Security begins with the design of the infrastructure

Due to the increasing number of cyberattacks, business-critical applications like SAP need more protection than ever. That protection starts not with the applications, but with the design of the infrastructure.
Bas Raayman, Nutanix
June 10, 2020
This text has been automatically translated from German to English.

Vulnerabilities are the viruses of today, and they are even more dangerous. They allow cyber criminals to silently infiltrate a network and IT environment, reach the crown jewels and ultimately steal valuable intellectual property, blackmail the board of directors or paralyze business operations and production.

We rarely hear about successful attacks. For reputational reasons, many companies prefer to keep a low profile and are even prepared to pay millions to cyber extortionists.

Existing SAP customers are aware of the risk; after all, their SAP systems are the heart of the company. They therefore invest in traditional security software to ward off the dangers of cyber threats in advance.

This protection is extremely useful and effective, but it is not enough. On the one hand, unknown security gaps by definition cannot be shielded; on the other hand, in large SAP landscapes it often takes weeks or months before security updates are installed to close the gaps.

In addition, the boundaries between IT security and legal compliance are becoming blurred due to an increasing number of ever more demanding rules and regulations; the EU GDPR and SOX deserve particular mention in this context.

Precautions that serve to increase the traceability of changes to system configurations and primarily fulfill legal requirements also make a valuable contribution to greater IT security.

These challenges can be met with a triad of the right infrastructure for SAP landscapes, a high degree of automation, which starts with the design and programming of this infrastructure platform, and a security ecosystem.

Updating security mechanisms in a conventional three-tier architecture takes a long time and is expensive due to the large number of manufacturers involved and the differences in their technologies.

However, if an IT infrastructure is completely virtualized and controlled exclusively by software, this effort can be significantly reduced. Even in large and very large SAP landscapes, security updates are possible within hours or a few days instead of weeks or months as was previously the case.

Software-controlled infrastructures also have the advantage that security can be implemented in them as a function on an equal footing with all others. They cover the entire process of security-oriented development.

This ranges from the design and deployment of the software through to testing and additional "hardening" and is known in technical jargon as the "Security Development Lifecycle" (SecDL).

Furthermore, security gaps in such infrastructures can be identified and closed largely automatically. The implementation of security guidelines, known as Security Technical Implementation Guides (STIGs), is particularly useful for this purpose.

Software-controlled infrastructures also help to track and secure the integrity of database configurations. But let's be honest: even the best infrastructure software cannot guarantee 100% protection.

This is why connectivity to third-party solutions via open application programming interfaces (APIs) is a must. This applies in particular to the areas of encryption key management, endpoint security and microsegmentation.

Absolute security is impossible. But with the right infrastructure, the attack surface in SAP environments can be significantly reduced and the time from the discovery of a security vulnerability to its closure massively shortened.


Bas Raayman is Sr. Solutions Architect at Nutanix

