Cyber Defense for SAP and more
Just under a year ago, Pathlock was formed as a unique alliance of leading international providers of access governance and application security with the goal of jointly raising the understanding and scope of holistic security to a new level. Today, Pathlock is already the world's leading security & GRC specialist for SAP and hybrid IT systems. With 500 employees worldwide, it advises more than 1200 customers on protecting business-critical applications, data and processes. Thus, he supports companies with SAP ERP, S/4 Hana, cloud or multi-vendor systems in detecting anomalies, hacker attacks, manipulations or data theft.
Experience and know-how
Cyber defense is about awareness, experience, training, IT tools and a lot of know-how. While earlier ERP generations grew up with virus scanners, so to speak, cyber defense in today's complex architectures is not just about hackers, but about many very different attack parameters from inside and outside. Bodo Kahl, CEO of Pathlock Germany, explains the objective of the merger in an E3 interview: "We have joined forces to develop the industry's first comprehensive automated compliance and risk management solution. Our technology performs concerted financial and data protection controls while protecting all key business applications from cybersecurity threats. By combining capabilities unique to each, we can now offer our customers a solution that covers more applications and more types of risks than any other and any other company before." This cyber-defense approach is critical in an atomized and agile IT world, as the existing SAP customer is dealing with very many threat scenarios simultaneously. Chief Technology Officer (CTO) of Pathlock Germany, Ralf Kempf, explains: "We are focusing on a broad solution that can do more than the classic approach that is common on the market. Until now, there were solutions that focused either on the area of user and access management or on cyber security, but none that encompassed ERP security in general. So, we're talking about a unified solution that covers all the major ERP vendors on the market like SAP, Microsoft and Oracle, and also tools like Salesforce."
The merger to form Pathlock results in a range of services that is much deeper and broader than known individual solutions. It combines both the capabilities in the area of user identity and access management on the one hand and in the area of cyber security, vulnerability management, threat detection and data protection on the other. Pathlock includes Sast Solutions as well as the former Appsian, Security Weaver, CSI Tools, Xpandion and QSoftware. Together, the group has 15 locations in the U.S., Europe, Israel and India.
In practice, Pathlock Germany has a high affinity with SAP. ECC and S/4 architectures are complex and decentralized. Therefore, the cooperation with CSI Tools from Belgium and Security Weaver from the USA, which specialize in SAP, yielded immediate added value. "It means a meaningfully expanded SAP portfolio - in addition to the quick win of having a broad range of solutions for all ERP applications immediately available when needed," emphasizes CTO Ralf Kempf in an interview with E3 editor-in-chief Färbinger. "It is the great advantage of this merger that not only the reach is multiplied, but likewise our expertise. Accordingly, we share our cyber security solutions for SAP and our partners worldwide and can immediately integrate them into their portfolios."
Authorization system
A key security parameter is the authorization system for SAP users. "Many of our major customers have products such as Ariba, which SAP itself has purchased but never really integrated into its portfolio. Until now, they have made it very difficult to track employee authorizations across all applications and to manage accounts, for example when an employee leaves," says Ralf Kempf, describing a use case from his professional practice.
Personnel changes have always been a major challenge for the authorization system: If a person leaves the company, all accounts, all devices should also be blocked, all authorizations worldwide in all systems should be revoked. "Transparently managing accesses in all these subsystems, reviewing them and so on - until now we could only do that for SAP. Now we offer a cross-system overview of identities and accounts," says Ralf Kempf, describing one of the advantages of the merger.
The SAP community has realized the importance and sustainability of cyber defense for quite some time. This awareness is also evidenced by the Investment Report 2023 of the German-speaking SAP User Group (DSAG e. V.). In the investment planning of DSAG members, cyber security is clearly in first place at 88 percent with high and medium relevance. This is not unexpected for DSAG Board Chairman Jens Hungershausen: "Preventing a hacker attack is indeed impossible. But there are a number of measures that companies and users can take to prepare themselves." And this is where the innovative power and efficiency of the new Pathlock Group comes into play.
Dashboards
Security dashboards have been on DSAG's list of requirements for years as a central element for controlling and defending against security-related incidents. Together with SAP, DSAG worked on a corresponding solution for a complete overview of all security aspects, which automatically shows which security-relevant settings must be made and where security gaps exist in the respective SAP landscape of the company. Now Pathlock, also a participant in the DSAG working group, can report success: The development of Pathlock dashboards has been successfully completed and encompasses much more than pure SAP landscapes. "Because," explains Piyush Pandey, Pathlock CEO, in the E3 exclusive, "the time of static singular ERPs was yesterday.
SAP solutions remain the most important part of many companies' line-of-business infrastructure, but solutions from other vendors, especially Oracle, are becoming increasingly important. For example, many of our SAP customer companies manage one or more Oracle ERP instances as a result of mergers and acquisitions. Managing access permissions, including roles, but also segregation of duties (SoD) rules and other aspects around identity, access and security are essential to protecting these business-critical applications."
What's more, many business-critical systems are following the trend of moving to the cloud, for example with solutions from SAP such as SuccessFactors or Ariba. This expands the scope for centralized access controls beyond traditional Abap systems and even beyond SAP. Solution requirements are increasing, either by supporting a broader range of systems or by providing appropriate integration points with other solutions. For the successful implementation of appropriate controls, it is critical that all systems are covered by an effective risk management solution, for managing access control and SoD controls, and for implementing appropriate access governance.
This is reflected in the announcement for this year's Leadership Compass by leading technology analyst KuppingerCole, which focuses on comprehensive support for both SAP environments and third-party business applications: "Customer requirements for access control solutions for their business applications are changing rapidly. Many companies require solutions that cover a range of ERPs from different vendors and operate in different models."
Role models
However, many vendors still lack many years of experience with best-practice role models, critical access rule sets, and SoD role sets for non-SAP solutions, Martin Kuppinger stated as early as 2022, highlighting Pathlock's in-depth support for Oracle systems as an exceptional example. He emphasizes that the Pathlock merger has created "a major competitor for SAP in the security market." Ralf Kempf comments: "We take this verdict as a compliment and confirmation, but above all as an incentive to always be one step ahead of the development and to realize the most comprehensive and best cyber defense for SAP and many other ERPs and solutions with our Pathlock Suite, be it on-premises, web-based or hybrid."
