SAP Fiori is a user interface technology that has, for several years, served as the primary interface for SAP S/4HANA systems, including cloud versions. Over 70% of large companies use SAP systems, which makes SAP Fiori a critical consideration from a security perspective. Data processed through the SAP Fiori interface spans virtually every area of the system, from asset management, human resources, finance, and R&D, to sales and supply chains. Yet, like any technology, SAP Fiori is exposed to security threats. Let us take a closer look at these threats, and at ways to minimise them.
Threats and how to counter them
1) Network security
One of the main ways cybercriminals can compromise a system is by exploiting unsecured network protocols. The SAP Fiori interface is web-only, which is why the use of SSL/TLS is essential: it provides a secure means of accessing the platform and protects data transmitted between the user and the server. Whether a connection is encrypted can be checked by looking for the padlock icon in the browser's URL bar. It is also important to track the expiry date of the SSL certificate, so that it can be renewed in good time.
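As an added example (not code from the original article), the Python below turns the certificate-expiry tracking mentioned above into a check that can be scheduled: it parses the notAfter field of a certificate as returned by Python's ssl module, classifies how close it is to expiry, and can fetch the live certificate of a Fiori host. The host name fiori.example.internal and the certificate dates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample of the dict that ssl.SSLSocket.getpeercert() returns;
# the host name and dates are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "fiori.example.internal"),),),
    "notBefore": "Mar 15 12:00:00 2024 GMT",
    "notAfter": "Mar 15 12:00:00 2025 GMT",
}


def utc(year, month, day):
    """Build an aware UTC datetime used as 'now' in checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def expiry(cert):
    """Return the certificate's notAfter as an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def days_remaining(cert, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (expiry(cert) - now).days


def classify(cert, now, warn_days=30):
    """Map the remaining lifetime to an operational state for monitoring."""
    days = days_remaining(cert, now)
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "renew-soon"
    return "ok"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate of a live endpoint (needs network access).
    create_default_context() also verifies the chain and host name, so an
    untrusted or mismatched certificate raises ssl.SSLError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed certificate.
    print(classify(SAMPLE_CERT, datetime.now(timezone.utc)))
```

Wire fetch_peer_cert() into classify() from a cron job or monitoring agent to get a warning well before the renewal deadline.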
2) Data protection
Ransomware is one of the greatest threats of our time - and SAP Fiori is not immune to it either. In a ransomware attack, data is encrypted, and sometimes even partial encryption is enough to disable an entire system. In such cases, regularly creating backups following the 3-2-1 rule (3 copies of data, on 2 different media, with 1 off-site backup) is essential. Large organisations should also consider using public key infrastructure (PKI). In addition, introducing a mobile device management policy for employees is another important element of data protection.
3) User authentication
Traditional passwords, particularly short, dictionary-based ones, remain another weak point in security. SAP Fiori enables stronger authentication, supporting mechanisms such as RSA tokens and biometric methods, for example fingerprints (on mobile devices). The choice of the appropriate mechanism depends on the configuration of the SAP Fiori client and the tool used to help secure this element of the connection, such as SAP Cloud Platform mobile service.
For administrative accounts, the use of multi-factor authentication (MFA) is recommended, using at least two authentication mechanisms to confirm the user’s identity.
4) Device access
Many SAP systems using SAP Fiori are accessed from mobile devices. Some organisations even operate BYOD (Bring Your Own Device) policies, allowing employees to use personal devices for work purposes. Such devices, in turn, have built-in cameras, contain contact lists, and often provide open access to social media. This can be exploited to carry out social engineering attacks, which may ultimately lead to a device being compromised. For this reason, access to SAP systems from such devices should be restricted to authorised users only, and organisations should maintain a mobile device management policy along with real-time monitoring of their network activity. SIEM-type software can be used for this purpose.
5) Data privacy
Data protection should always be a priority. Companies must comply with legal data processing requirements such as the GDPR (General Data Protection Regulation) or, in California, the CCPA (California Consumer Privacy Act), in order to avoid financial penalties resulting from unfavourable audit findings. SAP Fiori includes built-in functionality that helps organisations comply with these regulations. Regular audits and compliance assessments ensure that all data is processed in accordance with applicable law.
6) Protection against clickjacking
Clickjacking is an attack in which an end user's click lands on a hidden (embedded) element placed “underneath” the visible link, redirecting them to a fraudulent site. To counter clickjacking in SAP Fiori, organisations can use native SAP NetWeaver platform mechanisms to implement advanced whitelisting strategies.
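As an added example that is not part of the original article or of SAP's own NetWeaver framing-protection code, the Python below shows the browser-side view of the same defence: it inspects a Fiori endpoint's response headers for a CSP frame-ancestors allow list or an X-Frame-Options header and reports whether framing is restricted and which parent origins are whitelisted. The header sets and the origin https://portal.example.internal are constructed for illustration.

```python
from urllib.request import Request, urlopen

# Constructed response headers for three hypothetical Fiori hosts.
SAMPLE_HEADERS = {
    "allowlisted": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://portal.example.internal",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "legacy_only": {"Content-Type": "text/html", "x-frame-options": "deny"},
    "unprotected": {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"},
}


def header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers):
    """Decide whether embedding is restricted; browsers let CSP override X-Frame-Options."""
    csp = header(headers, "Content-Security-Policy")
    ancestors = frame_ancestors(csp) if csp else None
    if ancestors is not None:
        parents = [a for a in ancestors if a not in ("'self'", "'none'")]
        return {"protected": "*" not in ancestors, "mechanism": "csp", "parents": parents}
    xfo = header(headers, "X-Frame-Options")
    if xfo and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "x-frame-options", "parents": []}
    return {"protected": False, "mechanism": None, "parents": []}


def assess_url(url, timeout=5.0):
    """Fetch a live endpoint's headers (needs network, assumes HEAD is answered) and assess them."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as response:
        return assess_framing(dict(response.headers.items()))
```

Any parent origin reported in "parents" should match the framing whitelist the organisation actually intends; anything unexpected there is worth a follow-up with the Basis team.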
Expert commentary
Jarosław Zdanowski, Partner at SNOK and Lead Architect for SAP Basis and Cybersecurity, notes: “Securing SAP Fiori requires a comprehensive approach that includes not only technical safeguards, but also user education and regular audits. It is essential not to rely on technology alone, but also on processes and training that help identify and prevent threats. At SNOK, we have placed a strong emphasis from the outset on a holistic approach to security, integrating the latest technologies with best-practice management.”
Summary
Securing SAP Fiori is a complex task that requires a combination of different measures. Implementing robust network security, applying strong user authentication, exercising strict control over data access, and maintaining systematic monitoring and employee education are all essential. These measures can significantly reduce the risk of potential security breaches.
Data security is not just a matter of technology, but also of responsible management and ongoing education. It is important to remember that security is a process requiring regular audits, updates and training to keep SAP Fiori systems secure.
This article was prepared based on material from ERPNews Magazine and information available on SecurityBridge’s LinkedIn page.