Security is a major concern for SAP customers as they undergo an S/4HANA migration and other digital transformation projects.
Migrating to SAP's next-generation ERP platform is a complex endeavor and generally involves opening up legacy on-premises SAP systems to the cloud, according to a new survey conducted by the Americas' SAP Users' Group (ASUG) and cybersecurity ERP service provider Onapsis Inc.
The "Digital Transformation and Security" report, which included responses from almost 150 SAP customers in IT operations and other functions, was designed to pinpoint pain points in digital transformation projects. It also indicated that modernization projects such as migrating to S/4HANA have not been slowed significantly by the COVID-19 pandemic.
S/4HANA migrations gain momentum
"The survey touched a lot on challenges, but also the role security plays with organizations as they're making these digital transformations," said Carolyn Szczurek, ASUG market research manager.
S/4HANA migrations are a reality now, according to the survey, as almost half of the respondents reported they are either live on S/4HANA now or are in the process of moving over. Another third reported that they are planning an S/4HANA move but haven't started the process yet, while just 6% said that they have no plans to move to S/4HANA.
Migrating to S/4HANA is a significant digital transformation undertaking in scope, time intensiveness and cost, but it's not the only modernization initiative for SAP customers, according to Szczurek.
"S/4HANA is a piece of that, but the survey also looked at migrating business applications from on premises to the cloud, custom application development that extends ERP functionality, and SAP to non-SAP integrations," she said.
Security is top of mind, as nine out of 10 respondents reported that it's extremely important for digital transformation projects. The pandemic has not significantly affected views on security: just over half of the respondents reported that security was important for digital transformation projects before the pandemic and remained so during the pandemic, and just under one quarter reported that security was now more important.
"Security it is becoming more and more prevalent, especially at the end of last year when we heard about the different compromises to the U.S. government systems, to security vendors, to organizations through SolarWinds and other compromises that are still unveiling," said Juan Pablo Perez-Etchegoyen, CTO at Onapsis.
Consider security when moving to the cloud
SAP organizations realize that they need to carefully consider the security implications of an S/4HANA migration, especially when moving to the cloud, Perez-Etchegoyen said. While customers can stop worrying about some security aspects that are the responsibility of the cloud provider, they are still responsible for the data that goes into the cloud.
"Even if you go to a pure SaaS model, when you put your customers' data in the cloud, you're still responsible for the security of that data," he said. "Even though the security is deployed, maintained and insured by the cloud provider, you still need to make sure SLAs are in place, proper controls are in place."
Undergoing an S/4HANA migration or other digital transformation projects that involve integrating SAP systems with other applications makes addressing security even more critical, Perez-Etchegoyen explained. Legacy SAP systems run in a company's data centers behind firewalls, which gives the company full security and control.
"That's no longer true, especially in the world where you have some parts of the application running in your data center, some parts running in AWS, or parts served from a SaaS solution such as SuccessFactors, Ariba, Concur or SAP Cloud Platform," he said. "That's a big change and one of the key factors that's making organizations rethink security when they migrate to the cloud or whenever they migrate to a technology that they don't know because everything is open and connected and available 24/7.”
Establish security responsibilities
SAP organizations that are undergoing an S/4HANA migration need to determine what role security will play in a digital transformation project and who is responsible for maintaining security day-to-day. Half of the respondents said that C-level executives should be responsible for determining security roles, and two-thirds said that internal IT staff need to be responsible for maintaining security.
"There's a bit of difference in that it's the C-level who assigns the roles and determines the importance of security in transformations versus the IT staff who maintains it day-to-day, watches the roles, and ensures that it's compliant," Szczurek said.
Moving to the cloud can take some of the security burden off SAP organizations, but there are security aspects for which organizations will continue to be responsible. This is due to the nature of SAP systems, according to Perez-Etchegoyen. Tools from the cloud providers can help to make sure that the cloud deployment and integrations with other applications are secured properly, but customers must also take care of security for SAP applications.
"SAP applications are different from other applications because they are very complex business applications, extensible, integrated, that hold very sensitive and heavily regulated data," Perez-Etchegoyen said.
The software stack and system configurations are particularly vulnerable due to the number of moving parts they involve. For example, the 10KBLAZE security exploit targets vulnerabilities in the SAP system stack, while the RECON exploit targets an SAP NetWeaver web service that connects SAP and other applications through APIs.
"Because of how integrations are built in SAP applications, sometimes Basis administrators end up opening access control lists or interfaces in a way that exposes the entire system," Perez-Etchegoyen said. "These are the top risks for SAP applications, not only for on premises but for the cloud as well, for example, S/4HANA running on Azure, AWS [or Google Cloud Platform] is also vulnerable to these problems."