In a Feb. 27 speech at Carnegie Mellon University, Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), called on technology companies to take greater responsibility for the design and security of their products. A few days later, the Biden administration released the long-anticipated National Cybersecurity Strategy (NCS), which confirms the U.S. government’s intention to require the technology industry to shoulder more of the load for cyber risk.
Easterly said U.S. policymakers — as well as consumers and users of third-party products — have allowed software programs riddled with vulnerabilities or hardware that can be attacked at almost every level to become the norm.
“As we’ve integrated technology into nearly every facet in our lives, we’ve unwittingly come to accept as normal that such technology is dangerous by design,” she said. Easterly called for a transformative shift to put the onus on the technology industry to infuse security into their products during the design phase.
The CISA Director called the status quo in commercial cybersecurity today “unsustainable,” saying companies, consumers and government must collectively shift their expectations to make major software and hardware manufacturers – not users – responsible for insecure products.
Going forward, the Biden Administration will put a larger emphasis on regulating the security and safety design choices of technology manufacturers.
SAP is supportive of secure-by-design solutions and systems
Acting National Cyber Director Kemba Walden said the private sector needs to step forward with the government. We agree. SAP has long recognized its responsibilities to offer secure-by-design products and services, given the significance of the workloads our portfolio supports.
The NCS explicitly mentions the role of CISA’s Joint Cyber Defense Collaborative (JCDC) as a vehicle for partnerships across the public and private sector to unify cyber defenders from organizations worldwide. SAP is one of the few European, non-US tech companies that have joined the JCDC as active participants to support this mission. I was pleased to be able to contribute personally at the industry exchange last week in Nashville, TN, to share our experience in cloud security.
“SAP is supportive of CISA’s work to encourage secure-by-design products and systems. We support the secure-by-design philosophy, requiring secure development practices, and we will continue to partner with the government to discuss changing regulatory guidelines and what it will take to fill any gaps for the best defense possible,” says Tim McKnight, SAP Chief Security Officer.
SAP’s approach to security is based on three core pillars: Build Securely, Run Securely and Act Securely.
The first pillar addresses Easterly’s call to infuse security into the design phase.
Building secure-by-design solutions entails three components:
- How we develop and deploy software in the cloud with a security-first approach at every stage of the software development lifecycle
- How we partner with leading cloud service providers to build secure-by-design cloud environments
- Additional solutions we offer beyond the core security elements that customers can adopt to elevate their overall security posture.
Secure Software Development and Operations Lifecycle to build and deploy software in cloud environments
We follow the various phases of the Secure Software Development and Operations Lifecycle (SecSDOL).
This cycle is continuously repeated from development to deployment and involves continuous improvement and adjustments, informed and guided by leading standards and frameworks such as the NIST Cybersecurity Framework and the ISO 270xx Standards.
By employing these measures, we continuously seek to optimize our approach to security.
We partner to build secure-by-design environments
The second element of Building Securely is that we partner to build secure-by-design environments based on a zero trust architecture. The concept of zero trust is based on the philosophy that companies should trust no one, inside or outside the network – treating users as an “unknown” until they prove their identity to gain access to the network.
Our cloud environment development relies on one standard secure development and operations lifecycle. This approach allows our DevSecOps team to agree on and implement a consistent approach to security.
Supported cloud environments can be categorized into these three main areas:
- The first is SAP’s cloud environment called the SAP Converged Cloud.
- The second is environments in which SAP uses its partnerships with cloud service providers such as AWS, Microsoft Azure, and Google Cloud Platform to manage and deploy our customers’ assets.
- The third is a customer data center option involving technology partners Dell, Lenovo and HPE, where we deliver the speed and agility of the cloud to the customer’s data center. This allows them to meet ever-changing regulatory requirements and protect the sovereignty of their data, while benefitting from cloud economics and scalability.
Offering advanced solutions and services for secure applications and data
The third element of building securely is the set of advanced solutions and services SAP offers to help our customers meet their responsibilities to secure applications and data. These solutions are available in addition to the standard security features in our cloud offerings.
Our solutions help address challenges in the areas of:
- Identity and access management
- Data transparency and sovereignty
- Threat detection and code analysis
- Risk management
- Privacy governance.
Shift-Left, Secure-by-Design and Collaboration to keep data secure
The origin of most cloud security breaches lies in infrastructure misconfigurations unintentionally exposing resources, known vulnerabilities in the software stack of the solution, and leaked credentials via source code repositories or configuration files.
The secure software development and operations lifecycle (SecSDOL) is central to SAP’s security approach and includes security controls at every step of development. Ideally, security issues are caught early and fixed within the development cycle (“shift left”).
Shared Fate
SAP can only meet this challenge by understanding that we have a shared destiny: the only way we can keep SAP’s cloud secure is by collaborating across organizational silos, making security compliance easier for our developer teams, and enabling them to meet security policies as early as possible in the development lifecycle.
This circle of collaboration extends beyond our own internal processes to include our customers and partners in both public and private sectors, with the understanding that we depend on each other. Together we make the world run better, securely.
Editorial support: Michael Baxter