Q&A

The ERP Security Challenge

In a rare interview, SAP’s Sachar Paulus talks about how the ERP software giant secures the software that may very well be your business’s backbone.

By Katherine Walsh

the ERP platform may come into play, and they don’t sufficiently understand the importance of security patches. This is a huge challenge to the organization. It needs to bring together people who understand ERP security, and people who understand Internet, e-mail and Web services security.

CSO: What security controls are built into the software, and how do customers use those controls?

Paulus: One basic control is a variable authorization system for addressing the insider threat. SAP also provides options for strong authentication, as well as an interface for antivirus. We also offer a set of services. Some are part of our maintenance package for checking security configurations of the system, and customers can pay for remote services for other activities.

CSO: How often do you assess the security of your software? What kinds of things do you look for when evaluating that kind of thing?

Paulus: We do that on a regular basis. Since we no longer offer just one product with one version (we have many different products with different releases) we employ four, five or sometimes six providers of assessment specialists for security of products. We first look at things like internal runtime so we can make sure there is no buffer overflow. We also test authorization management, and in the last few years we have started to mostly look into Web vulnerabilities.

CSO: How does security in an SAP environment differ from other business environments?

Paulus: The difference with ERP is that the size of the bucket becomes much larger. When you have access to a system that size, security becomes more critical. But major security concerns--like attack vectors and the difficulty of raising employee awareness, the completeness of the controls, the maturity of the IT security methods and technologies--they are all very much the same in all environments, ERP or other.

Associate Staff Writer Katherine Walsh can be reached at kwalsh@cxo.com.
