ASUG News + Views
What’s the Real Threat Level? SAP’s Response to News of Potential Security Risks for Customers
May 12, 2019

The challenge with communicating about security is that everyone needs to address it, yet no one wants to talk about it. Today, SAP security has moved into the spotlight again, forcing customers to address it.

A recently published Reuters article indicated that more than 90% of SAP customers are at risk of their systems being exposed to hackers who can exploit vulnerabilities because they haven’t installed certain security patches. This news is not exactly new, but the timing of it coming out just ahead of SAPPHIRE NOW and ASUG Annual Conference left many security professionals working a long weekend and many customers concerned that they may not be safe.

ASUG had the opportunity at the conference last week to speak to Tim McKnight, SAP’s chief security officer, and Mariano Nunez, CEO of Onapsis, the partner that helped bring these vulnerabilities to light.

Configuration Is Key

“50,000 may be the number published, but we believe one customer is too many,” says McKnight. Both McKnight and Nunez were clear that customers have had these patches available to them for nearly ten years to protect against the integration vulnerabilities that were uncovered. “We think the issue here is primarily one of customer governance,” Nunez explained.

For legal reasons, SAP was not able to directly address where the line is drawn between SAP and the customer in terms of responsibility for the security of SAP applications, but the emphasis should be on the customer’s organization preparing to handle its own needs through the security team it already has in place. SAP is not prepared to handle the unique setups and complexities of each individual customer, which is why the burden shifts to the customer to understand which of the patches it needs to adopt to stay secure.

Meet the New Risk

The challenge lies in knowing quickly whether or not your security settings are configured correctly as you adopt new applications to run next to your legacy systems. “The news is basically that the risk changed. Customers did risk assessments in the past and decided about these updates at that time based on the likelihood of someone exploiting those vulnerabilities.” Now that the flaws within the security settings have been publicized for all to see via the internet, the reassessment of the configuration has moved from low priority to top priority because the likelihood of an attack is significantly higher.

Onapsis has delivered one of its proprietary tools through SAP, taking an unprecedented step by open sourcing a part of its technology. This tool first helps customers determine if they’re exposed to risk. Then it triggers a fix to the exposure and continues to monitor the fix to make sure there are no additional pathways for a threat to find its way in.

Innovating for Smarter Security

McKnight encouraged SAP customers to look to the future as a quicker path to security. “Getting to the cloud faster for most companies is a smart move from a security perspective. The ability to manage security at scale has gotten better and better over the last five to seven years.” The logical conclusion is that putting the security of your systems in the hands of professionals who are focused solely on security allows your IT team to minimize its resource investment in this area and leave it to the experts at these cloud infrastructure providers to protect them.

Nunez was also clear that you can’t leave the responsibilities related to security to just one kind of IT individual. “I would say you need both a security specialist and an integration expert working together in order to make sure that the patches are applied correctly. If you go at it with just a cybersecurity team, it won’t work because they don’t know the SAP components. The SAP team alone may not have the context for what is a real threat. So my perspective is that you need both working together.” This suggests that IT teams may have to restructure to make sure that these teams are not siloed but working together to handle the critical threats coming at them.

Find a Security Sponsor

To move on these patches, McKnight strongly suggests finding a sponsor at the executive level. “In times like this, it’s going to be easier to address. But ongoing, having someone as a key stakeholder on the business side to own this is important. Just as they would focus on disaster recovery or business continuity, they are the ones responsible for the health of their own systems.”

Interestingly, threats can also provide opportunities to take advantage of business buy-in. Nunez said, “I was talking to a CIO yesterday who said, ‘Right now I both love you and hate you. I hate you because my team had to work all weekend getting the patches set up properly. I love you because I have wanted to do this for years now but haven’t been able to get the business to invest the resources for my team to actually do it.’” Still, the quickest path to security relevance is likely to have someone sponsoring security as a topic of ongoing conversation at the executive level.

A Three-Line Defense

McKnight recommends an approach to security with three lines of defense: business users with executive sponsorship, a security team devoted to the SAP applications, and a rigorous external audit through partners like Onapsis. But ultimately, the one key takeaway is to stay up to date and implement security patches when they become available rather than responding to the change in risk. Adding more cloud-based workloads will also help reduce the challenges of security breaches that most often occur in legacy systems with highly customized code bases and integrations. These are the types of practical steps that will minimize the business time spent on security so you can maximize the business time spent on innovating for the future.

ASUG research has discovered its own set of security truths you should be aware of when making decisions about how to protect your business.
