The global and independent platform for the SAP community.

Protect the crown jewels

Although the number of security incidents at large and medium-sized companies is steadily increasing, many are subordinating the topic of data security to transformation projects. Andreas Opfer and Holger Hügel from Secude explain what modern security concepts should look like and how SAP managers can integrate them sensibly into current S/4 Hana migration projects.
E-3 Magazine
September 21, 2017
Protect the crown jewels
avatar
This text has been automatically translated from German to English.

SAP customers worldwide are currently undergoing a digital transformation process. What changes do you see for data security with the switch to SAP S/4 Hana?

Holger Hügel: In addition to retrieval via the NetWeaver stack, Hana also offers the option of accessing data directly or via Hana XSA. This means that the database inevitably has its own authorization concept, which must be integrated into the existing concept.

In addition, Hana as a platform offers numerous new application interfaces, all of which inherently carry security risks. The risk of data leaving the SAP system in an uncontrolled manner increases.

Background data transfer between SAP and third-party applications, which is largely "opaque" to security managers, is also on the rise, increasing the attack surface for hacking attacks and insider attacks.

To be able to reliably secure SAP data in the future, companies must act with foresight and implement technical solutions that minimize these risks.

What do you think an authorization concept that integrates the new and old worlds might look like?

Hill: Future authorization concepts will initially be based on the processes and the data processed in them. In a sense, they follow the data along the processing chain over its entire life cycle.

The need to protect the data is derived from this, which ultimately corresponds to a data classification and results in a data-centric authorization system. This approach expands the previous role-based concept, but does not replace it. This is because the protection class clearly describes which role is allowed to process individual data and how.

Sacrifice And Hill, Data Security

What practical experience have you had in this regard? Are there already companies that classify their data consistently and seamlessly?

Andreas Opfer: Although representatives from the automotive industry in particular are already championing the issue of data classification, to my knowledge there are as yet no industry or sector standards that define exactly what is behind the status "confidential", for example, and what impact this has on data processing.

In order to be able to secure the process chains with their partners and suppliers in our increasingly networked world, there is still an urgent need for companies to catch up here.

How can we imagine the organizational and technical implementation of the new security approaches in practice?

Hill: To keep pace with the fast pace and interchangeability of today's IT technologies, companies' core processes will increasingly be handled via platform architectures in the future.

In a digital world, IT security is undoubtedly one of these core processes and requires its own platform. Today, you can often find central identity management systems that take on this role.

However, these are only viable for the future if they allow a data-centric security concept. In any case, one should rely on established standard platforms that are supported by all common applications as a "security instance".

Victim: And this is exactly where Secude helps with the SAP data security solution Halocore. It is the only solution that enables Microsoft AIP/RMS security standards to be applied to the SAP landscape, and is of course also certified for S/4 Hana.

Because SAP is now the central data hub in most companies, data is exchanged with numerous satellite systems via various interfaces, whether manual or automated.

The automated data classification built into Halocore enables the application of the appropriate RMS profile, provided that the data is allowed to leave SAP. Without the appropriate authorization, the export of the data is prevented.

How can companies integrate these steps into their current migration projects?

Victim: We can very well understand that such large migration projects as S/4 Hana tie up a large part of the resources. Many customers therefore try to keep any further increase in complexity out of the project. However, data security is no longer an option today, but a must.

The DSGVO imposes obligations and attacks on corporate IP are on the rise. The architectural changes that accompany S/4 Hana also offer an opportunity to put all IT architectures to the test in small completed sub-projects and adapt them as necessary in the course of the migration.

The effort for this is lowest as part of the S/4 Hana migration. Later, it becomes more and more expensive. In addition, numerous migration tools, e.g. for data and Abap custom code, help to reduce complexity and manage risks.

Halocore, for example, can be implemented in a matter of days and protects SAP customers' "crown jewels" from day one - both before and after the S/4 Hana migration.

avatar
E-3 Magazine

Information and educational outreach by and for the SAP community.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 24, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.