Large migration projects often take priority over data security. Andreas Opfer and Holger Hügel show why that is often less than ideal.
Although the number of security incidents is growing steadily among large and medium-sized enterprises, many of them give data security a lower priority than IT transformation projects. Andreas Opfer and Holger Hügel from Secude explain what modern security concepts should look like and how SAP executives can integrate them usefully into current Hana migration projects.
SAP customers worldwide are currently in the digital transformation process. What changes do you see for data security because of the migration to S/4 Hana from your point of view?
Holger Hügel: In addition to retrieving data via the NetWeaver stack, Hana also offers access to data directly or via Hana XSA. As a result, the database necessarily has its own authorization concept, which must be integrated into the existing concept. In addition, Hana as a platform offers numerous new application interfaces, all of which per se bear security risks.
The risk of data leaving the SAP system without any control increases. The largely “opaque” background data transfer between SAP and the third-party applications increases too and as a consequence extends the attack area for hacking and insider attacks. In order to reliably secure SAP data in the future, companies must leverage a forward-looking approach and use technical solutions that minimize these risks.
What are your thoughts on a user authorization concept that integrates the new and the old world?
Holger Hügel: Future authorization concepts are primarily focused on processes and the data processed therein. Such concepts follow the data along the processing chain throughout their life cycle. The security requirement of the data is derived from this, which ultimately corresponds to data classification and leads to a data-centered authorization system. This approach extends the existing role-based concept, but does not replace it as the protection class clearly describes by which role and in which way the data can be processed.
What is your experience? Have you seen companies that can classify their data completely and thus close gaps?
Andreas Opfer: Although, in particular, representatives from the automotive sector are already working on the subject of data classification, I’m not aware of any industry standards that precisely define what the meaning of a status label like “confidential” is and what the effects of this on data processing are. In order to secure process chains with partners and suppliers in our increasingly interconnected world, there is still an urgent need for companies to catch up.
How can we envision the organizational and technical implementation of the new security concepts in the real world?
Holger Hügel: In order to keep pace with the fast evolution and interchangeability of today’s IT technologies, the core processes of companies will increasingly be handled via platform architectures. There is no doubt that in this digital world IT security belongs to these core processes and needs its own platform. Today many central identity management systems are taking over this role.
However, they are only future-proof if they allow a data-centric security concept. In any case, you should rely on established standard platforms that are supported by all common applications as a ‘security authority’.
Andreas Opfer: And Secude is helping exactly in such cases with its SAP data security solution Halocore. It is the only solution to apply the Microsoft AIP / RMS security standard that is embedded in the Microsoft Active Directory, to the SAP landscape. And it is for sure certified for S/4. As SAP is now the central data hub in most enterprises, data is exchanged over various interfaces, either manually or automatically, with numerous satellite systems.
The automated data classification capability of Halocore allows the application of the appropriate RMS profile, if the data is authorized to leave the SAP environment. Without appropriate authorization, no data can be exported.
How can companies integrate these steps into their current migration projects?
Andreas Opfer: We understand that large migration projects, such as to S/4 Hana, allocate a large amount of resources. Many customers are therefore trying to keep any further complexity increase out of the project. However, data security is no longer an option. It’s a must. The new EU-GDPR is a compelling event and attacks on the intellectual property of enterprises are increasing.
The architectural changes that are associated with S/4 Hana also provide an opportunity to put all IT architectures to the test in small subprojects and, if necessary, adapt them in the course of the migration. The expenses for this are the lowest as part of S/4 migration. Later it always becomes increasingly expensive.
In addition, numerous migration tools, such as for data and Abap custom code, can be leveraged to reduce the complexity and manage the risks. For example, Halocore can be implemented within a few days and protects the customers’ crown jewels right from day one – both before and after S/4 migration.