Recap of “Evolving Your SAP Security and Compliance Strategy in the Era of Cloud and SAP S/4HANA”

By Annie Kennedy, Associate Conference Producer

Jason Fruge (JF), Vice President, Business Application Cybersecurity at Onapsis, was the expert in the Q&A titled “Evolving Your SAP Security and Compliance Strategy in the Era of Cloud & SAP S/4HANA,” which aired live on day 1 of SAPinsider’s 2020 Virtual Conference Experience. Although Jason has been a security practitioner for more than 20 years, for most of his career he wasn’t familiar with SAP or with the role it plays in organizations’ business functions. A few years ago he sat through a business risk illustration and was shocked that none of the security controls he’d invested in detected the threat. Reflecting on how big an issue that was, and on the fact that a company can’t have the resources to patch everything with rigor and must instead decide which applications matter most and how those functions are protected, he was prompted to build a business case. He got funding for the approved security process, and he was lucky to have a team that was interested in solving the security problem and understood the importance of finding new solutions.

The Q&A was moderated by SAPinsider’s VP of Research and Publishing, Robert Holland (RH). Here are a few snippets from the conversation.

Q: What sort of security challenges do you see customers facing as they begin to deploy the cloud? Is this a good time to evaluate their security?

JF: People are beginning to host portions or all of SAP systems or data on someone else’s network. It’s a challenge in this shared model being responsible for securing your data, even on someone else’s network. Whatever tools you are introducing will face that challenge. Organizations need to consider more than firewalls in an age of socially engineered hacks such as phishing. You have to actively educate people on what they can and can’t share. Another factor that weakens security is that SAP is more accessible than ever, put online so people can pull up data on their cell phones. Workplaces are remote during the pandemic, so there’s more cloud-based access to data, and organizations need to consider new modes to combat security threats or leaks.

Q: What is the biggest thing a security lead should know or do before starting a move to S/4HANA?  

JF: Have a meaningful conversation with the team about how they plan to organize and access data in this new environment, what level of risk can be accepted, and what security strategy can be comprehensive enough to protect what’s most important to them. 

Q: What steps should SAPinsiders take to ensure security? 

JF: People-process or technology-process, but companies need a holistic strategy that accounts for both. Organizations should look beyond user authorizations; see if the configurations are secure, patches installed, programs updated, etc. Hackers have a lot of incentive to break into SAP systems. 77% of the world’s financial transactions and 78% of the world’s food distribution go through some form of SAP technology; it’s not an enterprise security problem but a national security problem that could have a devastating impact. It’s important to have a strong security system in place.

RH: Warehouses and packing plants being shut down by the pandemic had an immediate impact on supermarket stock. Imagine the issue if someone deliberately attacked our global supply chain. Everyone needs to take notice and ensure the chain is resilient. How would your company be affected if your supply chain was taken down? It’s a great conversation piece that everyone should discuss.

Q: Are there vulnerabilities people might not be considering, and how important is the security of the HANA database itself?  

JF: SAP is installed on an operating system. The fastest way to manipulate the SAP application is within the operating system; secure the OS first, then the application next.

Q: How can an internal audit function best partner with the IT organization during a move to SAP S/4HANA?  

JF: Have a good relationship with the architects so they can identify any gaps during production rather than retroactively. Strong relationships are key! We can also automate a lot of the audit, so when they come in to do them, we can arm them with information without having to stop their work to support the audit.  

Q: Is there an easy way to apply the SAP security patches that get sent out, and is SAP Solution Manager the best alternative?

JF: SAP Solution Manager is a fine way to get patches done, but it has limitations; it’s an honor system where you check a box and say you applied a patch, but it may not have been applied appropriately. Onapsis’ solution actually tests the patches to be sure they were applied appropriately. Applying patches is a challenge; SAP will give priority scores to patches, and you have to translate the impact of that on your own organization, because what’s high priority for them might be low for you and vice versa. There’s no quick solution, but the capability to put on patches from a technology perspective is the easy part; the business analysis that goes into that decision is the harder part.