SAP supply chains need zero trust to reach enterprise cybersecurity

While SAP, one of the world’s leading producers of software for the management of business processes, takes an approach to secure supply chains’ tech stacks using SAP Data Custodian, Cloud Identity Access Governance, and the recently launched Enterprise Threat Detection provide the basics of zero trust for SAP-only infrastructure, the bottom line is they fall short of what enterprises need in diverse supply chain environments.

Taken together, SAP’s Cybersecurity, Protection, and Privacy don’t go far enough to provide a zero-trust-based approach in heterogeneous cloud infrastructure environments that dominate the enterprise’s supply chain tech stacks today. As the most recent  NIST Zero Trust Architecture standard states, “assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture,” yet that’s not possible with SAP-only cybersecurity components used to supply chains today.

SAP’s latest series of product announcements in cybersecurity, protection, and privacy, as well as identity and access governance, provide baseline zero-trust support levels for SAP-centric environments. Taken together, they don’t go far enough to secure an entire enterprise’s supply chains, however.

SAP Data Custodian is a case in point. It’s possible to secure endpoints, protect threat surfaces, define authentication levels, and organize networks with microsegmentation. The missing factor is a secure endpoint platform that can protect non-SAP SaaS-based business applications and related hardware endpoints distributed across supply chains. SAP Data Custodian doesn’t protect third-party applications or the entire suite of SAP applications, either – that’s still a work in progress.

Until SAP has Data Custodian integrated with every SAP application suite across their supply chain suite, it’s prudent not to bring up zero trust as a unique differentiator for supply chains. It lacks endpoint management that’s able to secure every endpoint and treat every identity as a new security perimeter – which is core to a zero-trust framework capable of securing globally diverse supply chains.

SAP Cloud Identity Access Governance scales well for providing role management, access requests, reviews and analytics, and privileged access management (PAM) with SAP, GRC, and IAM (identify and access management) solutions on the same tech stack. It’s also proven effective in protecting SAP supply chains that are integrating with S4/HANA implementations. However, deviating from an SAP tech stack, and IAM and PAM don’t scale – or, in some cases, can’t protect third-party enterprise applications. To its credit, Cloud Identity Access Governance includes pre-configured policies and rules for access management. However, SAP requires its customers also to buy SAP Access Control to customize workflows and ensure they include endpoints and microsegmentation-based network configurations that are a core component of any with the zero-trust framework.

The truth about zero trust with SAP

The goal of the Shared Responsibility Model is assigning responsibility for the security of cloud tech stacks by cloud service providers, infrastructure, and cloud customers. The SAP version of the Shared Responsibility Model shown below illustrates how the company has defined securing the data itself, management of the platform, applications and how they’re accessed, and various configurations as the customers’ responsibility:

Above: SAP Community, RISE with SAP: Shared Security Responsibility for SAP Cloud Services

Image Credit: SAP Community, RISE with SAP: Shared Security Responsibility for SAP Cloud Services

While SAP provides basic IAM support, it doesn’t defend against the leading cause of security breaches, including privileged credential abuse. Forrester reports that 80% of data breaches are initiated using compromised privileged credentials. According to interviewed CISOs who are evaluating SAP’s zero-trust capabilities, the following vendors are most often included in the comparisons: SailPoint Identity Platform, Oracle Identity Manager, Okta Lifecycle Management, Saviynt Security Manager, IBM Security Verify Governance, Ivanti Identity Director, Microsoft Azure Active Directory and Micro Focus NetIQ Identity Manager. Enterprises often compare these IAM providers on their integration, deployment, service, and support levels, with these factors weighing more on buying decisions than features alone.

SAP’s supply chain offerings lack diversity

SAP’s approach to IAM  doesn’t protect privileged-access credentials or protect every endpoint from third-party applications, which is essential for creating a framework for zero-trust security. As the Shared Responsibility Model illustrates, SAP secures services, leaving IAM to customers. While their PAM and IAM applications are useful in all-SAP environments, they don’t reflect how diverse and complex SAP supply chain stacks can be in nearly every enterprise today.