Zero Trust in SAP Systems
Key Takeaways
⇨ Protect the bridge between SAP systems and non-SAP systems
⇨ Address key areas in your business case
⇨ Build security out from the core
Amid digital transformation – with so much data moving from one system and placed into another – tracking and securing data as it moves across an organization’s landscape has become a critical focal point for SAP customers.
From a big picture perspective, this is what’s driving more SAP customers to adopt cloud security solutions. According to SAPinsider’s Securing the SAP Landscape Against Cyber Threats Benchmark Report, the number one driver for organizations was the “Need to protect access to sensitive and confidential data.”
According to Hank Schless, Senior Manager, Security Solutions at Lookout, every organization has a different approach to security and builds risk tolerance and security policies based on those approaches. What’s common is the idea of creating a security program with a zero-trust mindset.
SAPinsider’s Vice President of Research, Robert Holland, sat down with Schless to spotlight the core values and principles of the zero trust philosophy and framework and discuss strategies that organizations can put in place to maximize the success of their SAP cloud security programs.
Trust Across Systems Can Create Weak Points
According to a recent SAPinsider report, 90% of SAP customers conduct non-SAP to SAP integration. With all these connections, maintaining compliance across all SAP and non-SAP data systems throughout every part of the infrastructure can be difficult and complex.
This is due mainly to the data moving fluidly in and out of sanctioned and unsanctioned apps, managed and unmanaged devices, and across the entire user base, notes Schless.
As data moves between these systems, some devices may be compliant while others are not. Additionally, each device may be running different types of data protection tools, creating a patchwork of complexity that can make security difficult to manage.
“The bridge between SAP systems and non-SAP systems tends to be one of the least monitored areas where a lot of data is moving,” Schless says. “And that’s just the connectivity side between different services.”
Schless explains that there is typically a lot of trust between the systems, creating risk.
“APIs talk to each other securely, but that actually ends up being a pretty common weak point,” he says, explaining that areas where there is less monitoring of data are going to become the focus of attack for data breaches in the coming year.
Leveraging The Core Values of Zero Trust
SAPinsider research data reveals that 27% of SAP customers had experienced compromised credentials within their organizations. The true number is likely higher, because it can be days or weeks before a compromise is detected, if it is detected at all.
In fact, credential compromise, together with unpatched systems, was among the topmost security concerns for SAP customers according to a recent LinkedIn poll conducted by SAPinsider.
The core values of zero trust can help address these worries.
One of the essential aspects of zero trust is that “no device and no user is who they say they are unless otherwise validated,” Schless says.
He emphasizes that organizations that understand what zero trust means – in the context of how fluidly data is moving, how many ways it is moving, and what’s needed to know whether the activity is legitimate or malicious – are better prepared to address the challenges.
“Zero trust is most importantly about removing the idea of implicit trust from the entire infrastructure,” he says. “Just because someone logs in with the right username and password doesn’t necessarily mean it’s actually that person. It could be someone using stolen credentials,” he adds.
A Continuously Circulating Ecosystem
Organizations need to be able to apply a high level of conditional access by understanding the context of how users are accessing and interacting with data as well as the risk level of the device they’re using, explains Schless.
“Another consideration of zero trust is that just because a device is managed, it doesn’t mean that it can be trusted,” he says. This applies equally to user devices, mobile devices, and more traditional endpoints.
Organizations also need to understand where the risk lies and the nuanced specifics of that risk, Schless explains.
“They need to be able to apply that sort of continuous assessment of risk to a user and a device, and then implement the proper level of access or security to make sure users are not going to violate security policies,” he says.
“You can’t just think of the cloud platforms, the on-premise, or private applications, and then the users and devices,” he says. “You really have to think about it all as one continuously circulating ecosystem.”
“These cloud and on-prem ecosystems are only getting more complex and bigger every day. If you go through every single one and implement the right policy for each one, it just turns into a mess,” he says.
Security Spans Nearly Every Team
Architecture or infrastructure teams use security solutions to understand where data is moving and how integrated systems are talking to each other, according to Schless.
However, Schless notes that security spans nearly every department for many SAP customers.
The challenges inherent in setting security policy are why some of the primary champions in the process include risk and compliance teams.
Schless notes that organizations want to be able to apply uniform policies for both cloud and on-premise at the same time from a business efficiency standpoint, but also for compliance and auditing purposes.
Members of the IT team will also want to include their input in the decision-making process because it is their job to implement the solution and make sure it works within the organization’s existing infrastructure, according to Schless.
“The inability to extend a cloud-level of security and access policies to on-premise assets almost inevitably silos them from a security standpoint, creating friction,” Schless explains.
A critical requirement for IT, therefore, is the ability to control their own encryption and key management.
Then there are the actual users of an organization’s SAP systems, who, after the sudden move to remote work in the last year, now expect to be able to access that data from wherever they need it, whenever they want it, according to Schless.
He explains that users of security solutions also expand out to teams handling the types of data movement that require a high level of visibility – data that helps compliance teams or legal departments inside the organization with decision-making.
Who uses security solutions at an organization also depends on the organization’s size: some organizations have dedicated security teams, while others may have SAP Basis teams serving in multiple roles.
Balancing business requirements with end-user expectations and an organization’s security, risk, IT, and compliance requirements is an increasingly complex challenge. In the end, an organization needs to tie its ultimate decision to business outcomes.
It’s why, according to Schless, decision-makers for security solutions, typically seasoned roles such as the CISO or VPs of InfoSec or Infrastructure, are looking at KPIs and metrics focused on four areas: data quality, reduction in the number of incidents, increased visibility, and reduction in the number of compromised accounts.
Additionally, as organizations look to keep their data compliant amid their SuccessFactors and SAP S/4HANA initiatives, cloud security becomes an integral part of the conversation.
Schless explains that SAP customers often turn to Lookout to help move from on-prem solutions to the cloud.
“Lookout provides a full endpoint-to-cloud security platform, and the main part of that for SAP customers is the company’s cloud access security broker, or CASB, solution,” he says, adding that the company, as part of the SAP PartnerEdge program, offers integrations with SAP.
What Does This Mean For SAPinsiders?
Protect the bridge between SAP systems and non-SAP systems. Apply the core values of zero trust to help address worries about unpatched systems and compromised credentials, and defend the weak points where data moves between SAP and non-SAP systems.
Address key areas in your business case. Security teams, as well as architecture and infrastructure teams, are the primary users of security solutions. Ultimately, however, the decision must be tied to business outcomes. In building the business case, help CISOs and VPs of InfoSec or Infrastructure see how a zero trust approach can help enhance data quality, reduce incidents, increase visibility, and lower the number of compromised accounts.
Build security out from the core. SAP systems provide strong physical and infrastructure security at the data center, network, database, and data storage levels, according to Schless. Use that as the baseline to determine what your organization needs to build on top of that level of infrastructure.
Ensure consistent zero trust policies across platforms. Organizations need to improve visibility into user actions and access control from various locations and devices. For example, it is important for organizations to ensure that mobile device users are held to the same zero trust access policies as someone from a Windows desktop to protect against malware and other threats.
Leverage the value of a unified platform approach. Deploying zero trust from a central vantage point, and the help of a trusted partner with experience in SAP systems, can help an organization ensure full coverage for every device and user across an organization’s infrastructure.
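As an added illustration of the conditional access and continuous risk assessment ideas described under "A Continuously Circulating Ecosystem", and of the takeaway that mobile and desktop users must be held to the same zero trust policy, the following Python policy check is example code written for this page; it is not code from Lookout, SAP or the article. The field names, the risk ceilings per data class and the four decision outcomes are assumptions chosen for the example.

```python
"""Zero trust conditional access check for data crossing an SAP / non-SAP bridge.

Constructed example. It encodes the rules the article describes: identity must be
explicitly validated (a correct password alone is not proof), a managed device is
not automatically a trusted device, the same policy applies to every platform, and
device risk is re-evaluated continuously instead of once at login.
"""
from dataclasses import dataclass


@dataclass
class AccessContext:
    user: str
    mfa_verified: bool      # explicit identity validation beyond username/password
    platform: str           # "windows", "ios", "android", ... (never consulted by policy)
    managed: bool           # enrolled in endpoint/mobile device management
    compliant: bool         # passes posture checks (patched, encrypted, not jailbroken)
    device_risk: float      # 0.0 (clean) .. 1.0 (active compromise), from continuous assessment
    data_sensitivity: str   # "public", "internal" or "confidential"


# Assumed maximum tolerated device risk per data class; identical for every platform.
RISK_CEILING = {"public": 0.8, "internal": 0.5, "confidential": 0.2}


def decide(ctx: AccessContext) -> str:
    """Return 'allow', 'allow_read_only', 'step_up' or 'deny' for this access context."""
    if ctx.data_sensitivity not in RISK_CEILING:
        return "deny"                      # unknown classification: fail closed
    if not ctx.mfa_verified:
        return "step_up"                   # credentials alone never establish identity
    if not ctx.managed or not ctx.compliant:
        # Managed but non-compliant gets exactly the treatment of an unmanaged device:
        # no implicit trust. Only public data stays reachable, and only read-only.
        return "allow_read_only" if ctx.data_sensitivity == "public" else "deny"
    ceiling = RISK_CEILING[ctx.data_sensitivity]
    if ctx.device_risk > ceiling:
        return "deny"
    if ctx.device_risk > ceiling / 2:
        return "allow_read_only"           # elevated but tolerable: limit what can be changed
    return "allow"


def reevaluate(ctx: AccessContext, new_risk: float) -> str:
    """Continuous assessment: a session granted earlier is re-decided when risk changes."""
    ctx.device_risk = new_risk
    return decide(ctx)
```

Because `platform` is never read by `decide`, an iOS user and a Windows desktop user with the same posture and risk always receive the same decision, which is the uniform-policy property the takeaway asks for.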