Event Recording

Panel: SAP Security in Context of a Corporate IT


Yes, and here they are. It's my pleasure to have them on board, and I don't want to lose many words introducing them. I would like to start with Brita, ladies first. Please go ahead.
Thanks so much, Johan. Great to be back again, and thanks for having me in this panel. I'm a managing director at Accenture security services and I lead our European home security group. I've been in SAP security for about 20 years. I'm new here in Europe: I spent the last five years in the US, so I'm very happy to be in Europe and meeting this new team of the SAP security group. Thanks.
Go ahead. The next is Steffen Pietsch.
Yeah. Thank you. Thank you for having me. So my name is Steffen Pietsch. I'm a member of the board of directors at DSAG, which is the German-speaking user group for SAP, and there we are representing more than 3,500 companies across Germany, Austria, and Switzerland. Within the board, I'm responsible for all technology-related topics. In addition, in my main job role, I'm with a group, a mid-sized media company based in Freiburg, Germany, and there I have the responsibility for business applications, which also covers all SAP-related topics and our SAP footprint. And today I'm here with you and looking forward to the discussion.
This is wonderful, as you're really also bringing in the vision of all the SAP users in Germany, representing them from DSAG. Wonderful. And I'm humbled to have Marcus as well within the panel discussion. Marcus, a few words about yourself.
Thanks, Johan, for having me. Yes, a few words about me: I'm chief information security officer at Fuchs Petrolub. As you can read above me, this is the largest independent lubricants manufacturer in the world. We have a turnover of around 2.5 billion, we have approximately 6,000 employees worldwide, and we have approximately 90 locations around the globe. Yeah.
So thank you very much. Let's start. My first question to you would be: how would you explain that we have almost half a million SAP customers worldwide and in reality only very few have really taken a deeper security project into consideration beyond identity and access management? What would you see as a reason for that? Starting with Brita again.
I think a couple of reasons. We frequently do not see the security organization involved in the SAP programs, and I think that's really the trigger for the lack of involvement of broader security programs in SAP. And this may be a mindset from clients: they're purchasing this leader, SAP is obviously a big name, and I think there may be a perception of, well, I'm buying this ERP system, isn't it secure already? Why do I have to invest in a wider security initiative? So I think it's probably a combination of not understanding that you have to really look at security as well, and the involvement of the C-level leadership.
It was super interesting. I had a conversation at JSEC in Dubai once where someone from Saudi Arabia said to me: why do I need to secure SAP? It's German quality software, it should be secure by default. But hope is not a strategy, as we learned earlier in the video. What are your thoughts about it, Marcus?
Yeah, I think the reason, from my perspective: it's more something like a black box to many of the companies there. They do not know what exactly is inside, and they do not want to open it because they're afraid something might come out that they have to deal with, and they just try to look away in the other direction. Yeah.
I assume you get a lot of questions regarding that as well. Steffen, what do you think about it?
Yeah, so I'm actually basically with Brita. SAP software is often considered and perceived as safe and secure, which is basically correct, but only as long as it is configured correctly. And there is often a lack of skills to really assess the SAP systems and the situation, and therefore not the right skills to really assess the risks inside the company. And that's why it's often treated as safe and secure, which is not always the fact.
Yeah, it's important to understand the risk and then be able to act, which leads me to the next question. Imagine you are a CEO not deep into SAP and you get hacked on your most important SAP system. Who would you reach out to in the first place? Imagine being the CEO: would it more be the chief information security officer, like Marcus, or would it be someone else? Because mostly SAP security is located in the SAP Basis; I always say in the machinery room somewhere. But finding that person in the machinery room costs a lot of time, and within that time a lot of data can be lost. What are your thoughts about that, Marcus?
I said it in my speech earlier today that from my perspective, the main task of the CISO is to search proactively for risks, and for security risks especially, and grab them and try to deal with them. And that's what I did in our company when I started as a CISO, because exactly what you mentioned was the case: the security was located only in the Basis, in the machinery room. And yeah, I think if you had asked this question like two or three years ago, the answer would be that they called the SAP guys, and now today it's changing. It's exactly changing so that they would call me, I guess, I assume. Yeah.
Brita, what do you think?
That's where it should be. Yeah,
Yeah, absolutely agree with Marcus. Right. I think traditionally the CEO may not necessarily even know who to call, right, when they say, oh, something's wrong with my SAP system. Ideally they should contact the CISO, or they contact Accenture to come in and help, obviously option number two, right. But yeah, ideally the right answer is that the CISO is involved in those. And we see a lot of companies that have an SAP security director or security function that is connected with the CISO. But yeah, that's the ideal view, but I think a lot of companies just aren't there.
Steffen, your thoughts on it?
Well, from my point of view, we need the joint forces of the CISO and the CIO, because the CISO comes with the, let's say, method competency and a broad security knowledge, while in the CIO organization we typically have a lot of knowledge about the SAP, let's say, ecosystem and the various aspects. As you mentioned, the SAP Basis in the machinery room: for sure they are the right people to configure the system according to certain guidelines or to find a misleading configuration. But security in the SAP space is more than just configuration. We have, for example, custom code. We also have the entire stack, which starts below the SAP system itself, which considers network configurations, or when we look at hybrid landscapes, there's a lot more that is not only located, knowledge-wise, in the SAP Basis. So therefore I think you need the IT organization as knowledge driver in order to figure out where the problem comes from, but also the CISO organization for the methodological part and how to deal with the problem and escalate steps in the right direction.
I couldn't agree more. I also see audit in that role, to complete all the three lines of defense that you see behind me, as they need to make sure that the confirmation of risk is acceptable due to regulatory requirements and maybe even internal policies on the internal risk appetite, what needs to be done. So I think from a three-lines-of-defense perspective, all these three lines should sit at the same table when it comes to a big project, like migrating to the cloud or a big system upgrade or whatever, and really consider from all three perspectives, ideally backed up by the C level, what needs to be done. Do you agree on this, Marcus?
Absolutely. Yeah. That's what we discovered with our recent project we did. And yeah, we got to know that the alignment between those three lines of defense is the key to success: you need to figure out where the competency sits, the skills for security, and make ends meet. That's the key to success from our perspective.
You're mentioning skills. Skills are super important, because I believe SAP security is not in everybody's comfort zone of skills so far. So how important are skills from your perspective to understand SAP and tackle the risk?
Huge, right. And it's a very unique skill, because you've got a combination of skills there. It's the SAP-specific security skills, and they're very much based on the platform, right? So it's a bit of a diverse platform there. But then it's really also the generalist security skills, right? Understanding risk, understanding the broader platform, infrastructure, understanding data and data privacy. And then you've got the other component as well, the business process, right? The business application. So understanding how the sales order is being processed, how our purchase order is processed, and what the risks are there, and not just executing what you're told and what a business user says, but being able to think about the risk and potentially arguing other ones. So it's this combination of three that is very difficult to find.
Yes, definitely. There is also a tremendous need for the SIs. Accenture is doing a great job in skilling up the people over there to have the competencies, but there are expectations also for the SIs in the SAP ecosystem. What do you think about that?
First, I would like to add one additional point to the skills question. I think it's not only about skills, it's also about the culture. So you need kind of a sense of urgency in the company, and you cannot delegate security or SAP security to a certain group of people who care for the security. It must be the culture of the company to have this feeling that security is relevant for everyone. And then you need these rare species of SAP security guys who are able to secure your system and to help you out. These may come from the SIs, but they also should be part of the company itself. So I do believe that investing in your own people's knowledge as an SAP customer is really worth the investment, and that you can make use of external partners for speeding up this process and giving you some guidance and auditing your processes and your teams and your systems, but ultimately it's your responsibility. And you cannot delegate this responsibility, neither to an SI nor to anyone else.
Yes, it's truly right. In the last consequence, it's always the company itself who's responsible. It's never the SI or anybody else. It's too easy to say: I outsource my SAP and they are responsible for it. No, this is not the case, but there need to be the skills to review if the requirements are fulfilled, for example. And I couldn't agree more, it's important to implement the security culture, and that starts with people. Every culture in the world starts with people, not with technology, and as a matter of fact, almost 90% of all successful breaches in SAP are related to people issues, not to technology issues. And you mentioned that, Steffen: SAP in the standard is mostly secure, there's nothing to talk about there. But it's everywhere the modifications, where people take their hand on, where extra code is programmed, where configuration has been manually set, this is where vulnerability arises and where we need to move forward. Marcus, how did you deal with that at Fuchs Petrolub?
Yeah. So as I already said, we recently started a project because we discovered it together with an external partner. I'm not sure if I can say the name, but anyhow,
You can name it if you want to.
It was NO MONKEY, of course. And it was a great project, with absolutely very good findings that we made. And the point I wanted to make is that we tried it on our own several times before and discovered that we absolutely need external help. Yeah, this is the key, because you cannot make it with the internal resources and you cannot do it with the internal security organization simply on their own. And yeah, I think the most important or interesting finding was that, throughout the presentation we had after the project, the employees, the staff, came proactively to us and asked for trainings and said, okay, we feel the need, we need training. And I think that was really good to see, that they, as Steffen also already said, it's key that the user recognizes that they have the need to get trained, because they are really the first layer of defense.
Thank you for those insights, and thank you for the flowers. We are very glad to get valuable insights out of that. But still, going a step beyond that: sometimes we have even made the experience that we bring up some severe vulnerabilities, like for example having SAP* with a default password in production, and this is being presented to the C level, and the C level still pushes it away because they say we don't need to do anything about that. But understanding SAP, this is like one of the worst-case scenarios and nightmares. Steffen, what do you think about companies that just refuse to take that corporate responsibility?
So first, I do not want to prejudge anyone without knowing the situation one is in, but ultimately we are talking about budgets and resources. And I think it's not that someone who does not act in that field is only careless; it's the question if the CISO has the power to get the budget for such kind of measures, because improving security typically is not a one-day job. These are programs which take some months, and as we talk about culture change, these are ongoing efforts, and this is not a one-time job. So therefore it is the question if you are able to bring this up to the board and achieve that kind of priority shift, so that security measures are not always deprioritized and other topics are more important on the table. So therefore, again, both the CISO and the CIO sitting at the board table must create this kind of sense of urgency there in order to get their budgets.
Brita, what are your thoughts about it?
Yeah. One hundred percent agree with Steffen, right. And I think Steffen said earlier, it's a bit of a black box, right? It still is. It's been a black box for 20, 30 years. Right. And people take sort of the ostrich approach and put their head in the sand and try to wish it away, but it's become more complex over the years. When it was the old R/3 on-prem, you know, it was a lot easier to protect than it is now. And I think your CISO or your leadership thinks, well, it may, you know, be open, but we've got our network, all right. With the way SAP and S/4 have moved, you really have to look across the enterprise security controls in place across the board and not just rely on your network being secure. So yeah, I think it's still considered that black box.
Yes. But now we are in an interesting situation, because many enterprises are shifting from on-prem to the cloud. So this is the ultimate opportunity, from my perspective, to get rid of vulnerabilities you had in your old world that you don't want to have in your new world. Testing efforts are there anyways, and a budget needs to be acquired as well to do that. So why do not all companies include security in that cloud migration? Marcus, any thought on that?
I always get to know it from the conversations with my peer partners, other CISOs. They also always say, when it comes to SAP security, that they always get the comments: don't we have other bigger problems? Nothing can happen there, we have never seen anything happen there, we have those phishing attacks, those cybersecurity attacks, those ransomware attacks. Exactly. Yeah. But that could not be the reason just to look away like an ostrich, like put the head into the sand and just hope that it goes away. Yeah.
Exactly. Steffen, any thought on this as well?
For me, it feels like the comparison to sound engineering at the concert hall. You recognize SAP security only when you have a serious problem, as with the sound engineering in the concert hall. Now back to the cloud journey. I think we have to distinguish what we mean when we talk about cloud: do we lift and shift an existing on-premise stack to, for example, a hyperscaler to do operations in that environment? Then we talk about shared responsibilities, and the security efforts on the customer side typically increase by far, and the necessary skills for secure operations increase as well. This is typically also kind of that journey to understand what it really means operating an SAP system in the cloud in such an environment, which additional skills do I need in order to not end up in the concert hall example. So what we see at the DSAG is that customers start their journey to the cloud and are happy to get rid of certain on-premise obstacles, but they now face very different new challenges, which also are really, really serious to tackle and require an upskilling of the internal team. Because again, you cannot delegate these responsibilities entirely to an external party. So from my point of view, the security efforts on such a cloud journey are often underestimated.
Yes. And what I see, and we discussed that, Brita, as well: I think it's super hard for enterprises to include security when they don't have the skills and know where the pitfalls might sit. So how do you define a tender if this is not your sweet spot of competency? And in addition, I also see the issue that security costs time, resources, and money, so it would blow up the entire business case and delay the project. Brita, you might have made that experience as well, so I would love to hear your thoughts on that.
Yeah, absolutely, it's a problem, right? And it's a challenge to the SI equally, right? Because we receive these RFPs that consistently have little security scope. Again, depending on the maturity level, you've got more or less scope defined, but in most cases I would say it's very little. And that's, I think, where, you know, companies like yours, and Accenture also, we try to get in front of the problem and help even before an RFP is being generated, or during the RFP Q&A process, at least to try and trigger some of these questions to get the thought process rolling, right. To say, well, you've selected X, Y, and Z cloud, right. Do you have a perspective on what your cloud security reference architecture looks like? Do you have a data classification? So some of these basics that we feel are important to define before you begin that journey.
So we try and tackle it that way to get discussions going, but quite often it's too late. That's where we've kind of built some additional security measures into our delivery methodology now, to at least tackle some of the big vulnerabilities, right. And also focus on that education, that awareness, right, make sure the business understands the impact a bit better, to hopefully then create a change request, if that's what's needed, to add on security sooner rather than later. It's absolutely a problem. So I agree, right, education beforehand to make an RFP more specific would be a huge value.
Yes. And this was one of the motivations why we founded NO MONKEY independently, because we wanted to build the bridge for the entire ecosystem to unite and educate companies out there to do the right things. This is super important, because we believe that security is nothing where you work against someone; it's something where you can learn from each other and really share best practices, as these challenges are the same for everybody of those 440,000 SAP customers worldwide. So coming to the last quick round, before we end this wonderful discussion, which I could continue for even much longer, I would like to ask you individually: if you had one piece of advice to increase security in SAP, which one would it be, besides patch, patch, and patch? Starting with Brita again.
Patch.
No, I think process, right. Define a governance process. There's lots of tooling out there, right? And I'm all over tooling; there are so many different tools in the space. Like I said, we're leveraging Onapsis in many cases for vulnerabilities, but not everybody has the budget for it. So the process is really a governance process, in my view, to get ahead of that security problem, right, manually if needed, and then build on top of that process, add tooling where you're able to, where your budget allows. So I think build that governance process to tackle the issue manually out of the gate, if you don't have budget for tooling, would be my recommendation.
Marcus? Thank you, Brita.
Absolutely agree. I would say skills, but skills are part of the governance, of the operating model. Yeah. So training the people, I mean, of course, besides patching and the things that have already been mentioned, giving the people the skills that they need to handle that.
Steffen?
I would like to add one more: patch, patch, culture, because safety must not be the fifth wheel. It must be an omnipresent issue. And therefore you need to, again, train and skill up your people and ensure the sensitization of the board of directors as well as other leadership teams.
Okay. So wonderful. I would like to sum up really quick. I think it's super important, what we have learned now: to understand the risk, where do the crown jewels sit and how do they need to be protected, who has the responsibility to protect them, and do the people have the right skills to do so. This is super important, because only when we have that equal level of skills is it also possible to talk about it; it's not possible when you have a heterogeneous knowledge set, I would say. Then, for sure, define the right processes in terms of a strategy, understand what needs to be done and who's responsible for it. And lastly, it's also important to have the right tools in place, supporting the people and processes, that are tailored to the security strategy, which can be different for every company, depending on risk appetite, resources, budgets, and timelines. So nobody from outside can say what that is; this needs to be discussed internally between those three lines of defense and covered by the C level. And I think then it's a good start to enter an SAP security project with partners like we have here in the round and experts like Marcus. And I think you could always give good advice. Thank you for participating in this panel discussion. I'm really happy that you've been here. Thank you so much. Thanks, Johan. Thanks. Stay healthy. Bye-bye to you, Annie. Bye. Take care.
