Why are we doing security research at SAP?
Our world is undergoing a digital transformation, in business, society and private life. The need for physical distancing that we face in these times of pandemic even accelerates this process: working from home, virtual meetings and events, new forms of remote and online interaction, even re-inventing traditional types of entertainment like concerts and theater performances, are all indicators of digitization starting to dominate our lives, both as professionals and as individuals.
With the pervasion of digital technologies come the concerns. Can we securely navigate in this new world? Can we trust our digital counterparts? Is new technology, AI and ML in particular, causing more harm than benefit? Are we losing control? Will our data be used as ammunition in a cyberwar between corporations or even nation states? These questions have put security and privacy high on the agenda of individuals, organizations, businesses and authorities. For instance, in recent years the European Commission came up with a number of cybersecurity-related regulations, including the Cybersecurity Act and the NIS Directive. Data protection regulations like GDPR and CCPA set the standard for privacy. Almost all major ICT corporations and associations issued ethics guidelines – most prominently for the use of AI technologies – that include commitments to security and privacy being a priority. And security incidents regularly make it into the news, with vivid reactions from the public.
To keep security and privacy from becoming an existential threat to SAP’s business, we not only have to do our daily security routine (where lots of challenges remain), but also need to look into the future. Despite the great developments of the recent past, such as AI-based threat intelligence, automated security analysis and differential privacy, achieving and maintaining security and privacy is still hard work. And it is getting harder: distributed systems and the Internet of Things extend the attack surface, new technologies – always – introduce new vulnerabilities, AI empowers not only the users, but also the attackers, and the sheer number of potential security events makes it easy to overlook critical threats – to mention but a few of the issues that are not solved today and that are mission-critical for our future business.
To build a secure future for SAP, its customers and partners, at manageable effort and cost, some grand challenges need to be addressed:
- Secure and privacy-friendly data business – take full advantage of the data collected without compromising the security of the systems and the privacy of the data subjects, and ensure that data business is following ethical principles
- Trustworthy large-scale and distributed systems – build security into systems consisting of billions of entities, resulting from a complex supply chain, and demonstrate that the expected security properties are valid for such systems
- Elimination of software vulnerabilities – build software systems that are secure by design and default; integrate protective measures in development environments, cloud infrastructures and application frameworks; ensure the security testability of software and increase the accuracy and coverage of security testing tools (which means, reduce the number of false positives)
- Self-healing systems and applications – accept that security mechanisms can be bypassed (e.g., when insiders attack) and equip applications with capabilities to detect and mitigate threats while they are running
- Usable security and human factors – humans are the weakest link in the security chain (for instance, when analyzing protocols or security mechanisms, security engineers assume that it is always possible to make a human click on a link), and security technologies should make it easier for all of us to manage security and privacy preferences and assess the impact of our actions.
- Quantum-safe cryptography – Quantum technology challenges the foundation of our security technology. New cryptographic algorithms need to be designed, implemented and migrated into SAP’s technology to mitigate the threat.
At SAP Security Research, we believe that innovative technology plays a key role in inventing the future of security by addressing the grand challenges. Even if some issues, like the concept of privacy in the digital age, lawful interception of encrypted traffic, or digital sovereignty of states or federations, cannot be solved by technology alone, and the points of view might differ across varying social, economic and political contexts, technology provides the building blocks that determine what is feasible and can be implemented. Given the many yet unmet challenges in security and privacy, scientific research is the key to inventing and building the blocks that can solve them.
We conduct security research at SAP because we are convinced that security and privacy are not only needed to protect our business, but also have the potential to become a business enabler. Only by moving toward the grand challenges will digital business based on intelligent technologies meet customers’ concerns and be trusted by them. The leaders in security, privacy and trustworthy AI will also be the market leaders. And while collaboration is essential given the dimension of the challenges, we cannot just rely on academia to come up with relevant results but need to conduct our own targeted research in priority areas determined by SAP’s technology and business context. As we are driven by emerging trends and directions from the scientific community, we aim at stimulating academic research by setting priorities and strategic goals from SAP’s point of view, thus building bridges between science and business.
Together we work towards inventing the future of security – a future in which digital business and life can be conducted safely and securely, respecting human values and rights. We are ready to accept the challenges that lead us there. Please have a look at our strategy to learn about research areas and projects, and visit our Google Scholar Group for the results we have achieved in recent years.