SAP admits attempt to adapt on-prem security for its cloud flopped
Software giant learned the hard way that lift-and-shift isn’t easy
SAP has revealed that its attempts to create an Endpoint Detection and Response (EDR) tool for its cloud "was abandoned after a year and a half as a failure."
That admission came in a Wednesday post penned by Jay Thoden van Velzen – a strategic advisor to SAP chief security officer Sebastian Lange.
Thoden van Velzen's post is titled "Don't Lift & Shift Legacy: Securing Public Cloud Requires Cloud-Friendly Security Tooling" and explains SAP's own cloud migration efforts.
The theme of his post is that security tools and practices developed for applications written to run on-prem probably won't apply to the cloud.
"Legacy security tooling lifted & shifted from datacenters may still provide value higher up the stack," he wrote, adding "But without monitoring and detection that is cloud-aware you leave yourself vulnerable to common cloud threats that legacy tooling cannot see."
For example, he points out that corporate datacenters run stable large open networks that need threat monitoring, and that sort of tool is often agent-based. In public clouds, by contrast, networks mostly carry encrypted API calls, while VMs, containers, and the networks that connect them may not operate for long. Even if attackers get in, they can struggle to gain persistent access.
Attackers that do get in may try to create new VMs to do things like mine crypto. Those VMs will not use your templates and will not therefore run your security agents. Thus, you'll struggle to see them.
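The two points above, that a VM created outside your templates carries no agent and is therefore invisible to agent-based tooling, and that a cloud-native approach works from inventory pulled centrally through the provider's APIs, can be illustrated with an added example. This is not code from The Register, SAP or any CNAPP vendor: the image names, the `managed-by` tag, the vCPU threshold and the instance records are all constructed, and a real tool would fetch the inventory from the cloud provider's API rather than from an inline list. The script checks each instance against the organization's own template policy and turns the findings into a risk-sorted alert list, which is the defender-side shape of "asset discovery plus prioritization" the post describes.

```python
"""Agentless check of a cloud inventory snapshot against template policy.

Constructed example: approved images, required tag, thresholds and the
sample instances are invented. In practice the inventory comes from the
provider's API at the organization level, so no agent on the VM is needed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical organization policy: only these images ship the security
# agent, and every template-built VM carries this tag.
APPROVED_IMAGES = {"img-golden-web-2024-01", "img-golden-worker-2024-01"}
REQUIRED_TAG = "managed-by"
REQUIRED_TAG_VALUE = "platform-templates"
LARGE_VCPUS = 32  # hypothetical: larger than any template in this org

# Weights used to turn findings into a single risk score (assumed values).
SEVERITY = {
    "image-not-approved": 50,    # unknown software, no agent on board
    "missing-template-tag": 30,  # did not come through the central pipeline
    "large-compute": 20,         # heuristic: compute-heavy, worth a look
}


@dataclass(frozen=True)
class Instance:
    account: str
    instance_id: str
    image: str
    tags: dict
    launched_at: datetime
    vcpus: int


def classify(inst: Instance) -> list:
    """Return the policy findings for one instance (empty list = clean)."""
    findings = []
    if inst.image not in APPROVED_IMAGES:
        findings.append("image-not-approved")
    if inst.tags.get(REQUIRED_TAG) != REQUIRED_TAG_VALUE:
        findings.append("missing-template-tag")
    if inst.vcpus >= LARGE_VCPUS:
        findings.append("large-compute")
    return findings


def risk_score(findings: list) -> int:
    return sum(SEVERITY[f] for f in findings)


def scan(inventory: list, now: datetime) -> list:
    """Return one alert per non-compliant instance, highest risk first.

    age_minutes records how long the VM has existed at scan time, since
    short-lived instances are exactly the ones agent rollouts never reach.
    """
    alerts = []
    for inst in inventory:
        findings = classify(inst)
        if not findings:
            continue
        age = int((now - inst.launched_at).total_seconds() // 60)
        alerts.append({
            "account": inst.account,
            "instance_id": inst.instance_id,
            "score": risk_score(findings),
            "findings": findings,
            "age_minutes": age,
        })
    alerts.sort(key=lambda a: (-a["score"], a["account"], a["instance_id"]))
    return alerts


# Constructed inventory snapshot: ids, accounts and timestamps are invented.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Instance("acct-payments", "i-0001", "img-golden-web-2024-01",
             {"managed-by": "platform-templates"}, NOW - timedelta(hours=3), 4),
    # Not from a template, no tag, oversized: the "rogue VM" case.
    Instance("acct-payments", "i-0002", "img-community-ubuntu-2204",
             {}, NOW - timedelta(minutes=40), 64),
    # Right image but deployed by hand, bypassing the central pipeline.
    Instance("acct-analytics", "i-0003", "img-golden-worker-2024-01",
             {"managed-by": "someone-laptop"}, NOW - timedelta(days=2), 8),
    # Template-built but unusually large: low-severity signal only.
    Instance("acct-analytics", "i-0004", "img-golden-worker-2024-01",
             {"managed-by": "platform-templates"}, NOW - timedelta(hours=1), 48),
]

if __name__ == "__main__":
    for a in scan(SAMPLE_INVENTORY, NOW):
        print(f'{a["score"]:>3} {a["account"]:<15} {a["instance_id"]} '
              f'{a["age_minutes"]:>5} min {",".join(a["findings"])}')
```

Run stand-alone, the script prints the three non-compliant instances with `i-0002` on top; the clean template-built web server produces no alert. The point of structuring it this way is that nothing here depends on software running inside the VM, so a VM an intruder launched from a community image is scored just like any other record in the inventory.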
Developers are another factor that erodes the effectiveness of on-prem infosec regimes.
"Developers have more autonomy than ever in the cloud and can deploy resources at will," Thoden van Velzen observed. "Therefore, you need the active collaboration of those teams to install an agent on each of their end points." But developers expect friction-free access to resources – so asking them to test and deploy agents won't be well received.
He therefore recommends a cloud-native approach to implementing security – mostly using APIs, and done at an organizational level.
"That way onboarding can be done centrally and applied to all cloud accounts in the organization without any effort on the developer teams," he suggested.
SAP learned that the hard way.
"Our Cloud-native Application Protection Platform (CNAPP) was deployed and rolled out to most of the organization in about three months. Our first central agent-based EDR solution adoption was abandoned after a year and a half as a failure," he admitted.
Thoden van Velzen also worries about the complexities involved when using security tools designed for on-prem use in the cloud. He also observed that security software is licensed for on-prem use. "Many vendors use per-seat licensing," he noted, before asking "how do you calculate a seat when it only was around for a few hours?"
SAP, he wrote, creates "30,000 VMs every 24 hours. Do all 30,000 count as a seat? Do we average the number of VMs over a time period? This is not always clear."
The ERP emperor now runs an agent-less Cloud Native Application Protection Platform (CNAPP) that Thoden van Velzen wrote "monitors cloud-native infrastructure and managed services, as well as VMs and container-based workloads through side scanning.
"It contextualizes both findings into risk-based alerts for misconfigurations, vulnerabilities, IAM alerts and file-based malware that facilitate prioritization within the organization. The CNAPP even supports asset discovery, important in a fast-growing, dynamic environment."
SAP is confident enough in its performance that in October 2023 the CNAPP tool replaced an in-house developed cloud security posture management solution, "and in early 2024 [it] will replace the existing network-based vulnerability scanner entirely for public cloud landscapes." ®