Cloud Security Trends for SAP Customers Hosted by Microsoft Azure
Webinar On-Demand
Meet the Experts
Key Takeaways
⇨ Learn about why organizations are moving workloads to the cloud
⇨ Explore what is behind their cloud security strategies
⇨ Understand the actions they are taking with their cloud security strategy
Read More:
Robert Holland (00:00:00):
And welcome to today’s webinar, cloud Security Trends for SAP Customers, hosted by SAP Insider, and presented by Microsoft Azure, Path Lock, Rubrik and Susa. I’m Robert Holland from SAP Insider. Just a couple of announcements before we begin. Uh, after the presentation, I will answer as many questions as, uh, time permits. So if you want to ask a question, please do so. Using the q and a panel that is opened at the bottom of your zoom window. Uh, a link to a copy of today’s presentation will be provided via email after today’s session. All right, so let’s sort of jump right in here. Um, this is, uh, we’re talking, going to be talking about the cloud security trends for SAP P customers research report that was published at the end of November. So, uh, as with most of these presentations, and, and many of you may be familiar with this, um, we start off with a bit of an overview of the project, what we’re trying to achieve. Uh, we’ll look at some of the, the data that, uh, that is there, will look o and then we’ll run through the data analysis focusing on the driver’s actions, requirements, and technologies. And then we’ll move to, uh, we have key takeaways and, and an opportunity to answer any questions at the end.
(00:01:18):
So, um, the goal of our research, uh, or at least our research, was focused on members of IT and those involved with the security, uh, or with security in their organizations. Um, obviously all of the members that we’re surveying are part of the s a P insider community, and what we did is we asked questions about their cloud security strategy. Now, the objective of the research was to really look into why they’re moving to the cloud, the expectations they may have for cloud service providers, some of their security process, um, and their plans for their cloud security strategy. Because as more and more organizations move workloads to the cloud, it’s more important than ever that they have a security strategy in place for the cloud. Um, now, like any s a p insider research report, um, we examined the driver’s actions requirements and technologies on which they’re focused as part of those steps towards, did not update disliked effectively towards their cloud security strategies.
(00:02:29):
So, I mean, if we look at, uh, a bit of an overview of the, the demographics and, and this is what we’ll sort of start off with, looking at demographics. Um, we conducted the, we had the survey in the field between August and November of 2022. Uh, in total, 164 members of our community responded to that survey, uh, spoke with a number of them post-survey with interviews, uh, or by exchanging email about what’s there. Um, unusually we had a, a relatively high number of respondents from a p j. Um, a lot of the time, you know, we sort of see, um, respondents talking about, you know, reflecting largely SAP’s customer base. So, north America is typically the largest respondent group around about the low forties. EMEA is usually second in the low to mid-thirties, followed by a PJ and Latin America. Uh, obviously in this instance, um, the number of respondents from a p J was significant, and I, I’m not sure entirely for the reason for that.
(00:03:34):
But what I do know is, when we did cybersecurity research earlier in 2022, um, a lot of the respondents from a p j sort of indicated that they had experienced cyber-attacks or credentials, compromise, or some form of security breach that impacted there SAP systems at a far higher rate than respondents from other, other parts of the world. And maybe that’s why we’re seeing a, a higher number of respondents from a P j because they’re sort of more interested and more actively engaged in that topic. Now, in terms of where these people came from, uh, in their organizations, um, the largest respondent group is, is, is IT management? Nearly a third of respondents were identified themselves as being from, from that area, followed by IT operations, the s a P team, um, finance and accounting. We have some respondents. Only 7% of people identified themselves as being specifically in a security team.
(00:04:38):
Um, but for many s a p, um, organizations or organizations rather running s a P systems rather, um, the security for that is managed from within the s a P team. Um, we also had a number of people in, in systems implementation and integration, uh, and a other respondent, other areas that people identify as being in application development. That was 5%, uh, the basis or administration team that was 3%. And then we also had 3% that sort of said they were in some other area, uh, in the organization in terms of where respondents were coming from, um, about a quarter of the respondents identified their company as being somewhere in the industrial sector. So that includes manufacturing, agriculture, energy, and natural resources. Um, nearly 20% were from software and technology, so that could be a, a high tech company or a potentially, it also could be a, uh, consultant, a consulting organization of some kind.
(00:05:41):
Um, 15% were from hospitality, transportation, and travel, um, financial services and insurance, media and entertainment, healthcare and life sciences, public sector and retail distribution, C P G. But you can see that there’s a respondents coming from, uh, a, a very dis, very broad set of, um, sectors across the, uh, across market sectors. You know, sort of indicating that there’s lots of different companies in lots of different areas that are potentially thinking about this. Now, um, in terms of the size of the organization, so we ask, we do ask respondents and, and, and some people do respond that they don’t, they don’t know, that’s why this numbers don’t add up to a hundred. Um, but about, you know, the largest number of respondents. So over half were some, were sort of somewhere in that 50 million to 2 billion range with slightly larger group being in that 500 million to 2 billion.
(00:06:40):
Now, the way SAP categorizes organizations is that, um, anyone, uh, with an annual revenue under 2 billion is sort of essentially categorized as small or medium enterprise by s a p. Um, so, you know, like I said, I mean a varying of sizes, but probably more of the respondents from this group would be categorized by s a P as being small or medium enterprise. But as you can see, that’s not, they’re not necessarily all that small. Um, 4% of the respondents were the ones that said, uh, they did not know, um, their organization’s annual revenue. So sort of moving into the, the sort of snapshot here, one of the first questions we asked respondents is, what are your top business motivations for adopting cloud-based technologies? Now we’ve, we’ve sort of seen this, uh, in other research that I’ve done, particularly the, um, enterprise cloud deployment research.
(00:07:41):
The number one reason for people moving to the cloud continues to be flexibility and scalability. They’re, they’re looking to have, um, increased flexibility and scalability for their systems. Um, but we’ve also sort of started to see other factors playing into the picture. And obviously, uh, uh, over a third are saying it, it’s necessary for new innovation, new business models. Um, they’re not, they’re finding that they can’t necessarily achieve that sort of innovation by looking at on-premise systems, um, other organizations running into end of maintenance deadlines for current on-premise systems, such as, and that says SAP S/4 Hana. Um, but I mean, it’s, it’s, it’s interesting to sort of see that that’s a reason. Um, and that’s certainly not the only SAP system for which end of maintenance deadlines are approaching. Uh, a p is, uh, updating many of their products to be, uh, to sort of have end of maintenance coming up over the next few years.
(00:08:46):
Um, but I mean, obviously, you know, as those organizations are approaching the end of maintenance of their existing systems, it’s an opportunity for them to evaluate the cloud, um, see what it is that can be done or achieved from a, a new infrastructure, new solution, uh, standpoint. Uh, but another factor that, that it does sort of come up and, and when I sort of did research on infrastructure in August of 2022, is that the, the goal of continuing to reduce cost, um, and obviously reduced capital expenditure on infrastructure is important for organizations as there, you know, looking to update things they don’t necessarily want to do that significant capital expenditure that they’ve done in the past. You know, when it comes to deploying new systems, um, not only has it potentially been a struggle for organizations over the last couple of years to actually secure that hardware because there have been, um, supply chain delays, uh, problems with manufacturing chip sets.
(00:09:55):
Um, I mean, I think everyone was sort of aware of the, the fact that, uh, it was very difficult to get an automobile for, a period there between sort of late 2020 and early 2022 because chips were, chips were unable to be produced. Um, the, the plants were having issues or, um, with staffing, et cetera. So that sort of has a, an ongoing, uh, knock on effect to infrastructure if you’re planning to secure a new infrastructure. Now, some of the cloud providers, um, didn’t really seem to have some of those issues because a lot of them build their own infrastructure. Um, you know, they, they are potentially buying from hardware vendors, but they’re also potentially, some of them are building their own infrastructure. So it, it allowed them to, you know, continue to operate and expand capacity as people started to move to the cloud. So that reduced capital expenditure is, is a, is a major thing. Um, improved security, interestingly is not one of the top factors. I know that when organizations move to the cloud, they want to make sure that, um, security is in place for the systems that they’re moving there, but perhaps it isn’t one of the reasons why they’re moving there in the first place.
(00:11:15):
Now, once we, we sort of understood why people are moving to the cloud, we asked what expectations do they set for cloud providers around security? Um, so if you’re moving to the cloud, what do you sort of expect your cloud provider to do? Now, automatic security updates, I think is a, um, an expectation that nearly two thirds of the respondents said that they had for their cloud vendors. And I think from an operating system and platform perspective, um, you know, that can make a lot of sense. I think it also have to, but it also has to be weighed against what does your cloud provider actually do for you from a security standpoint? Because it very much depends on the type of deployment that you’re running in the cloud. Um, you know, for example, if you are, if you are running in a, um, you know, if you’re running in a software service solution, then, um, you know, then you are really just responsible for controlling who accesses that solution.
(00:12:18):
Do you know, almost a GRC type thing? You, you just need to make sure that the right people have access to the solution. And then within the solution, what data should they be able to access? But if you’re running infrastructure as a service environment, then that’s quite different because in an infrastructure as a service environment, you are basically just getting the bare metal and you’re deploying the operating system potentially. Um, you are then deploying the software on top of it, and you may have, from your perspective, more that you need to do in order to secure that. And I think it’s important for, um, organizations to sort of remember that simply because you’re moving to the cloud doesn’t necessarily mean that your cloud service provider is going to do everything or manage everything from a security standpoint. Um, also when other expectation vulnerabilities, transparency, so you know, when there are vulnerabilities they’re made, uh, customers are made aware of that.
(00:13:14):
Um, and in downtime thresholds, because obviously, as, as you move to the cloud, and this is one of the things that organizations do expect, is they do want to have downtime thresholds. So if something does happen, you know, there’s a, there’s a, uh, a service level agreement that, you know, determines when and how quickly services are going to be restored. Um, now in terms of the process for securing cloud systems and infrastructure, um, so we, we sort of basically said, what’s your process for doing that? Um, and I think it, it sort of makes, uh, a lot of sense here that about half the respondents say they’re customizing security configurations to meet their needs in-house. Um, so not every piece of security software is going to be tailor-made for your organization, so you may need to, to, to customize configurations to meet your needs. Um, but almost as many people say, they’re utilizing external partners to assist with custom security configurations.
(00:14:16):
Now, this is, this was a question where respondents could provide multiple answers, and I, you know, there’s, there’s an overlap between those two. So, for example, I think about half of those who said that they were customizing security configurations to meet their needs in-house. Were also utilizing external partners to assist with customized custom security configurations, right? So sometimes there’s in-house expertise to do that customization, and sometimes you may need to rely on, uh, an external partner to help with that. Um, only 30% of respondents said they were just utilizing standard configurations, um, for securing cloud systems. Uh, and then 16% of the respondents said they, they weren’t sure what their organization was doing, uh, around securing cloud systems in infrastructure.
(00:15:07):
Now, one of the things that it’s critical for SAP systems, regardless of whether they’re running in the cloud or whether they’re running locally, is the response time for patches. Um, so we sort of said, what is your typical response time when made aware of necessary patches for cloud infrastructure and cloud platforms? Um, now, you know, the system or the, the approach that organizations take might be slightly different for on-premise systems. Um, but I mean, half the respondent sort of said they’re simply addressing these patches on a regular schedule. Now, for many large s a p organizations or organizations, large organizations running systems, it’s complex. You know, you want to minimize downtime on your systems. It’s very difficult to simply to take a system offline and, um, apply a patch simply because Patch Tuesday comes around or SAP releases a critical patch. Um, so it’s, it’s important to ensure that so, or at least they’re, they’re building the, uh, deployment of unnecessary patches into their regular schedule.
(00:16:18):
So for global organizations that have, uh, you know, s a p systems that are accessed from, you know, uh, users around the globe, or at least in multiple countries, it can often be very difficult to find that right time to do patching. It’s, you know, weekends often can still be, the systems can be used, um, you know, even the middle of the night isn’t necessarily a time when there isn’t somebody in another part of the world that might be potentially using or leveraging the system. So building those patches into the regular schedule, um, is, is important. Now, we, I do know from, you know, we do sort of know from surveying organizations earlier in the year that keeping up with patches and updates is, is, is a struggle for many companies. Um, and that may be why, you know, they’re simply building it into their regular schedule.
(00:17:12):
Um, 9% of the respondents on the other hand said they put them in immediately. So, you know, when a, when a new, when a new patch becomes available, or at least a, a necessary patch becomes available, they’re deploying it immediately to their cloud infrastructure or cloud platforms. Um, what is a little bit concerning in this, in this data is that nearly a quarter of respondents said they’re not addressing necessary patches regularly for cloud infrastructure and cloud platforms. Um, obviously that can be kind of a problem because sometimes, you know, if there are exploits that are actively being, um, or vulnerabilities that are actively being exploited, uh, and, and that’s something that’s happening more and more with, uh, you know, sometimes it literally being just hours before between, you know, when a patch or when a vulnerability is disclosed and, you know, a code potentially exploiting that is available on GitHub or something like that, um, it can be a very short period of time for org for patches or vulnerabilities to start being exploited.
(00:18:19):
And so implementing patches is necessary, um, in a timely manner is necessary. Now, it might be slightly different on premise, um, than in the clown, but a lot of times if you have cloud systems, those are potentially accessible from outside your organization or maybe more accessible from outside your organization. So it is a little concerning that, you know, nearly a quarter of respondents said they’re not doing that patching regularly. Um, and just over 10% was sort of saying it’s not applicable, or they sort of expect the provider to do that. Now, if you’re running a software as a service solution in the cloud, then yes, the provider is going to, is going to take care of that. You know, for example, if you’re running S A P S for HANA Cloud or Success Factors, concur, you know, something that is a cloud-based software as a service application, you’re really just managing who’s accessing it.
(00:19:11):
S A P or your, you know, whoever it is that you’re running the software as a service application from is going to be patching the software. They’re going to be patching the operating system. You don’t need to worry about that, but that may not be the case in, uh, if you’re running in a sort of a different environment and sort of expecting the provider to do that is something you have to ensure that the provider is actually going to do. Um, now as a follow up question to this, we sort of asked, you know, whether respondents had a patch management process in place for cloud infrastructure and platforms, and while over two thirds did 67%, um, that sort of also indicates that about a third do not have a patch management process in place for cloud infrastructure and cloud platforms. And that probably is something that organizations should, uh, should look to address in terms of SOC one and SOC two.
(00:20:06):
Um, we sort of ask the question, does your, does part of your cloud vendor selection process include ensuring your cloud vendors follow SOC one and SOC two compliance? Um, obviously the majority 60% said yes. You know, that is, that is part of their cloud vendor selection process. Um, a quarter said, no, it’s not. Uh, but that doesn’t necessarily mean they’re not, um, looking at SOC one and SOC two compliance for their cloud vendors. It simply means it’s not necessarily part of their selection process. And then 15% of respondents, uh, did not know the answer to that question.
(00:20:41):
Um, we did then ask the question, when do you sort of expect to move your S A P E R P systems to the cloud? Um, now not everyone necessarily is running an S A P E R P system, and that sort of could be in that sort of 8% category, um, who sort of have no plans to move their S A P E R P to the cloud, because I mean, I think we’ve sort of found in other research that a significant number of respondents, um, are doing a lift and shift to the cloud, even if they’re not necessarily moving to SAP S/4 Hana. Um, but I mean, when we look at this, almost a third of respondents, uh, the largest number of respondents said that they, they plan to move to the cloud when they deploy SAP S/4 Hana.
(00:21:24):
And this is, this is certainly something from an infrastructure perspective we’ve seen already. They’re, they’re sort of tying their move to SAP S/4 Hana, um, or they’re trying their infrastructure change to the move to SAP S/4 Hana. They’re doing both at the same time, given that both are potentially large projects, um, there’s a lot of, uh, a lot of reason to synchronize those and, but it, it does make it into one very large, um, project. Um, 30%, slightly less, were saying they’ve already moved their other S A P E R P system to the cloud, likely a lift and shift. Um, so that would be probably business suite users or S A P E C users that have sort of moved their other, uh, e R P system to the cloud. Um, 10% or 9% say they’ve already deployed SA on top of that S A P S for HANA in the cloud.
(00:22:20):
And that sort of makes about 40% of respondents who of already moved an E R P system to the cloud. Uh, 22% sort of just say they have plans to move to the cloud in the future, um, but haven’t necessarily determined, uh, when those are going to be. Now in terms of the number of cloud solutions, so we sort of asked people how many cloud solutions s a P are otherwise do they currently have deployed? And as you can see, um, the significant number of, of organizations are running at least six. Um, so, you know, nearly two thirds of respondents are running at least six cloud-based solutions in the cloud or cloud-based solutions. If they’re software as a service, they could be cloud-based solutions, um, you know, or they’re running on cloud infrastructure, um, whereas, uh, only 35% are running, um, you know, less than five, um, cloud solutions.
(00:23:21):
So there’s cloud-based solutions are certainly more and more a part of the way organizations are doing business. And if we sort of look at how many cloud offerings or which cloud offerings are potentially part of their s a P security strategy, you can sort of see, or at least the, the cloud security strategy. There’s a lot of different variation here. I mean, you know, um, people are obviously running on Microsoft Azure as an infrastructure as a service platform. Office 365, uh, is potentially part of their cloud security strategy. Uh, a w s um, those are ahead of s SAP solutions like Concur. Uh, a quarter of say, SAPs for HANA cloud comes into the picture somewhere, but Salesforce is, is right up there. Google apps, um, many organizations leverage Google Mail or Google, uh, office Suite, um, for, you know, the collaborative efforts, uh, with the cloud.
(00:24:21):
Um, S A P a, Reba success factors, Workday, NetSuite. So this certainly indicates that these, the, the, as people manage their security strategies, it’s more than just worrying about the SAP solutions they have in the cloud. Other cloud offerings have to be a part of that security strategy, um, because those offerings are, those, those solutions are potentially integrated with their s a P offerings or they’re, um, they’re just a, a core part of the way that they do business. Um, so, you know, there’s a, there’s a, when you build a cloud security strategy, it, it’s not just strategy for a specific product. Um, you know, it, it might be, uh, it could well be something that is for multiple products and is very likely something that’s for multiple products and multiple types of products. And this is where, you know, the changing size of the security perimeter, your potential attack surface, because I mean, if you’re leveraging Office 365, if you’re using, you know, Google Suite, uh, Google applications for your, um, you know, for your email, for your, uh, word process or what word processor, your, um, spreadsheets, you know, whatever, there’s a potential vulnerability in there, uh, as, as you’re sharing across the organization, then obviously a Salesforce, a Workday and NetSuite plus whatever s a p applications are running, um, the SuccessFactor, uh, Han Cloud, there’s a lot of different potential points of integration between those solutions and offerings.
(00:26:07):
And there’s also a potential for, um, different, uh, exploitations. So very, very broad, um, attack surface as organizations are moving to the cloud. Now, what I sort of wanted to see is how many security invent, sorry, let me say that again.
(00:26:32):
How many security vendors are organizations engaging with to meet their SAP and cloud security needs? So, um, you know, and part of this does make sense because there are some solutions, like for example, you may be dealing with a vendor that simply has a, um, single sign-on offering or a multi-factor authentication offering, you know, that isn’t necessarily the same vendor that’s providing continuous monitoring or zero, uh, zero trust or least, um, lease privilege authentication, you know, on your network. Um, you know, so there’s, there’s multiple vendors and their solutions may have overlap, but they also may not. And that may explain why organizations are running. As you can see now, uh, nearly half the respondent say they’re running four to six, they’re using four to six different security vendors, um, and 25% are running seven to 10. Um, which as makes a complex security landscape, um, because it’s, it’s, you know, while the sort of focus of business is often on making things easier for the users so that, you know, for example, they’re not being prompted to enter a multifactor authentication key or a sign on for every single solution, or every time they, they open up a webpage or go to a go to a solution that the organization is using, trying to streamline that process and make it easier for them to do their jobs, uh, and to work on a day-to-day basis.
(00:28:14):
But at the same time, you also want to ensure that you are providing a secure environment, and only the people who are supposed to be getting in can get in, and you’re not leaving systems potentially exposed to attacks. So it’s, it’s a complex landscape and there’s multiple vendors that are being engaged with that are providing solutions across that landscape, um, doing different things from everything from networking, security, all the way to authentication and monitoring and et cetera. So, uh, it is, it is a complex landscape. Now, as a follow up to that, we sort of asked the question, is your organization looking to consolidate the number of vendors that you work with? And based on the complexity of that landscape and the fact that, uh, significant proportion of respondents are running, um, at least a, a fair number of vendors at least. So if you look at, uh, nearly 70% are running at least, or 80% are running at least 75%.
(00:29:18):
Prada, I can’t add up, um, a 75% are running at least four, four different using at least four different security vendors. It’s not really a surprise that half of the respondents here say that they’re, um, looking to consolidate the number of security vendors that they work with. Uh, and although, uh, about another half. And then, and those numbers don’t quite add up, I think because of rounding. Um, so, you know, they, they simply, either they’re not or, or they don’t know, um, you know, what’s being planned at the moment. But it, it is a complex landscape. And if you sort of look at those who sort of, we ask the question, so if you’re thinking of consolidating, what are the primary reasons for that consolidation? The simplified security management. I mean, if you have multiple solutions from multiple vendors, you’ve got different interfaces, you’ve got different administrative tools, admin, you know, management that you’re having to, you know, um, train people to use effectively.
(00:30:18):
So it, it can be complex. Um, they want to have an improved security posture, increase their efficiency, uh, reduce the complexity. Um, and there certainly were, and what, what is surprising here is the numbers are all very close, but there was a significant number of respondents for, you know, selecting each of these choices, um, 50 or more. So it, it wasn’t like, excuse me. Um, you know, there was a, just a small number of respondents answering this question. It, it really is, there’s a lot of different reasons why people are, are consolidating. Um, now, you know, some other, um, potential points is that 79% of respondents said that they’re using moving infrastructure and solutions to the cloud as an opportunity to reevaluate the security plans policies and solutions. And I think that’s very important for organizations because as you move to the cloud, your, your integration points change, your attack surface changes, your security perimeter extends.
(00:31:21):
So it is a very important time to, um, reevaluate your security plans and policies and, and ensure that they’re going to work for your new environment. Um, 61% of respondents said that their organization had been subject, or they were aware at least that their organization had been subject to an attack on one of their cloud providers. Um, you know, I think that that’s, you know, and they’re not necessarily saying that that attack was successful, simply that, um, nearly, you know, over 50, over half, you know, getting on towards, uh, two thirds of respondents are sort of saying that they’re aware of an attack on one of their cloud providers. And I think that what that really sort of tells us is the extent of cyber-attacks across, um, you know, across the landscape today. I mean, I’m sure that a provider like Google, Microsoft, a w s, um, you know, any big cloud provider experiences attacks on a regular basis, you know, they’re pretty good at, um, repelling those attacks. Um, but there’s, they’re, they’re, they’re happening. Um, now, you know, uh, we do have a data point here, and it is a bit of an isolated data point because we just sort of asked, their organizations asked respondents about their organization’s ability to secure cloud-based applications, uh, with 7.4 out of 10. Um, I didn’t ask a similar question on their ability to secure on-premise applications because it, uh, it would’ve been, uh, a bit more of an interesting comparison point, but, uh, thought about that afterwards.
(00:33:05):
So what do we sort of recommend here? I mean, if you are moving to the cloud, then I, I think it’s a time for you to, to leverage moving your solutions and infrastructure as part of, as an opportunity to thoroughly evaluate your security plans, policies and solutions, right? There’s a lot of change going on when you move to the cloud. While most respondent organizations in this research already using that opportunity, it’s critical that any organization moving, working to the workloads to the cloud takes the time to thoroughly evaluate their security landscape. Now that can ensure that the solutions and systems you plan to run under the cloud fit your existing security plans. Um, new security solutions or updated versions of existing solutions may need to be deployed in order to ensure that your cloud solutions are secure. But this is also where reevaluating security plans, policies and solutions might allow you to sort of consolidate some of the mix of security solutions, uh, you’re running today, rather.
(00:34:08):
Um, secondly, educate your security teams about the cloud service provider offers and what they must support. Because not every cloud environment is the same as I sort of stated little earlier. If you’re running a software as a service solution like cloud are success factors that has different security needs than running an infrastructure as a service environment in the private or public cloud or running, um, a platform as a service environment like SAP. So ensuring that you thoroughly understand what the cloud service provider will secure and what your security or SAP teams need to secure is a crucial step in making any cloud security plan successful. So dedicate time to educate teams on those areas and avoid potential vulnerabilities developing in your attack surface. And that should also include ensuring that security teams have the knowledge to customize security configurations to meet your specific needs. And then lastly, uh, put security plans in place at the start of your cloud journey, and that will help ensure that business IT and security teams are aligned on those plans. Um, a lot of organizations start there, those cloud journeys somewhat unintentionally, um, when business teams start using cloud-based solutions to meet specific needs or challenges. Now, I think we’re probably well past that for most organizations now, there’s not many who aren’t running at least some solutions in the cloud. But while
Speaker 2 (00:35:37):
The use of cloud solutions might address this critical need scenarios like that can lead to security vulnerabilities. And the most important step to address these challenges is to ensure alignment between business IT and security teams. So one of the biggest challenges today is ensuring that an organization’s security objectives are aligned with their business objectives. And building that alignment into cloud plans is key to your success. So if in addition to moving to aligning IT and business teams, it is also important that you include security planning at the beginning of your cloud journey. That means that you won’t be trying to retrofit security after deployments have started, um, because that can consi, that can get, that can significantly delay the project and result in overlooking potential vulnerabilities. But having security included from the start will ensure that you have a much better security in place for your cloud-based systems.
(00:36:40):
So we’re going to move on to running through the DART methodology. Um, those of you who aren’t familiar with dart, um, D is the drivers A and those are sort of really the, the macro level events that are impacting an organization. They might be internal, they might be external, but they require the implementation of some sort of strategic plan to address, um, actions are the strategies that companies can implement and to address the drivers. Um, they sort of will involve people, process and technology to sort of achieve those strategies or, or actions that businesses are taking, requirements of the business and process level requirements that support the strategies. And then the technologies are the systems and technologies that the business is using to support those, enable those requirements and support the overall strategies.
(00:37:35):
So if we look at what’s driving cloud security strategy, um, you know, securing data as a moves and is integrated between systems and environments, that was 37%. Um, pressure to keep systems secure from growing ransomware and malware attacks was, was 36%. Uh, changing regulations around data privacy was 32%. But I mean, there were others that were not far behind this. These, these are sort of the ones I focused on. I mean, excuse me. Securing data as it moves and is integrated between systems is I think a very important part of today’s security challenge, um, and is sometimes overlooked that might by organizations that might place a greater emphasis on securing the systems, which has sort of been historical SAP security and not the integration points between them. Um, and, and I think the fact that this was chosen as the most important factor in driving cloud security suggests that organizations are recognizing, uh, the importance of this weakness in their attack surface and are adapting their cloud security strategies to address this vulnerability before it can be exploited.
(00:38:43):
Um, pressure to keep systems secure from growing ransomware and malware attacks. Uh, that was the most important factor in driving strategy and plans for cyber security for a p systems in research we published, um, earlier this year, and it’s the second biggest factor behind cloud security strategy in this report. Now, we all know that we’re seeing new reports of ransomware and malware attacks in the media every day, even though those may not directly be impacting s a p systems. So it’s no surprise that it’s one of the biggest drivers behind the cloud security strategy. However, I think it’s important for organizations to be aware that even though these types of attacks can often receive the most attention, they’re not always the biggest threats to s a P systems. Um, so, you know, that is something that it’s important to, uh, important to remember. Um, and then the last nature factor driving cloud security strategy is changing regulations around data privacy.
(00:39:48):
Um, this is a particularly challenging area for organizations operating in EMEA where PR data privacy and data rev residency requirements can vary from country to country, and where even the ownership status of a cloud service provider, um, can have an impact on what data can be stored on that provider, as is the case in France. Um, and those regulations, even though they may not make up the majority of an organization’s cloud security strategy, are an important part of the consideration process when formulating that cloud strategy. And I think, you know, data privacy regulations are changing here in the US as well. I mean, I think, uh, two major laws came into effect, um, here in the US at the beginning of the year. I think the California law and maybe the Colorado one, and then the Virginia law around data privacy is going into effect middle of the year.
(00:40:39):
Uh, I might have those mixed up, but it’s changing here too. Uh, and there, there’s obviously a, a reason why, um, you know, these are, they’re changing cloud, how people approach cloud security in terms of the actions that organizations are putting into place. Um, you know, the number one is, is hybrid and multi-cloud environments are important for overall resiliency in cloud applications. Um, or at least, sorry, hybrid and multi-cloud environments for redundancy. Now, even though those are important for overall resiliency, it doesn’t necessarily support any of the factors impacting cloud security strategy. However, that sort of plays into this whole area of having redundant systems that can be very important in the event of a ransomware or malware attack so that an organization can quickly recover, uh, if their primary system is compromised. And the fact that organizations are looking at hybrid and multi-cloud environments to sort of provide that redundancy suggests that they are continuing to maintain some systems on premise as well as running them either on at least two or more public clouds.
(00:41:48):
Um, and that provides greater resilience in the event of a ransomware or other cyber-attack. Um, now not everyone is doing it, um, but that is something that, uh, that some organizations are potentially pursuing. We also saw that, uh, a strategy that organizations are putting in place is, um, that of regularly implementing patches and updates based on, on platform as a service hosted apps. Now, beyond having redundant application environments, organizations are regularly implementing patches and updates on their platform as a service application. Now, while operating system and platform related patches are typically applied by the vendor organizations using platform as a service, applications need to manage their deployment of patches to the software they have installed. So that’s different than a software as a service environment because the vendor is going to manage that. But I think many SAP and teams struggle in general to keep up with patches.
(00:42:46):
And that is why implementing and following a strategy can significantly help, um, reduce the risk of cyber tanks. A patching strategy, um, integrating new cloud systems with this existing security processes is the third most important action that respondents are taking. Um, having this integration ensures that the newly deployed cloud environments protected from the start, uh, which will help with in protecting systems from ransomware and malware attacks and in securing data as it moves between environments. Um, but organizations must ensure that they integrate their cloud systems with existing security processes that, um, I don’t know what I’m saying here. Um, the data exchange is protected as well as the solutions, uh, themselves as, so as you’re doing that integration here, you’ve got to ensure that your data exchange is protected. Um, and then lastly, implementing a zero trust security model. Um, you know, that’s, I think, something we are seeing more and more of.
(00:43:47):
And when we start look at the technologies, we sort of see that something that’s being implemented more, it’s not necessarily hugely in use now, but having a zero trust security model, um, requires that every device and user, whether inside or outside the network, verify and authenticate their connection. So zero trust models can provide added security against ransomware and cybersecurity threats because they assign the least required access needed to perform specific task. And they also help with protecting data is between systems and environments by ensuring that every device connected to the network is authenticated, which limits the presence of untrusted devices now happened there. Um, you know, some other things that, you know, were very close behind this. We’re framing internal teams on cloud security features and responsibilities. 27% of respondent selected that as a, as an action. They’re taking and conducting regular audits and security sys assessments, which 25% of respondents selected.
(00:44:54):
So there’s a lot of closed stuff here, and I think this sort of, um, and I’ll talk about that more in a second, but in terms of recommending recommendations around drivers and actions, ensure that you’re securing data as it moves across secure enterprise. Um, most SAP security historically focused on securing data in systems using a combination of access and process control. While organizations have adapted today’s security challenges as a, and are, and are ensuring, um, that their security strategy does more than just, um, authorize users securing data as it moves between systems, it’s still sometimes overlooked. Um, as you develop your cloud strategy, ensure that it secures data and as it moves and is integrated between systems and environments, because that’s often, uh, a potential point of compromise, keep your teams up to date about data privacy regulations and how they impact infrastructure choices.
(00:45:54):
Now, data residency is the most commonly considered guideline when it comes to how regulations for data privacy impact the way data can flow across borders. But while organizations might be aware of where their data must be stored geographically, data sovereignty can impact whether there’s a governmental right of access to data stored within their borders. And data localization ensures the data created within certain borders remains within those borders. So keeping up with those regulations and which providers can be used for what data types, um, can be challenging and expensive from an infrastructure perspective. So ensuring that security and compliance teams are continually updated on changing data privacy regulations and how that might impact cloud environments and cloud security strategy, i i is super important for organization and then create a regular patching schedule for both on-premise and cloud-based systems. You know, one of the biggest challenges we identified back in March this last year was keeping up with patches and updates.
(00:46:59):
When deploying cloud-based systems, this can become even more complex because some patches are managed by cloud service providers, others need to be maintained by the organization. Um, and that sort of creates, uh, uh, some confusion at times. So when an organization is running a combination of different cloud environments, it can be easy to overlook deploying patches for systems deployed in infrastructure as a service or platform as a service environments, because the responsibility for deploying those patches can vary across environments. So creating and implementing a regular patching schedule as well as understanding criteria for reacting the critical updates is key to ensuring security of your cloud-based systems.
(00:47:45):
Now, when we look at requirements, we ask respondents to rank the importance of different requirements to the cloud security strategies. And, and it was very consistent in the way they responded to these. There was no requirement that we listed that had more than 15% of respondents say that it was not important or only slightly important, and only two requirements had less than 25% of respondents select them as being very important. And that led to this sort of, I mean, outside of improved endpoint security, um, very closely ranked set of requirements. Uh, but it also means that all these requirements are important for a successful cloud security strategy. Um, I mean, endpoint security obviously is about ensuring that your end user devices such as laptops, desktops, and mobile devices are secure. Um, given that users increasingly want access to data regardless of their location, it is no surprise that that’s the top requirement of any cloud security strategy, and that can often be part of a zero trust model. Um, strengthened access governance helps support changing regulations around data privacy as it ensures that users only have access to the data they’re supposed to see and, and in the region they’re supposed to see it. Uh, but access governance goes beyond access control to verify who has data, has access to what data, when they have access to that data and how they access it.
(00:49:22):
Once again, that can be part of a zero trust model where every device and user must verify access when connecting to the network. Um, you know, threat intelligence, I think increased adoption of threat intelligence is something we observed in our March report. And that threat intelligence allows organizations to access data that has been collected, processed and analyzed, understand potential target attacks and, uh, targets and attack behaviors. And sort of by monitoring threat intelligence feeds, organizations can learn about potential vulnerabilities and address them in real time before they can be exploited. And that really helps to reduce the risk of ransomware and malware attacks because it helps make systems more secure in general. Um, I mean, I think we’ve sort of talked about fully patched and updated hosted systems, real time monitoring and logging, um, effective management of cloud-based security controls. You know, those are all, those three requirements are all important for keeping systems patched, integrating new systems with existing security strap processes and keeping systems secure from cyber-attacks and securing data as it moves between environments.
(00:50:32):
But I mean, beyond this, I mean, I think there was a also at, at 70, 72% with secured APIs at 71% with safe password practices, 70% with compliance with data management requirements, and at also at 70% with alignment between SAP cloud security and IT teams. So getting that alignment between your SAP center of excellence, your security and your IT teams is also super important to ensuring an effective cloud security strategy. Now, if we look at the technologies that are used today, and the way we, we ask people to respond to this sort of question on technology is we say, what are you currently using? What are you implementing? Uh, what are you evaluating? So, you know, right now, no real surprise, access control and identity management is one of the most used technologies, encrypted and secure connectivity. So encrypting your, your connection with your vendor, uh, with your cloud provider, vulnerability management. So that’s sort of identifying vulnerabilities or potential vulnerabilities before they’ve actually become vulnerabilities and addressing them early in the pl early in the place. Um, continuous monitoring, data encryption. So this sort of speaks to what people are running today and leveraging today from a technology perspective. And you can see that at the bottom of this list is, is zero trust model, uh, and not far above it is dynamic authorization and least privilege.
(00:52:08):
But if we move up to see what is being implemented over the next 12 to 24 months and, you know, access, more people are implementing access control on identity management over the next 12 months, but you know, much higher number are implementing behavioral analytics and zero trust models. This sort of speaks to where people are going from a security standpoint. Behavioral analytics is interesting because it allows organizations to analyze the behavior of, um, users within their systems. Um, and so that way you can potentially identify, um, a credentials compromise because you can see that a user is doing something different than they might have done in the past. You know, it’s like if this user has never run report X and suddenly they start trying to, then that might be something that is a potential, something might have happened. And it’s worth checking in with the user to sort of see why are they doing this now?
(00:53:11):
Why has their behavior changed? Does zero trust model, we’ve, we already talked about code vulnerability analysis, very important for SAP customers that have large numbers of systems that have, uh, extensive custom coding, uh, in place. Um, some organizations are trying to remove that as they move to S A P S for HANA as they move to the cloud because it’s expensive to do that move that custom code. Um, vulnerability management, uh, continuous monitoring and, and threat intelligence feeds are sort of at the bottom of this list, but that’s something that organizations are starting to implement, but they’re not necessarily there yet. Um, but this is, this is sort of even above and beyond threat intelligence in general, which is threat intelligence is just sort of a lot of data. Whereas a threat intelligence feed can specifically say, you know, a particular attack was detected. This is, this is the exploit they’re using.
(00:54:07):
Or if you have this particular problem, there’s a cve now a patch it immediately. Um, very specific actionable intelligence, which is more sometimes easier to address than the, the sort of broader general threat intelligence can provide. Um, and then in terms of, you know, what people, technology people are evaluating for the future, um, similar sort of things. Threat intelligence feeds top of that list, dynamic authorization, lease privilege, security driven networking, all important things for organizations to be considering for the future. So what about recommendations? First, determine how you can improve security around endpoints and where users access your system. I mean, we sort of saw that endpoint security was, uh, a big requirement. Um, but a part of this process should be focused on continuing education of users around threats like social engineering and how to ensure they do not inadvertently compromise their credentials. I mean, if you listen to, um, you know, or you read about what’s been going on with some of the bigger exploits on companies like, um, Uber, um, a lot of that was done through, uh, social engineering, right?
(00:55:19):
So it’s very important that your users understand how those threats can, uh, eventuate. Many people think that, you know, hacking is, is, is, is a bunch of hooded individuals sitting in a room, um, typing code, and that really isn’t how the majority of hacking works and how the majority of attacks work. So other steps might include hardening and improving authorization, evaluating zero trust models to ensure unauthorized devices are not able to access, um, you know, more traditional authorization methods, like two-factor authentication and multi-factor authentication should be part of that discussion as well, uh, as they can be used for accessing endpoints. And when logging into a system or solution, explore adopting threat intelligence in your cloud security strategy so you can quickly react to newly discovered weaknesses. Uh, threat intelligence and threat intelligence feeds as to technology, as a technology are crucial for learning about when you discovered weaknesses and ensuring they can be addressed before they become vulnerabilities.
(00:56:23):
Uh, threat intelligence feeds, I think should be part of your cloud security strategy as they help distill the volume of data that can be generated in broader threat intelligence into actionable tasks that security teams can immediately initiate. And that can be very crucial when a newly common vulnerability and exposure is discovered that impacts cloud infrastructure or cloud-based systems and then evaluate behavioral analytics and the benefits they can bring to your cloud security strategy. Understanding what’s normally in your environment and when something is anomalous can be a complex task. Um, when that environment consists of multiple systems in different landscapes with dozens of connection points and thousands of users. But leveraging the capabilities of machine learning, um, to help build a picture of normal system behavior will make discovering something unusual, easier should that occur. Uh, with cyber-attacks showing no sign of decreasing in a majority of organizations globally, having experienced some form of cyber-attack over the past year, it’s only a matter of time until you need a technology like behavioral analytics to help reveal when a breach has occurred.
(00:57:31):
Um, overall recommendations, um, evaluate, use the deployment of cloud-based solutions as an opportunity to evaluate and update your security strategies. We’ve already sort of talked about this. New vulnerabilities are regularly being discovered or revealed, uh, and businesses are constantly playing catch up to address them. So when an organization starts deploying cloud-based applications, your attack surface is increasing. It makes it more important to have an effective and up-to-date cloud security strategy. Um, build security into any new application development deployment from the start of the process. It has to be there at the beginning. If it’s not there at the beginning, you can often delay the project as you have to go back and retrofit it. It’s easier to adjust plans for a new solution to ensure it fits into existing security strategy at the start than having to retrofit that later. Um, and it’s never been more important to secure data and systems and making security central to any plans is, is sort of essential for success.
(00:58:34):
Um, include data movement and integration points in cloud security strategies in addition to not SAP and non SAP solutions. SAP teams might put the applications they manage first, but they don’t exist in a vacuum manage as you sure in the list of of, um, systems being covered. Um, most s SAP P systems are connected to multiple other systems in the enterprise, right? Any effective security strategy must include not just s SAP systems, but the other solutions they’re integrated with. And that’s why it’s essential to include data movement integration as part of your strategy and then evaluate and deploy technologies that will expand the capabilities of a cloud security strategies. So many new technologies will then help enhance your security stance. Those being evaluated or implemented by respondents include behavioral analytics, a zero trust model, threat intelligence feeds, dynamic authorization. All of those technologies can significantly enhance your security capabilities as an organization. But they must be worked into budgets, vendor relationships and security strategies. And your organization may restrict their focus to making the most of existing solutions, but you should continue to evaluate and explore technologies that will reduce your vulnerabilities. And unfortunately that is all the time we have. Um, apologies for running a little long here. Um, if you do have any questions, please feel free to follow up with me. Uh, thank you for attending today’s webinar. Shortly after the event, you will receive an email reminder to access the present.
Webinar Sponsor: