Identity Management and Governance
Whether it's international relations between states or protecting homes from break-ins and corporate networks from cybercriminals, security plays a prominent role in everyday life.
In fact, a similar premise applies to corporate networks as to one's own front door: There is no guarantee, and those who do not consistently deal with their own security will, in the worst case, end up with the short end of the stick. While the consequences of a break-in at home are largely foreseeable - and are usually paid for by insurance - negligent planning and implementation of cybersecurity can quickly lead to immense damage and far-reaching loss of reputation for companies.
As many companies are currently working on implementing new concepts for their own IT architecture as part of their digital transformation, cybersecurity issues are increasingly becoming the focus of managers and decision-makers.
For example, if some of the applications and databases are moved to traditional cloud providers as part of a move from previously used SAP systems and landscapes to S/4HANA, potential vulnerabilities naturally arise within the planned architecture.
In the past, for example, all databases and applications in on-premises solutions were protected by their own firewall within the company's own network, but outsourcing and expansion have resulted in various difficulties that must be clarified as part of cybersecurity assessments. A particularly critical situation arises when third-party data and personal information are also processed in the company.
The three pillars of cybersecurity in hybrid environments
In order to avoid unauthorized access to their own IT architecture and infrastructure, those responsible should focus primarily on three pillars and develop appropriate strategies for integration into the process of digital transformation.
Since cyber criminals use all available means to compromise a network, clear authentication guidelines must be developed. These policies regulate communication within and outside the company's own infrastructure and ultimately also familiarize employees with the cybersecurity guidelines through regular training.
To ensure that only authorized persons have access to the data and applications within an organization, an approach must be found that, on the one hand, holds up employees' work as little as possible with repeated logon processes, and, on the other hand, is secure enough to ensure that they actually belong to the company. Single sign-on solutions, for example, can be an adequate approach here.
With regard to the data stream, which must also be able to take place outside the company's own network, the selection of possible solutions is sometimes more difficult. What is certain, however, is that the data stream must be secured at all times and have end-to-end encryption.
If, for example, the use of a large cloud service provider is planned, redundant WAN structures are a good solution. For employees who work remotely, on the other hand, end-to-end encrypted VPN tunnels can also be a suitable solution.
While these two central pillars of cybersecurity are being implemented through appropriate strategies, employees should be made fit for the new technological infrastructure. In addition to regular employee training on the subject of cybersecurity, special attention must be paid to ensuring that all employees are aware of the advantages of the new applications and understand how they work.
Just as with all other business areas, it is also true for IT that employees are the linchpin of business success. Accordingly, they are also an essential asset in terms of a company's cybersecurity strategy and must not be disregarded in the planning process. Ultimately, only employees who successfully work with the appropriate solutions and applications can achieve the desired increases in productivity.
Through the process of digital transformation, companies can create immense added value for their own employees and processes. However, many managers take the planning of a functioning cybersecurity strategy lightly and are not aware of the possible threats.
In the worst case, the advantages gained are directly nullified and brand trust built up over years is squandered. This can be remedied by concentrating on the three most important pillars of cybersecurity. In addition, those responsible must always be aware that a strategy once established can be useless against new forms of attack in just a few years if it is not consistently developed further. Relying on the supposed achievements of the past is just as dangerous as leaving your front door wide open.
Interview: Cybersecurity from the user's perspective
Mr. Lindackers, Barmer has been using a central identity management system for some time now. How did the cooperation come about and what projects have already been implemented together?
Lindackers: We rely on a comprehensive SAP on-premises system landscape in which several thousand roles and employees are stored.
An obvious step was therefore to also use this system landscape to manage access rights and general authorizations using SAP Identity Management to cover key cybersecurity aspects.
In the course of a call for tenders, we started working with Devoteam employees. Since 2016, we have successively ported the roles and authorization assignment for all employees to the central SAP Identity Management.
What difficulties did you encounter during the changeover?
Lindackers: In any case, we had to ensure that we achieved a high level of security when handling relevant data. A large part of the authorizations (e.g., drive assignments and SAP roles) are derived automatically via organizational management, but we still had to rely on manual, multi-level approvals by line managers and special function holders.
Interview with Benjamin Lindackers, Team Leader SAP Competence Center at Barmer
What benefits have you gained from implementing SAP Identity Management?
Lindackers: Where we used to process written applications in physical form, we can now rely on automated digital workflows that speed approvals and ensure compliance with company policies at all times.
Furthermore, we have established a recertification process, so manual assignments have to be validated again after one year. All in all, we have achieved a lot and are very satisfied with the results - both from the management and from the employees.
The Covid-19 pandemic has certainly created further challenges in this area. In the course of this, does the topic of the cloud also play an increasing role for you?
What are the advantages of such a partnership?
Lindackers: The pandemic has probably posed challenges for all industries. While the traditional office routine shifted to the home office within a very short time, the necessary work on the infrastructure was also running in the background at our company.
With the support of our partners, we managed to set up permissions for all our employees within a tight deadline. We also managed to set up permissions for digital collaboration tools and integrate external employees into our digital infrastructure.
In a privacy-sensitive industry like ours, cloud applications were initially viewed critically for a long time. However, we are increasingly seeing a rethink as a result of the pandemic, also due to the availability of more and more secure solutions. Because of the sensitive information and data we work with, cybersecurity is a top priority.
What developments and plans regarding cybersecurity does Barmer have for the future?
Lindackers: Based on our experience in recent years, further automation within the administration of authorization assignments is a core concern. We want to reduce the manual processes as far as possible and in this way make them even more efficient.
In addition, we are currently working on handling our development and quality assurance SAP systems via a separate identity management instance.
This project again has its own requirements in terms of corporate policies and governance. Cloud migration is another project we are increasingly working on.
Thank you for the interview.