
Building Security into SAP Cloud Migrations

I recently had the opportunity to participate in the NextLabs Experts Series, with the topic Building Security into SAP Cloud Migrations. The video was recorded in my home office with no special video equipment. Many thanks to NextLabs for having me in this series. Check it out.

Below you will find the questions and the script.

Source: https://www.youtube.com/watch?v=uuG4B0jYarA

Script

1. Why is it critical to embed security into every phase of cloud migration, especially when dealing with complex systems like SAP?

Well, there are several reasons for this. But first, I would like to emphasize that SAP security is often still misunderstood. Even though this has already started to change, I still observe that many customers perceive SAP security mainly as roles and authorizations or GRC. However, if we look at the full range of SAP security topics, we need to approach them in different steps.

Let me give you some concrete examples: If you start defining an SAP security concept or an SAP security baseline in the implementation phase, it might already be too late. This can result in situations where the Basis and Authorization teams set up the environment in an insecure way, or the network team has not yet segmented the network sufficiently, simply because the colleagues do not know what needs to be considered. Once the systems are set up, additional internal and external efforts are usually required to close the gaps, which of course leads to additional costs.

It is therefore crucial to support, train and advise the project teams in all areas and phases to ensure that security is implemented by design. And at the end of the day, it still needs to be verified that the environment has actually been implemented securely. In other words, you already need to start in the preparation phase by defining the rules, then support and advise during the implementation phase, and finally ensure through monitoring that the requirements are met.

That might sound easy, but considering that a typical SAP environment has many different systems, stages, technologies, products and interfaces to other solutions, this can be an incredibly large task, as you need to check every single component for the necessary security controls. So you might end up with hundreds of components in large landscapes. And we haven’t even started talking about the different security domains.

2. What security challenges should organizations anticipate when moving their SAP systems to cloud environments such as AWS, Azure, or Google Cloud?

That’s a really good question; there are numerous challenges for organizations. It is rarely a simple cloud migration or transformation. And as already mentioned, the hundreds of potential components are the very first challenge.

What follows is the usual mix of different deployment scenarios and contracts that need to be coordinated. And in many security areas, it is necessary to go into detail to understand whether the expected level of security can or will be met. And since every company has its own requirements, there is no one-size-fits-all solution.

If a company lacks a holistic SAP security concept and an SAP security baseline, it is very likely that the systems will have a low level of security, which is exacerbated by the fact that SAP systems are only secure to a limited extent by default, especially older release versions. As you can imagine, it will take a while to check all vectors, which is why I see a lift-and-shift approach with a few security improvements as the only viable way forward if you don’t want project costs to explode. But it’s very important to identify all the gaps during the project and start remediating the gaps afterwards.

Looking at the shared responsibilities, it is very important to have a close look at the security-related RISE services provided by SAP, to understand who is responsible and to what extent. It’s also important to compare the different hosting providers, as AWS, Azure and Google Cloud offer different services and service levels.

3. How can organizations ensure their cloud providers meet the security and compliance requirements specific to SAP data and applications?

There are some key elements that a company needs to address. First of all, a company needs to know its assets and the level of protection they require. It also needs to know how it wants to protect them, and that also means translating policies and standards into SAP-specific controls.

Once the baseline is defined, it is important to start implementing and monitoring the controls. At this stage, it is important to also cover the process-related controls. Not all processes can be monitored in an automated way, which is why an internal control system should cover SAP-specific controls as well; this is especially important for the SAP cloud environment. This has a nice side effect: you can support and prepare the audit upfront and reduce the effort during the audit.

Another key element is clear roles and responsibilities, which must be actively communicated so that employees know their rights and obligations. This brings me to the topics of training, awareness and corporate culture. Blue- and white-collar workers generally have a different approach to security. Everyone knows the stories of passwords on a Post-it, but I’ve also seen a whole list of users with passwords as barcodes ready for the barcode scanner, which emphasises that physical checks need to be carried out as well.

4. What are some best practices for ensuring secure data transfers and maintaining access control between on-premises and cloud-based SAP systems?

A starting point should always be the SAP security concept and an SAP security baseline, so that you know what to secure and how. This is usually a mix of a strong authorization and authentication concept. Additionally, clear standards and guidelines for interface hardening, such as encryption, web application firewalls, block and allow lists, or SAP routers and web dispatchers, should be included. Or, to name a few buzzwords: Zero Trust and Privileged Access Management, which are of course strongly related to the customer’s security maturity.

However, one of the most important components of an SAP environment is the SAP Cloud Connector. It is the central communication channel between SAP on-premises systems and the SAP Business Technology Platform (BTP), and it offers various settings for the aforementioned topics. And considering that the BTP is the central platform for the SAP cloud environment and offers around 90 different services, it can present quite a large attack surface. Another important topic to consider is the SAP Integration Suite, which offers some useful functionality to protect the interfaces.

But if someone doesn’t know where or how to start, I highly recommend starting with the SAP Security Baseline Template and the SAP Cloud Security Recommendations. They provide a great deal of very important information that should be considered state of the art, which is becoming more and more important in the European Union due to recent and upcoming cybersecurity regulations such as the Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act for the financial sector. And last but not least, documentation. It is important to have an overview of your landscape and your expected target state, which is the basis for your system hardening and reporting.

5. What steps can organizations take to align their cloud security practices with regulatory compliance and to future-proof their SAP environments against emerging threats?

A tricky question, especially considering that many customers still have some on-premises systems that they should not forget, in order to avoid leaving backdoors in the environment. Many security controls that apply to on-premises systems also apply to the SAP Private Cloud Edition and, to a certain extent, to the public cloud.

However, with regulatory requirements in mind, we should not forget that the origin of SAP security is often the SAP Basis team, which means that many of the administrators like to configure their SAP systems and are often not interested in all the paperwork that comes with general governance and regulatory requirements. With the move to the cloud, more attention needs to be paid to this aspect. Every Basis administrator has a natural conflict of interest: they have to keep the systems running, and in some cases this leads to security being ignored or given less attention, mostly seen as a hobby alongside the day job. Also, the skills required are changing. Information security involves a lot of governance and control activities that are often not on the mind of a traditional system administrator.

In view of the topics mentioned and to come back to your question, I highly recommend appointing a dedicated SAP security officer to take care of all SAP security topics. However, this does not mean that this person is a superhero who can handle all issues alone. In the end, it’s a team sport where you must break down all the silos in an organization. But the SAP security officer can dig into the details, reconcile all the requirements and pass them on to the appropriate stakeholders such as the information security team, the legal department, the various IT departments, corporate communications and many other stakeholders. And this is exactly what will become increasingly important in view of the many regulations and the fact that you must get ahead of the attackers.