How to build a stronger, or a better, security and compliance foundation for your SAP landscape. All right. So that's the typical SAP disclaimer that we would have to look at for a couple of seconds, at least at the beginning of each presentation. And then we can look at our presentation. So I would like to go through these four topics here with you today.
So what types of attacks do we see? We actually saw and discussed a lot about this in other presentations during the day. Then we are going to look at the structured approach for SAP cybersecurity, map our SAP products to the NIST cybersecurity framework, and talk a little bit more about the NIST cybersecurity framework and the SAP products in that way, and how they can help to protect SAP systems against fraud, against cyber attacks and data misuse. Right.
Well, the first question, which has actually been answered quite often during the other presentations: are SAP systems under attack? Well, when we look at the news, what we see very often are attacks on the IT infrastructure. That is where CISOs are very aware, and that is where companies already invest quite a lot of money today to protect against attacks from outside, but as well, for sure, from inside.
But, and that has been said as well already today, the people in security or IT infrastructure security speak a completely different language than SAP people, people coming from the SAP side or SAP security. So those parties usually don't understand each other.
And since the CISOs are mainly looking, first of all, into the IT infrastructure landscape, they are often somehow not focusing so much on the SAP systems, which they actually should, to be able to protect the SAP environments as well. Because if I am a hacker and I want to get to the real data of a company, I would not try to go by network sniffing or by any other type of attack in the direction, maybe, of the database.
If I would be able to hack the database, yes, fine, great.
I will end up with thousands of tables, millions of entries, and eventually they are completely encrypted, so I cannot really read the data. And if I would be able to read the data, then it's a mess to combine the right tables and to get the right information out of such an SAP system. So finding access to an SAP environment somehow, maybe via a privileged user, maybe via an unpatched system, is then a great opportunity for a hacker to be able to get into an SAP system.
And as soon as he has got appropriate authorizations within such an SAP environment, then he can, for sure, look up any kind of transaction, look up any kind of IP information of the customer, or look at any kind of HR information or business transaction, and can start manipulating or spying out any kind of information in the SAP environment.
And that is then a real attack on an SAP environment.
And this is what we see in the field or in the news as well, because every time we look in the news and we are talking about this and that amount of data having been stolen or copied from an environment, we simply have to quickly get our heads around it and think what types of application systems sit on top of these databases, or where this data is usually used. And that is, for sure, very often the case within SAP systems, since SAP is the biggest vendor worldwide for ERP systems. So we have to take care of our SAP environment as well.
And that's what SAP has been doing for the past years, and is trying to do even harder nowadays, with every week.
I get news about what we do here and what we do there, updating and getting more products on the market, making our products more secure, helping our customers to secure the environment, and making our customers more and more aware that it is important to look at the SAP systems as well. Many of you may have seen the SAP Secure Operations Map; it has just recently been updated.
Well, "recently": it's actually already one and a half years ago that this update was done. The older version of the SAP Secure Operations Map was more of a purely technical operations map, and this rework now integrates more. I'm quite happy with this version at the moment. We are already working on another update for this, but I'm already happy with this one because it sets the organization on top of the whole list here.
It sets awareness of the topic cybersecurity on top of the list, and sets security governance and the overall risk management on top of the whole picture, when we are talking about organization, processes, application systems, and the whole IT environment that sits underneath. So for me this is really organization, awareness, people, organization, processes, and then we follow into the applications and into the technology.
And this is where a real mind shift has gone through SAP as well, going in this direction of people, processes and technology. And this is what has been reflected, for me, within the Secure Operations Map here. And then we can start talking about the processes: the regulatory compliance processes, data privacy protection processes. We can talk about audit and fraud management, and that's where this map then helps our customers to get involved with these topics.
On the application layer, we have the topics of user identity management, authentication management, single sign-on and custom code security. On the system level, and I'm not so happy with this at the moment, security monitoring and forensics is only being named in the system environment; it should be across the application as well, because this is what we have to monitor as well, because that's exactly where our data is. But the most important part for me in this diagram is more or less the secure SAP code.
So this is actually the part where we are talking about patching of the SAP systems. Do you all know SAP delivers new security patches on a monthly basis? And we've seen very severe security patches, or very severe vulnerabilities, in the past year or two years.
And customers are still not patching them in a feasible time. And the systems are often facing the internet. And then, for sure, hackers can log onto these systems or exploit the vulnerabilities that are left open.
So I can only encourage everyone, each and every single company in the world: as soon as the patch is out, you have to patch the systems as soon as possible, because it only takes days and hours for hackers to create an exploit and then start really exploiting SAP environments that are accessible via the internet. So patch, patch, patch your SAP environment, because that is the most important and very, very first thing that you would have to do to get a more secure SAP environment, right?
Hopping over to the next slide, which gives you a little bit more depth and breadth about how SAP actually supports the intelligent enterprise. We have our logo here for the intelligent enterprise, which sits right in the middle of this slide, and surrounding it is really people, processes and technology. But why do I have technology underneath here, with people and processes more in the focus? That is the way it should really be at the companies, because if I don't have the right people, or not enough of them, I don't have the right processes.
I will simply fail to implement the right technology, or to choose the right technology here. To my knowledge, yes, there is great technology that can be used, but without the people having the right knowledge in their heads, they cannot apply the right patches to the right systems, get the right switches done, and get all the vulnerabilities from the past removed from the systems.
So really turning red flags green is the job that has to be done, and that is not being done by technology.
Technology only shows the red flag, and we still have to switch these flags to green flags, or make them become green. That's mostly a manual task, and this is then really people and processes behind it. Because if I don't have a process, for example, to secure my SAP gateway, an administrator on his own will not be able to secure the SAP gateway.
If there is no process, if there is no governance behind this, because if he forgets just a single server that connects once in a while to the productive environment, and there is a super important process behind this that the administrator may have missed, he cannot simply close the gateway for this particular server, and maybe he's getting fired then.
So this is all a top-down approach that we have to go through, through the whole business unit and organizations. And that's why we have that awareness on top of this here.
And awareness here is a kind of a gateway as well to people, processes and technologies protecting the intelligent enterprise. But when we're talking about really securing the intelligent enterprise, we actually have these four pillars that we have to discuss. We have the identity and access governance area. We have data protection and privacy. We have cybersecurity, and we have the area of enterprise risk and compliance. And this is only touching the different areas. And for sure, that's where SAP has products as well, or works together with partners.
But these products and this information, this is a circle, and all these different types of products and processes have to communicate with each other as well, because what can I do with identity and access management only? Identity and access management has to report into cybersecurity as well.
Data protection and privacy has to report into cybersecurity as well, because that's where my data control is. That's where my data masking is. That's where my data custodians sit, and these technologies have to communicate with each other.
And this is partly a roadmap to establish this at SAP as well. But this is what we are doing here today already with the products at SAP. What we found out as well is very important, and that's one of the main problems, in my opinion, in organizations today: at the moment, it is very difficult to quantify the real risk that is coming from a single vulnerability in the area of cybersecurity, or in the area of identity and access governance, or within the data protection area.
And as long as we are not able to quantify the risk, nobody at board level will be able to recognize that there is a real threat to his business, because it's not quantified.
It's just a red flag somewhere. And as soon as we are able to quantify all the risks and visualize this to a board level, then we get into the position to make the C-level really more aware of the situation that systems might be under attack, systems might not be patched or might include vulnerable code, and so on and so forth.
And so that's where that whole circle actually comes together, within audit management, within business integrity screening, within three lines of defense. And then that all goes into process control and into risk management, because every cybersecurity risk is a risk to a company. Every risk to data privacy is a risk to the company, and it's got to be treated equally to any other kind of business risk.
And this is what we are trying to achieve when we are looking at the SAP products here. All right, what we've done in the past as well was to start looking at the NIST cybersecurity framework. This cybersecurity framework was already mentioned several times here today as well,
and in other speeches. The cybersecurity framework just gives you a guidance where to start and how to start. And this is where we have the identify, protect, detect, respond, and recover pillars within this cybersecurity framework.
And just flipping through this a little bit. Oops, that was a little bit too fast. We really have to identify where the crown jewels are in our SAP environment: which are the most important SAP systems, where the most important data sits. That's actually the area where I can start protecting these systems, so I can start classifying these systems, always keeping in mind that these systems have communication paths among each other, and all the systems that are communicating with each other have to be on the same security level as well.
So we should not only focus on productive environments.
We should always focus on Solution Manager and such systems as well. They are often neglected. But this is where SAP can really help. This is where we know the business environment is. This is where we can do a first risk assessment. This is where we can start doing and planning a real risk management strategy together with the services of SAP, for example. And then we can start talking about the other pillars, and it is not really a 1, 2, 3, 4, 5 of pillars.
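The classification rule from the identify step above (systems that communicate with a crown jewel must sit on the same security level, Solution Manager included), as an added example in Python that is not part of the presentation or of any SAP tool; the system IDs, security levels and communication paths are a constructed inventory.

```python
"""Propagate security classification across SAP system communication paths.

Added example, not from the presentation or from SAP. Assumes a constructed
landscape inventory: each system has a declared security level and a list of
systems it has a communication path with (for example an RFC destination).
Rule from the talk: every system communicating with a crown-jewel system has
to be on the same security level as that system, transitively.
"""
from collections import deque

LEVELS = {"low": 0, "medium": 1, "high": 2}

# Constructed sample inventory (not real SIDs or connections).
LANDSCAPE = {
    "PRD": {"level": "high", "links": ["SOL", "BW1", "PI1"]},  # productive ERP
    "BW1": {"level": "high", "links": ["PRD"]},
    "PI1": {"level": "medium", "links": ["PRD", "DEV"]},
    "SOL": {"level": "low", "links": ["PRD", "DEV", "QAS"]},   # Solution Manager
    "DEV": {"level": "low", "links": ["PI1", "SOL"]},
    "QAS": {"level": "medium", "links": ["SOL"]},
    "SBX": {"level": "low", "links": []},                      # isolated sandbox
}

def neighbours(landscape):
    """Communication paths are treated as undirected: either side is a way in."""
    adj = {sid: set(landscape[sid]["links"]) for sid in landscape}
    for sid, peers in landscape.items():
        for peer in peers["links"]:
            adj.setdefault(peer, set()).add(sid)
    return adj

def required_levels(landscape, crown_jewels):
    """Return the security level each system must have.

    Breadth-first from the crown jewels: any system reachable over a
    communication path inherits at least the level of the jewel it reaches,
    because a compromise of a lower-level neighbour is a path into the jewel.
    """
    adj = neighbours(landscape)
    required = {sid: "low" for sid in landscape}
    queue = deque()
    for sid in crown_jewels:
        required[sid] = landscape[sid]["level"]
        queue.append(sid)
    while queue:
        sid = queue.popleft()
        for peer in adj[sid]:
            if LEVELS[required[peer]] < LEVELS[required[sid]]:
                required[peer] = required[sid]
                queue.append(peer)
    return required

def classification_gaps(landscape, crown_jewels):
    """List (sid, declared, required) for systems classified too low."""
    req = required_levels(landscape, crown_jewels)
    return sorted(
        (sid, landscape[sid]["level"], req[sid])
        for sid in landscape
        if LEVELS[landscape[sid]["level"]] < LEVELS[req[sid]]
    )

if __name__ == "__main__":
    for sid, have, need in classification_gaps(LANDSCAPE, ["PRD"]):
        print(f"{sid}: declared {have}, required {need}")
```

In the constructed inventory every system reachable from PRD, including the low-rated Solution Manager, ends up needing the "high" level, while the isolated sandbox keeps its own rating.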
So I can start working on the left-hand side and work through from identify to protect, detect, respond, and recover, while identify is, yeah, pretty clear. That is the first thing that I would have to do. And then I can go into the protection mode. I have to have my access control set up, get my segregation of duties done.
I have awareness trainings internally. So we are SAP.
We're doing lots of awareness trainings internally. We are getting phishing emails on a frequent basis, actually sent to us by our internal guys, just to see if somebody clicks on these links, to make sure everybody in the company is aware that you should not click on these links. And sometimes these emails are getting better and better as well. And sitting on the sofa on a Sunday afternoon, maybe it is very dangerous that you click one of these links, and there could be real phishing links.
So awareness training is a very important part when talking about cybersecurity here as well. And then we can start talking about data security, information security, and now we can start talking about all the different types of protective technologies, where we have our vulnerability management for coding, for configuration, and so on and so forth.
And then we can talk as well about the detection area, where we have to find out about the anomalies happening within system configuration, for example, or in user behavior or in data behavior.
And we have to continuously start monitoring this information and have the right detection processes on board, to be enabled to respond as well to any kind of anomalies or any kind of unusual events that might occur. So I can then hopefully trace down a hacker's activity as fast as possible. And then, for sure, companies would have to have a plan as well for how to recover from such a security breach or from such an attack on an SAP environment, and this has got to be trained as well. So what do I do when something happens to my SAP environment?
Can I just simply switch it off?
Can I expel the user? I have to think about this first, and doing this thinking gets the companies really more and more into the position to be more resilient, to be able to recover from a threat or to prevent the threat beforehand. Right. What we've done then within SAP is start looking at all the different types of products and solutions that we deliver to our customers. So we've created this slide. When looking at this slide, we have the green products, which are standard products.
This is what SAP delivers out of the box. This is what customers already have. They only have to enable it and use it to protect their environment. So this all comes for free and can be used by the customers, and if this is being used extensively, it already gets you to a very good, I would call it, security status. But for sure you can enhance the security status when introducing other tools from SAP or from other vendors, and then enhance your security and your security maturity over this.
And then we have the blue-marked cybersecurity solutions, and the yellow-marked compliance solutions within this diagram, and service and support solutions we can have a look at as well. Opening this up a little bit in the direction of the HANA database, there's another bunch of solutions there as well, for authorizations, encryption in HANA, and data masking as well. So if an administrator logs onto the system, he should not be able to see the data, and that's where we can anonymize the data then as well.
And all of this information then really has to go back into the process control area, into risk management and into cybersecurity dashboarding. And that's an area where SAP is working on as well, right? Drilling deeper into each and every single solution here would take another half an hour or something like this.
So I'll just flip through this with you quickly. When starting to talk about security inside the company, I would have to know, first of all, what the patch status of my SAP environment is and which vulnerabilities are open.
And the best thing I can do at the very beginning is not to start doing a penetration test. This is what I hear very often.
Yes, we've done a penetration test for our SAP environment, and we came across some vulnerabilities that have been left open for years, and we have to implement the patches now, and so on and so forth.
Yeah, thanks, customer. You could have seen these vulnerabilities already when having a look at the SAP EarlyWatch report, because that's where you can find most of the most important and critical vulnerabilities that have been known in the past years.
And this is updated on a frequent basis as well. So with just a look into the EarlyWatch service, that's where you already find quite a lot of information, and then you can start going into SAP Configuration Validation. You can have a look at System Recommendations.
We provide several pages from the SAP environment, like the Trust Center and the Secure Operations Map page, where we provide lots of information to our customers about cybersecurity. And then we can go in the direction of the more enhanced solutions for cybersecurity. That's where we can start talking about Focused Run, because actually cybersecurity is as well, in my opinion, a topic that should be completely embedded in the overall operation of an SAP environment.
So it should be a tool that is completely integrated into the basis technology as well, because it is the administrators who have to set the flag from red to green, clear the password hashes from tables, get policies done within the environment for passwords, and for all the other kinds of controls that we have here. That can be done with Focused Run very extensively.
And that's a tool with which SAP supports huge landscapes as well, with the overall operation of SAP systems. And that includes the secure configuration and the patch management as well.
So we can see here as well a gap analysis between which patches are implemented, which parts of a patch are implemented, and whether there are manual steps to be done. That can be visualized here in Focused Run as well. Now we can start talking about code vulnerability analyzers. The ABAP Test Cockpit is one of the oldest tools; it's already there inside of your SAP environments. And on top of this, you can use the SAP Code Vulnerability Analyzer, which is actually already there in your systems too, but you would have to license it, as it
is marked blue in this PowerPoint here. And then, for sure, for every single coding activity that you do on top of the HANA database, you can use solutions like SAP Fortify by Micro Focus, or you use Checkmarx, for instance, to make sure that the whole ABAP coding and non-ABAP coding does not contain any security vulnerability. Single Sign-On is then one of the most famous solutions from SAP; it brings in a very huge benefit when we don't find too many passwords underneath the keyboards as well.
And that's where we can then talk about user and identity management there too. And Access Control is one of the compliance solutions as well. SAP Data Custodian becomes more and more interesting to all of the companies that go into the cloud, that run their SAP systems on a hyperscaler, and everybody from worldwide is accessing this data. And that's where we have the possibility to restrict access via geolocation, via other attributes of the users.
So I cannot access all the data from my company, for instance, when I'm logging on from China and the system is residing in Europe or in the US, for instance. So I can restrict the access, or I can just simply mask this information in the screen and just not show the value anymore. And this is a part of the solution that we have in UI Data Protection Masking and Logging as well.
So that's where we can mask each and every single critical field before it can be accessed by a user. Just a very simple use case: as an HR employer,
yeah, employee, I have access to all salary information, but I should not see all salary information. Each time I access the data record there, the salary information can just be masked. And I can only see the salary information if I do a reveal on demand for such a case, and then the value is being displayed to me; I can change it and then store it back again in the system. And then we have the area of detect and respond, where we have SAP Enterprise Threat Detection, where we can correlate all the different events in an SAP environment.
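The salary use case just described (masked by default, reveal on demand, every reveal logged) together with the geolocation restriction mentioned for Data Custodian, as an added Python example that is not the presentation's code and not SAP's UI Data Protection Masking and Logging or Data Custodian products; the policy, region names, roles and the employee record are constructed.

```python
"""Field-level masking with reveal-on-demand, location check and access log.

Added example, not from the presentation and not SAP's product code. Models
the talk's use case: a user is authorized to read an HR record, but a critical
field (salary) is masked by default, is shown only after an explicit reveal
that passes a region and role check, and every reveal or refusal is logged.
Region names, roles and policy values are constructed.
"""
from dataclasses import dataclass, field

MASKED = "******"

@dataclass
class Policy:
    sensitive_fields: set    # fields masked by default
    allowed_regions: set     # logon regions allowed to see unmasked values
    reveal_roles: set        # roles allowed to reveal on demand

@dataclass
class AccessLog:
    entries: list = field(default_factory=list)

    def record(self, user, record_id, fld, action):
        self.entries.append((user, record_id, fld, action))

def view_record(record, user, policy, log):
    """Return the record as the user sees it: sensitive fields masked."""
    out = {}
    for key, value in record.items():
        if key in policy.sensitive_fields:
            out[key] = MASKED
            log.record(user["id"], record["id"], key, "masked")
        else:
            out[key] = value
    return out

def reveal_field(record, fld, user, policy, log):
    """Reveal one masked field on demand, or refuse and log why."""
    if fld not in policy.sensitive_fields:
        return record[fld]                       # nothing to reveal
    if user["region"] not in policy.allowed_regions:
        log.record(user["id"], record["id"], fld, "denied:region")
        return MASKED
    if not (user["roles"] & policy.reveal_roles):
        log.record(user["id"], record["id"], fld, "denied:role")
        return MASKED
    log.record(user["id"], record["id"], fld, "revealed")
    return record[fld]

# Constructed sample data.
POLICY = Policy({"salary"}, {"EU", "US"}, {"HR_PAYROLL"})
RECORD = {"id": "E-1001", "name": "Example Employee", "salary": 72000}
HR_USER = {"id": "hr1", "region": "EU", "roles": {"HR_PAYROLL"}}
REMOTE_USER = {"id": "hr2", "region": "APAC", "roles": {"HR_PAYROLL"}}

if __name__ == "__main__":
    log = AccessLog()
    print(view_record(RECORD, HR_USER, POLICY, log))
    print(reveal_field(RECORD, "salary", HR_USER, POLICY, log))
    print(reveal_field(RECORD, "salary", REMOTE_USER, POLICY, log))
    print(log.entries)
```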
And then see if there are any security-relevant activities in the system. Same with Business Integrity Screening, which is more related to the business side. So if maybe you see some flip-flop of bank accounts before a payment run and stuff like this, that's where we can then help our customers with Business Integrity Screening. All right.
So due to the time constraints within this presentation, we skipped quite a few slides, but I've uploaded the whole slide deck, where all of these solutions are explained in a little more detail, and you can download this from the event platform.