Building Security into SAP Cloud Migrations

As organizations accelerate the migration of their SAP systems to the cloud, the importance of embedding security into every phase of the process can no longer be overlooked. With SAP at the core of business-critical operations, even a small oversight can result in significant data breaches or compliance violations. Despite the growing emphasis on cloud security, fewer than half of organizations have adopted Zero Trust controls in their cloud infrastructure, and only 38% have extended these protections to their cloud networks (Thales Cloud Security Study, 2023). These gaps underscore the need for comprehensive security measures that safeguard sensitive data and maintain cybersecurity resilience throughout a cloud migration.

Addressing this gap, Andreas Kirchebner, Senior Security Delivery Manager at Accenture, shares expert insights on Building Security into SAP Cloud Migrations. He explains why security must be embedded in every phase of a cloud migration for SAP systems and addresses the key challenges of moving to cloud environments. He also outlines best practices for secure data transfers, effective access control, and aligning cloud security measures with compliance standards and emerging threat landscapes.

Andreas Kirchebner is a Senior Security Delivery Manager at Accenture with a career spanning over 15 years in SAP. He began as an SAP Basis Administrator in 2008 and transitioned to an SAP Security Manager role, where he spent 4.5 years in Information Security. Currently, he is the Global Topic Lead for SAP Security Strategy, Governance, and Enablement, and SAP System Security at Accenture. Since 2019, Andreas has also served as the spokesperson for the cloud security working group in the German Speaking User Group, DSAG.

Get the full insights: read his perspective below or watch the Q&A video.

Why is it critical to embed security into every phase of cloud migration, especially when dealing with complex systems like SAP?

Well, there are several reasons for this. But first, I would like to emphasize that SAP Security is often still misunderstood. Even though it has already changed, I still observe that many customers perceive SAP security mainly as roles and authorizations or GRC.

However, if we look at the full range of SAP security topics, we need to approach the topics in different steps. Let me give you some concrete examples:

If you start defining an SAP security concept or an SAP security baseline in the implementation phase, it might already be too late. This can result in situations where the Basis and Authorization teams set up the environment in an insecure way, or the network team has not yet segmented the network sufficiently, simply because the colleagues do not know what needs to be considered. Once the systems are set up, additional internal and external efforts are usually required to close the gaps, which of course leads to additional costs.

It is therefore crucial to support, train and advise the project teams in all areas and phases to ensure that security is implemented by design. Not forgetting that, at the end of the day, it needs to be checked that the environment has been implemented securely.

In other words, you already need to start in the preparation phase with defining the rules, support and advise during the implementation phase, and finally ensure with monitoring that the requirements are met.

That might sound easy, but considering that a usual SAP environment has many different systems, stages, technologies, products and interfaces to other solutions, this can be incredibly huge, as you need to check every single component for the necessary security controls. So, you might end up with hundreds of components in huge landscapes. And we’ve not started to talk about the different security domains.

That’s a great insight. So, what security challenges should organizations anticipate when moving their SAP systems to cloud environments such as AWS, Azure, or Google Cloud?

That’s a really good question; there are numerous challenges for organizations. Usually, it’s barely a simple cloud migration or transformation. And as already mentioned, the hundreds of potential components present the very first challenge.

What follows is the usual mix of different deployment scenarios and contracts that need to be coordinated. And in many security areas, it is necessary to go into detail to understand whether the expected level of security can or will be met. And since every company has its own requirements, there is no one-size-fits-all.

If a company lacks a holistic SAP security concept and an SAP security baseline, it is very likely that the systems will have a low level of security, which is exacerbated by the fact that SAP systems are only secure to a limited extent by default, especially older release versions. As you can imagine, it will take a while to check all vectors, which is why I see a lift-and-shift approach with a few security improvements as the only viable way forward if you don’t want project costs to explode. But it’s very important to identify all the gaps during the project and start remediating the gaps afterwards.

Having a look at the shared responsibilities, it is very important to have a close look at the security-related RISE services provided by SAP, to understand who is responsible and to what extent. It’s also important to compare the different hosting providers, as AWS, Azure and Google Cloud Services offer different services and service levels.

Speaking of which, how can organizations ensure their cloud providers meet the security and compliance requirements specific to SAP data and applications?

There are some key elements that a company needs to address. First of all, a company needs to know its assets and the level of protection they require. It also needs to know how it wants to protect them, and that also means translating policies and standards into SAP-specific controls.

Once the baseline is defined, it is important to start implementing and monitoring the controls. At this stage, it is important to also cover the process-related controls. And not all processes can be monitored in an automated way, which is why an internal control system should cover SAP-specific controls as well, which is especially important for the SAP Cloud environment. This has a nice side effect: you can support and prepare the audit upfront and reduce the efforts during the audit.

Another important key element is clear roles and responsibilities, which must be actively communicated so that employees know their rights and obligations. This brings me to the points of training, awareness and corporate culture. Blue- and white-collar workers generally have a different approach to security. Everyone knows the stories with passwords on a Post-it, but I’ve also seen a whole list of users with passwords as barcodes ready for the barcode scanner, which emphasizes that physical checks need to be executed as well.

Building on that, what are some best practices for ensuring secure data transfers and maintaining access control between on-premises and cloud-based SAP systems?

A starting point should always be the SAP security concepts and an SAP security baseline to know what and how to secure the environment. This is usually a mix of a strong authorization and authentication concept. Additionally, clear standards and guidelines for interface hardening, such as encryption, web application firewalls, block and allow lists, or SAP routers and web dispatchers, should be included. Or to name a few buzzwords: Zero Trust and Privileged Access Management, which is of course strongly related to the customer’s security maturity.

However, one of the most important components for an SAP environment is the SAP Cloud Connector. It is the central communication channel between SAP On-Premises and the SAP Business Technology Platform (BTP), which offers various settings for the aforementioned topics. And considering that BTP is the central platform for the SAP cloud environment, which offers around 90 different services, this can provide quite a large attack surface. Another important topic to consider is the SAP Integration Suite, which offers some nice functionalities to protect the interfaces.

But if someone doesn’t know where or how to start, I highly recommend starting with the SAP Security Baseline Template and the SAP Cloud Security Recommendations. They provide a whole lot of very important information that should be considered state of the art, which is becoming more and more important in the European Union due to the recent and upcoming cybersecurity regulations such as the Network Information Security Directive (NIS2) and the Digital Operational Resilience Act for the financial sector. And last but not least, documentation. It is important to have an overview of your landscape and your expected target status, which is the basis for your system hardening and reporting.

That’s really insightful. What steps can organizations take to align their cloud security practices with regulatory compliance and to future-proof their SAP environments against emerging threats?

A tricky question, especially considering that many customers still have some on-premises systems that they should not forget, in order to avoid having backdoors in the environment. Many security controls that apply to on-premises systems also apply to the SAP Private Cloud Edition and, to a certain extent, to the public cloud.

However, with regulatory requirements in mind, we should not forget that the origin of SAP security is often the SAP Basis team, which means that many of the administrators like to configure their SAP systems and are often not interested in all the paperwork that comes with general governance and regulatory requirements. With the move to the cloud, more attention needs to be paid to this aspect. Every Basis administrator has a natural conflict of interest: he has to keep the systems running and, in some cases, this leads to security being ignored or given a lower level of attention and mostly seen as a hobby alongside the day job. Also, the skills required are changing. Information security involves a lot of governance and control activities that are often not in the mind of a traditional system administrator.

In view of the topics mentioned and to come back to your question, I highly recommend appointing a dedicated SAP security officer to take care of all SAP security topics. However, this does not mean that this person is a superhero who can handle all issues alone. In the end, it’s a team sport where you must break down all the silos in an organization. But the SAP security officer can dig into the details, reconcile all the requirements and pass them on to the appropriate stakeholders such as the information security team, the legal department, the various IT departments, corporate communications and many other stakeholders. And this is exactly what will become increasingly important in view of the many regulations and the fact that you must get ahead of the attackers.

Thank you so much for sharing these valuable insights, Andreas.

Discover more from NextLabs’ Expert Series, featuring industry experts in educational and thought-provoking conversations on Data-Centric Security, Zero Trust Architecture, Safeguarding AI, and more.
