Simply Securing a System Is No Longer Sufficient
By Robert Holland, VP Research, SAPinsider
Securing an SAP system used to involve checking access and process controls and ensuring that the most recent SAP Notes had been applied. Now it involves not only ensuring that the system itself is up to date but must address cybersecurity and compliance issues as well.
The Threat Landscape for SAP Systems
A few years ago, the most critical systems that SAP customers needed to secure were SAP ECC and SAP NetWeaver and the on-premise applications to which these connected. However, as organizations have started digital transformation projects, security and compliance have evolved as has the risk and threat landscape.
Organizations may now be in the process of migrating to SAP S/4HANA either on SAP HEC or with a public cloud provider, as well as consuming SAP Cloud Platform using Cloud Connector and utilizing data from solutions running though SAP SuccessFactors, SAP Ariba, or SAP Concur. And as they grow through acquisitions, or simply because they are running both SAP and non-SAP solutions, they may find they need to integrate solutions from Oracle, Salesforce, and Workday into their SAP landscapes. This complexity of applications, and the complexity of integrating these systems, also complicates the security landscape.
But even as organizations ensure that they are working to detect and control the risks in their landscapes, as well as defend them against potential intrusions, they also need to ensure that they are addressing increasing compliance requirements. To gain a better understanding of how this is impacting SAP customers, SAPinsider recently spoke with Juan Pablo Perez-Etchegoyen, CTO of Onapsis, about security, compliance, and the trends he’s seeing from SAP customers around the world.
Making Your Systems Secure and Compliant
According to Onapsis’ Perez-Etchegoyen, the threat landscape for SAP systems is growing. For example, since the RECON vulnerability was addressed by SAP in July, there has been an uptick in sources exploiting that vulnerability across the internet. “Most of the time it’s not as simple as a patch, because the process of deploying the patch requires a downtime window which introduces a lot of friction with the business,” said Perez-Etchegoyen. This downtime window means that someone needs to decide when the system will be offline. And any mitigation can also have a different impact when they must be applied per node or per system, or when the weakness can still be exploited via user credentials. According to Perez-Etchegoyen, “because these are business applications the complexity levels require the right technology and focus to keep them secure.”
A big trend that Onapsis is seeing is that of not only keeping systems secure but ensuring that they are also compliant. “Regulators realize more and more the need to include cybersecurity as part of system control because in large enterprises SOX compliance is critical,” said Perez-Etchegoyen. He sees both regulators, auditors, and the compliance ecosystem really starting to pay attention to cybersecurity specifically when it comes to SAP applications. This is especially true when it is covered by some sort of compliance regulation. “Somewhere, these organizations will be covered by a compliance regulation, and so they’ll need to make sure that they have tools in place to measure that and ensure that they are meeting those regulations,” added Perez-Etchegoyen.
This is where having a security and compliance solution can make an impact in an organization. Onapsis’ offering in this space, The Onapsis Platform for Cybersecurity and Compliance, provides four main functionalities to assist organizations: Assessment, so that risks can be detected; Control, so that a risk can be prevented from being introduced; Defend, so that a user has the right visibility when risks are identified; and Compliance, which automates the compliance posture to address compliance needs. Any risks found can then be completely transparent to the end-user who can readily address the issue. This also extends to the cloud, where the data consumed in a cloud instance is still the responsibility of the customer. Even with SaaS applications like SAP SuccessFactors where patching isn’t an issue for the end user, there may still be data issues because of the complexity of services, modules, components, and customizations that organizations don’t have visibility into. And the more that any functionality is customized, the more difficult the application is to secure and ensure compliance.
What Does This Mean for SAPinsiders?
As organizations accelerate deployment of cloud-based technologies, something which 99% of the SAPinsider Community say they are already running, the security and threat landscape within an organization must be extended to include these new systems. At the same time, these systems must also follow compliance regulations like GDPR, SOX, and CCPA. What steps should you be taking to make sure that your systems and data are secure?
- Determine your security and compliance plans before deploying applications in the cloud. “Adopting security and compliance policies when migrating to the cloud provides an acceleration of timelines,” says Perez-Etchegoyen. If these policies aren’t in place in the beginning, organizations will need to come back and implement them which causes delays. Having policies in place early helps ensure a faster and more secure adoption.
- Investigate which regulations impact your organization and implement plans for ensuring compliance. With the growing prevalence of regulations for data and financial governance, organizations need to know exactly which ones impact them, and how they will ensure that they meet those standards. Given that these standards may come into play even if they only work with a vendor or have a customer in a region impacted by these regulations, knowing the extent of regulations and having plans in place to comply to those is very important.
- Carefully examine your existing security tools to determine whether they will meet future needs. While most SAPinsiders ensure that their systems apply critical SAP Notes and patches, SAPinsider research showed that the top driver around enterprise security was a demand for a more holistic security strategy. In addition, a key action they were taking was that of building an integrated security strategy. Both these steps suggest that most organizations current security strategy does not fully meet their needs, so examining what they are doing from a security standpoint and what they will need for the future, particularly when moving to the cloud, is critical.
- Implement training plans for internal security and compliance teams. Although solutions like The Onapsis Platform do not require every user to be a cybersecurity expert in order for the organization to gain significant benefit, ensuring that compliance teams and SAP security officers have the appropriate training can help provide a greater benefit for the organization. And while benefits will be gained in the security tools being used, they will also extend to the whole organization as they help SAPinsiders prepare for future regulation changes and compliance and security challenges.
Based in Boston, Massachusetts, Onapsis protects mission-critical applications from SAP, Oracle, and Salesforce, and serves more than 300 of the world’s leading brands including 20% of the Fortune 100. Onapsis’ flagship solution, The Onapsis Platform for Cybersecurity and Compliance, is an SAP Endorsed App and is one of the first cybersecurity and compliance platforms to become an SAP endorsed app. It is currently available in the SAP App Center.