The challenge with communicating about security is that everyone needs to address it, yet no one wants to talk about it. Today, SAP security has moved into the spotlight again, forcing customers to address it.
A recently published Reuters article indicated that more than 90% of SAP customers are at risk of having their systems exposed to hackers who can exploit known vulnerabilities, because those customers have not installed certain security patches. This news is not exactly new, but the timing of its release, just ahead of SAPPHIRE NOW and ASUG Annual Conference, left many security professionals working a long weekend and many customers concerned that they may not be safe.
ASUG had the opportunity at the conference last week to speak to Tim McKnight, SAP’s chief security officer, and Mariano Nunez, CEO of Onapsis, the partner that helped bring these vulnerabilities to light.
Configuration Is Key
“50,000 may be the number published, but we believe one customer is too many,” says McKnight. Both McKnight and Nunez were clear that customers have had these patches available to them for nearly ten years to protect against the integration vulnerabilities that were uncovered. “We think the issue here is primarily one of customer governance,” Nunez explained.
For legal reasons, SAP was not able to directly address where the line is drawn between SAP and the customer in terms of responsibility for the security of SAP applications, but the emphasis should be on the customer’s organization preparing to handle its own needs through the security team it already has in place. SAP is not prepared to handle the unique setups and complexities of each individual customer, which is why the burden shifts to the customer to understand which of the patches it needs to adopt to stay secure.
Meet the New Risk
The challenge lies in knowing quickly whether your security settings are configured correctly as you adopt new applications to run alongside your legacy systems. “The news is basically that the risk changed. Customers did risk assessments in the past and decided about these updates at that time based on the likelihood of someone exploiting those vulnerabilities.” Now that the flaws within the security settings have been publicized for all to see via the internet, reassessing the configuration has moved from low priority to top priority, because the likelihood of an attack is significantly higher.
Onapsis has delivered one of its proprietary tools through SAP, taking an unprecedented step by open sourcing part of its technology. The tool first helps customers determine whether they are exposed to the risk. It then triggers a fix for the exposure and continues to monitor that fix to make sure no additional pathways remain for a threat to find its way in.
Innovating for Smarter Security
McKnight encouraged SAP customers to look to the future as a quicker path to security. “Getting to the cloud faster for most companies is a smart move from a security perspective. The ability to manage security at scale has gotten better and better over the last five to seven years.” The logical conclusion is that putting the security of your systems in the hands of professionals who focus solely on security allows your IT team to minimize its own resource investment in this area and leave protection to the experts at these cloud infrastructure providers.
Nunez was also clear that you can’t leave the responsibilities related to security to just one kind of IT individual. “I would say you need both a security specialist and an integration expert working together in order to make sure that the patches are applied correctly. If you go at it with just a cybersecurity team, it won’t work because they don’t know the SAP components. The SAP team alone may not have the context for what is a real threat. So my perspective is that you need both working together.” This suggests that IT teams may have to restructure to make sure that these teams are not siloed but working together to handle the critical threats coming at them.
Find a Security Sponsor
To move on these patches, McKnight strongly suggests finding a sponsor at the executive level. “In times like this, it’s going to be easier to address. But ongoing, having someone as a key stakeholder on the business side to own this is important. Just as they would focus on disaster recovery or business continuity, they are the ones responsible for the health of their own systems.”
Interestingly, threats can also provide opportunities to take advantage of business buy-in. Nunez said, “I was talking to a CIO yesterday who said, ‘Right now I both love you and hate you. I hate you because my team had to work all weekend getting the patches set up properly. I love you because I have wanted to do this for years now but haven’t been able to get the business to invest the resources for my team to actually do it.’” Still, the quickest path to security relevance is likely to have someone sponsoring security as a topic of ongoing conversation at the executive level.
A Three-Line Defense
McKnight recommends an approach to security with three lines of defense: business users with executive sponsorship, a security team devoted to the SAP applications, and a rigorous external audit through partners like Onapsis. But ultimately, the one key takeaway is to stay up to date and implement security patches when they become available, rather than waiting to respond only after the risk changes. Adding more cloud-based workloads will also help reduce exposure to security breaches, which most often occur in legacy systems with highly customized code bases and integrations. These are the types of practical steps that minimize the business time spent on security so you can maximize the business time spent on innovating for the future.
ASUG research has discovered its own set of security truths you should be aware of when making decisions about how to protect your business.