Effective security starts with infrastructure design

Existing SAP customers must switch to the new software generations from Walldorf by 2025. They are taking the opportunity to digitally transform their processes and business models.

But they must also be aware of the associated security risks. After all, more digitization means more opportunities for cyber spies and saboteurs to attack, especially via security vulnerabilities.

Migration to S/4 Hana goes hand in hand with the modernization of IT landscapes, and virtualization is the tool of choice. This is an opportunity that existing SAP customers should take advantage of not only from a business perspective, but also for more effective security.

This is because in virtualized environments, in addition to security vulnerabilities in the guest operating systems of the virtual machines, potential leaks in the hypervisor and the underlying layers - including storage and networking - must be considered. Since there are many more logical systems and applications running in such infrastructures, the problem becomes even more acute.

A secure design of infrastructures helps to reduce the number of security vulnerabilities. Faster installation of security updates reduces vulnerability.

But even then, a residual risk remains that must be covered with the help of specialized solutions. This is most easily achieved when virtualized, software-driven infrastructures provide IT security providers with predefined integration options.

Software-driven infrastructures have the advantage that security can be implemented in them as an equal functionality alongside all others.

This maps all steps of a development designed for security: from design and deployment of the software to testing and additional "hardening" of the solution.

The overall process is known in technical jargon as the "Security Development Lifecycle" (SecDL). In this process, the program code is systematically examined for security vulnerabilities.

If any are found, the developers immediately tackle their elimination. This procedure is repeated constantly and runs through the entire software development lifecycle.

SecDL also offers the option of taking security regulations into account in the process. These include in particular Common Criteria Certified according to EAL-2, FIPS 140-2, NIST-SP800-131A, NSA Suite B Support, Section 508 VPAT and TAA Compliant.

Another advantage of a purely software-driven infrastructure is that security vulnerabilities can be identified and closed largely automatically.

In particular, security checklists in the machine-readable description language XCCDF (Extensible Configuration Checklist Description Format) serve this purpose. This allows the simple implementation of security guides, so-called Security Technical Implementation Guides (STIGs).

Automated assessment tools can be used by STIGs to identify security gaps. In practice, the time required for this is reduced from nine to twelve months to just a few minutes, depending on the case.

If the infrastructure software also contains auto-repair functions, it can independently restore production systems to their proper state.

Self-encrypting drives also enable encryption for data at rest ("Data at Rest Encryption"), i.e. not currently needed for processing services and applications.

Let's face it: even the best infrastructure software cannot guarantee 100 percent protection against attacks. It must therefore make it easy for existing customers to benefit from the expertise of established IT security providers and provide connectivity options via open application programming interfaces (APIs).

Whether large or small, existing customers working on the future of their SAP landscape have a unique opportunity to minimize security risks right from the start, rather than after the fact as in the past.