The ERP Security Challenge

Until June, Paulus was CSO, responsible for IT, physical and organizational security at the $12 billion German company known for its enterprise resource planning (ERP) software. Now, he’s SVP of product and security governance, and as such is responsible for security strategy for all products. New threats, increasing complexity and emerging regulations have increased the importance of security on all fronts. Despite the high stakes, though, Paulus is not in the spotlight in the United States and does few interviews. CSO’s Katherine Walsh recently talked with him about SAP’s security strategy, global compliance issues, and how he stays on top of it all.

More on ERP security and related issues

• Separation of duties and IT security
• The art of the compensating control
• How to prevent and detect fraud

CSO: What is the current state of IT security in businesses and organizations?

Sachar Paulus: The weakest link is still people. As good as IT measures and technologies can be, the biggest problems occur wherever technology comes into contact with people who need to administer, manage or even use IT security functionality. One of the best examples is related to protecting confidential information over the Internet using e-mail encryption. Existing tools are still too cumbersome for people to actually use it the right way. Many people use encryption but then send the password for the encryption in the same e-mail, so what’s the use?

CSO: Can you elaborate on how the security function at SAP has transformed, and how it continues to evolve?

Paulus: From a corporate standpoint there are two things happening at SAP: One is to extend the use of IT security competencies into other areas of the business. IT security is moving away from being mainly driven by the IT organization where the availability of the network and the information were top priorities in terms of security. Now, largely due to compliance requirements like Sarbanes-Oxley, integrity of information and confidentiality is more relevant and important. The CFO is looking into these types of activities, and in most cases he is the one responsible for managing the compliance activities of the organization.

From a product perspective, security is a little more difficult. Years ago at SAP we had ways of managing complex authorizations for complex business systems. That’s something that requires additional expertise beyond the ERP system itself. There were few companies under the IT security label with that kind of expertise, but there was no big demand for it. But now with Sarbanes Oxley, there is more demand to prevent critical combinations of authorization for the same people, so Sarbanes Oxley has changed what people are looking for in terms of security. The technology hasn’t changed, but the demand has.  

CSO: What’s the regulatory landscape for SAP?

Paulus: As multinational company selling software all over the world, we have to deal with many different kinds of regulations. The main challenge for large organizations is to find the right balance. Sometimes you may have conflicting legal requirements to fulfill in different areas of the world. For example, in the United States you may need to control the content of the e-mail of employees to meet compliance regulations. But if you do this in Europe, you would be violating privacy laws. So you have to make a business decision about which is less risky for the company overall.

CSO: How do you reconcile those differences?

We have decided to go for a global security policy, with a globally uniform requirement. Additional, stronger requirements could be put in place by a local subsidiary. We use a “least common denominator” framework for the overall organization and more stringent regulations in the individual countries. We have similar rules for the product organization. When a product goes out into the different countries for sale, we make sure additional requirements for the local markets are reflected in the product, whether that be specific add-ons or restrictions for the specific markets.

CSO: What are some of the biggest ERP security threats? What are SAP’s biggest software security challenges?

Paulus: The biggest risk is the insider threat–people who have access to the system who are using it in the wrong way or with the wrong authorizations, and there is not enough control installed within the company. You need to find the right balance between how much trust you put into people in your organization and how many controls you employ.

The other threat comes from people connecting their ERP systems to the Internet, either to extend the supply chain support of the system or to expose specific functionalities in order to make life easier for the employees. The problem with this is that the classical, well understood Internet threats are often not understood by the ERP people. The people who are responsible for ERP understand the insider threat because they have dealt with it for years, but when there is a demand from the business to extend systems to the Internet, they don’t think about threats like cross-site-scripting. Viruses or worms using the ERP platform may come into play, and they don’t sufficiently understand the importance of security patches. This is a huge challenge to the organization. It needs to bring together people who understand ERP security, and people who understand Internet, e-mail and Web services security.

CSO: What security controls are built into the software, and how do customers use those controls?

Paulus: One basic control is a variable authorization system for addressing the insider threat. SAP also provides options for strong authentication, as well as an interface for antivirus. We also offer a set of services. Some are part of our maintenance package for checking security configurations of the system, and customers can pay for remote services for other activities.

CSO: How often do you assess the security of your software? What kinds of things do you look for when evaluating that kind of thing?

Paulus: We do that on a regular basis. Since we no longer offer just one product with one version (we have many different products with different releases) we employ four, five or sometimes six providers of assessment specialists for security of products. We first look at things like internal runtime so we can make sure there is no buffer overflow. We also test authorization management, and in the last few years we have started to mostly look into Web vulnerabilities.

CSO: How does security in an SAP environment differ from other business environments?

Paulus: The difference with ERP is that the size of the bucket becomes much larger. When you have access to a system that size, security becomes more critical. But major security concerns– like attack vectors and the difficulty of raising employee awareness, the completeness of the controls, the maturity of the IT security methods and technologies–they are all very much the same in all environments, ERP or other.

Associate Staff Writer Katherine Walsh can be reached at kwalsh@cxo.com.