
Effective security starts with infrastructure design

Cyber espionage is the scourge of the digital economy - and is usually noticed too late. To effectively protect the crown jewels in their SAP systems, existing customers must start with the design of the infrastructure.
Peter Goldbrunner, Nutanix
November 7, 2019
This text has been automatically translated from German to English.

Existing SAP customers must switch to the new software generations from Walldorf by 2025. They are taking the opportunity to digitally transform their processes and business models.

But they must also be aware of the associated security risks. After all, more digitization means more opportunities for cyber spies and saboteurs to attack, especially via security vulnerabilities.

Migration to S/4 Hana goes hand in hand with the modernization of IT landscapes, and virtualization is the tool of choice. This is an opportunity that existing SAP customers should take advantage of not only from a business perspective, but also for more effective security.

This is because in virtualized environments, in addition to security vulnerabilities in the guest operating systems of the virtual machines, potential weaknesses in the hypervisor and the underlying layers - including storage and networking - must be considered. Since many more logical systems and applications run in such infrastructures, the problem becomes even more acute.

A secure design of infrastructures helps to reduce the number of security vulnerabilities. Faster installation of security updates reduces vulnerability.

But even then, a residual risk remains that must be covered with the help of specialized solutions. This is most easily achieved when virtualized, software-driven infrastructures provide IT security providers with predefined integration options.

Software-driven infrastructures have the advantage that security can be implemented in them as a function on an equal footing with all others.

This covers every step of a development process designed for security: from design and deployment of the software to testing and additional "hardening" of the solution.

The overall process is known in technical jargon as the "Security Development Lifecycle" (SecDL). In this process, the program code is systematically examined for security vulnerabilities.

If any are found, the developers immediately tackle their elimination. This procedure is repeated constantly and runs through the entire software development lifecycle.

SecDL also offers the option of taking security regulations into account in the process. These include, in particular, Common Criteria certification according to EAL-2, FIPS 140-2, NIST SP 800-131A, NSA Suite B support, Section 508 VPAT and TAA compliance.

Another advantage of a purely software-driven infrastructure is that security vulnerabilities can be identified and closed largely automatically.

In particular, security checklists in the machine-readable description language XCCDF (Extensible Configuration Checklist Description Format) serve this purpose. This allows the simple implementation of security guides, so-called Security Technical Implementation Guides (STIGs).

With STIGs, automated assessment tools can be used to identify security gaps. In practice, the time required for this is reduced from between nine and twelve months to just a few minutes, depending on the case.
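What "machine-readable" means here, shown as an added example (not from the article or from any vendor's tooling): a short Python routine that reads an XCCDF 1.2 document and lists every rule that did not pass, ordered by severity. The benchmark, rule IDs and results are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace

# Constructed sample: three rules and one TestResult (all IDs are made up).
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Rule id="xccdf_example_rule_ssh_root_login" severity="high">
    <title>Disable SSH root login</title>
  </Rule>
  <Rule id="xccdf_example_rule_password_length" severity="medium">
    <title>Minimum password length</title>
  </Rule>
  <Rule id="xccdf_example_rule_banner" severity="low">
    <title>Login banner configured</title>
  </Rule>
  <TestResult id="xccdf_example_testresult_1">
    <rule-result idref="xccdf_example_rule_ssh_root_login"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_password_length"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_banner"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "unknown": 3}
OPEN_RESULTS = ("fail", "error", "unknown", "notchecked")  # an unevaluated rule is not a pass

def open_findings(xccdf_xml):
    """Return (counts, findings): result tallies and every rule that did not pass."""
    # For files from untrusted sources, use a hardened XML parser instead of ElementTree.
    root = ET.fromstring(xccdf_xml)
    rules = {r.get("id"): r for r in root.iterfind(".//x:Rule", NS)}
    counts, findings = Counter(), []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
        counts[result] += 1
        if result in OPEN_RESULTS:
            rule = rules.get(rr.get("idref"))
            severity = rule.get("severity", "unknown") if rule is not None else "unknown"
            title = rule.findtext("x:title", default="", namespaces=NS) if rule is not None else ""
            findings.append((severity, rr.get("idref"), result, title))
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f[0], 3))
    return counts, findings

if __name__ == "__main__":
    counts, findings = open_findings(SAMPLE)
    print(dict(counts))
    for sev, rule_id, result, title in findings:
        print(f"{sev:7} {result:10} {rule_id}  {title}")
```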

If the infrastructure software also contains auto-repair functions, it can independently restore production systems to their proper state.

Self-encrypting drives also enable encryption for data at rest ("Data at Rest Encryption"), i.e. data not currently needed for processing services and applications.

Let's face it: even the best infrastructure software cannot guarantee 100 percent protection against attacks. It must therefore make it easy for existing customers to benefit from the expertise of established IT security providers and provide connectivity options via open application programming interfaces (APIs).

Whether large or small, existing customers working on the future of their SAP landscape have a unique opportunity to minimize security risks right from the start, rather than after the fact as in the past.


Peter Goldbrunner, Country Manager and Regional Sales Director Central Europe at Nutanix.

