Financial Management Blogs by SAP
JayThvV
Product and Topic Expert

We're coming to the end of the summer vacation period. I hope you had a great time and had an opportunity to recharge. Cloud security didn't stop, though, so here is a list of recent SAP cloud security articles published during this period that you may have missed.

May 27: Cyber Resiliency instead of Cyber Nirvana

Perfect security is like a cyber nirvana - something that you aim for, but are unlikely to achieve in your lifetime. Yet infosec is filled with well-intended advice and policy requirements that demand perfection: fix all the vulnerabilities, misconfigurations, and code dependencies, and configure everything with least privilege. Instead, a "Swiss Cheese" model of defense-in-depth built from imperfect layers is going to be more realistic and effective.


June: Keeping SAP Customers Safe Around the Globe. Taking a risk-based approach to protect customer data by implementing the National Institute of Standards and Technology Cybersecurity Framework

SAP and EY jointly published this brochure by Vanessa Barber, Hedayatollah Hosseini and Dr. Peter Westphal (EY) about SAP's NIST Cybersecurity Framework implementation journey, including insights and lessons learnt.


June 12: Demystifying Cyber Risk: Empowering SAP Organizations to Measure and Integrate Cyber Risks into Busi...

This blog by i353gfiata explores how the FAIR (Factor Analysis of Information Risk) methodology helps in quantifying cyber risk, particularly within the SAP realm. It emphasizes the importance of integrating cyber risks into the broader enterprise risk management framework, ensuring that cybersecurity is not treated in isolation but is considered alongside other strategic risks.


June 23: Cyber Physical Clouds: Cyber Risks and Resiliency in the Real World

Customer meetings in Australia made it very clear to me what the cyber-physical impact of security incidents and outages was on their business operations. It is one thing to know this in the abstract; it is quite another to hear concrete examples directly from security leaders. These add a lot of meaning and context to why we constantly look to improve our security practices.


June 27: Shared Responsibility, Shared Fate, and Shared Faith: An Evolution in Trust in Cloud Services

These customer discussions directly led to this article about "shared faith" as a further evolution in cloud security. Given what is at stake, cloud service providers do not just have a responsibility to help their customers run securely; they also have a responsibility to demonstrate that they run their cloud services securely themselves.


July 5: Implementing the NIST Cybersecurity Framework During Rapid Cloud Transformation and a Complex Regula...

Managing cybersecurity risks is challenging in any climate. Doing it in the middle of rapid cloud transformation adds complexity and a need for agility. To better manage the cybersecurity risks associated with the direction the company strategy was taking, SAP decided to implement the NIST Cybersecurity Framework (NIST CSF). In this article, I go deeper into how NIST CSF provides a stable structure to drive continuous improvement in our cloud security posture, while allowing the flexibility and agility that cloud transformation needs in the face of ever-changing policies and compliance audit requirements.


August 7: Cloudy Threat Detection Fundamentals

While many attack patterns apply to applications running in the cloud as much as anywhere else, there are cloud-specific ones you should be aware of so you don't get caught out. You cannot detect what you don't know you should be looking for. In this article I cover the key threats and techniques unique to public cloud infrastructure-as-a-service (IaaS) environments that threat detection and incident response teams new to the cloud should be aware of.


August 14: Why Finance Leaders In Midsize Businesses Are Stepping Up Cybersecurity Efforts

i353gfiata discusses the cybersecurity risks that midsize Finance organizations face, and how a move to the cloud and cloud-native ERP can help them with the challenges of attracting and retaining skilled security professionals, keeping up with ever-changing cyber threats and privacy regulations, and managing and budgeting for infrastructure, platforms and services themselves.


August 20: Avoid Undermining Your Security Program Through Hostile User Experience

If we want effective security outcomes, we need to make it as easy as possible for teams to meet security and compliance requirements, as they are the only ones who can do that. We can be a "Department of Yes, but Securely". Carrots work better than sticks. In this article, I give five recommendations on how to improve the user experience for those impacted by our security programs and processes.


August 30: The Durian Model of Effective Cyber Resilience

Following on from the previous article on user experience, in this blog I attempt to answer the question of where we must be strict and where we can be accommodating to concerns and feedback from within our organization. The challenge is that we have hard boundaries we can’t compromise on. We have to manage real security risks in a constantly changing threat landscape. We’re under audit and regulatory requirements that we can’t argue with. There are things that we must do, whether we or the organization like it or not, to identify, protect, detect, respond, and recover. How we choose to do those things, though, should be up for debate and dialogue.


August 31: Security Safeguards for SAP Cloud Services: Addressing the Threats to Cloud Computing

Last but not least, jana.subramanian published this extensive overview of the security safeguards SAP has put in place against the eleven threats described in Top Threats to Cloud Computing: Pandemic Eleven, released by the Cloud Security Alliance (CSA). This is an 18-minute read, but if you want a deep overview of the various security controls SAP has in place to mitigate these threats, this is for you.

We have more interesting content coming in September. Stay tuned!