SAP supply chains need zero trust to reach enterprise cybersecurity


SAP, one of the world’s leading vendors of business-process software, secures the tech stacks of supply chains with SAP Data Custodian, Cloud Identity Access Governance and the recently launched Enterprise Threat Detection. SAP’s zero-trust support, however, is infrastructure-centric, and it falls short of what enterprises need across the diverse supply chain environments they operate in.

Taken together, SAP’s cybersecurity, data protection and privacy products are not sufficient to deliver a zero-trust approach to the heterogeneous cloud infrastructure that dominates enterprise supply chain tech stacks today. The most recent NIST Zero Trust Architecture standard states that “assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture,” a bar SAP’s current offerings do not meet.

The latest range of SAP product announcements in cybersecurity, data protection and privacy, as well as identity and access governance, provides a baseline level of zero-trust support for an SAP-centric environment. Taken together, however, they do not go far enough to secure an enterprise’s entire supply chain.

SAP Data Custodian is a case in point. It can secure endpoints, protect attack surfaces, define authentication levels and configure networks with microsegmentation. What is missing is a secure endpoint platform capable of protecting the hardware endpoints distributed across non-SAP, SaaS-based business applications and supply chains. SAP Data Custodian does not yet protect third-party applications, or even the entire suite of SAP applications; that work is still in progress.

Unless Data Custodian is integrated with every SAP application in the supply chain suite, it would be prudent for SAP not to position zero trust as a unique differentiator for its supply chain offerings. Data Custodian lacks endpoint management capable of securing every endpoint and of treating each identity as a new security perimeter, which is the core of a zero-trust framework able to secure diverse supply chains globally.
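The NIST tenet quoted above, that assets and workflows crossing between enterprise and non-enterprise infrastructure get a consistent security policy and posture, and the point that each identity becomes its own security perimeter, can be made concrete with a small policy decision point. The following is an added illustration, not SAP’s code or any SAP product behaviour: the request model, the field names and the sample requests are constructed for the example. The decision logic deliberately never consults where the resource is hosted, so an SAP-managed system and a third-party SaaS application are judged by the same identity, device-posture and privileged-access rules.

```python
from dataclasses import dataclass, replace

ENTERPRISE = "enterprise"          # SAP-managed infrastructure
NON_ENTERPRISE = "non-enterprise"  # third-party SaaS / partner infrastructure


@dataclass(frozen=True)
class AccessRequest:
    """One access request as seen by a policy decision point (constructed model)."""
    subject: str             # identity making the request
    resource: str            # resource being accessed
    hosting: str             # ENTERPRISE or NON_ENTERPRISE
    mfa_verified: bool       # identity passed strong authentication for this session
    device_compliant: bool   # endpoint posture check passed
    privileged: bool         # request uses a privileged role
    pam_brokered: bool       # privileged session was checked out through PAM


def decide(req: AccessRequest) -> tuple[str, str]:
    """Return (decision, reason). The hosting field is intentionally ignored:
    the same checks apply on both sides of the enterprise boundary."""
    if not req.mfa_verified:
        return "deny", "identity not strongly authenticated"
    if not req.device_compliant:
        return "deny", "endpoint posture non-compliant"
    if req.privileged and not req.pam_brokered:
        return "deny", "privileged credential used outside PAM"
    return "allow", "identity, device and privilege checks passed"


def hosting_is_neutral(req: AccessRequest) -> bool:
    """True if flipping only the hosting label leaves the decision unchanged,
    i.e. the policy is consistent across enterprise and non-enterprise infrastructure."""
    other = NON_ENTERPRISE if req.hosting == ENTERPRISE else ENTERPRISE
    return decide(req) == decide(replace(req, hosting=other))


def evaluate(requests: list[AccessRequest]) -> dict[tuple[str, str], str]:
    """Map (subject, resource) to the allow/deny decision for each request."""
    return {(r.subject, r.resource): decide(r)[0] for r in requests}


# Constructed sample requests spanning SAP-hosted and third-party resources.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "s4hana/finance", ENTERPRISE, True, True, False, False),
    AccessRequest("alice", "vendor-portal/orders", NON_ENTERPRISE, True, True, False, False),
    AccessRequest("bob", "s4hana/basis-admin", ENTERPRISE, True, True, True, False),
    AccessRequest("carol", "logistics-saas/admin", NON_ENTERPRISE, True, False, True, True),
    AccessRequest("dave", "vendor-portal/orders", NON_ENTERPRISE, False, True, False, False),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        decision, reason = decide(r)
        print(f"{r.subject:6} {r.resource:22} {r.hosting:15} {decision:5} {reason}")
    print("policy consistent across hosting:", all(map(hosting_is_neutral, SAMPLE_REQUESTS)))
```

Bob’s request is the one the article’s critique centres on: a valid, MFA-verified identity on a compliant device is still denied because the privileged role is used without a brokered PAM session, and that denial holds whether the target is an SAP system or a partner application.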

SAP Cloud Identity Access Governance scales well to provide role management, access requests, reviews and analytics, and privileged access management (PAM) alongside SAP GRC and IAM (identity and access management) solutions on the same tech stack. It has also proven effective in securing SAP supply chains integrated with S/4HANA implementations. Once the tech stack deviates from SAP, however, its IAM and PAM do not scale, and in some cases cannot secure third-party enterprise applications at all. To its credit, Cloud Identity Access Governance includes pre-configured policies and rules for access management. SAP nonetheless requires customers to purchase SAP Access Control to customize the workflow and to make sure it covers endpoints and a microsegmentation-based network configuration, both key components of any zero-trust framework.

The truth about zero trust with SAP

The Shared Responsibility model divides responsibility for the security of cloud tech stacks among cloud service providers, infrastructure providers and cloud customers. SAP’s version of the model, shown below, lays out how the company defines the respective responsibilities for data protection, platform management, applications and how they are accessed, and what falls to the customer:

Above: SAP Community, RISE with SAP: Shared Security Responsibility for SAP Cloud Services

While SAP provides basic IAM support, it does not defend against the root cause of many security breaches: the misuse of privileged credentials. Forrester reports that 80% of data breaches are initiated using compromised privileged credentials. According to CISOs interviewed while evaluating SAP’s zero-trust capabilities, the following vendors are often included in the comparison: SailPoint Identity Platform, Oracle Identity Manager, Okta Lifecycle Management, Saviynt Security Manager, IBM Security Verify Governance, Director Ivanti Active Directory and Micro Focus NetIQ Identity Manager. Enterprises tend to compare these IAM providers on integration, deployment, service and support levels, and these factors weigh more heavily on purchasing decisions than features alone.

SAP’s offerings don’t match the diversity of its supply chains

SAP’s approach to IAM does not protect privileged-access credentials or protect every endpoint from third-party applications, which is required to create a framework for zero-trust security. As the Shared Responsibility model explains, SAP secures services, leaving IAM to customers. While their PAM and IAM applications are useful in all-SAP environments, they do not reflect how diverse and complex SAP supply chain stacks can be in almost every enterprise today.

