SAP customers have a responsibility when it comes to threat detection and incident response for their systems, whether their applications are running on-premise or in the cloud. These responsibilities are clearer in an on-premise environment where the customer manages secure configuration and operations including the servers on which the solution runs, databases that are in use, and the networking infrastructure. Responsibilities are less clear for cloud operations, which is why a shared responsibility model that includes privacy, compliance management, business continuity planning, and threat detection is essential. This is the case with the Shared Responsibility Model that SAP has published for RISE with SAP S/4HANA Cloud Private Edition.
A specific example is that, when an organization moves SAP workloads to the cloud, SAP manages protecting, monitoring, and responding to threats impacting the cloud infrastructure, networking, data stores, and cloud operations. These are the parts of the environment that the customer cannot access directly. Similarly, SAP has no access to the secure configuration and transactions within an application running in an on-premise infrastructure, for example, where customers are responsible for tasks like user provisioning and authorizations, business process configuration, and deciding who can access data and functionality in the system. Even for responding to tickets, SAP cannot access a customer system unless allowed.
Understanding these responsibilities is crucial for customers because unclear roles can lead to oversight of critical elements. This is particularly important because cybersecurity attacks continue to increase in volume and impact. Even if an attack doesn’t directly impact SAP systems, it may indirectly affect these systems through cross-contamination, which can force organizations to shut down SAP systems to prevent them from being impacted.
Explore related questions
However, even with a clear understanding of roles, customers may be unsure how to proceed in the event of a cybersecurity incident. SAPinsider research has highlighted that when it comes to threat detection and incident response, organizations still need assistance. The research reveals that 37% of surveyed organizations require guidance on handling detected threats, 34% require guidance on identifying potential threats, and 33% need help understanding how to best use threat detection tools.
Organizations can address these challenges by reporting new security issues to SAP. However, what SAP can achieve will be limited by the access that they have to the system, and a security incident may exceed the expertise or capacity of in-house teams. To support organizations in addressing this, Onapsis has partnered with SAP to provide faster investigation and incident response assistance to SAP customers. Onapsis’ SAP Incident Response enables organizations to use an SAP-endorsed incident response when faced with an attack. Having access to expertise, support, and technology when managing a security incident can help hasten investigations and accelerate recovery.
What this means for ERP users
Security is one of the most important topics for insiders today with, for example, 66% of organizations citing it as a key factor when choosing a cloud provider for RISE with SAP. This is because cybersecurity incidents are increasingly impacting SAP systems either directly or indirectly. Ensuring that systems are secure is top of mind for both SAP and IT organizations. But recognizing security as a priority does not equate having the capabilities or expertise to respond to a security incident. This makes solutions like Onapsis’ SAP Incident Response, a big advantage for organizations as it enables them to use the knowledge and resources that may not be available internally. Given the security challenges faced by organizations today, what should ERP users do to be prepared?
- Ensure that there is a clear understanding of roles and responsibilities when it comes to securing SAP solutions. SAP has published guides such as the Shared Responsibility Model for RISE with SAP, but such detailed documents do not exist for all SAP solutions. This is why it is critical to ensure that SAP teams and the customer’s security and IT teams they work with have a clear understanding of their responsibilities when it comes to securing SAP systems. Creating RACI charts can be a starting point, but it is also imperative to understand what SAP will secure and not secure when it comes to cloud-based solutions.
- Follow security trends and put in place response plans that can be activated when threats or vulnerabilities are detected. Having a detailed response plan in place can be critical when a new threat or breach occurs. Ensuring that team members know where and how to access this plan, and have practiced doing so, can be the difference between something that is quickly stopped and a major breach. While response plans should include the steps that internal teams need to perform immediately after detecting a security incident, this can also include the ability to reach out to SAP or security partners to receive assistance in dealing with such situations.
- Ensure that SAP teams collaborate closely with customers’ IT teams or dedicated security teams when it comes to managing the security of SAP systems. Historically, SAP teams were responsible for managing the security of SAP systems. This not only included managing system and data access but also patching and reacting to security incidents. However, it also meant that the customer’s IT and security teams had little insight into the way these systems were managed and secured. While this has evolved, it is still vital to ensure that SAP teams collaborate closely with the customer’s IT or dedicated security teams to ensure that SAP systems are properly secured.