New Responsibilities For SAP Services Providers
New SAP solutions like S/4HANA Cloud, SAP Business Technology Platform, SAP Business AI and SAP’s generative AI Joule leverage advanced capabilities like machine learning, robotic process automation, and cloud delivery models.
While this brings benefits in performance, insight and agility, it also raises valid concerns around security, privacy and regulatory compliance. SAP customers and services partners must take a proactive approach to governance as they adopt these innovations.
This week IgniteSAP looks at some strategies that SAP customers and SAP services providers can use, and best practices in data governance, so that they stay up to date with technological innovations and new data compliance standards.
Emerging EU Privacy Regulations
Corporate governance strategies need to change to take into account new EU privacy laws like the GDPR and recent German regulations around IP addresses and cookies.
The EU General Data Protection Regulation went into effect in 2018 across all member states with expanded requirements for companies processing EU citizens’ personal data.
As part of this legislation, organizations must have a lawful basis for processing data. Consent requirements have been increased, and EU citizens also have a ‘right to be forgotten’. Companies must also inform customers of any security breaches that affect their data, design data protection into their systems, and conduct privacy impact assessments.
The EU has also created new restrictions on cross-border data transfers and introduced penalties for non-compliance, including fines of up to 4% of a company’s global revenue.
German Data Protection Regulations
German Data Protection Regulations revised the Federal Data Protection Act in 2021, and are built on top of EU legislation. Companies operating in Germany now face stricter cookie consent rules, which require customers to opt in to data collection rather than opt out.
Data like IP addresses is now considered personal data, and there are restrictions on the use of personal data for profiling and tracking. Fines for infringement of these new regulations can reach as high as €50 million under certain conditions.
These new regulations will mean that companies collecting customer and partner data as part of their business operations need to adjust their customer data landscapes to ensure compliance.
SAP customers and partners need to evaluate their data practices carefully and take action to adjust them in order to avoid substantial penalties. Those tasked with putting new AI systems and tools in place will also need to take account of this legislation, so that infringements caused by AI behavior are avoided.
Securing SAP Systems and Data
Previously, companies running SAP would conduct reviews of cybersecurity threats, update SAP security features and ensure that best practices like access control, encryption, monitoring and security testing were followed.
These practices have become far more important for those companies who have migrated their systems to the cloud. The importance of comprehensive identity and access management has massively increased as well, given the rise of remote working and connected AI components for ERP systems.
Adhering to compliance frameworks (like the International Standards Organization’s ISO 27001, and the NIST CSF in North America) helps companies to see what needs to be done, and creates a common language and method for addressing corporate cybersecurity concerns.
The NIST CSF framework advocates a proactive, rather than reactive attitude towards cybersecurity. In 2020 SAP integrated NIST CSF across their governance and risk operations.
SAP systems also have security features like authorization management, encryption, and secure configuration. Partners should leverage these capabilities fully when implementing SAP solutions, along with several other methods for promoting IT security.
Access controls are a good way to keep data and networks secure. Minimizing access by role (least privilege), separation of duties, and limiting third-party and remote access to secure VPNs are also good practices.
Classifying data according to sensitivity, encrypting confidential data in transit and in databases, and enabling data loss prevention are good habits for cybersecurity managers.
In the area of identity management, strong password policies should be enforced, and multi-factor authentication should be implemented and integrated with a central ID provider.
Companies should log and monitor all user activity for anomalies, and conduct frequent vulnerability scans and penetration testing. New risks to the system can be mitigated by staying up to date with security patches, testing them, and deploying new security measures promptly.
All implementers and business users of SAP should receive regular training on recognizing threats like phishing and “social engineering”, in which employees with access are manipulated into giving up control over a system.
SAP customers with a third-party cloud provider should regularly review their own and their provider’s responsibilities to ensure they are aligned with no gaps, and should always aim to configure a secure network architecture in IaaS/PaaS environments.
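The monitoring point above (log all user activity and watch it for anomalies) is easiest to understand with a concrete check. The script below is an added example written for this article, not code from SAP or from IgniteSAP. It runs a handful of rule-based detections over a constructed audit log: a burst of failed logons for one account, a logon from a source network the user has never used, a logon outside business hours, and a user assigning a role to themselves (a separation-of-duties violation). The log format, user names, IP addresses, the `KNOWN_SOURCES` baseline and all thresholds are assumptions made up for the example; a real SAP Security Audit Log has its own format and would need its own parser.

```python
"""Rule-based anomaly checks over constructed audit log lines.

Added example, not from the IgniteSAP article or from SAP. The log format,
users, addresses and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> user=<id> event=<type> src=<ip> [extra=...]"
SAMPLE_LOG = """\
2024-05-01T08:02:11 user=JSMITH event=LOGON_OK src=10.1.2.3
2024-05-01T08:15:40 user=AKUMAR event=LOGON_OK src=10.1.2.7
2024-05-01T23:41:05 user=JSMITH event=LOGON_OK src=203.0.113.9
2024-05-01T09:00:01 user=SVC_BATCH event=LOGON_FAILED src=10.1.5.5
2024-05-01T09:00:02 user=SVC_BATCH event=LOGON_FAILED src=10.1.5.5
2024-05-01T09:00:03 user=SVC_BATCH event=LOGON_FAILED src=10.1.5.5
2024-05-01T09:00:04 user=SVC_BATCH event=LOGON_FAILED src=10.1.5.5
2024-05-01T09:00:05 user=SVC_BATCH event=LOGON_FAILED src=10.1.5.5
2024-05-01T09:00:09 user=SVC_BATCH event=LOGON_OK src=10.1.5.5
2024-05-01T10:30:00 user=AKUMAR event=ROLE_ASSIGNED src=10.1.2.7 target=AKUMAR role=Z_FULL_ADMIN
"""

# Constructed baseline: address prefixes each user normally logs on from.
KNOWN_SOURCES = {"JSMITH": {"10.1.2."}, "AKUMAR": {"10.1.2."}, "SVC_BATCH": {"10.1.5."}}
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 counts as working time (assumed)
FAILED_THRESHOLD = 5                   # this many failed logons ...
FAILED_WINDOW = timedelta(minutes=5)   # ... within this window raises a finding


def parse_line(line):
    """Turn '<ts> key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_anomalies(records):
    """Return (rule, user, timestamp) findings in chronological order."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logons
    for rec in sorted(records, key=lambda r: r["ts"]):
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event == "LOGON_FAILED":
            failures[user].append(ts)
            # keep only the failures that fall inside the sliding window
            failures[user] = [t for t in failures[user] if ts - t <= FAILED_WINDOW]
            if len(failures[user]) >= FAILED_THRESHOLD:
                findings.append(("repeated_logon_failures", user, ts))
                failures[user].clear()   # report each burst once
        elif event == "LOGON_OK":
            # a successful logon from a network prefix not in the user's baseline
            if not any(rec["src"].startswith(p) for p in KNOWN_SOURCES.get(user, ())):
                findings.append(("logon_from_unknown_source", user, ts))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("logon_outside_business_hours", user, ts))
        elif event == "ROLE_ASSIGNED" and rec.get("target") == user:
            # separation of duties: nobody should grant roles to their own account
            findings.append(("self_role_assignment", user, ts))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Run on the constructed log it reports four findings: the failed-logon burst for SVC_BATCH, the self-assigned role for AKUMAR, and two findings for JSMITH's late-night logon from an unfamiliar address. Each rule is deliberately simple so that it is explainable to the governance committee reviewing it; in practice the baseline of known sources and the thresholds would be learned from historical logs and tuned per user population.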
New technologies and connectivity like AI, IoT and mobile access should be continuously reviewed by SAP security professionals to identify and mitigate risks.
By adhering to an established security framework and best practices, and by working with SAP implementation partners, customers can benefit from digital transformation and cloud migration while avoiding data breaches and other cyber threats.
Mitigating Risks of AI and Cloud
New technologies are inherently at risk, because the industry struggles to keep security practices up to date with its own pace of innovation.
Cloud deployments of SAP systems create potential security and privacy risks, especially with multi-tenancy infrastructure. Cloud configurations and integration points should be designed with security in mind and monitored for data leaks.
Companies with SAP systems and databases that include cloud components should secure their SAP deployments using the standard practices described above, and organizations running SAP AI can mitigate the risks associated with AI components in the following ways:
Maintaining thorough documentation of model logic, data sources, and governance policies.
Monitoring model performance with scheduled reviews, and establishing drift detection processes.
Auditing AI-driven decisions and providing explanations to ensure transparency.
Allowing business users of SAP AI with appropriate access levels to review any recommendations and override them as needed.
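The second item above, establishing drift detection, is the one most often left vague. The block below is an added example, not code from the article or from any SAP product, showing one standard way to do it: compute the Population Stability Index (PSI) between the distribution of a model input at training time and its distribution in current production traffic, and map the score to the conventional stable / review / alert bands. The feature (invoice amounts in thousands), the bin edges and the thresholds are constructed for illustration; a real pipeline would read the reference window from the training data and the current window from inference logs.

```python
"""Population Stability Index (PSI) drift check for one model input.

Added example, not from the article or from SAP. The feature values, bin
edges and thresholds below are constructed for illustration.
"""
import math
import random


def histogram(values, edges):
    """Fraction of values in each bin [edges[i], edges[i+1]).
    Values below the first edge land in the first bin, values above the
    last edge in the last bin, so every value is counted exactly once."""
    counts = [0] * (len(edges) - 1)
    for v in values:
        idx = 0
        while idx < len(edges) - 2 and v >= edges[idx + 1]:
            idx += 1
        counts[idx] += 1
    n = len(values)
    return [c / n for c in counts]


def psi(reference, current, edges, eps=1e-4):
    """PSI = sum over bins of (cur - ref) * ln(cur / ref).
    eps floors empty bins so the logarithm stays finite."""
    ref = histogram(reference, edges)
    cur = histogram(current, edges)
    total = 0.0
    for r, c in zip(ref, cur):
        r, c = max(r, eps), max(c, eps)
        total += (c - r) * math.log(c / r)
    return total


def drift_status(score, warn=0.1, alert=0.2):
    """Conventional PSI bands: < 0.1 stable, 0.1-0.2 review, >= 0.2 alert."""
    if score < warn:
        return "stable"
    if score < alert:
        return "review"
    return "alert"


def check_drift(reference, current, edges):
    """Return (psi_score, status) for a scheduled review run."""
    score = psi(reference, current, edges)
    return score, drift_status(score)


# Constructed data: invoice amounts (thousands) seen at training time versus
# two later production windows, one unchanged and one shifted upward.
rng = random.Random(42)
REFERENCE = [rng.gauss(50, 10) for _ in range(2000)]
CURRENT_SAME = [rng.gauss(50, 10) for _ in range(2000)]
CURRENT_SHIFTED = [rng.gauss(70, 10) for _ in range(2000)]
EDGES = [0, 30, 40, 50, 60, 70, 80, 1000]   # constructed bin edges

if __name__ == "__main__":
    for label, window in (("same", CURRENT_SAME), ("shifted", CURRENT_SHIFTED)):
        score, status = check_drift(REFERENCE, window, EDGES)
        print(f"{label}: psi={score:.3f} status={status}")
```

The unchanged window scores well under 0.1 and the shifted window well over 0.2, which is the point of a scheduled review: a large PSI on an input says nothing about whether the model is wrong, but it is the trigger for a human to look at the AI-driven decisions from that period and for the documentation of data sources to be revisited. PSI is computed per feature; the same function is run for each input the model consumes.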
Building a Culture of Governance
In order to take advantage of AI and cloud technology in a secure way, organizations need to go beyond basic compliance to create a culture that promotes system security, ethics and governance over data.
Companies should develop policies and training programs to align people, processes and technology towards a shared goal of responsible and secure cloud deployments whether they have AI components or not.
They need to take an architectural approach to embed governance into new solutions via frameworks like SAP Secure Engineering so that security best practices are designed into systems and processes.
Clear data governance policies and procedures should be implemented that align with business values and goals. Classify data by sensitivity level, and manage data access appropriately with security controls, retention rules, and restrictions.
Implement processes for managing data quality, integrity and lineage across systems. Create an inventory of data assets and a map of system architectures, including data flows. Maintain oversight of data flows with robust metadata management measures.
Security And Governance Roles
Executives in the organization must be selected to champion the need for investment in security and governance procedures. Data governance should be established at a managerial level.
A cross-functional data governance committee should be established with roles such as the Data Protection Officer and data stewards, together with the security, privacy and compliance teams. These roles and teams should be given adequate training to understand and carry out their duties, and should meet regularly to review security policies and governance reports.
The committee should also adjust policies and procedures when necessary to account for developments like new compliance regulations and innovations in related technologies such as AI and IoT.
Build organizational awareness through all departments with training and workshops on responsible data use, protection, and ethics. Staff and customers should also have clearly defined communication channels to report issues or complaints related to data processing.
Another way to raise awareness of data concerns in the organization is to recognize and reward staff behaviors that demonstrate accountability, transparency, and proactive stewardship of data.
Building a culture of governance takes time and investment, but it leads to higher levels of trust and compliance without holding back innovation. It requires careful oversight of both organizational structures and individual behaviors.
SAP Services Providers Face Challenges
The SAP services industry faces ever-increasing levels of responsibility, both for compliance with evolving legislation and for the changing IT landscape and technologies employed in the modern ERP system. Service providers must strike a balance: they and their customers need to retain transparency and control over their data (and their customers’ data), while not holding back the innovation needed to keep up with competitors.
The SAP services ecosystem understands this balance and is taking proactive steps to enable innovation while ensuring trust and compliance. With strong governance, leading companies are safely accelerating their digital transformations with SAP’s cutting-edge technologies.
As SAP’s portfolio grows, and more companies adopt cloud deployments of their IT landscapes, so too does the SAP services industry, because compliant and secure data landscapes must be implemented, calibrated and maintained by competent SAP security and governance specialists.
There are some specific challenges facing SAP services providers, including: a push by EU governments for companies to store data more locally; increased scrutiny of the way that AI and machine learning components use data; higher standards of customer consent for data usage; and risk-averse companies restricting their own technological development for fear of data breaches and of breaking new compliance laws.
Overall, companies will need to take a far more systematic approach to compliance and security to include people, processes and technology. But with proper planning and safeguards, and expert implementation teams, they can still benefit from SAP innovations while respecting regional regulations and values.
If you are an SAP consultant looking for a new role in the SAP ecosystem, or you are wondering what your options are, our team of dedicated recruitment consultants can connect you with your ideal employer so join our exclusive community at IgniteSAP.