Maslow, Serenity and SAP S/4HANA Cloud Security
by Dr Neil Patrick, Director Client Services @ Winterhawk
I was reading a great SAP document, “Shared Responsibility in SAP S/4HANA Cloud”, by Patrick Boch and my colleague from SAP days, Arndt Lingscheid. It describes which party (the hyperscaler or SAP, SAP itself, or the customer) is responsible for each S/4HANA Cloud security component.
Security in each layer (e.g. data centre; storage; security; application database; operational security; and application users) builds on the one below it. No layer can be robust and safe if the one below it is not.
This is what brought Maslow’s hierarchy to mind as an analogy. Maslow’s model is a layered model of needs and motivation (a parallel!). As with security, the low-level needs of food, water and safety must be met before the higher levels of love/belonging and esteem can be met (another parallel). Maybe the analogy breaks down at the top-level needs of self-actualization and transcendence. Though have you seen the delight and lightness of being when someone’s month/year-end checks pass?
The document shows at what level a customer can get access to data in a fairly complex technology stack. This matters for customers planning their S/4HANA enhancements (e.g. they cannot access the S/4HANA Cloud database directly, unlike in ECC). Just as importantly, customers can have confidence that other customers cannot get access to their data either in an S/4HANA public cloud environment.
This is where the Serenity prayer comes to mind: God, grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference. Security and management of who gets what access to which business systems, transactions, data, reports, and corporate network is owned (and can be changed) by the customer. Pretty much all the rest (for RISE & GROW) is up to ‘others’ and largely out of a customer’s hands. Though one must still check that the ‘others’’ security measures are in place!
It sounds obvious because, well, it is. But as with the Serenity prayer, putting it into practice isn’t necessarily simple. Even with the most secure cloud services, unless users and access are intentionally managed, systems are unsafe.
In our modern digital, automated, distributed working world, frequently with global relationships, the characteristics of a user are actually complex. Users are both human and non-human (I split the latter again between transaction ‘users’ and AI/bots). And of course there are approved and unapproved (i.e. hacking) users.
I’m pleased the document points out that customers not only need to do this for their own business security, but that they will be audited on it too!
Luckily there are solutions to manage this safely and consistently (proportional to risk), cost-effectively, and with automation and integration into SAP. On top of S/4HANA, top of the list would be SAP Access Control, Cloud Identity Access Governance and Enterprise Threat Detection, underpinned by Identity & Authentication services.
Feel free to reach out to me (info@winterhawk.com) if you want to know more about how Winterhawk can help in this area.