
Let’s Talk Transformations Podcast: Key Takeaways on SAP Transformation and Cybersecurity 

Barry Snow
Technical Account Manager
June 30, 2025
20 min read


In a recent episode of Sana Asher’s Let’s Talk Transformations podcast, I discussed the critical intersection of SAP transformations and cybersecurity. One concept that resonated throughout our conversation was “Phase Zero,” a term introduced to me by Sana. I emphasized that cybersecurity should be part of Phase Zero for every SAP transformation initiative: scoped, budgeted and baselined before the project starts, not bolted on after an “aha” moment midway through. 

Here are the other topics that we covered in this podcast: 

 

Understanding SAP Transformation 

Today’s SAP transformations are not just one-time upgrades but continuous evolutions. Organizations are constantly under pressure to modernize their SAP footprint by adding new modules and features, integrating cloud offerings like RISE with SAP, and jumping into the new frontier of SAP BTP (Business Technology Platform), all while maintaining on-premises legacy extensions and interfaces, alongside new cloud services. Unfortunately, many projects still treat security as an afterthought, which can leave a transformation initiative vulnerable to cybersecurity exploits. 

 

The Importance of Cybersecurity in Transformations

I highlighted that while the S/4HANA transformation is the most recognized and talked about, many other transformations, migrations, and upgrades are happening at the same time. Amid all this busyness, it is tempting to let cybersecurity get overlooked. I use the term SAP Cybersecurity to stress that it belongs in every SAP transformation initiative. Treating SAP Cybersecurity as part of Phase Zero puts security into the Project Charter and the Project Scope from the start, rather than adding it to the scope mid-project. 

 

Cybersecurity in the Cloud Era 

As we discussed the shift to cloud platforms, I emphasized that while cloud providers like AWS, Google Cloud, and Azure secure the lower layers of the technology stack, organizations must remain vigilant about application layer security. Under the “shared responsibility” model, the hyperscaler secures the physical data centers, hardware, virtualization and network layers it operates. The organization itself remains fully accountable for the SAP application layer and, depending on the service model, for the operating system, the database, data encryption, and identity and access management. The hyperscaler does not look inside the SAP application, so that accountability translates into regular vulnerability scanning of the SAP layer and continuous threat monitoring of what happens in it. 

 

Navigating Complexities in Transformations

In answer to the question, “What gets overlooked?”, I pointed out that legacy systems must remain secure and operational until they are decommissioned. Using the analogy of the Pony Express, I explained that organizations must continue to operate and secure their legacy ERP systems, often for years as a reference or read-only system, until they have fully transitioned to the new systems. A legacy system that no longer receives security attention is not a clean system; it is a blind spot that is still reachable. 

 

Practical Advice for Clients 

To help organizations navigate these complexities, I recommended utilizing established frameworks like DMAIC (Define, Measure, Analyze, Improve, Control) and the NIST Cybersecurity Framework (CSF), whose Identify function covers the same ground as DMAIC’s Define and Measure steps: inventory what you have and measure its current state. These methodologies provide a structured approach to assessing cybersecurity posture and defining security needs. In Phase Zero, organizations should plan and budget for a comprehensive baseline scan of every SAP system in the landscape, including the legacy systems that will keep running after cutover; catalog the vulnerabilities found; prioritize remediation tasks; re-scan during and at the end of the project so the results can be compared against the baseline; and implement continuous monitoring to detect unauthorized changes in real time. 
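As an added illustration of the baseline-then-re-scan approach, and of the legacy-system blind spot described in the previous section, here is a small comparison tool written for this article. It is example code, not SecurityBridge product code; the system IDs, check identifiers, findings and severity weights are all constructed. The one design point worth noticing is that a baseline finding only counts as “resolved” when the re-scan actually covered that system; findings on systems the re-scan skipped are carried forward as unverified, so a forgotten legacy SID cannot make the posture look better than it is.

```python
"""Baseline-versus-rescan comparison for an SAP landscape.

Added example for this article; it is not SecurityBridge code, and the check
identifiers, system IDs, findings and severity weights are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Severity weights are an assumption of this example, used to give the
# question "did we improve our posture?" a single comparable number.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    sid: str       # SAP system ID (the S/4HANA target or a legacy system)
    check_id: str  # hypothetical check identifier, not a vendor check name
    severity: str  # key of SEVERITY_WEIGHT
    detail: str


@dataclass
class ScanRun:
    label: str
    scanned: Set[str]                      # SIDs the scan actually covered
    findings: List[Finding] = field(default_factory=list)


Key = Tuple[str, str]  # (sid, check_id) identifies one finding


def _index(findings: Iterable[Finding]) -> Dict[Key, Finding]:
    return {(f.sid, f.check_id): f for f in findings}


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Remediation order: highest severity first, then by system and check."""
    return sorted(findings, key=lambda f: (-SEVERITY_WEIGHT[f.severity], f.sid, f.check_id))


def compare_scans(baseline: ScanRun, current: ScanRun) -> Dict[str, List[Finding]]:
    """Classify the re-scan against the baseline.

    A baseline finding is "resolved" only if the re-scan covered that system.
    Findings on systems the re-scan skipped are carried forward as
    "unverified": a legacy SID left out of the scan is a blind spot, not a
    clean system.
    """
    before, after = _index(baseline.findings), _index(current.findings)
    new = [after[k] for k in after.keys() - before.keys()]
    persisting = [after[k] for k in after.keys() & before.keys()]
    gone = [before[k] for k in before.keys() - after.keys()]
    resolved = [f for f in gone if f.sid in current.scanned]
    unverified = [f for f in gone if f.sid not in current.scanned]
    return {name: prioritize(items) for name, items in
            (("new", new), ("persisting", persisting),
             ("resolved", resolved), ("unverified", unverified))}


def posture_score(findings: Iterable[Finding]) -> int:
    """Weighted sum of open findings; lower is better."""
    return sum(SEVERITY_WEIGHT[f.severity] for f in findings)


def effective_open(baseline: ScanRun, current: ScanRun) -> List[Finding]:
    """What is really still open: the re-scan's findings plus everything the
    re-scan could not confirm as fixed."""
    return prioritize(current.findings + compare_scans(baseline, current)["unverified"])


def unscanned_systems(inventory: Set[str], run: ScanRun) -> Set[str]:
    """Inventory entries (including legacy SIDs still running) the scan skipped."""
    return inventory - run.scanned


# Constructed sample landscape: the new S/4HANA system plus three legacy
# systems that keep running after cutover.
LANDSCAPE = {"S4H", "ECC", "BW7", "PO1"}

BASELINE = ScanRun("phase-zero baseline", set(LANDSCAPE), [
    Finding("ECC", "DEFAULT_PASSWORD_SAPSTAR", "critical", "SAP* still accepts a vendor-default password"),
    Finding("ECC", "LEGACY_PASSWORD_HASHES", "high", "old-format password hashes still stored"),
    Finding("S4H", "DEFAULT_PASSWORD_SAPSTAR", "critical", "fresh install, SAP* password not yet changed"),
    Finding("BW7", "INSECURE_PROFILE_PARAMETER", "medium", "security parameter left at its insecure default"),
])

# The re-scan after cutover only covered the two systems the project team was
# looking at; BW7 and PO1 were forgotten.
POST_CUTOVER = ScanRun("post-cutover re-scan", {"S4H", "ECC"}, [
    Finding("ECC", "DEFAULT_PASSWORD_SAPSTAR", "critical", "SAP* still accepts a vendor-default password"),
    Finding("S4H", "INSECURE_PROFILE_PARAMETER", "medium", "parameter changed during cutover"),
])


if __name__ == "__main__":
    for bucket, items in compare_scans(BASELINE, POST_CUTOVER).items():
        print(f"{bucket}:")
        for f in items:
            print(f"  [{f.severity:>8}] {f.sid} {f.check_id}: {f.detail}")
    print("not scanned:", sorted(unscanned_systems(LANDSCAPE, POST_CUTOVER)))
    print("posture: baseline", posture_score(BASELINE.findings),
          "| re-scan as reported", posture_score(POST_CUTOVER.findings),
          "| re-scan honest", posture_score(effective_open(BASELINE, POST_CUTOVER)))
```

Run as a script it prints the four buckets, the two systems the re-scan never touched, and three posture numbers: the baseline, the flattering score the re-scan reports on its own, and the honest score once unverified legacy findings are carried forward. The gap between the last two is exactly the “don’t forget it’s there” problem from the section above.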

 

Career Insights in SAP Cybersecurity 

We also touched on career pathways in SAP cybersecurity, a field that sits at the intersection of deep SAP knowledge and core cybersecurity principles. For those entering this career space, I advised considering whether they want an offensive role, adopting the mindset of a hacker or penetration tester, or a defensive role, sharpening their defensive strategies with a tool such as the SecurityBridge Platform. Either way, the defender needs to understand the attacker’s techniques, and committing to lifelong learning to stay current with SAP’s evolving landscape is essential. 

 

Conclusion: Security Can’t Wait Until Tomorrow 

The topics we discussed during the podcast underscore a reality we can no longer ignore: SAP transformations without embedded cybersecurity are a gamble with sensitive data, financial integrity, and regulatory compliance. By bringing #SAPCyberSecurity into Phase Zero, organizations can build not just faster processes, but resilient and secure platforms ready for the future.  

Thank you to Sana Asher for hosting me on Let’s Talk Transformations. I encourage you to listen to the full discussion here, or find below the full transcript of the episode: 

 

Full Transcript of the Episode: 

Sana: Hello Barry, and a very good afternoon for coming to my podcast today on Let’s Talk Transformations.  I am excited to chat with you. How are you today? 

Barry: Sana, hey, doing well. I appreciate the invite. It’s a great honor. 

Sana: Thank you. It is my pleasure. It is my pleasure, yeah.  Awesome. I love it. I love it. Okay. So, Barry, as you know, I run these podcasts once a week.  I chat with people like yourself, and the goal is to understand how each of us in the SAP community… in the ecosystem, help each other to kind of get forward through the transformations and all the things that we’re coming at us at lightning speed, right? From SAP, from our clients, and this podcast is kind of meant for people to get a sense of what is happening in the community, what is happening in the industry, and hence I kind of run these podcasts every week. 

Barry: Yeah, that’s really great. It’s a great asset for the community. I appreciate it. 

Sana: Thank you. My pleasure. All right. So, we’re going to start off with my favorite question of all time, which I ask everyone — and believe it or not, Barry, I get a different answer on every different podcast… from your perspective, how do you see an SAP transformation?  

Barry: Okay. Well, I guess I would ask one qualifier, right? So, I think the most common transformation is the S/4HANA Transformation. Yes, but I think there are also so many multiple transformations that are going on right now as SAP seems to be announcing so many new things, licensing models, you know, RISE this, GROW that… BTP, even the more recent BDC… business what is it? 

Sana: Yes, the Business Data Cloud. 

Barry: Yes, and the new partnership with Databricks with SAP Databricks being part of that.  So, from my perspective, [focusing] on cybersecurity in SAP, I coined a phrase, #SAPCyberSecurity. You might see that hashtag out there [on Linkedin]. 

So, my perspective is looking at all these transformations, and the “selfish question” is, did they include [SAP] Cybersecurity in the scope?  

Sana: True. So sometimes cybersecurity is an afterthought. Yes, 100%. I’ve seen it many, many times.  

Barry: And then I think the ‘middle’ is they [customers]. . . have an “aha” moment somewhere during the project and they go, “Oh, wait, we need to include this [SAPCyberSecurity].”  And then it’s added to the scope. 

So, you know, I see all three – [but the BEST is] where cybersecurity gets added at the beginning. I think maybe I could borrow your phrase, #PhaseZero, right?  

Sana: Yes, absolutely! 

Barry:  So, if #SAPCyberSecurity is part of #PhaseZero, they’re thinking about it from the very beginning… they’re bringing it forward [on the project timeline]… they’re baselining their scans prior to the start of the transformation and then they’re running some scans all the way through.  And at the end, they’re re-running the scans, and they can compare it back to say, hey, did we improve our security posture through all of this? 

But yes, wherever a customer decides to plug in with SecurityBridge. . . or wherever they decide to do [SAP] cybersecurity, we’re always willing to jump in and help, but we love it when they include us from #PhaseZero forward. 

Sana: Makes sense. Now, that absolutely makes sense. And very near opinion, right? As you’ve mentioned that cybersecurity becomes an afterthought, or they kind of just think about it as they’re in the project, especially now that a lot of these clients are moving to cloud platforms, right?  

Can you talk a little bit about how important cybersecurity becomes at that point? 

Barry: Yeah, sure. Now, keep in mind, that some of the cloud providers, such as AWS, Google Cloud Platform, Azure from Microsoft, those are the big three, but then there are other cloud platforms as well. 

Sorry if you’re a fan of one of the other ones, but I’m just [using these three], for example. 

Sana: Yeah, no, I am just completely advised, Barry, as you know, so it doesn’t matter to me. 

Barry: Right. So, they’re going to be doing some monitoring, right? Cybersecurity, you know, what we would think of if you were just running a desktop; you would think of the hardware sitting on your desktop and the operating system… and the network…  

So, in a cloud, we have to remember, that the cloud is… just somebody else’s computer or somebody else’s computer array. 

Sana: Correct. 

Barry: So, it’s a data center somewhere else that they’re hosting, and we [wrap] this word cloud around it.  So, it still has hardware, [and] it still has operating systems.  It could even be [the] mainframe, or this massive bank of Linux systems underneath, with other virtual systems on top of that. 

So those cloud providers, they’re doing the cybersecurity at those lower [technology] stack layers. 

Sana: Okay. 

Barry: But then someone needs to… look at something at maybe the OS level… or you have some vendors that specialize at the database level.  And then, you have other vendors that will specialize in the application layer. 

Sana: Correct. 

Barry: So even if it’s in the cloud, you still have some semblance of the old technology stack, or what we used to call the OSI model. 

Sana: OSI model.  Correct. 

Barry: Yes, so the technology stack still exists, but now a lot of it is sort of virtualized in a cloud architecture. So, once you get to SAP, you still have that application layer.   

The difference is for traditional SAP, you’re thinking: 

  • What does an ABAP vulnerability look like? 
  • What does a Java vulnerability look like? 

And then we have the HANA database, [come on the scene] right?  So, then we’re able to go down and look in the HANA database and say, well, what does a vulnerability look like in the HANA database? 

Sana: Makes sense. Right. 

Barry: And then… we might have hundreds of things that we can scan for in ABAP

Then…  SAP acquires Business Objects… and… Concur, etc. And now it’s a different technology.  It’s not based on ABAP. 

So, then we have maybe a more targeted [limited] set of things that we can scan for in those environments. 

Then once you get to BTP, it’s almost like everything that used to be a SID (SAP System ID) besides S4HANA and BW4HANA is getting its technology or its architecture migrated over into, some BTP-equivalent [service]. 

Sana: That’s right. 

Barry: So, for example, think of Process Orchestration (PO) or Process Integration (PI)…  you know, it was XI, and then it was PI, and then it was PO, and then it’s Integration Suite, right?  So now we’re in BTP with Integration Suite. 

So, we have to think about what the vulnerabilities are as they move the technology across. 

You know, first they moved it from ABAP and then they went to dual stack (on PI), ABAP + Java. 

And then the PO was only Java. 

And then it’s like, scrap all that. . .and now we’re going to the BTP cloud (Integration Suite). 

So now we have to adjust the scanning and monitoring process based on the technological changes! 

You know, you have to scan it, you know, it’s about wow. Yeah, yeah. 

Yeah, so, you know, then if you go into the cloud (for BTP), you have ... Neo and Cloud Foundry… you have different technologies inside of BTP. 

So, the MAIN POINT about #SAPCyberSecurity [is that] you have to adjust based on the technology that’s underlying the architecture there. 

Sana: Okay, so that’s awesome. And you were so knowledgeable, Barry.  So, thank you.  Thank you for sharing your insights with that.   

You know, obviously you’ve been in this space for a very long time. You understand, you know, Cybersecurity.  You understand SAP. . . as you see clients who are going through transformations, what are some of the complexities that you have seen that clients don’t even think of? 

Barry: Yes, one thing is to remember that your old SIDs (SAP Systems) are still there until they’re [decommissioned].  If you’re running an SAP transformation and all of this focus gets… put on the SAP system for S/4HANA… still in the background, you might have the ECC system that has to run… maybe your industry requires you to keep that system available, at least in archive mode, or read-only mode, right?  You might have to keep it up online for either external statutes or internal policies. 

Right, so even though you moved to S/4HANA, ECC might still be running back in the background for about two to three, four, or five years. 

Sana: Right, okay. 

Barry:  Because maybe it’s needed as a reference system. 

Sana: So that creates complexity in your mind? 

Barry: Yes, my point for cybersecurity is: don’t forget it’s there, right?  [The tendency might be to] put all your cyber focus on the new system and forget the [still running legacy systems]. 

The same would be true for BW, maybe you have an old BW system. 

Sana: Got it. 

Barry: Although you have a newer BW/4HANA or Datasphere system, you might still have an old BW7 system [not yet decommissioned] that you need to be thinking about. 

[Another example] Solution Manager is going to be around, at least through 2027… probably 2030 for a lot of customers… 

 PO, I mentioned that earlier.  You might have the integration suite up and running, but [some legacy] interfaces might still be serviced through PO. 

It’s like the pony express where the riders would be riding one horse and they would ride the horse a certain distance to the next outpost, and then they would be given a fresh horse and then they would ride on with the mail on the next horse. 

And it’s almost like, for just this little bit of time, they start the other horse riding alongside… and you’re riding the old horse and then you jump over to the new horse riding to the next outpost. 

Yeah, so we’re doing this a lot with these older. . . systems. . . as we [#cutover to the new systems, we’re still running the legacy systems in parallel for a while.] 

Sana: Yeah, it makes sense.  You’ve definitely nailed down a lot of complexity, Barry. Obviously, I’m not a cybersecurity expert, but the way you’re explaining it… makes me realize that there is so much clients need to think about. 

What are some of the advice you would give to clients to start even thinking about the complexities of these risks, right?  But what do they need to do to start mitigating these things? 

Barry: The best thing you can do is you can use some of the tried-and-true models. 

Sana: Okay. 

Barry:  So, there’s one called DMAIC: 

  • D – Define 
  • M – Measure 
  • A – Analyze 
  • I – Improve 
  • C – Control 

…if you apply that to cybersecurity, it’s. . . how do I MEASURE? 

And then there’s a newer standard, the Cybersecurity Framework. 

Sana: Okay. 

Barry: It’s produced by the National Institute of Standards and Technology (NIST). [NIST CSF has a cycle that closely resembles DMAIC. Look up NIST CSF 2.0.] 

Sana: Okay. 

Barry: The early step is Inventory (NIST CSF) or Define (DMAIC)… Think of these firefighters that jump from a plane to fight forest fires.  They parachute into an environment, and they land, and they start thinking, “Okay, I’m on the ground.  Where do I need to start digging that clear line?” 

[Similarly in SAPCybersecurity you have to land and perform an initial assessment with a Scan of the Targeted environments.] 

Sana: Okay. 

Barry:  So, you’re going to go into maybe just a sandbox or a dev system and say for example, “I know my sandbox system got copied back from production 30 days ago.  So, if I run a scan there, it will roughly look like what production looks like.” 

All right, it’s just, you know, run a scan… see what the results are. 

And then that gives you your initial inventory… in project management terms, you would say that’s helping us define the scope. 

Sana: Right.  And then the initial scan that you’re running through. . . or the initial thing you talked about in cybersecurity, that piece could be through tools. . . through frameworks. 

Is that what you would recommend someone doing? 

Barry: Right. I mean, of course, I’m biased in that, you know,  

Sana:  SecurityBridge scanning tool, right? 

Barry: Right. But yes, CSF is out there for all IT, not just SAP.  And I would argue that DMAIC is even like a life principle.   

It’s not just IT. Some of these things that you learn even from like a [home security analogy].  In your house, you go around [the outside] your house and you say, “Can this door withstand the pressure of a hurricane wind force?”  Okay. Well, that would be a vulnerability if it would blow in. 

But then you think about, well, that’s like scanning. . . scanning your house and then if you go inside, you can say, well, how can I do [the equivalent of] Event monitoring in my house? 

And that would be like a motion sensor, right?  So, the motion sensor says, someone walked through this room.  Okay, that’s fine. It was me.  I was going to the kitchen to get. . .milk and cookies for Santa Claus. 

Sana: Right.  Well, I like that track because I was so hungry. 

Barry: Yes, right!  But if it’s 2 a.m. and the back door opens, and that event monitor goes off, then that would be someone, oh, someone forgot to lock the door. 

So, the Vulnerability says your door’s unlocked. 

Sana: Correct. 

Barry: But then, the Event Monitor says someone went through the door. 

So, then they’re Exploiting the Vulnerability. 

So, there’s an analogy for how we do both Scanning and Monitoring in SecurityBridge. 

And the scanning helps us determine the scope. 

And then the monitoring helps us mitigate the risk, right? 

So even if the door is left open, we can mitigate that risk by having a motion sensor in that room.  And a sensor on the door to tell us the door got opened. 

Sana: Fantastic. This is very, very good stuff, Barry.  That’s awesome.  So, Barry, can you give us, you know, the experience you’re carrying and obviously the transformations that we’re all going to see over the next 5, 10 years. 

Barry: . . .it’s a really good time to be alive and be in the SAP space, right?  There’s so much opportunity. 

Sana: Would you please give everyone listening and some advice as to how they should start their cybersecurity endeavors within the organizations? 

Barry: Yes, sure!  I actually get asked this question relatively frequently, you know, through LinkedIn. 

Sana: Yes. 

Barry: And that’s my primary platform to reach out to the [#SAPCyberSecurity] community.  But what I try to do is try to find out if they want an SAP lifetime career focus or if it’s more just like an IT career focus. 

So, if it’s more of a standard IT career focus, they can still have a fruitful career with a focus on cybersecurity within standard IT.   

But then #SAPCyberSecurity is a little bit of a mix of both of those worlds. 

Sana: Correct. 

Barry: So, you have to learn a little bit about cybersecurity. 

But then even if you’re coming in from [the traditional view of] SAP security (profiles & authorizations), once you get into cybersecurity, then you have to learn about what the Basis Team does because you’re looking at the architecture. 

Sana: Correct. 

Barry: So, if I have to help the person that’s asking me this question. I advise that they think about how a hacker would think about penetrating SAP differently than a standard IT system.  Sometimes it’s the exact same way.  Some standard IT techniques can work in SAP. 

But then once they’re in the SAP application layer, they might be trying to exploit, where maybe we left off a parameter. . .failed to reset the password for some SAP provided user ID.  Well, they won’t know that, unless they’re really SAP savvy about that particular capability.  So, they might try. . .SAP* user and test four or five known, vendor-default passwords. . .something like that. 

Or they might start to learn about the different hash techniques, using John the Ripper or some of these other hashing techniques where they can actually crack password encryption.  Okay, yeah, that’s a spillover from cyber into SAP. 

Sana: …where you’re using skills from both too, but that’s on the attack side. 

Barry: Well, on the defense side, you know. . . Attack we call Red Team and Defend we call Blue Team.  Well, the Blue Team needs to know about these attack techniques. 

So, you know, this person, I would say, “hey, are you looking to be SAP Red Team/Penetration Tester/Ethical Hacker. . .or you’re looking to be like SAP Blue Team. . . somebody on the defense side of the equation. 

[These two teams] need to war game. . . red team and blue team cooperate with each other and teach each other,  

  • Red Team – “here’s how I attack.” 
  • Blue Team – “here’s how I defend.” 

But, for the new person, they need to see the whole table and then let them say, oh, well, I don’t feel like I’m. . . it’s sort of like asking somebody in America if they want to play football, what do you see yourself being on the offense or the defense? 

“Oh, I like to tackle people.” Okay, you’re on defense. 

Sana: You’re on defense. 

Barry: I like to throw the ball.  Okay, yeah. You’re on offense. 

Sana: A lot of thinking has to go into doing this, right? It’s not just you wake up and you start it, but you have to start, you know, planning, you go to start thinking about it and you start to go implementing all of these pieces. 

Barry: Yes, you may just be like a project manager.  So, for a lot of my career in cybersecurity space, the last close to seven years. . .a lot of that has been helping customers implement a tool like this for scanning and monitoring. 

Sana: Okay. 

Barry: So, then you’re taking an SAP-certified add-on and you’re adding it into the equation. 

But for that integration project, a lot of times, I’ll have to wear the hat of [a] project manager. 

Sana: Project management. 

Barry: That might help somebody go, oh, I like cyber, but I like project management. 

Sana: Boy, you’re just kind of having them help. 

Barry: Yeah, help them, you know, play to their best passions in the best skills. 

Sana: Fantastic.  No, that’s, that’s very good advice.  Barry, if someone had to reach you, how would they do that? 

Barry: I would say the best way is just on LinkedIn. You can reach out. 

Sana: Okay, got it.  So, people can reach you through LinkedIn.  Barry, so, thank you so very much for your time today.  Really enjoyed chatting with you.  I actually did learn a little bit more about cybersecurity and how things work.  And thank you for coming.  Appreciate your insights and your wisdom.  And I’m sure you’ll have a lot of people reaching out to you. 

Barry: Thanks, Sana.  It was my pleasure. 
