C/4HANA – how does security work for this? Our take.

C/4HANA is the name of the newest product in the SAP portfolio. The company based in Walldorf, Germany, promises nothing less than a revolution of customer experience. But is C/4HANA secure? And what does “C/4HANA” mean, anyway?

We’ll start with the question of what C/4HANA is and will go back to the very beginning. Then, we can give the answer: C/4HANA is a big, black box. We’ve “borrowed” this statement, but the truth is not far off when you look at it in terms of security. C/4HANA (currently) boils down to little more than a conglomeration of different cloud services under the umbrella of SAP. These services are intended to be consolidated eventually, and the idea is to provide a uniform front end – a uniform “customer experience”.

Spotlight on IT security

It will be some time before things reach that level. This means that customers can take advantage of this time to focus on security now. There are three main reasons for this.

  1. 1+1 can equal 3: This really is true, in a negative sense and in particular for IT security. For example, a vulnerability in a widespread WordPress plug-in recently became known. WordPress is the most widely used content management system for websites across the world. Some even estimate that nearly two-thirds of all websites overall run on this popular open-source system.
    The loophole in the WooCommerce plug-in was not, technically, a loophole, meaning that hackers were unable to achieve penetration despite the bug. Rather, it was the combination of the plug-in and WordPress that created the vulnerability and enabled the affected websites to be fully compromised. Of course, none of this means that C/4HANA has a similar vulnerability. Nevertheless, C/4HANA does comprise five different technologies and this possibility cannot be excluded.
  2. Authorizations: Even just the migration to S/4HANA, wholly SAP technology, is a challenge for many customers. This is because a number of authorization concepts are undergoing fundamental changes, not to mention the authorizations that must be adjusted for the new platform. In the case of C/4HANA, SAP is now faced with the task of fitting five different technologies – and the respective authorization concepts – into a uniform concept. It will not be easy and will mean extra effort for customers who are already using one or more of the five cloud products. This is because any adjustments already made to authorizations must be made again for C/4HANA.
  3. More interfaces: C/4HANA “lives” in the cloud. However, to ensure its functionality is used in a practical way, integration into the backend (the ERP system) is essential. And here, too, more systems in the cloud – more interfaces – mean more avenues for attacks. In contrast to the first two items mentioned, customers are the ones who are responsible for ensuring that the interfaces are secure.

Advantages of C/4HANA

Of course, C/4HANA does have a number of positive aspects. For one thing, it follows from the above that when C/4HANA is complete – when the separate technologies are consolidated – it will certainly bring some added security. Among other things, this will be the result of a uniform data model, which, one hopes, will require just one interface to the ERP backend.

End users will be happy to learn that data protection is one of the major goals of C/4HANA. Customer and company data should thus be particularly well protected in compliance with the GDPR, a boon for everyone’s security.

C/4HANA: Next generation CRM

To summarize, we can say that the product vision of C/4HANA is both justified and will certainly mean more security. However, this will be the case only once the design is final: once the data model, the front end and the integration into the backend have been consolidated. Until then, customers do not need to wait for the next generation CRM: Just follow these basic tips:

  1. Check security: SAP checks its cloud solutions for vulnerabilities regularly. The data centers where the cloud is hosted are certified, meaning they comply with many different security norms. Nevertheless, it is worth paying attention to details, especially when you are responsible. In particular, this involves the security of clients that access the cloud.
  2. Interface security: The cloud itself may be secure, but are the backend interfaces secure too? Here, we recommend deploying a tool, such as the SAST SUITE Interface Management, to obtain an initial overview of all the interfaces and to secure them as needed.
  3. Authorizations: We can attest that it is not easy to keep an eye on authorizations with five clouds and a backend. However, SAST SUITE makes it easy to identify SoD conflicts and potentially critical authorizations.

No matter what you decide to do, we recommend performing a security audit before implementing cloud technologies or even migrating specific business processes entirely into the cloud. In this way, you can reduce risks and can also make your systems fit and secure for the cloud, and in turn for C/4HANA.

Do you want to learn more about securing your SAP systems? Check out our SAST SOLUTIONS website or send us an e-mail at sast@akquinet.de.

Patrick Boch
Product Manager SAST SOLUTIONS