Security projects do not stop at the authorization concept

Expert talk of IT-Onlinemagazin with SASTAn end-to-end security strategy must also include regular checks, maintenance, and protection of authorizations, installations, and proprietary developments against internal and external threats – especially in an SAP landscape. But what roles do project organization and project management play when it comes to improving SAP security?

 

The following interview between Helge Sanden (Editor in Chief of IT-Onlinemagazin) and Ralf Kempf (CTO SAST SOLUTIONS) was published in IT-Onlinemagazin on April 26, 2022.

What do you think are the greatest challenges that CIOs and CISOs face right now?

One challenge that all IT executives probably face is the shortage of experienced specialists and the resulting competition for new talents. Targeted efforts at further education and training can only partially compensate for this, however. Well-conceived automation steps in the cybersecurity area are crucial to countering the huge lack of resources.

At the same time, it is also important to give end-to-end consideration of security in hybrid IT environments. The trend continues to move away from classic, standalone ERP solutions and toward fully integrated, intermeshed IT system networks that include both SAP and non-SAP solutions.

Another challenge that we repeatedly see in security projects is how companies deal with shadow IT. Employees often install new software – often freeware – to handle specific needs, without obtaining prior approval. Such implementations are almost never compliant, to say nothing of based on a utilization concept. In such cases, vulnerabilities are all but certain. 

SAP know-how and awareness of security needed

Nearly four of five SAP customers intend to invest in improving their cybersecurity, according to the DSAG Investment Report 2022. What do they have to watch out for here?

Companies often try to start with identifying vulnerabilities through automated processes. Recognition isn’t easy to learn, however, and often results in “overlearning” or incorrect learning, with the result that the algorithm fails to respond to actual threats.

We primarily advise our customers to automate and optimize the provisioning of information. A common, end-to-end, enterprise-wide baseline for IT security is decisive here, because it is the only way for SIEM and SOC teams to include SAP systems in their efforts. Dedicated security dashboards offer a key benefit, in that they make the current security situation transparent. Results can be clearly visualized for security teams and changes to the threat situation can be identified and acted upon quickly.

Here, in particular, the targeted expansion of knowledge for internal security efforts has one of the greatest impacts. After all, attack scenarios have to be truly understood in order to be prevented effectively. 

How important are the project organization and project management in security projects?

Like the IT environments they protect, security projects have become much more complex. Well-conceived user and authorization management alone is no longer enough for successful security projects. In addition to the authorization concept, the infrastructure, system interfaces, databases, and customer ABAP developments also have to be scrutinized.

All of these factors have to be considered using state-of-the-art technology. What’s more, spot checks have long lost their effectiveness even if the content is correct – this applies to the source code in particular. New vulnerabilities arise every day, with varying levels of relevance, making continuous checks essential – ideally in real time. All of this means that modern security projects essentially never end; they are subject to constant evolution.

Another factor, particularly in the SAP area, is that areas such as SAP Basis, authorizations, and source code are often separated, both organizationally and in terms of responsibility. All of these areas have to be joined within the project and all activities have to be coordinated, for the benefit of everyone involved. As such, overcoming barriers to communication and enabling the departments to talk with one another are essential to success.

Case story on the SAP system hardening project

What will you be talking about at the IT online conference in May?

We are happy to have enlisted Sven Ruffershöfer as a speaker for this conference. He will provide exclusive insights into the SAP system hardening project at DATEV eG and describe the obstacles that they underestimated, as well as how they ultimately succeeded in executing the security project across all departments – including Basis, authorizations, and source code – through targeted collaboration.

As part of its all-encompassing SAP security strategy, DATEV eG also checked its authorizations, installations, and proprietary developments for internal and external threats. Its lack of internal expertise in functional and organizational matters was no reason for the company to procrastinate in matters of SAP security and we were engaged to provide expert support to the project at a very early stage.

What do you expect the dominating security topic to be among the SAP community in the next 12 months?

Given the current risk situation in Eastern Europe, as well as worldwide, hacking attacks aimed at sabotage – rather than espionage and monetization (ransomware) – are an increasing focus. This applies to highly critical enterprise areas in particular.

While ransomware has been used primarily for extortion attempts and financial gain in the past, it could be deployed more for political purposes in future, with the aim of rendering companies permanently unable to conduct business.

As such, when it comes to cybersecurity, it is more important than ever to not only pursue quick wins and try to balance the costs of security measures against the probability of suffering damages, but instead to give top priority to safeguarding your ability to do business and protecting the continuing existence of a company.

Thank you for the interview.

Helge Sanden, Editor in Chief of IT-Onlinemagazin, asked the questions.

Helge Sanden IT-Onlinemagazin
Helge Sanden (Editor in Chief of IT-Onlinemagazin) 

Ralf Kempf (SAST SOLUTIONS)
Ralf Kempf (CTO SAST SOLUTIONS)

Would you like to dive deeper into this subject? We recommend our SAST Expert Talks, at 10:30 a.m. on May 19, 2022 at the IT online conference (in German). Together with Sven Ruffershöfer (instructor in SAP system design | DATEV), Ralf Kempf will report on the successful protection of SAP systems at DATEV. Registration: https://t1p.de/u0ryv

 

Further interviews with Mr Kempf:

Why are SIEM tools blind to SAP? An interesting question, and not only for operators of critical infrastructure who are migrating to SAP S/4HANA.

Interview with Ralf Kempf and Norbert Klettner – Cybersecurity in logistics: Multinational attacks on the weakest links in the chain