It is interesting to watch the security world undergoing a dramatic change. The classic world of protecting the good SAP system against the evil outside with a good firewall, and relying on the closed SAP ABAP technology (known only to the good guys), no longer lives up to its promise.
The old security assurance, that SAP is so isolated and so exotic in the company network that nobody will enter the premises, has been slowly deteriorating over the last decade. Suddenly, the Internet, the Extranet and the VPNs are all over the place, connected straight to the ECC core system. SAP hacking is a standard program at any Black Hat convention.
While there are so many new security technologies in firewalls, appliances and software security frameworks, the security world at SAP is still old-fashioned. But this is also a tribute to the ever growing complexity of the SAP ecosystems. The impression of living behind a secure wall in a secret garden is just a glorified view of the past.
It is easy to say “Fix and harden the SAPRouter and Web Dispatcher”. But what if you have thousands of routes and dozens of routers and web dispatchers? Just keeping them up to date at all times is a job by itself.
Customers need to learn to manage this complexity in a new way. I know a lot of SAP sites that are discussing continuous patching, upgrading, testing and enhancing. But this by itself is a daunting task. One of my larger customers has 60 SAP systems in one tier, all related and connected. Multiply this by three and you have Dev, QA and PROD tiers with 180 machines. Tell me how to do “permanent changes” to this landscape and ensure maximum security while testing all 60 app systems in unison every time after patch day. In theory, you can add unlimited resources, 24×7 uninterrupted strategies and unlimited budget. Yes, you can solve it. But in economic terms, it is not feasible. It is the old economic story of limited resources and limited money to spend.
The first step in a new strategy for security is risk assessment. There was a great blog, Balancing Danger and Opportunity in the New World of Cyber Domain, a great summary by Derek Klobucher of the keynote speech of Gen. Michael Hayden (retired NSA Chief), who spoke to the attendees of the SAP Retail Forum 2013.
Hayden drastically stated the new security paradigm: “If you have anything of value, you have been penetrated,” Hayden said. “You’ve got to survive while penetrated — operate while someone else is on your network, wrapping your precious data far more tightly than your other more ordinary data.”
He basically stated that security is no longer about vulnerability alone. He introduced the formula that risk is always a relative value for your assets:
Risk = vulnerability x consequence.
This is the most important message for the near future for everyone involved in security: you need to manage risk. Security risk in time and over time.
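To show what “risk is a relative value for your assets” means for a landscape like the one above, here is an added example (not code from the original post) that scores a handful of constructed SAP systems with Hayden’s formula and compares patch orderings. The system IDs, the 1–5 vulnerability and consequence scales, and the assumption that a patch lowers a system’s vulnerability score to 1 are all assumptions made for the illustration.

```python
"""Risk = vulnerability x consequence, applied to a small SAP landscape.

Added example. Systems, scores and the 1-5 scales are constructed for
illustration; they are not measurements from any real landscape.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SapSystem:
    sid: str            # constructed system id
    tier: str           # DEV / QA / PROD
    vulnerability: int  # 1 (well patched, isolated) .. 5 (unpatched, exposed)
    consequence: int    # 1 (sandbox) .. 5 (core business data, regulated)

    @property
    def risk(self) -> int:
        # Hayden's formula: risk is relative to what the asset is worth.
        return self.vulnerability * self.consequence


# Constructed landscape: the most exposed systems are not the most valuable ones.
LANDSCAPE = [
    SapSystem("ECP", "PROD", vulnerability=2, consequence=5),  # ECC core, patched
    SapSystem("PIP", "PROD", vulnerability=3, consequence=4),  # integration hub
    SapSystem("BWQ", "QA",   vulnerability=3, consequence=2),
    SapSystem("ECD", "DEV",  vulnerability=5, consequence=1),  # wide open, low value
    SapSystem("SBX", "DEV",  vulnerability=5, consequence=1),  # sandbox
]


def rank_by_risk(systems):
    """Highest risk first; ties broken by SID so the order is deterministic."""
    return sorted(systems, key=lambda s: (-s.risk, s.sid))


def rank_by_vulnerability(systems):
    """The 'classic' ordering that ignores what the system is worth."""
    return sorted(systems, key=lambda s: (-s.vulnerability, s.sid))


def total_risk(systems) -> int:
    """Landscape-wide risk: the number a risk manager tracks over time."""
    return sum(s.risk for s in systems)


def patch(systems, sids, new_vulnerability=1):
    """Simulate patch day on the named systems (assumption: patching brings
    the vulnerability score down to new_vulnerability)."""
    chosen = set(sids)
    return [replace(s, vulnerability=new_vulnerability) if s.sid in chosen else s
            for s in systems]


def residual_risk_after_patching(systems, ranker, capacity) -> int:
    """Residual landscape risk when only `capacity` systems can be patched
    this cycle and the ranker decides which ones go first."""
    first = [s.sid for s in ranker(systems)[:capacity]]
    return total_risk(patch(systems, first))


if __name__ == "__main__":
    print("by risk:         ", [s.sid for s in rank_by_risk(LANDSCAPE)])
    print("by vulnerability:", [s.sid for s in rank_by_vulnerability(LANDSCAPE)])
    print("total risk now:  ", total_risk(LANDSCAPE))
    for name, ranker in (("risk", rank_by_risk), ("vulnerability", rank_by_vulnerability)):
        print(f"patch 2 systems by {name}: residual risk",
              residual_risk_after_patching(LANDSCAPE, ranker, capacity=2))
```

With a budget of two patch windows, ordering by vulnerability alone spends them on the sandbox and the DEV box and leaves the production core untouched; ordering by risk patches the two PROD systems and removes roughly twice as much landscape risk. That is the whole point of the formula: the limited budget from the previous paragraph is spent where the consequence is.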
That must be the goal, even more so for such a critical system as the central SAP system. The new security paradigm lives in real time, defending against frequent attacks, internal and external threats that try to capture or manipulate data. Organizations must face the new complexity, new organizational challenges and security risk management.
And with the risk, you need to change the security thinking from “defending walls” like in medieval castles to “pattern recognition”, to an approach where you anticipate the next attack while it is building up. Here, the technologies of Big Data, SIEM and Artificial Intelligence are emerging. In Germany, T-Systems and Telekom have a great “real life” showcase: the “Advanced Cyber Defense Center” in Bonn. (Maybe I will do a blog about it one day.)
Yes, this is a very complex and demanding world. And this is why even big companies need to talk, act and cooperate on security issues.
But this is the topic of my next blog: “Quantum Dawn – What SAP Data Centers can learn from SIFMA war games”.
Just relying on your good old firewall is a thing of the past.