SAP Security smartersec

Guarding the Cloud Gateway: Mastering SAP Cloud Connector Security

By
4 Minute Read

What is SAP Cloud Connector (SCC)?

For connectivity and integration purposes from on-premise installations to the (SAP) Cloud, SAP developed a small piece of software called SAP Cloud Connector (SCC).

The SCC is the preferred method in customer (hybrid) environments to connect from on-premise to the (SAP) Cloud, e.g., SAP Business Technology Platform (BTP), SuccessFactors and others, or generally to SAP Public Cloud Applications or SAP Private Cloud Applications.

Looking at the following chart, you will immediately realise that SCC has become a centrepiece of your (SAP) security posture.

Overview SAP Cloud Infrastructure

Security Considerations for SAP Cloud Connector

We have seen several security areas during audits and when hardening the SAP Cloud Connector at our customers. Here are the “most wanted” areas to look out for:

  1. Patch-Management
  2. No High-Availability
  3. SCC location and set up in the network
  4. SCC built-in security features not used
  5. Usage of outdated Cypher Suites
  6. SCC Audit log not enabled or not monitored

1. Patch-Management

We have seen that the SCC itself or the related environments are not thoroughly patched in 100% of all customer environments. Recent research shows that 80% of cyberattacks happen due to unpatched software vulnerabilities.

We advise checking your implemented SCC version regularly. If it is not up to date, you should consider upgrading your SCC to the latest version/patch level as soon as possible.

Between 2013 and today, many versions of SCC have been released, and SAP has also published many security patches related to SCC.

Now ask yourself: When was SCC initially implemented and how often have you implemented a new version or security patches since?

In addition, please keep in mind that the underlying Operating System (OS) must be patched as well. Because SCC uses Java, the JVM or SDK on your OS System must also be regularly patched.

The effort to keep your SCC and its environment up to date is not very high, but you increase your security posture significantly!

Please check the SAP note 3302250 for details about the support strategy of the SAP Cloud Connector (3302250 – Cloud-Connector-Supportstrategie). It is worth mentioning because many customers do not know that security patches for SCC always apply exclusively to the latest SCC version. Therefore, we strongly recommend that customers always install the latest SCC version and patch to the latest patch level available as soon as an SCC security patch becomes available. The last SCC version can be downloaded from https://tools.hana.ondemand.com/#cloud. Check the sections “Cloud Connector” and “SAP JVM”.  

Watch out for the SAP Security Patch Day, every second Tuesday per month on SAP´s blog!

2. No High-Availability

Although some think it is not a security feature, the SCC can be configured to use a High-Availability (HA) architecture.

Regarding the recommendation that the SCC needs new versions and regular patching, it is vital to configure High Availability to minimize downtime and avoid outages.

It is not particular for the SCC itself but for all applications in the (SAP) Cloud that users will access through the SCC.

SAP Cloud Connector Administration – High-Availability

3. SCC location and set up in the network

We have seen SAP Cloud Connectors not located in the DMZ of the customer's infrastructure. Even worse, it happened that there are not only official SCCs in the customer infrastructure, which are perfectly located in the DMZ, but also some test installations on Client PCs for test purposes. Obviously, those test installations are not maintained properly and have been used aside w/o the implemented security measures from the network team needed.

We also strongly recommend using a dedicated server, especially for the SCC, to avoid allowing other administrators for other applications on the same server to access the SCC.

Last but not least, delete all unnecessary applications from the dedicated SCC server. We have seen game accounts on UNIX servers that must not be installed on an SCC environment. Use hard drive encryption to ensure that the configuration and Audit Logs cannot be read by unauthorized users (Security Guidelines | SAP Help Portal). In >90% of all audits, hard drive encryption was not used.  

SAP Cloud Connector location and setup in the network

4. SCC built-in security features not used

The SCC has a built-in security feature that allows customers to check its security status regularly. In 93% of all SCC installations we have audited, the security feature was either not known or not used by the customer.

Following the recommendations, the built-in security feature is the simplest way to raise your security posture to a mature level. In the latest versions of SCC, the SCC can be connected and monitored through a standard API provided by SAP connecting to the solution manager.

If you have an SIEM system, the API can be used to integrate SCC, such as SAP Enterprise Threat Detection or others.

SAP Cloud Connector Security Status

5. Usage of outdated Cypher Suites

In the past some Cypher Suites used by customers became obsolete or in some cases the encryption of some Cypher Suites is not secure anymore. SAP only allows a bit length of minimum 256 – all others deemed to be insecure. See OSS note: 2942602 – “Only TLS ciphers with SHA256 (or greater bit lengths) are deemed secure”.

We recommend using a bit length of 1024 minimum. Together with your security officer you should check the existing security policy to configure the cipher suite and bit length appropriately.

Status and security of the Cypher Suites

6. SCC Audit log not enabled or not monitored

The SCC has its own audit log that can be enabled for monitoring purposes. SAP lets you configure the audit level (subaccount or cross-sub-account). The default value is “Security” but can be extended to “All”. You must never use or configure “Off”.

There is also the option to choose how long you want to keep these logs using the configuration field <automatic cleanup>.

As of SCC version 2.14, the location of the audit log files can also be changed. The files can be imported into a SIEM system.

For more details please check on SAP Help: Manage Audit Logs | SAP Help Portal.

Conclusion

The security topics for SAP Cloud Connector outlined in this article are meant for orientation and first guidance. There are many more topics to consider to make the SAP Cloud Connector properly secure.

The most important message is that you cannot just implement a central SAP component like SAP Cloud Connector and keep it at a low maintenance level. You must integrate SAP Cloud Connector in your software lifecycle management and pay attention to it as if it were your main SAP ERP system, especially regarding security.

Thomas Kastner

Thomas Kastner

Senior (SAP) Security Advisor and innovator of several SAP security products as well as holder of several patents in IT security. Thomas has more than 39 years of experience and a proven track record in business and IT operations, managing large multinational projects, risk management and security assessments. Detailed and multi-year expertise in SAP Software Development, SAP Basis and Configuration, SAP Security especially in the areas of secure programming as well as audits and penetration testing.

Author