Can You Trust SAP with Your System Security?

Can you trust SAP with your system security? The question is worth pondering, not least since it is one of the key arguments used by third-party software vendors to support the use of their security tools over SAP-delivered solutions. Although the argument is usually made in the context of vulnerability management for cybersecurity, the logical extension of this point of view is that SAP shouldn’t be trusted for any security domain, including access control, identity management, program development, and security patching. In this article, we discuss whether SAP has earned the right to your trust and the implications of a low-trust and a high-trust relationship with SAP for your security needs. The discussion will be driven by the notions of trust taxes and trust dividends, which can either constrain or multiply your organization’s performance.

But, firstly, what is trust? There are many definitions, but they all boil down to a single concept: confidence. Trust is confidence in the integrity, strength or ability of someone or something. By this definition, most economies and societies are low-trust. According to one of the most widely known studies of global perspectives on trust, confidence in governments, leaders, and organizations has never been lower. The Edelman Trust Barometer has charted the worldwide decline in trust levels over 14 years. In 2014, the study surveyed 33,000 people in 27 countries. Although it revealed a general level of mistrust in people and institutions, it’s important to note that trust is affected by many factors, including geography and industry. Interestingly, companies based in Germany or operating in the technology sector tend to command the highest levels of trust.

Security is driven by mistrust. Therefore, it’s not surprising that organizations are investing in resources, training and technologies to strengthen information security in environments with declining levels of trust. The reaction is understandable and necessary given the dramatic rise in cybercrime, commercial espionage and insider threats. Improved security measures can realize substantial, tangible benefits, but there is a cost. This includes not only the direct costs of investing in further resources, training programs and security tools, but also the indirect costs arising from the organizational impact of security measures. Mistrust can be very expensive.

Performance is often measured as the outcome of an organization’s strategy and its ability to execute on that strategy. In other words, strategy + execution = results. However, there are hidden variables that can undermine this equation. The results of a great strategy combined with flawless execution can be undone by low levels of trust, which push up costs and reduce the speed of execution. This is the so-called Trust Tax. On the other hand, results can be amplified in high-trust scenarios, since costs are held down and the pace of execution is higher. This is called the Trust Dividend.[1]

Based on this model, organizations that trust SAP-delivered solutions for vulnerability management should be able to realize a trust dividend by minimizing the cost side of the equation: vulnerability management can be performed using standard components in SAP Solution Manager rather than by licensing third-party solutions. However, the question remains: can SAP be trusted to provide sound and independent security guidance?

Trust requires credibility. Credibility is based on integrity, intent, capabilities and results. Therefore, to answer this question, we must ask another: is there any reason to doubt the integrity or intent of SAP, or to question its capabilities and results? I can think of none. SAP’s commitment to educate and empower customers with insight and tools to manage the security of its solutions is undeniable. It’s difficult to imagine any benefit SAP could derive from anything other than an honest and transparent approach to security. SAP has demonstrated its commitment to improving software quality by strengthening development procedures to detect and remove program vulnerabilities before general availability. It has also established a robust security response process to deal with vulnerabilities identified by internal teams and external researchers. Finally, SAP continues to deliver innovative solutions to enable customers to deal with today’s threat landscape. This includes tools designed to:

Discover data leaks (Read Access Logging)
Detect system vulnerabilities (Configuration Validation)
Manage security patches (System Recommendations)
Control access to sensitive function modules (Unified Connectivity)
Analyze security-relevant changes (Change Analysis)
Remove redundant custom code (Coverage Analyzer)
Secure custom code (Code Vulnerability Analyzer)
Detect attacks in real time (Enterprise Threat Detection)

So, can you trust SAP with your system security? The answer is, why not?

[1] The Speed of Trust, Stephen Covey (2008)