Fortifying Against S/4HANA Transformation Risks

⇨ t is important to understand the nuances of the shared security responsibility model between the various entities - RISE with SAP, SAP as SaaS provider, customers and hyperscale providers.

⇨ Organizations shouldn’t go for a multitude of vendors to promising to manage one or two aspects of their IT but they should look at a platform approach that has broader coverage and is easier to manage.

⇨ While SAP is providing tools to help customers manage the switch, for example, through a clean core, or managing customizations through BTP – security is just one small aspect of this and looks very different.

It would be fair to say that any organization looking to upgrade or move to SAP S/4HANA is entering into something of a twilight zone when it comes to cybersecurity. The challenge revolves around the very idea that the majority of current ERP installations are customized and complex and that organizations have evolved rapidly, with new platforms and devices that may require different forms of authentication and security measures. A shift towards S/4HANA is also not straightforward. A mix of cost, legacy technologies and data compliance demands can create a confusing transformation path that can expose data at multiple points across networks and services.

Today’s ecosystems, where everything is increasingly connected and distributed, either in the cloud or on-premises, demand a technically advanced and robust security response that covers the entirety of the data and systems and not just the ERP application and structure. While applications, such as SAP, have their own security needs and capabilities, the shift to S/4HANA is different. As Roland Wartenberg, Director, SAP Strategic Partner Lead at Fortinet says, this is “a completely new migration to completely new challenges.”

The bottom line is that standard security provision with SAP is not sufficient for the majority of users, especially when transforming the organization to any flavor of S/4HANA. To a certain extent SAP RISE was supposed to help here but only in so far as identifying the demarcation lines of responsibility. RISE, of course, is designed to enable smoother transformations to S/4HANA and part of this is guaranteeing the underlying security of the software.

SAP’s shared security responsibility model outlines where customers need to make up the security coverage, which is essentially anything outside of SAP or anything connected to SAP. As SAP says, customers remain responsible for delegating authentication to customer- controlled identity providers to enable single-sign-on authentication to SAP cloud services. Customers also control the business process, tenant-specific security settings, security audit logs generated by applications and the configuration of integration to cloud and applications development.

So, it’s important to be clear, adds Wartenberg. Customers need to realize that not all security needs are covered by RISE. SAP is consistent in its message about this but is that message getting through to customers? Wartenberg is not convinced and admits there is some confusion despite SAP’s efforts to publicize the shared responsibility model. The fear of course, is that this could leave customers exposed to serious cybersecurity risks, especially as they look to transform their models to S/4HANA.

Connecting data to IoT environments and public cloud providers, for example, comes with more network connections and therefore more risk. Wartenberg suggests this becomes particularly acute in manufacturing and in supply chain management, pointing out that OT and IoT devices in particular, represent an attractive proposition for hackers. In addition, not all devices can be directly connected to SAP as this would create performance issues due to the amount of data generated. IoT therefore demands EDGE devices to help manage data locally before key data is uploaded to the cloud for analytics and so on. This represents an additional security challenge. It’s a key aspect of how organizations can quite quickly become exposed, unintentionally leaving gaps in security defenses due to such a major restructuring of operating models.

As organizations transform to S/4HANA (it’s important to realize this is not really a mere upgrade) there has to be an understanding of how it will impact business processes.

“While SAP is providing tools to help customers manage the switch, for example, through a clean core, managing customizations through BTP – security is just one small aspect of this and looks very different,” says Wartenberg. He adds that customers could look at this with some confusion and that may be enough to instill a little reticence when it comes to transforming to S/4HANA.

For SAP, this is a challenge in itself as it confronts its own reality in how cybercriminals are pursuing its platform. As SAPinsider revealed recently, in 2023 security strategy focus for SAP systems shifted away from ransomware and malware attacks to addressing unpatched systems, concentrating on addressing system vulnerabilities over attack vectors. Increasing regulatory compliance requirements, hybridization of environments, and economic pressures all played a role in influencing this shift in thinking.

The RISE and rise of security challenges

Wartenberg’s point is that the threats are constantly evolving. He talks about how Ransomware as a Service providers see enterprise customers as targets and why cybercriminals are attracted to the big ERP vendors. The sheer size and scope of the software and its ability to connect to multiple applications and hardware installations makes it attractive – control the brain and you control the whole body sort of approach.

It’s therefore key for organizations to recognize what SAP RISE offers to them and what it doesn’t. Fundamentally, RISE is a good thing for customers looking at the complexities of managing multiple customizations and processes and how to transform them into the new world of S/4HANA. But, as Wartenberg says, “it is important to understand the nuances of the shared security responsibility model between the various entities – RISE with SAP, SAP as SaaS provider, customers and hyperscale providers.”

On one hand, the customer isn’t responsible for the application’s security as this is provided by SAP. On the other hand, SAP has no way of identifying if the traffic accessing the applications is legitimate. It is up to the customer to not only ensure that identity management is in place, but that the traffic itself is screened for exploits that might compromise the system.

RISE will also contain Fiori Launchpad applications which can be accessed by employees from anywhere to access; for example, an HR self-service portal. Fiori, like any web application, needs a web application firewall (WAF) to protect the application, as well as custom web applications hosted in the RISE with SAP environment.

SAP says it will manage its application security environment but with some 200 new vulnerabilities found each year, even SAP is challenged with the need for patching. This is where virtual patching is needed, to protect the gap between when a vulnerability is found and when a patch is applied. There is also an access challenge. As RISE with SAP is hosted outside of the customer data center, employees and systems which are located on-premises need to access the SAP systems securely. With an increasing number of organizations employing remote working, this is an obvious priority with, ideally, a Zero Trust architecture, to ensure consistent and rigorous authentication of users and devices accessing SAP systems.

This would also require a security and orchestration solution that integrates with SAP and can trigger pre-defined actions in the SAP applications, as well as within the broader infrastructure of the SAP Enterprise Landscape, customer data center, or office network.

The fabric of change

Wartenberg talks about the entire ecosystem here – a complex mix of SaaS applications and services, private and public cloud services and of course, ERP applications – needing to be viewed as a whole and not in isolation. While RISE promises to protect SAP environments, it’s at least honest about where it draws the line. Organizations therefore have to address security more holistically, integrating security for SAP systems into a broader security fabric.

This security fabric should also include application protection for SAP, routing users to the appropriate application servers and enhancing security measures along the way. This added layer of security ensures that the traffic remains protected and immune to potential threats. But it’s not just about securing user traffic, as it should also be able to identify risks within system-to-system communications, which rely on SAP APIs to access data. The skill gap is also something that needs to be addressed sooner rather than later. Through authorization capabilities, it is possible to safeguard these SAP APIs, while streamlining administration for SAP enterprise landscapes.

According to Wartenberg, recognizing vulnerability and being honest about existing capabilities to counter threats is fundamental to building a security- first culture. With ongoing shortages in cybersecurity skills, and often a disconnect between IT and operations, there is a growing concern that too many organizations are not prepared for an attack. The onus is falling increasingly on consultants and security companies to plug gaps and ensure a broad security coverage.

“The bad guys, they’re always ahead,” says Wartenberg. “You have no chance to catch up with them. Zero trust is about working towards solutions expecting that the bad guys are already in the network.”

For Wartenberg, having IT and operations working more closely together, identifying risks and developing contingency plans is key to an effective security policy. He also suggests a mix of skills, with knowledge of different applications and networks. The idea thatone person has the knowledge and capability to recognise threats across an entire ecosystem of products and services, whether that’s SAP, SaaS applications, cloud services or private data centers, is an anachronism. It comes from a different age.

Wartenberg talks about personas. Different people with different backgrounds and experiences all contribute to a security solution. These personas will vary wildly across organizations but the idea is a simple one that reflects the ecosystem nature of IT and the growing surface of vulnerability. The often fragmented nature of departments demands simplicity when it comes to IT and security, something which very few achieve.

“Companies don’t want a zoo of different security technologies because it becomes really difficult to manage,” says Wartenberg. “If there’s a problem it can become a ping pong game, with everyone blaming each other. So, organizations shouldn’t go for a multitude of vendors to promising to manage one or two aspects of their IT but they should look at a platform approach that has broader coverage and is easier to manage.”

And that’s the point here, that the transformation to S/4HANA is something completely different for SAP users and one that demands a different approach to computing and security provision. While there is no getting away from skills challenges, organizations need to be aware that as far as their core software systems are concerned, RISE can have a significant role to play, but ultimately it is not a security strategy. Recognizing this fact is the first major step on the road to mitigating the risks of what is already a challenging transformation.