The 2022 conference in Vienna has been another great SAPinsider success.
The experiences and challenges that people from companies all around the world share and discuss with each other are essential to supporting the continuous innovation of our way of working and to enriching us professionally.
Security as a key priority
Out of about 150 presentations in Vienna, more than 50 were focused on Security, Enterprise Risk Management and Business Resiliency.
This is more than a third of the whole conference focus, and it shows how SAP, our partners and companies from every region and industry are realising how critical the cyber threat has become.
Conferences like this are instrumental in building stronger partnerships with one common goal: safeguarding business, together.
What were the main topics and questions at the conference on Security
RISE with SAP was a key topic on the agenda. The number of companies looking into the RISE offering and model is growing significantly, and with that, the interest in how security is managed in the cloud.
To summarise, these were the three main topics I heard people at the conference discussing and asking the most questions about.
1. Shared security responsibility between customers, hyperscaler and SAP
"How do we distribute the daily security work and responsibilities in RISE, between our internal security teams, our external security advisors, the hyperscaler and SAP?"
Roles and responsibilities vary depending on the deployment approach. In general, however, we can say that with RISE, network and infrastructure security are managed by SAP and the hyperscaler, whilst application security measures like identity and access governance, as well as security logging and application security hardening, are decided, prioritised and managed by the customer (often supported by their specialised partners).
This is because the implementation of application security measures is often dependent on the business processes that run on these applications and needs to be strongly aligned with the company's business priorities.
Example of Shared Responsibilities in Cloud Architecture
2. Where to start with application security
"What are the tools, solutions and services we should be using to secure the SAP application layer?"
First of all, you need the security culture, mindset and processes embedded at every level of the organisation. This is the foundation for success.
Then, a good way to start is to map the security framework (e.g. NIST, ISO27001/2) to services, tools and solutions that can support each framework area and domain.
Then, based on this mapping, understand: 1) which solutions are there by default and, depending on the contract with SAP, managed as a service; and 2) which solutions are there for the customer to opt in to.
The first ones are usually referred to as SAP standard tools, which are included as part of the SAP installation, and the second ones are Cybersecurity or Compliance solutions, which companies can invest in to improve their overall application security posture.
Additionally, security services are provided by SAP consulting, or specialised partners, to support customers with their security priorities.
Example of services and solutions to support the NIST framework in SAP
3. SAP Security standard documentation for Cloud solutions
"Where can we find security recommendations for SAP cloud solutions?"
Official SAP security documentation can be found on SAP.com.
The objective of this documentation is to suggest security measures for customers to implement. But ultimately, the customer is the one that needs to decide and approve how their business applications should be secured.
A good starting point is the SAP Trust Center, where many security topics are documented, covering various areas: from recommended system security configuration settings, to information about internal security operations, to audit and compliance certifications of SAP solutions.
SAP customers and SAP partners can also subscribe to My Trust Center, where a subscription functionality offers email notifications about changes and updates to content that is of particular relevance to you. One example is the Recommended Security Configuration for SAP Cloud Services (access only available to SAP customers and SAP partners).
One example of content available on My Trust Center
Other discussions worth mentioning
A recurring and very popular discussion at the conference was the one about humans being the weakest link in cybersecurity.
Millions of people are targeted every single day with advanced phishing attacks, and it is very difficult for a victim to realise when they are being scammed, which increases the chances of a hacker breaking in.
Training people to recognise these scams is a rising priority for companies that want to reduce the risk of their sensitive business data being breached, and that also want to educate their employees on how they can safeguard their personal digital assets.
Security is a key decision factor when moving business applications to the cloud. It is paramount for companies to understand how security responsibilities are shared between them and their vendors. And it is equally important for them to recognise that even if they delegate responsibility to a third party, the accountability remains theirs.
Ultimately, it is the customer's data, processes and business. And we can safeguard it together.