SAP Cybersecurity Lessons: A Q&A with Joerg Schneider-Simon, Co-Founder and CTO of bowbridge
Aug 22, '19 by Krista Elliott
In 2005, YouTube was unleashed upon the world, Hurricane Katrina battered the Louisiana coastline, and Tom Cruise jumped on Oprah’s couch.
During that year, bowbridge Software GmbH was founded.
Since then, the cybersecurity battle has become a world war. In 2005, there were approximately 200 successful data breaches worldwide. By 2017 there were over 1,300 – and the number continues to climb. Kaspersky reported approximately 18,000 malicious programs per quarter at the end of 2005. For Q1 of 2019? They detected 247,907,593 “unique malicious and potentially unwanted objects”.
We sat down with bowbridge co-founder and CTO Joerg Schneider-Simon to talk about how the cybersecurity landscape has changed and what lessons he’s learned since founding bowbridge.
Tell your readers about when and why you founded bowbridge.
JSS: We founded the company in 2005 and we launched the first product in 2006. Back in the day, it was really just the very beginning of SAP systems being exposed to external parties. Most of the systems back then were strictly internal and so SAP security focused almost exclusively on internal security. There was no SAP cybersecurity aspect. That external element was virtually unknown.
Most of the companies we see in the SAP cybersecurity arena today—companies like ERPscan, Onapsis, ERP-Sec—all started around that time: between 2005 and 2010. That was really the birth of SAP cybersecurity.
As far as the “why,” I had been in security for a couple of years before that, and it was obvious to me that with SAP systems being more open and more exposed to external parties, vendors, resellers, and business partners, there would be a big benefit in streamlining business processes – but that this would also come with a major increase in risk.
To streamline a business process, companies were making their SAP system available on the internet. This would then make their system visible to a potential attacker for the first time ever, because typically those systems were well hidden inside corporate networks. Unless someone had compromised the corporate network, it was impossible for hackers to even reach that system. Now that system was reachable. Considering the immense value of the information stored in these systems, and the potential impact hackers could have if they broke into these systems, well, it was clear to me this was something the bad guys would immediately jump on.
Do SAP systems face the same kind of cybersecurity risk as other systems?
No, because it’s a much more complex system. To use an analogy, SAP is like the safe in a Las Vegas casino, while your average home system is more like the safe in a small business. Thieves don’t break into the Bellagio with a baseball bat. Breaching an SAP system is extremely complicated and requires an almost unimaginable level of preparation and sophistication, which makes such attacks incredibly difficult for an organization to fend off.
Most hackers go for the lower-hanging fruit and are content to attack the relatively easy-to-crack small businesses. But for the elite criminals, an SAP system is an irresistible challenge due to the extremely high potential return on investment.
Has anything surprised you since you’ve started bowbridge?
The thing that still gets me to this day is how slow businesses are in deploying security patches. We've seen systems out there that haven't been patched for years. This is tremendously risky.
As soon as SAP issues a patch, attackers reverse-engineer the patch to figure out what security gap it fixed. From there, now that they know precisely where and what the vulnerability is, it’s that much easier to launch a successful attack on any business that has not implemented the patch.
There’s really no way to keep attackers from weaponizing these vulnerabilities. And by not applying the patch, you’re leaving that weak spot wide open. Fortunately, companies like Protect4S are offering solutions that automate the implementation of SAP security patches, making it easier for busy teams, or teams that aren’t familiar with SAP cybersecurity, to keep their patches updated.
Do customers typically grasp the risks to SAP cybersecurity?
One thing we’ve experienced over and over is that our customers are just starting to think beyond roles and permissions. They typically approach us for a fairly narrow project, such as securing their e-recruiting system. Once we speak to them and say, "Okay, so for the e-recruiting system, you have to do this, and this, and this," they often have a lightbulb moment and will reply, "Wait a minute. Does that mean that my CRM, my SRM, my enterprise portal, my PI, all of those are vulnerable to the same attacks?"
When I say “yes,” that’s when they get this look of horror, finally realizing how exposed they’ve been all this time.
Do you have any SAP cybersecurity predictions?
I think this entire movement to the cloud, specifically with regards to SAP, will create a whole set of new challenges from a security perspective. Customers are not going to simply “flip the switch,” move all SAP systems to the cloud, and pass on all of the responsibilities to the cloud provider. Instead, at least for the next 10 years or so, we will see hybrid installations where some SAP systems will remain internal and others will be cloud-based.
Because these systems will still need to interact, there will be a link between the cloud and the internal networks. I predict these links will be major targets for hackers. Just one weak link in the cloud infrastructure will enable hackers to use that secure connection to gain access to the whole network and compromise the entire landscape.
If someone on the inside – say, a disgruntled employee – compromises an internal system, they might be able to use that connection and then compromise all the systems that are in the cloud.
In a pure on-premise installation, the company owns everything. They own the hardware. They own the OS. They own the network. They own the entire stack, and they are in charge of securing the entire stack. In a cloud scenario, depending on whether you purchase platform as a service or software as a service, you only get to see a small layer of that stack.
That's not an SAP-specific problem. That's a universal challenge with the cloud: making sure that there are no gaps between the layers where someone can slip through, because ultimately if someone compromises that cloud system, which has a trust connection back into your network, this can have a catastrophic effect on anything that's on premise.
bowbridge has shared a lot of SAP cybersecurity information with its readers over the years. What’s one thing you want everybody to know?
It's always worth reiterating that security is not a product you purchase. You cannot buy something, deploy it, and then say, "Now we're secure." You’re not.
Cybersecurity, whether it’s SAP-related or otherwise, is not a one-time thing. You must constantly review, refine, adjust, update, and patch. It's a continuous process companies must implement, with procedures in place to make sure these security iterations keep happening, because something that protected you yesterday might not do the job today.
There are always new malware and new attack techniques coming out, so it's critical to stay on top of security and not fall into the thinking that, "Well, we bought XYZ product and we deployed it, so we're good."