilities. If the OSP finds a new vulnerability, it raises an alarm and you can then address the new weakness. It integrates directly with other systems such as Splunk and QRadar. The point is that this is a continuously running monitoring and response tool that treats an ERP system exactly the way serious security platforms treat today's data centers, whether physical or virtual. That brings security home to systems that are sometimes treated as unique, arcane deployments that don't fit any security paradigm.
Setting up alarm profiles is equally straightforward and they can be updated just as easily. Policies are what you'd expect: clear, concise and tied closely to compliance. Everything is couched in business terms so that policies, compliance rules and consequences of an alarm are clear to management and auditors. You don't need to be a technologist to understand the results of day-to-day system security management.
Support is excellent as one would expect from a company supporting ERP systems. Obviously, those systems all are mission-critical and support is crucial. Price is very reasonable in the context of the cost and criticality of ERP systems, and, especially, SAP. We like the attitude of the company as well. Companies tend to be nervous about the safety of their data in an era of nearly constant large-scale breaches. Onapsis seems to understand that concern better than many security providers.
Overall, we see the OSP as an essential piece of your SAP deployment. If you have an ERP system other than SAP, never fear. There are new versions of OSP coming that likely will cover your needs as well. – Peter Stephenson
Price: $45,000 per SAP SID.
What it does: ERP security and compliance.
What we liked: Purpose-built system that addresses the unique security issues of ERP systems, particularly SAP.
The bottom line: If you are an SAP shop (with others to follow shortly), you cannot afford to be without the tool, at least if you want your ERP system to be secure.