It's a debate worth having at any time: should organizations stick with the default security configuration an application ships with, or design their own controls on top of it?
In today's digital world, keeping sensitive business information safe is more critical than ever. Organizations rely heavily on SAP systems, connected to many other applications, to run their operations, so strong security measures are paramount. One key debate in this realm is whether organizations should adhere to the standard security configurations that the applications provide, or design additional layers to enhance security.
Let's break down these two approaches: "Security by Default" and "Security by Design."
As the name suggests, "Security by Default" means sticking to the pre-established security settings provided by SAP or other applications. I am limiting this blog to SAP applications, as the subject itself is vast. SAP applications ship with the following security measures by default:
While the default security capabilities provide a certain level of assurance that applications are protected, the question remains: is this level of security truly sufficient? If you are prepared to answer "yes", it is worth revisiting your stance in light of the latest 2024 Cyber Crime Statistics (updated February 2024).
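To make the difference between "default" and "designed" concrete, here is an added example (not code from the original post) that audits an SAP ABAP instance profile against a hardened baseline. The profile excerpt is constructed for illustration, the kernel default values are assumed, and the baseline targets (minimum password length 12, lock after 3 failed logons, 90-day password expiry, no automatic SAP* user, GUI auto-logout within 30 minutes) are an assumed hardening target, not SAP's own recommendation. Parameters absent from the profile fall back to the assumed kernel defaults, which is exactly the "Security by Default" state the post describes.

```python
"""Audit an SAP profile against an assumed hardened baseline.

Added example, not from the original post. The profile text is
constructed; defaults and baseline targets are assumptions.
"""

# Constructed DEFAULT.PFL excerpt in SAP's "parameter = value" format.
# login/no_automatic_user_sapstar is deliberately left unset.
SAMPLE_PROFILE = """
# DEFAULT.PFL (constructed sample, system left at defaults)
SAPSYSTEMNAME = PRD
login/min_password_lng = 6          # kernel default
login/fails_to_user_lock = 5        # kernel default
login/password_expiration_time = 0  # 0 = passwords never expire
rdisp/gui_auto_logout = 0           # 0 = no automatic logout
"""

# Constructed profile after a "Security by Design" hardening pass.
HARDENED_PROFILE = """
SAPSYSTEMNAME = PRD
login/min_password_lng = 12
login/fails_to_user_lock = 3
login/password_expiration_time = 90
login/no_automatic_user_sapstar = 1
rdisp/gui_auto_logout = 900
"""

# Assumed kernel defaults applied when a parameter is not set in the profile.
ASSUMED_DEFAULTS = {
    "login/min_password_lng": "6",
    "login/fails_to_user_lock": "5",
    "login/password_expiration_time": "0",
    "login/no_automatic_user_sapstar": "0",
    "rdisp/gui_auto_logout": "0",
}

# Assumed hardened baseline: parameter -> (comparator, target).
BASELINE = {
    "login/min_password_lng": (">=", 12),
    "login/fails_to_user_lock": ("<=", 3),
    "login/password_expiration_time": ("between", (1, 90)),
    "login/no_automatic_user_sapstar": ("==", 1),
    "rdisp/gui_auto_logout": ("between", (1, 1800)),
}


def parse_profile(text):
    """Parse 'key = value' lines; '#' starts a comment; later keys override."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def _meets(op, target, value):
    """Evaluate one baseline rule against an integer parameter value."""
    if op == ">=":
        return value >= target
    if op == "<=":
        return value <= target
    if op == "==":
        return value == target
    if op == "between":
        low, high = target
        return low <= value <= high
    raise ValueError(f"unknown comparator {op!r}")


def audit(profile_text):
    """Return a list of (parameter, value, source, compliant, rule) findings."""
    params = parse_profile(profile_text)
    findings = []
    for name, (op, target) in BASELINE.items():
        if name in params:
            raw, source = params[name], "profile"
        else:
            raw, source = ASSUMED_DEFAULTS[name], "kernel default (assumed)"
        rule = f"{op} {target}"
        try:
            value = int(raw)
        except ValueError:
            findings.append((name, raw, source, False, rule + " (non-numeric)"))
            continue
        findings.append((name, raw, source, _meets(op, target, value), rule))
    return findings


def noncompliant(profile_text):
    """Names of parameters that fail the baseline, in baseline order."""
    return [f[0] for f in audit(profile_text) if not f[3]]


if __name__ == "__main__":
    for label, text in (("defaults", SAMPLE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} ==")
        for name, value, source, ok, rule in audit(text):
            print(f"{'PASS' if ok else 'FAIL'} {name} = {value} [{source}] wanted {rule}")
```

Run as a script it prints a pass/fail line per parameter for both profiles: every parameter in the default-state profile fails, including the one the profile never mentions, because the assumed kernel default is what takes effect. These five logon parameters are only an illustration; a real review covers many more parameters and should take its target values from SAP's own security baseline guidance rather than from this example.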
Now let's look at Security by Design and how it can help secure the system with additional layers of security.
Embracing Security by Design
"Security by Design" goes beyond implementing the standard security measures. It integrates security considerations into the entire development lifecycle of SAP solutions. It emphasizes proactively identifying and addressing security risks at every stage, from design and development to deployment and maintenance.
How to implement Security by Design?
Identifying and implementing the various controls needed to secure a system is a tedious task, so it is advisable to adopt a framework or model. One such model is the Security Operations Map (SOM), a reference model that structures the broad areas of cybersecurity. It establishes a solid foundation for conducting a comprehensive 360-degree review of cybersecurity and compliance practices within customer landscapes.
The SOM was crafted from SAP's insights into security needs across industries. It can also be aligned with other well-known cybersecurity frameworks such as the National Institute of Standards and Technology's Cybersecurity Framework or the German Federal Office for Information Security's IT-Grundschutz. What sets the SOM apart is that it applies globally across the SAP environment. Read the SAP Insider article for more detail on the SOM.
Security Operations Map (SOM) as per NIST framework (Source: SAP)
Wait!! Am I endorsing the concept of Security by Design?
Not at all. In fact, the answer isn't straightforward and largely depends on various factors, including the organization's risk tolerance, regulatory requirements, and the nature of its operations. While sticking to default configurations offers simplicity and consistency, it may not provide the level of protection needed in high-risk environments or in industries with stringent compliance mandates.
On the other hand, designing custom security measures allows organizations to address specific threats and vulnerabilities effectively. However, this approach requires careful planning, expertise, and ongoing maintenance to ensure that security controls remain robust and adaptive to evolving threats.
In conclusion, there's no one-size-fits-all solution when it comes to securing SAP environments. Organizations must carefully weigh the pros and cons of both approaches and develop a security strategy that strikes the right balance between effectiveness, efficiency, and compliance. Whether opting for Security by Default or Security by Design, the ultimate goal remains the same: safeguarding critical data and infrastructure from cyber threats in an ever-changing digital landscape.
Additional References:
I suggest you read my previous blog - Beyond Firewalls: A Holistic Strategy for Application and Data Security. The Security Pentagon!