Solving the patching paradox challenge: How important is it to enforce a security policy in a SAP environment

A secure SAP platform can’t be understood without a patched and updated SAP environment. Vulnerabilities pose a significant risk to an organization’s operations, and patching is crucial to maintain system security and stability, so patching and updating software is always a top priority. However, the reality of patching complex systems like SAP differs from patching less complex software that isn’t mission-critical. The patch of the system may mean service downtime and a complex operation that could directly impact a company’s business, creating a paradox.

After defining the paradox and understanding why it occurs in the SAP platform, we will see how SUSE Linux Enterprise Server for SAP Applications, SUSE Live Patching and SUSE Manager can help to navigate this challenge by implementing a dual patching policy by providing seamless, continuous system updates without the need for downtime, minimizing disruption and enabling a more efficient approach to maintain the SAP environment.

The Paradox of Patching

The more critical a system is and the more it needs to be available, the less likely it is to be patched.

That patching paradox is one of the main security challenges that SAP environments face. And the result of the paradox is reflected in reports like SAPInsider’s cybersecurity research, which states that most SAP customers consider unpatched systems a major security threat and “Keeping Up with Patches and Updates” the most significant challenge related to cybersecurity. This is because patching and updating software can be complex, especially for mission-critical systems like SAP S/4HANA^®, where a simple reboot of a large SAP HANA^® database can take hours. If something goes wrong, it could result in a significant outage. Although the patch goes as planned, negotiating a maintenance window involving multiple teams and departments further complicates the process.

But on the other side, keeping systems unpatched for a long time is not an option. An unpatched system is vulnerable to cyberattacks and could have bugs that create system instability resulting in data loss. One example is the recent bug on the glibc library that resulted in a random HANA database crash.

The paradox of patching highlights the need to enforce a Day-1 patching policy with a more straightforward patching process that requires neither service downtime nor more maintenance windows.

The Need to Enforce Security Patching Policies

Organizations should define and implement a patching policy that outlines when to apply patches, factors to consider, and time windows for patching once a vulnerability is discovered.

The patching policy should address both Day-1 vulnerability patching and regularly scheduled updates. Day-1 patching applies when a serious vulnerability or system bug is discovered, and a patch must be applied immediately rather than waiting for a maintenance window.

That requires a clear workflow and synchronization between the involved organization’s teams, so enforcing these policies in an SAP environment is not just a matter of the security team. It needs the commitment of multiple departments, from SAP BASIS to infrastructure teams, and the acknowledgment of the line of business in case a service downtime is needed. And each team has priorities, so patching a system is neither a simple nor short process that includes tasks like testing the patches and patch staging that can require multiple systems reboots.

There is where SUSE Live Patching becomes a requirement. Live Patching allows customers to patch critical vulnerabilities and severe bugs on their OS without service downtime or reboot, reducing the number of maintenance windows and allowing them to patch immediately.

Live Patching

SUSE’s Live Patching technology allows customers to apply patches to the SAP systems without requiring a reboot or SAP service downtime. By using Live Patching, organizations will reduce the complexity of the process and the internal cost of patching, besides the reduction of maintenance windows. All of them minimize the impact on the organization’s operations while maintaining the security of the systems.

But having the technology to provide “live” patches is not enough to implement a patching policy It also necessitates a long-term commitment from the OS provider to consistently release “live” patches for all high-severity issues affecting the Linux kernel and libraries, thereby reducing the frequency of maintenance windows.

Efficiently addressing the majority of vulnerabilities and bugs requires not only kernel patches but also patches for user-space code, particularly for essential security libraries such as OpenSSL and glibc. Applications like the SAP HANA database depend on these libraries, and extending Live Patching coverage to include them eliminates the need for restarting SAP-related applications, further enhancing system stability and reducing downtime.

Ultimately, “live” patches for critical bugs are also essential, as preventing crashes and data loss in the OS and applications connected to affected libraries is a vital aspect of maintaining a secure SAP platform. In this regard, Live Patching can be considered a proactive tool for addressing potential incidents before they surface, thereby enhancing overall system stability and security.

SUSE’s unique commitment to deliver kernel and user-space live patching for a whole year allows customers to implement a truly agile patching policy, ensuring the availability of critical patches to guarantee that both applications and OS don’t need to be restarted for longer periods of time.

SUSE Linux Enterprise Live Patching offers a dedicated repository containing security and critical bug patches, streamlining the patching process. SLE Live Patching is especially beneficial for mission-critical systems like SAP that demand high availability and minimal downtime. This approach also mitigates the risk of exploits and simplifies overall operations, contributing to a more secure and stable environment.

Implementing Dual Patching Policies with patch management tools

A dual patching policy defines two patching workflows: An immediate remediation patching workflow and a regular maintenance patching workflow. With this approach, SUSE’s Live Patching will address critical vulnerabilities and bugs without having to implement costly maintenance windows. At the same time, regular planned maintenance windows can be scheduled with a lower frequency, reducing the burden on IT teams and minimizing the disruption to the organization’s operations.

Click here to enlarge the video

In such situations, a vulnerability and patch management tool like SUSE Manager is essential for simplifying policy implementation and harnessing the potential of patch workflow automation. Patch workflow automation significantly decreases the risks associated with patching and alleviates the burden on IT teams. Automating processes like SAP HANA cluster patching (learn more here) and defining patch lifecycle management workflows (watch the video), which include testing patches before applying them to production, minimizes misconfigurations and mitigates error-prone processes. Moreover, SUSE Manager enhances security visibility within the system by assisting in cataloging patches and identifying system vulnerabilities.

As stated, by enforcing a dual patching policy, organizations can ensure the patching process is reliable and secure, even for mission-critical systems like SAP.

Conclusion

The patching paradox underscores the difficulties organizations encounter when updating complex systems like SAP. Understanding why critical systems tend to be less patched, despite the priority of securing the platform and ensuring these systems are up-to-date, is crucial for addressing security and stability concerns and circumventing the paradox. Recognizing and overcoming these challenges helps create a more robust and secure environment for mission-critical systems.

In summary, organizations can alleviate IT burden, minimize downtime, and mitigate the risk of exploits and system bugs causing data loss by establishing patching policies with a comprehensive organizational commitment and implementing a dual workflow that incorporates Live Patching and patch management tools.

SUSE Linux Enterprise Live Patching technology is the only supported solution that allows SAP customers to patch critical vulnerabilities on both OS kernel and key user-space libraries without SAP services downtime or reboots. Coupled with SUSE Manager’s comprehensive support for automating the live patching of your SUSE Linux Enterprise for SAP Applications servers, SUSE delivers all the necessary capabilities for effortlessly implementing a consistent dual patching policy.

For more information on enhancing the security of your SAP platform and exploring Live Patching technology, visit www.suse.com/secure-sap.