In our first blog post of this series, we talked about S/4HANA as the path forward for organizations who are using traditional ERP applications or planning to move their non-SAP ERP applications to SAP. In our second post, we highlighted multiple paths to choose from for successful implementation of S/4HANA.
In this blog post, we will discuss how you can make security and compliance an enabler rather than see it as a roadblock for your move to S/4HANA.
Once your organization has decided on the path that best meets your business objectives, SAP recommends organizations use the SAP Activate methodology to perform complex digital transformation or cloud migration projects to SAP S/4HANA. SAP Activate combines best practices, proven implementation methodology, and guided configuration tools to fast-track the deployment of SAP S/4HANA.
SAP Activate consists of 6 different phases:
In this first phase, discover the solutions capabilities, understand the business value and benefits of the solution to customers' business, determine the adoption strategy.
In the prepare phase, you must create the project charter, plans, objectives and pool the resources required for the project. You must also understand SAP best practices around S/4HANA.
In this phase, organizations should have solution workshops and validate that the solution fits the business needs, as well as explore integration options.
In the realize phase, you will Iteratively and incrementally configure, build and test the solution to make sure it meets the business objectives.
During the deploy phase, you will determine go-live planning, create a go-live checklist, list cutover activities and switch business operations to the new system and final go-live of S/4HANA.
According to Murphy’s Law, “Anything that can go wrong, will go wrong.” In this phase, it is important to prepare for a hypercare period for post go-live.
Customers are committed to making huge investments as they move to S/4HANA, but the definition of a successful S/4HANA implementation changes depending on who you are speaking to within an organization.
Key User of the Application
- A business user is based on the business vertical they serve needs all his process up and running with minimal downtime
- A functional consultant is happy as long as the business user gets what they need
- A technical consultant is happy as long as they checks all the code into the S/4HANA app
- For a database administrator, it can be a huge change, but as long as they can perform capacity planning, installation, configuration, database design, migration, performance monitoring, and RBAC security, they are ok
- The administrator’s job is to make sure the servers are up running, printers are connected, backup and recovery and third party connections are maintained
- Security administrators are happy as long as end users are getting access to what they need and RBAC is implemented, GRC is setup and SoD policies are in place
A common security pitfall most large organizations completely miss out on is cybersecurity—security is a big umbrella and one of the critical vertical under it is cybersecurity. Who is responsible for this vertical?
SAP Security? Basis? IT security?
Without a strong cybersecurity strategy, organizations are at risk of compliance failures, data breaches, financial fraud and system downtime. According to Forbes, the cybersecurity talent gap is an industry crisis, and it is an even bigger project to hire a cybersecurity expert with an SAP background. This is a very niche role in the market, so the organization will tend to ignore the problem rather than work on solving the crisis.
Here is my suggested solution to embed cyber secure steps into the SAP Activate methodology.
Cyber Secure Discovery
Do a security assessment of existing SAP applications to check for vulnerabilities in the system, Custom Code, Transport and know your SAP application security posture. You will never be able to work on a solution if you don't see the problem.
Cyber Secure Prepare
While project owners must map the business needs and relate them to business scenarios, it is imperative to understand that security must be driven as a business strategy to be an enabler. When implementing the SAP Activate methodology, make sure security is understood and incorporated as part of the key business requirements, along with a measurable project objective. Ensure the team includes a representative from infosec or SAP security whose goal it is to secure these applications across the project implementation.
Cyber Secure Explore
In this phase, organizations should host solution workshops and validate the solution that best fits the existing security needs.
Cyber Secure Realize
Security assessments must be incorporated in your incremental build model and make sure they meet the cybersecurity objectives defined in the prepare phase.
Cyber Secure Deploy
Make sure the team that has been assigned to sign off on the Go-live checklist includes InfoSec and SAP security who are ultimately responsible for the security of the S/4HANA application.
Cyber Secure Run
If Murphy's Law always applies, make sure you have enabled continuous monitoring for any exploitation Internal/External and perform periodic assessments to find any new vulnerabilities and lock down sensitive parameters, so that they are not a victim of security drifts.
As an organization, if you are thinking of dealing with this problem later and go-live first to meet your business needs, I would suggest reading this article published by IBM security. Per IBM Security, research from the National Institute of Standards and Technology & the Ponemon Institute found that if vulnerabilities get detected early in the development process, they may cost around $80 on an average. But the same vulnerabilities may cost around $7,600 to fix if detected during the production phase.
'If you don't have the time to do it right, when will you have the time to do it over?"