Last year came to a very pleasant end, as we won the award for “Top Identity and Access Management Solution Provider in Europe 2021”. The December issue of Enterprise Security Magazine reported extensively on our IAM solution and about the innovative features that make our software so unique. We interviewed Mr. Kempf to find out more about the software solution and the current technology trends.
Mr. Kempf, congratulations on your win. What is behind SAST SOLUTIONS and the offered IAM solution?
Half of all enterprises worldwide have already fallen victim to at least one significant IT security incident. SAP systems are increasingly becoming targets of such attacks. The growing complexity of system environments and generally limited security experience of many employees often give rise to serious security vulnerabilities. That’s why current SAP security requirements go far beyond conventional access governance of users and their roles.
With our SAST SOLUTIONS portfolio, we have specialized in the end-to-end security of SAP environments. In addition to the software suite, SAST SOLUTIONS also offers all-round protection for SAP ERP and S/4HANA systems, including consulting experts and managed services.
What makes your SAST SUITE software product so special?
Nowadays, the question isn’t so much “if” an IT security incident will occur, but rather “when”. And more and more frequently, it’s the company’s own employees who cause such incidents, whether accidentally or in bad faith.
The SAST SUITE is designed to give companies the exact support they need to implement identity and user access management concepts, because it reports violations immediately – and not only after the damage has already been done.
Can you name a few of the current trends in the IAM sector and how you have implemented these technology trends in your solutions and offerings?
It is interesting that the “trends” involving vulnerabilities of SAP systems have remained unchanged for years, yet many companies still haven’t rectified them.
In light of the constantly changing threat landscape, with both internal and external actors, the real-time recognition of anomalies and unintended behavior through analytic technologies is becoming more and more important. This is exactly what the SAST SUITE was developed for and we continue to optimize it for the newest attack scenarios. These include incorrect system configurations, which leave many gaps open for attackers; the abuse of user roles and authorizations; and unintended user behavior in the system; all of which result in internal security incidents.
In addition to the aspects of IT security and IAM, there are two primary trends that are currently affecting the entire SAP world and will continue to do so for some time. The first is the technology switch from SAP ERP to SAP S/4HANA. From our perspective, it will certainly be interesting to see whether more companies will learn from the early adopters and take a holistic view of their SAP S/4HANA transformations. After all, around 20% of companies neglect IT security completely during their migration to SAP S/4HANA. To meet the technical and functional requirements of the new SAP S/4HANA environment, we developed the SAST SUITE for S/4HANA as an independent product. This will insure that our tried and tested software can continue to be used over the next decade.
Aside from the big SAP migration topic, we are also increasingly fielding inquiries regarding the cloud in the SAP context. My tip: Sensitive data shouldn’t be saved outside your own area of control. Accordingly, companies should implement security solutions and dashboards on premise instead of in the cloud wherever possible. All the same, the SAST SUITE of course covers both conventional on premise SAP solutions and the SAP Cloud solutions, and the further development of the software is oriented towards following the transformation to the cloud.
Identity and user access management alone is not enough from a security perspective. IAM solutions should always be just one part of an end-to-end security strategy and should also support regular audits. In addition, IAM solutions should offer functions for the SAP environment that enable automatic detection of user misconduct (such as changing security settings) and support structural countermeasures.
What exactly do your IAM solutions offer and how do they help your customers to improve their capabilities?
The SAST SUITE enables our customers to configure automated role management and eliminate separation-of-duty conflicts, thus better controlling the access permissions of all users – including privileged users. Our software can even adjust authorizations on its own and greatly streamline them without limiting day-to-day business.
No two companies are alike. What strategies is SAST SOLUTIONS following to beat the competition on the market?
The SAST SUITE offers separate solutions with clearly defined functions for specific aspects in the areas of SAP security and IAM, which are offered as an integrated package and enable seamless combination of different functions. Based on this approach, the SAST SUITE can be custom-tailored to the requirements of the respective use case.
For more information, feel free to read the success stories of our customers Takeda, s.Oliver, NordWest Handel, and BWB (Berliner Wasserbetriebe).
Do you have any advice for interested companies?
Sure: People repeatedly ask us what they should do when they’ve discovered an attempted intrusion. Unfortunately, there is no patent remedy that cures all ills, because the best reaction is highly dependent on the respective attempted attack. I’d advise all companies to establish a well-defined risk management system with defined processes, to play through risk scenarios. The process models from the NIST (National Institute of Standards and Technology), ISO2700x, or BSI (German Federal Office for Information Security) can be useful here.
In closing, can you say what makes SAST SOLUTIONS so unique in attracting potential customers?
Our software is enhanced regularly with innovative features that arise directly from our own practical project experience. A real USP on the market, however, is certainly our brand-new security dashboard, which was added to the SAST SUITE in the most recent release.
Some SAP customers have to monitor the results of around 2,000 individual check processes from 300 SAP systems daily in practice, to identify vulnerabilities caused by critical configurations and conspicuous user behavior. Our security dashboard makes this simple and in real time. You can navigate through the different levels, all the way down to the details of a specific alert.
The security dashboard in the SAST SUITE assesses the current security status at the touch of a button, based on predefined risk indicators, identifies the causes of security vulnerabilities, analyzes and illustrates developments over time, and provides valuable risk information at a glance at all times. Through this approach, companies can achieve a level of transparency that allows end-to-end real-time monitoring, which in turn enables rapid, qualified responses to unforeseen threats to a very large extent.
Thank you for the interview, Mr. Kempf.
Tanja Dietz (Head of Business Development SAST SOLUTIONS)
Ralf Kempf (CTO SAST SOLUTIONS)
For more information, also read the original article from the December issue of Enterprise Security Magazine, Page 18.
Further interviews with Ralf Kempf: