Results from the 2nd Annual SAP Security Research Seminar
I was recently asked: “What is the most challenging security problem SAP has to solve?” There is a clear answer to it. We must balance two things: The importance of daily security operations, by responding to known threats, while monitoring new cybersecurity trends to be prepared early for new kinds of attacks. Security is a constantly moving target, and we must stay prepared by engaging in continuous learning and research.
A few weeks ago, I participated in the 2nd Annual SAP Security Research Seminar at SAP Labs France in Mougins. This event was part of an annual series of invitation-only seminars that began last year. Dedicated to an exchange with selected academic thought leaders in cybersecurity, and related topics. for the 2019 series, 13 renowned professors from Universities in Canada, the U.S., France, Germany, Italy and the UK spent two days with SAP security researchers, executives and customers. This year it was a pleasure to meet SAP’s Chief Security Officer, Tim McKnight, as attendee and active contributor at the seminar. Selected security topics were presented from different points of view and lively debate by prominent experts ensued. The open exchange allowed us to gain insight into SAP’s security challenges, understand academia’s approach, and to engage in a discussion about how scientific research and the industry’s innovation needs are able to align for mutual benefit.
Machine Learning is a hot topic nowadays and was discussed at length during the Seminar. Experts from engineering and security research discussed the crucial role of Machine Learning in Security. SAP’s strategy is based on the belief that the next era of enterprise computing will be defined by intelligent technologies such as Machine Learning and security is not an exception: The Intelligent Enterprise must have intelligent security. Cyber-attacks have become increasingly complex, diverse, and automated and are now often powered by intelligent technologies. As a result, enterprise systems need to have a similar, if not better, level of security during all phases of the software lifecycle.
New Kinds of Attacks
Malicious 3rd Party Software was the title of our second track. This topic presented yet another challenge: how do organizations balance daily operations with new trends? A major security challenge for a large software vendor is to ensure that software is free of vulnerabilities, backdoors and other malicious code as much as possible. Driven by this “zero vulnerabilities” vision, we discussed the recent subtle threat of malicious open source components, including the question of how malicious 3rd party code in the supply chain can be systematically detected and mitigated. While research tries to master this new trend, the industry still heavily faces Cross-Site-Scripting in open source, as was mentioned in one presentation. We need to deal with both, the well-known Cross-Site-Scripting, now in open source, and the new trend of malicious code harming the complete software supply-chain.
I see an active discussion ongoing in the EU, in the U.S. and other areas of the world about how much we can rely on technologies from other countries. And what kinds of foreign technologies are needed to allow for critical infrastructures and important economy drivers, to offer the best and most secure technology. Some answers to these questions were provided during the session “Cryptography for auditable Software Execution”.
The digital transformation is a fundamental change in all business organizations and SAP is accompanying its customers along this journey. But what are the privacy challenges? Vast amounts of data are collected, shared, and processed over cloud and open platforms. Much of this data is sensitive, e.g., personal or strategic business data, and needs to be protected, while at the same time we can benefit from its value for analytics and Machine Learning driven applications. Hence, data needs to be protected when processed and it needs software execution to be auditable. Cryptography can provide adequate means to verify the processing of data, as showed by two different and innovative approaches that were presented and discussed during the seminar.
As introduced initially, we need to master our current business while anticipating the technology evolution. One extreme instance of this motto was presented and discussed in the “Privacy-Preserving Computation” session.
Two different technology perspectives for “blind computation” were presented. One resides in the classical, digital technology, and proposes a solution for decision trees. The second approach looks further into the future assuming the availability of Quantum technology and introducing a blind computation algorithm for a Quantum computer. The race between classic computing and Quantum computing has only just begun.
The SAP Security Research Seminar 2019 concluded with a panel discussion on the security of the industrial Internet of Things (IoT). The podium was prominently casted with participants from Universities, industrial research and industry stakeholders. Questions and security challenges discussed included, among others; the trend towards distributed application logic at the edge, the inclusion of Machine Learning in IoT use cases, and the impact of the frequently risen demand for IoT security certifications.
I, like the members of the audience, appreciated the thoughts, insights and discussions triggered by looking at strategic security research topics from both the academic and the industrial viewpoints. The overwhelmingly positive feedback from external guests and SAP participants tells us that the 2019 edition of the SAP Security Research Seminar was a real success.
I would like to express my sincere appreciation to our guests from academia as well as the internal and external presenters, all seminar participants and the organization team.
Stay tuned for the 2020 Session, where we will learn more about how to balance security operations with new security trends.
For more information about SAP Global Security and SAP Security Research go to the SAP Trust Center at www.sap.com/security.