This is a new model to strive for. It is definitely not easy to implement today and, unfortunately, it cannot simply be purchased!
But how could it be in SAP?
- There is no such thing as perimeter security anymore
- All communication should be encrypted, and every service must carry its own authentication and authorization
- Unfortunately, not everything in the enterprise is ready to be "migrated" to this new concept. In fact, many legacy applications need to be overhauled, and that may not be simple at all
Basically, it is an approach, covering application and physical security, in which anyone can pose a threat at any time. There are no whitelists or trusted actors. Every actor (network, device, application, user, etc.) carries the same potential level of risk.
NIST defines the details in publication SP 800-207.
Why is this not that simple?
It is not always possible in the enterprise to get your hands on legacy services or systems. Many of these, while not updated to the latest security standards, still support important processes.
Overhauling them can therefore be risky.
In the case of SAP, one opportunity may be to take advantage of migration projects to S/4HANA.
SAP has built a major transition into this momentous change, in which many processes can be revised. Clearly there are different migration paths (read here: migrate to SAP S/4HANA); some are purely technological, others also application-related.
However, this can also be an opportunity to review and rethink third-party systems: integrating or replacing them with SAP where possible, or upgrading or extending them to bring them up to the required standards.
Where can you start?
What can the drivers be? Some systems that could facilitate this transition include the following:
- Access centralization (e.g., IDM)
- Authentication management (e.g., Single Sign-On)
- Use of systems for behavior control (e.g., SAP ETD or SIEM)
- Management and protection of communications to SAP, e.g., through the UCON (Unified Connectivity) tool.
What are the pillars of this model?
There are basically five:
- Device
- User
- Transport and session
- Application
- Data
Regarding devices, the basic requirement is an inventory of all devices in the enterprise, ensuring that they are monitored and controlled. In the case of SAP, this can be done through the standard functionality of SAP Solution Manager.
For endpoints (PCs, users' phones), this can be achieved with Microsoft cloud technology, for example through Microsoft Intune (software deployment and control) and through the inventory and installed-application control features of Microsoft Defender Advanced Threat Protection, which in this case also covers control of the machines themselves.
User. Prioritize robust authentication methods, i.e. 2FA or MFA (two-factor or multi-factor authentication).
Here the most comprehensive solution is the SAP Single Sign-On product, which manages the encryption of communications as well as multi-factor authentication.
Transport and session. Here we are actually talking about the principle of least privilege, i.e. the data segregation aspects within SAP applications. Read the part on SAP Security Authorization here.
Application. Implement and enable Single Sign-On logic, so again the SAP SSO product is useful, covering two aspects of the Zero Trust Security approach.
Data. One of the most important aspects: data protection. Here, prevent data from being exported in an unauthorized way, and enable Data Loss Prevention logic.
In SAP there are several methodologies and tools, starting for example with the SAP Security Audit Log, through the SAP Data Protection products, to UI Masking and UI Logging.
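To make the five pillars concrete, here is an added example (not code from the original post and not an SAP product feature) of a minimal policy decision point that evaluates every request against device, user, transport/session, application and data, and never looks at network location. The device ids, application names, authorization names (Z_READ_INTERNAL, Z_READ_CONFIDENTIAL) and request attributes are all constructed for illustration.

```python
"""Added example: a minimal Zero Trust policy decision point over the five
pillars (device, user, transport/session, application, data).
Not code from the original post or from SAP; every identifier below is
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed device inventory, standing in for what an inventory tool
# (Solution Manager, Intune, Defender) would report: known and compliant?
DEVICE_INVENTORY = {
    "WS-0112": {"managed": True, "compliant": True},
    "WS-0999": {"managed": True, "compliant": False},
}

# Constructed application registry: only registered applications may be reached.
REGISTERED_APPS = {"SAP_FIORI_LAUNCHPAD", "SAP_GUI"}

# Constructed mapping from data classification to the authorization it requires.
REQUIRED_AUTH = {
    "public": None,
    "internal": "Z_READ_INTERNAL",
    "confidential": "Z_READ_CONFIDENTIAL",
}


@dataclass(frozen=True)
class AccessRequest:
    device_id: str
    user: str
    mfa_verified: bool
    tls_version: str          # "TLSv1.2", "TLSv1.3", or "none"
    application: str
    auth_objects: frozenset   # authorizations the user holds
    data_classification: str
    source_network: str       # carried in the request but never used in the decision


def evaluate(req: AccessRequest):
    """Return (allowed, reasons). Every pillar must pass; any failure denies."""
    reasons = []

    # Device pillar: unknown or non-compliant devices are denied.
    dev = DEVICE_INVENTORY.get(req.device_id)
    if dev is None:
        reasons.append("device: not in inventory")
    elif not dev["compliant"]:
        reasons.append("device: non-compliant")

    # User pillar: strong authentication is mandatory, whatever the network.
    if not req.mfa_verified:
        reasons.append("user: MFA not verified")

    # Transport and session pillar: only modern encrypted transport.
    if req.tls_version not in ("TLSv1.2", "TLSv1.3"):
        reasons.append("transport: unencrypted or obsolete TLS")

    # Application pillar: the target must be a registered application.
    if req.application not in REGISTERED_APPS:
        reasons.append("application: not registered")

    # Data pillar: fail closed on unknown classification, enforce least privilege.
    if req.data_classification not in REQUIRED_AUTH:
        reasons.append("data: unknown classification")
    else:
        needed = REQUIRED_AUTH[req.data_classification]
        if needed is not None and needed not in req.auth_objects:
            reasons.append(f"data: missing authorization {needed}")

    return (len(reasons) == 0, reasons)


def demo():
    """Two constructed requests: from the corporate LAN without MFA, and from the internet fully verified."""
    internal_no_mfa = AccessRequest("WS-0112", "JDOE", False, "TLSv1.3",
                                    "SAP_FIORI_LAUNCHPAD", frozenset({"Z_READ_INTERNAL"}),
                                    "internal", "corporate-lan")
    external_verified = AccessRequest("WS-0112", "JDOE", True, "TLSv1.3",
                                      "SAP_FIORI_LAUNCHPAD", frozenset({"Z_READ_INTERNAL"}),
                                      "internal", "internet")
    return evaluate(internal_no_mfa), evaluate(external_verified)


if __name__ == "__main__":
    for allowed, reasons in demo():
        print("ALLOW" if allowed else "DENY", reasons)
```

The point of the two requests in `demo()` is that the LAN request is denied and the internet request is allowed: location contributes nothing, only the pillar checks do. Unknown data classifications are denied rather than treated as public, which is the fail-closed default a legacy system without a classification scheme would hit first.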
These tools are also useful for GDPR management.
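Both the behaviour-control driver (feeding the Security Audit Log to a SIEM) and the data-protection pillar above come down to running detections over audit records. The following is an added example, not code from the original post or from SAP: it parses a constructed, simplified pipe-separated export (real Security Audit Log data is read via SM20 or the RSAU_READ_LOG report, not this layout) and flags two behaviours, a burst of failed logons and a high download volume. The message IDs AU2 (logon failed) and AUY (download) are the standard SAL IDs as assumed here; the sample records, users, terminals and thresholds are constructed.

```python
"""Added example: two detections over constructed SAP Security Audit Log
style records. Not code from the original post or from SAP. The text
layout, users, terminals and thresholds are constructed; AU1/AU2/AU3/AUY
are assumed to carry their standard SAL meanings.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DOWNLOAD_RE = re.compile(r"Download (\d+) bytes")

# Constructed sample: timestamp | client | user | terminal | message id | detail
SAMPLE_LOG = """\
2024-03-01T08:00:01|100|JDOE|WS-0112|AU1|Logon successful (type=A)
2024-03-01T08:01:10|100|ADMIN|WS-0999|AU2|Logon failed (reason=1)
2024-03-01T08:01:14|100|ADMIN|WS-0999|AU2|Logon failed (reason=1)
2024-03-01T08:01:19|100|ADMIN|WS-0999|AU2|Logon failed (reason=1)
2024-03-01T08:01:25|100|ADMIN|WS-0999|AU2|Logon failed (reason=1)
2024-03-01T08:01:31|100|ADMIN|WS-0999|AU2|Logon failed (reason=1)
2024-03-01T08:30:00|100|JDOE|WS-0112|AU3|Transaction SE16 started
2024-03-01T08:31:05|100|JDOE|WS-0112|AUY|Download 5242880 bytes to file C:\\tmp\\kna1.xls
2024-03-01T08:33:40|100|JDOE|WS-0112|AUY|Download 7340032 bytes to file C:\\tmp\\bseg.xls
2024-03-01T09:10:00|100|MSMITH|WS-0200|AU2|Logon failed (reason=1)
2024-03-01T09:12:00|100|MSMITH|WS-0200|AU1|Logon successful (type=A)
"""


def parse_sal(text):
    """Parse the constructed pipe-separated export into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, terminal, msg_id, detail = line.split("|", 5)
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "user": user, "terminal": terminal,
                        "msg_id": msg_id, "detail": detail})
    return records


def _by_user(records, msg_id):
    """Group records with the given message id by (client, user), sorted by time."""
    groups = defaultdict(list)
    for r in records:
        if r["msg_id"] == msg_id:
            groups[(r["client"], r["user"])].append(r)
    for events in groups.values():
        events.sort(key=lambda r: r["ts"])
    return groups


def detect_failed_logon_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Flag (client, user) pairs with at least `threshold` AU2 events inside one window."""
    alerts = []
    for (client, user), events in _by_user(records, "AU2").items():
        for i in range(len(events)):
            j = i
            while j + 1 < len(events) and events[j + 1]["ts"] - events[i]["ts"] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                alerts.append({"client": client, "user": user, "count": count,
                               "first": events[i]["ts"], "last": events[j]["ts"]})
                break  # one alert per user is enough for the SIEM
    return alerts


def detect_bulk_downloads(records, byte_threshold=10_000_000, window=timedelta(hours=1)):
    """Flag users whose AUY download volume inside one window reaches byte_threshold."""
    alerts = []
    for (client, user), events in _by_user(records, "AUY").items():
        sized = []
        for e in events:
            m = DOWNLOAD_RE.search(e["detail"])
            if m:
                sized.append((e["ts"], int(m.group(1))))
        for i in range(len(sized)):
            total = 0
            for ts, nbytes in sized[i:]:
                if ts - sized[i][0] > window:
                    break
                total += nbytes
            if total >= byte_threshold:
                alerts.append({"client": client, "user": user, "bytes": total})
                break
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both detections over an export and return the alerts by name."""
    records = parse_sal(text)
    return {"failed_logon_bursts": detect_failed_logon_bursts(records),
            "bulk_downloads": detect_bulk_downloads(records)}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

On the sample, ADMIN trips the failed-logon rule (five AU2 events in 21 seconds) while MSMITH, with a single failure followed by a success, does not; JDOE's two downloads add up to about 12 MB within an hour and trip the volume rule. In a real deployment the thresholds would be tuned per role and the AUY rule paired with UI Logging, which records what was displayed rather than only how much was saved.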
What are you waiting for to assess whether your organization is ready?