Q&A
The ERP Security Challenge
In a rare interview, SAP’s Sachar Paulus talks about how the ERP software giant secures the software that may very well be your business’s backbone.
By Katherine Walsh
le, so Sarbanes-Oxley has changed what people are looking for in terms of security. The technology hasn’t changed, but the demand has.
CSO: What’s the regulatory landscape for SAP?
Paulus: As a multinational company selling software all over the world, we have to deal with many different kinds of regulations. The main challenge for large organizations is to find the right balance. Sometimes you may have conflicting legal requirements to fulfill in different areas of the world. For example, in the United States you may need to control the content of the e-mail of employees to meet compliance regulations. But if you do this in Europe, you would be violating privacy laws. So you have to make a business decision about which is less risky for the company overall.
CSO: How do you reconcile those differences?
Paulus: We have decided to go for a global security policy, with a globally uniform requirement. Additional, stronger requirements could be put in place by a local subsidiary. We use a “least common denominator” framework for the overall organization and more stringent regulations in the individual countries. We have similar rules for the product organization. When a product goes out into the different countries for sale, we make sure additional requirements for the local markets are reflected in the product, whether that be specific add-ons or restrictions for the specific markets.
CSO: What are some of the biggest ERP security threats? What are SAP’s biggest software security challenges?
Paulus: The biggest risk is the insider threat: people who have access to the system who are using it in the wrong way or with the wrong authorizations, and there is not enough control installed within the company. You need to find the right balance between how much trust you put into people in your organization and how many controls you employ.
The other threat comes from people connecting their ERP systems to the Internet, either to extend the supply chain support of the system or to expose specific functionalities in order to make life easier for the employees. The problem with this is that the classical, well-understood Internet threats are often not understood by the ERP people. The people who are responsible for ERP understand the insider threat because they have dealt with it for years, but when there is a demand from the business to extend systems to the Internet, they don’t think about threats like cross-site scripting. Viruses or worms using t