Secure and Compliant Cloud Services to Increase Customer Trust Part 2: Introducing SAP’s New Chief Security Officer
This article is part two in a series introducing SAP’s new security and compliance leadership. For part one, please see Secure and Compliant Cloud Services to Increase Customer Trust: Introducing SAP’s New Chief Security Compliance & Risk Officer
SAP Global Security & Cloud Compliance
In the previous article, we listed the main pillars of SAP’s security strategy:
- Secure Cloud Services to protect customer business operations
- Compliant Cloud Services to meet external regulations
- Trusted Cloud Services to help customers win
We scale this through these five execution principles:
- Shift-left, to get as close to the source of risk as possible
- Cloud First, with cloud-native central security and compliance services
- Customer-centric, always aware of the needs of external and internal customers
- Data-centric, for measurable and effective security and compliance outcomes and visibility
- Automation of processes and controls
The focus is on bringing security and compliance closer to developer teams and embedding security and compliance into engineering.
Our customers don’t only expect us to be compliant. They expect our cloud services to be secure. As with compliance, with a move to the cloud customers transfer the security risks of the systems that run their most critical business operations to SAP. Our customers expect us to safeguard the systems that run their business. Having made significant progress over the past 5 years, the executive board has directed us to start a new transformation striving for excellence in cybersecurity.
Chief Security Officer Sebastian Lange was appointed to lead security for the organization and to manage the ever-increasing attack surface that comes with the continuous growth of the landscape. SAP continues to organize its security programs and processes along the NIST CSF Functions Identify, Protect, Detect, Respond and Recover, as well as the newly added Govern Function included in the version 2.0 draft, which has a particular focus on oversight.
Following the five execution principles, we will continue to expand security controls across the entire secure development and operations lifecycle (SDOL) and embed security into engineering and operations. The primary vehicles for that in the cloud solutions are secure-by-default infrastructure, platforms, and services, as well as central security services provided internally. This drives efficiency and reduces the security and compliance controls each individual team in the business units needs to meet.
Beyond the SDOL, in a vast landscape covering both public and private cloud, as well as corporate IT, we must assume breach. We will build further sophistication in our centrally managed and federated detection, response, and recovery processes. This involves a model where the business units participate in the process, contributing their solution-specific domain knowledge in supporting detection and incident response capabilities, while the central team ties all the strings together.
Building Trust Through Greater Transparency
That brings us to the third pillar of our security strategy: Trusted Cloud Services. It is not enough to be secure and compliant. We have to explain how we achieve that. In the past, we have defaulted to only sharing what we must. That left customers with only the information contained in audit reports. However, customer security teams need more from us in order to conduct their own risk management and threat modeling.
There is an ongoing evolution in the relationship between cloud providers and their customers when it comes to the security of cloud landscapes. It started with the Shared Responsibility model, where there is a clear separation between the security responsibility of the cloud provider and that of the customer. Over time, recognizing that customers were struggling with their responsibilities, the cloud industry started to turn to a Shared Fate model. In this model, cloud providers recognize their responsibility to support their customers in running more securely, for instance through more secure-by-default service configurations.
SAP takes this further with Shared Faith. Given the criticality of SAP solutions to their business operations, we have a responsibility to show our customers how we, as their cloud provider, build, run and act securely. We therefore plan to work towards greater visibility with our customers into the secure operations of our cloud services. Our new goal is to be transparent and to only withhold information if releasing it increases security risks to our customers and SAP.
This is a significant cultural change for the organization and will not be achieved overnight. Blog posts like this one have been an early start, sharing how SAP went through its own cloud transformation. However, we are now working on concrete projects to bring greater transparency into our security and compliance processes and operations, and are working on a two-year road map. It is too soon to go into details, but expect meaningful changes already in 2024.
The Next Wave of Secure Cloud Transformation
New leadership, a new focus and direction, and a new strategy set us up for the next wave of secure cloud transformation. Bon voyage to Chief Security Compliance and Risk Officer Marielle Ehrmann, Chief Security Officer Sebastian Lange, the new SAP Global Security & Cloud Compliance organization, and all our security and compliance stakeholders across the company on the next stage of this journey.
- Managing Security Risks and Cyber Resilience – How SAP Protects our Customers in the Cloud (YouTube)
- Shared Responsibility, Shared Fate, and Shared Faith: An Evolution in Trust in Cloud Services (SAP Blogs)
- EP145 Cloud Security: Shared Responsibility, Shared Fate, Shared Faith? (Cloud Security Podcast by Google)