Security and Compliance Discussions
Security & compliance of business operations are critical in this age of rising cyber threats, increasing compliance regulations, and rapid technological change. SAP customers, partners and SAP employees put great effort in to meet those risks and work towards effective security outcomes and cyber resilient systems. We benefit from each others' challenges and successes to protect the business processes and services we all depend on. Join us here to discuss the security and compliance of SAP software and cloud services, as well as secure development, deployment, and operational practices, whether on-premise or cloud.
Security's role within the new Cloud

mfallas
Explorer

Hi everyone! Although a lot of companies are still using on-premise applications like SAP Logon (a.k.a. SAP GUI), the truth is that, eventually, everything will be managed in the cloud. This is a good thing: simplification, effectiveness, more capabilities, and every other benefit that the cloud offers.

However, I've been meditating on whether back-end security will dramatically change as we know it (not to say, disappear). With the new capabilities of cloud-based Fiori and HANA, the need for SAP Logon is less relevant, and with it the need for things like role management in PFCG, users in SU01, traces, and so on.

What do you think? Shall we, Security experts, be prepared for a radical change in the way we do things?


ivan-ae
Explorer

Let me state that nothing in SAP calls for a radical change, also not a shift in the technology stack. Remember when SAP Fiori was first introduced? Yes, 2013. 11 years later we still see a mass use of the SAP GUI. Adoption of new technologies may go faster nowadays, but a full transition may very well take another 10 years.

Security experts must extend their knowledge to hybrid and cloud-native skills to secure the SAP technology and application stack.


I agree. Adoption takes time, not only because of money, but because of expertise as well.

Maybe this gives us SAP Consultants a good opportunity to learn and grow while the technology we support gradually evolves. Time is crucial.

Fun fact: there are companies out there still using MaxDB. 😅

i353gfiata
Advisor

Excellent question! I believe that security concepts are in a constant state of evolution, and as security professionals, we must evolve alongside them. I anticipate that security will adopt a more agile approach and be viewed increasingly as a business enabler rather than a blocker. However, this transformation will be gradual rather than immediate.

For instance, I foresee security transitioning from being perceived as a department of "No" to one that says "Yes - but securely." @JayThvV - quoting you on this one 🙂

As technologies advance, such as reveal-on-demand functionalities, dynamic access controls, and user activity monitoring, the need for complex role concepts requiring daily use of PFCG may diminish.

Likewise, tools like SU01 might see reduced usage as business and IT leaders become empowered with tools to make rapid and informed decisions about (permanent or temporary) user access provisioning and revocation.

Artificial intelligence may also play a crucial role in supporting these processes. For example, it could suggest appropriate access levels for users by assessing how such access enhances business efficiency, identifying associated risks, and determining whether existing controls can mitigate these risks or if new controls need to be established.

While this shift won't happen overnight, I believe it's already underway, particularly within the most innovative companies.

Overall, I find this transformation both exciting and promising. As security professionals, we have the privilege to witness and contribute to this evolution. I hope this perspective sparks some valuable insights for you!


Thank you! Your insight is definitely valuable to me.

I like how you put these new tools (like AI) into a positive perspective. So, instead of taking away our purpose as consultants, they strengthen the way we work. They are tools, after all, but we are the brains. 😉

JayThvV
Product and Topic Expert

@mfallas to a large extent, this change has been ongoing for some time. I recently asked several colleagues within SAP whether they remembered when they last needed SAP GUI for anything work related. Most of the responses were around 2009-2012.

Inevitably, with newer technologies and platforms, things change - but hopefully for the better, and in a simplified way, with more modern user experiences.

When it comes to security experts of SAP systems, it is important to understand that while the cloud provider takes care of infrastructure and system security and compliance, responsibilities on the user/customer-end remain. As @i353gfiata already refers to, you still need to take care of user provisioning and authorizations.

Where I think the promise lies for SAP security experts is in high-value activities, such as validating the security of the design and implementation of business processes, the security of integrations between solutions and associated identities and authorizations, and the secure use of BTP for extensions. Another aspect security experts previously may have had less time for is threat detection and hunting, and fast response and recovery.

More generally, we are all in some varying stage of digital transformation, whether done in the cloud or on-premise. Business requires us to be more flexible and agile to respond to new business-, geopolitical, cyber- and compliance risks. How to enable that agility and resilience is a key challenge for all of us securing SAP solutions, whether on the front-end or back-end.

Well, I guess your point involves something very important: we need to evolve.

MichaelHealy779
Explorer

I am not sure I agree with or fully understand "eventually, everything will be managed in the cloud". Do you mean that every business will eventually give over to hyperscalers to manage their infra, or allow them to manage their SAP environments? Cloud is just someone else's server, let's remember, so I think there is a lot more to discuss than to just land at this conclusion.

I have used both public cloud HTTP-based security management tools and on-prem GUI/Launchpad, and I can safely say GUI is still streets ahead. If something better comes along then I am all for it, but progress for the sake of progress is not progress.


Hi Michael,

What I meant is that the use of cloud-based applications is gaining prominence over the on-premise apps we know very well. For example, I have always worked with a Fiori setup in which the apps and their authorizations are defined in SAP GUI, while the apps are used in a web browser. Now, it turns out there is a full, cloud-based Fiori that doesn't need a back-end system. This was a game-changer for me, especially considering that this is the kind of development where we are all heading.

sinisa_medic
Explorer

Even as SAP takes on a significant portion of the technical foundation with RISE, a closer look reveals that many traditional security activities still fall under the customer's responsibility. I believe it will take some time before it becomes increasingly expensive for on-prem customers to operate SAP themselves. SAP will never fully understand organizational specifics or need to manage fine-grained network configurations. The integration of solutions (cloud-to-cloud), namely the connection of various SAP SaaS with other SaaS, will become increasingly important. Thus, I think there will be less emphasis on RZ10, PFCG, and SU01, and more on key management, encryption, and API security.

Therefore I predict that when SAP moves to the cloud, your security technology stack should also be cloud-native, and your SAP Security team should arm themselves with cloud knowledge.