The golden rule for securing SAP solutions: embed it from the start

Steve Delien
Jun 3, 2022

Today’s businesses recognize their future lies in the cloud. Whether it’s the need to innovate faster, adopt new and emerging technologies, or adapt to rapid evolution in customer and market expectations, cloud offers a faster track to business reinvention — and a way to stay ahead of the blistering pace of change.

RISE with SAP provides a clear and streamlined runway to ERP systems in the cloud, with SAP S/4HANA Cloud at the core. RISE with SAP, combined with SOAR with Accenture, enables organizations to navigate the complex decisions that need to be taken to jump-start business transformation, and innovate and achieve more value from the cloud, faster.

A growing attack surface for cybercriminals

But what does this mean for information security? One consequence of the shift to flexible cloud-based IT environments is the creation of thousands of new potential entry points through which attackers can reach key data.

Most large organizations now operate in a hybrid cloud environment. Systems, applications, and data are spread across the world on a range of different on-prem, private cloud, and public cloud infrastructure. And the number and complexity of all the access points, integrations and connections between those systems and solutions — and their points of potential vulnerability — are so much larger.

It’s a real and growing challenge. Almost three-quarters of companies’ ERP systems are now accessible via the internet according to IDC data — and almost two-thirds have had their ERP system breached in the last two years. Every time SAP publishes a security update, legions of attackers scan the internet, on a massive scale, looking for potential victims.

This is simply the reality of modern information management and cyber-security. Accenture’s own research shows that the average number of cyber-attacks per company has grown by a huge 31 percent since 2020. And perhaps more worryingly, almost a third of clients admit that security “is not yet part of the cloud conversation”.

The solution: security built in, not bolted on

In the past, SAP system security was too often treated as an afterthought in a transformation program — something that could be bolted on later or dealt with as an implementation detail. Similarly, there was a temptation to view security as merely a question of imposing the right authorization controls.

But the shift to the cloud and the complexity of new hybrid environments means the rules of the game have changed. It’s now absolutely essential to make security a core part of any program from day one. This, ultimately, is how companies can minimize both risk and complexity in their SAP environments as well as take advantage of the many optimization and automation opportunities that a journey to cloud allows.

Of course, the critical question is how to do that in practice. At Accenture, we take a holistic approach to finding a best fit security solution for an organization early on in an SAP software-powered transformation. This begins by getting a comprehensive view of both the “as is” and “to-be” security position. It considers everything from infrastructure to applications to integration with other systems, as well as the applicable regulatory, data privacy, and identity and access requirements.

Choosing from a menu of cybersecurity services

This tailored baseline assessment then feeds into the selection of a range of different security services. These cover integrations across a hybrid cloud environment, the security of individual applications (including implementing DevSecOps), data privacy and protection, identity and access management, how SAP system security feeds into the overall cyber-defense strategy, and network and endpoint security.

Governance and the broader awareness of business users are also very important here. Companies typically need to rethink compliance processes for the cloud and educate (or reeducate) the business with basic security standards and functionality. In a multiparty ecosystem, they also need to be clear where the security controls lie — with the cloud provider, the IT service provider, with SAP, or with their own organization. The overarching objective is to ensure the business understands its new security requirements and is equipped to take control of its own security investment decisions.

In mixing and matching these various security services, we believe two factors are particularly important.

The first is the organization’s risk posture and cyber-security maturity. Every company faces its own unique threat landscape — whether that’s nation-state espionage, criminal ransomware, or anything else. It will also have its own unique requirements and ambitions for information security. Some companies are already quite advanced and are looking to move up to the next level — introducing automated monitoring, making use of machine learning, and so on. Others are less well advanced in their security journey and are looking for help simply meeting their compliance obligations.

The second key factor is the organization’s SAP system deployment model. That is, which combination of on-prem, private cloud, public cloud, SaaS and/or PaaS will be implemented. This is a critical consideration, not least because the greater the use of cloud infrastructure and cloud services, the greater the number of security responsibilities that lie with the cloud provider rather than the organization (and vice versa).

Release the handbrake on your business

Above all, we believe the key is to make security a natural integrated component of every SAP system, whichever infrastructure it sits on, and however many connections it has with other systems.

To do this, our approach is supported by a series of accelerator tools and a global network of security and SAP solution expertise. This includes our Cyber Fusion Centers, which continuously update guidelines on risks and threats for each industry. We also provide cloud security reference architectures for deployment on hyperscaler platforms.

In all this, it’s important to recognize one key point. Strong information security isn’t simply a question of doing what you need to do to stay compliant. Rather, it’s an enabler of your future business in the cloud. As one of my Accenture colleagues pointed out to me, “security is no longer only about roles and authorizations and the segregation of duty. Security as an enterprise topic will need to be an integrated component of your journey to cloud.”

Embedding security tools and practices out of the gate allows you to not only enable your business but also to accelerate it. You can use new cloud technologies to take advantage of automation and functionality to increase efficiency and drive your business at the speed required in the 21st century — creating new products, developing new offerings, entering new markets — faster, and with greater confidence.

If you want to discuss SAP system security further, we’d love to hear from you. So please do get in touch.

Britta Sims (Accenture Security) and Steve Deliën (Accenture SAP Business Group)

Copyright © 2022 Accenture. All rights reserved. Accenture and its logo are registered trademarks of Accenture. This document refers to marks owned by third parties. All such third-party marks are the property of their respective owners. No sponsorship, endorsement, or approval of this content by the owners of such marks is intended, expressed, or implied. This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.

Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Interactive, Technology and Operations services — all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 699,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at www.accenture.com.
