Protect the crown jewels
SAP customers worldwide are currently undergoing a digital transformation process. What changes do you see for data security with the switch to SAP S/4 Hana?
Holger Hügel: In addition to retrieval via the NetWeaver stack, Hana also offers the option of accessing data directly or via Hana XSA. This means that the database inevitably has its own authorization concept, which must be integrated into the existing concept.
In addition, Hana as a platform offers numerous new application interfaces, all of which inherently carry security risks. The risk of data leaving the SAP system in an uncontrolled manner increases.
Background data transfer between SAP and third-party applications, which is largely "opaque" to security managers, is also on the rise, increasing the attack surface for hacking attacks and insider attacks.
To be able to reliably secure SAP data in the future, companies must act with foresight and implement technical solutions that minimize these risks.
What do you think an authorization concept that integrates the new and old worlds might look like?
Hügel: Future authorization concepts will initially be based on the processes and the data processed in them. In a sense, they follow the data along the processing chain over its entire life cycle.
The need to protect the data is derived from this, which ultimately corresponds to a data classification and results in a data-centric authorization system. This approach expands the previous role-based concept, but does not replace it. This is because the protection class clearly describes which role is allowed to process individual data and how.
What practical experience have you had in this regard? Are there already companies that classify their data consistently and seamlessly?
Andreas Opfer: Although representatives from the automotive industry in particular are already championing the issue of data classification, to my knowledge there are as yet no industry or sector standards that define exactly what is behind the status "confidential", for example, and what impact this has on data processing.
In order to be able to secure the process chains with their partners and suppliers in our increasingly networked world, there is still an urgent need for companies to catch up here.
How can we imagine the organizational and technical implementation of the new security approaches in practice?
Hügel: To keep pace with the fast pace and interchangeability of today's IT technologies, companies' core processes will increasingly be handled via platform architectures in the future.
In a digital world, IT security is undoubtedly one of these core processes and requires its own platform. Today, you can often find central identity management systems that take on this role.
However, these are only viable for the future if they allow a data-centric security concept. In any case, one should rely on established standard platforms that are supported by all common applications as a "security instance".
Opfer: And this is exactly where Secude helps with the SAP data security solution Halocore. It is the only solution that enables Microsoft AIP/RMS security standards to be applied to the SAP landscape, and is of course also certified for S/4 Hana.
Because SAP is now the central data hub in most companies, data is exchanged with numerous satellite systems via various interfaces, whether manual or automated.
The automated data classification built into Halocore enables the application of the appropriate RMS profile, provided that the data is allowed to leave SAP. Without the appropriate authorization, the export of the data is prevented.
How can companies integrate these steps into their current migration projects?
Opfer: We can very well understand that such large migration projects as S/4 Hana tie up a large part of the resources. Many customers therefore try to keep any further increase in complexity out of the project. However, data security is no longer an option today, but a must.
The GDPR imposes obligations and attacks on corporate IP are on the rise. The architectural changes that accompany S/4 Hana also offer an opportunity to put all IT architectures to the test in small completed sub-projects and adapt them as necessary in the course of the migration.
The effort for this is lowest as part of the S/4 Hana migration. Later, it becomes more and more expensive. In addition, numerous migration tools, e.g. for data and Abap custom code, help to reduce complexity and manage risks.
Halocore, for example, can be implemented in a matter of days and protects SAP customers' "crown jewels" from day one - both before and after the S/4 Hana migration.