SECURITYBRIDGE BROADENS U.S. REACH WITH NEW 1st BASIS GROUP PARTNERSHIP

Press Release

Ingolstadt, Germany, February 22, 2022 – SAP security provider SecurityBridge, now operating in the U.S., today announced a partnership with Wisconsin-based 1st Basis SAP Services Group (1st Basis). The partnership enables 1st Basis to bring SecurityBridge’s integrated SAP Security platform and services, the most advanced cybersecurity for SAP managed services and S/4HANA migration projects, to its customer base.

“It’s no secret that SAP often holds an organization’s crown jewels and needs to be given the utmost protection. However, according to the latest research, 43% of data breaches are at the application layer, and we are finding that this is the greatest area of weakness,” said Doug Pastrich, CEO of 1st Basis.

SecurityBridge provides the most advanced cyber-platform with real-time threat detection, vulnerability management, custom code scanning and patch management in a seamless one-stop-shop solution built on a single technology layer. With real-time dashboards based on SAP Fiori, SecurityBridge provides actionable intelligence that can be relied upon to make critical security decisions.

“SecurityBridge provides the most comprehensive functionality and seamlessly integrates within the SAP technology stack. Its agile and holistic approach enables us to provide transformation and managed services very quickly and smoothly. 1st Basis will be building on our solid reputation of providing our clients with the utmost quality of managed services as security is becoming more urgent. With this partnership, we will provide significant speed to security in our ability to reduce the attack surface for our customers by utilizing the power of SecurityBridge,” added Pastrich.

“Threats against SAP systems are becoming more prevalent and more sophisticated. The most effective, proven approach is to combine constant real-time threat monitoring and vulnerability management into a holistic security process,” said Christoph Nagy, CEO of SecurityBridge.

“The partnership with 1st Basis will be highly synergistic for both parties, as we see the increasing migration towards managed services for SAP clients. We value the expertise and excellent reputation that 1st Basis provides, and we look forward to an exciting year ahead.”

About SecurityBridge

SecurityBridge is an SAP Security Platform provider, developing tools to extend the SAP ecosystem. The company takes a radically different approach to traditional security tools, believing SAP applications and custom code will be infiltrated no matter how diligently security hygiene is applied. In response to this belief, SecurityBridge created the world’s only natively integrated real-time solution for constant monitoring. Powered by anomaly detection, the SecurityBridge platform can differentiate between accurate results and false positives so that security teams can better focus on real issues. For more information, please visit securitybridge.com.

About 1st Basis


Founded in 2006, 1st Basis provides affordable, high-quality SAP Basis managed services at SAP Best Practices standards. For over a decade, we have kept that promise. We leverage our unmatched expertise to keep our customers’ SAP systems secure, stable and highly available. For more information, please visit www.1stbasis.com.

Background

This is a companion piece to our other post on TikTok and potential security concerns with SAP. The geopolitical background issues are the same. China has a history of corporate and other espionage and a history of inserting its interests into the affairs of corporate entities, even technically private ones, at home. It is also the world’s most developed surveillance state, and recently, it and the United States have been increasingly at odds on a variety of issues.

Unlike TikTok, Zoom is not headquartered in China. Its founder and CEO, Eric Yuan, was born in China but moved to the United States in 1997.

The Rise of Zoom

As most people now know, Zoom has been one of the greatest beneficiaries of the COVID-19 lockdowns, seeing an almost twentyfold rise in usage over the past year. People isolating to slow the spread of the virus have flocked to the platform for social and work purposes. The subsequent discovery by many workers (and some businesses) that much of what they do does not depend on being on-site has contributed to its continued expansion. Many educational institutions, social services and primary medical services have adapted to use video as well.

The ease with which Zoom can be accessed and its full but intuitive feature set have spurred its widespread adoption, but that same broad set of features and ease of access have also made it an attractive target for hackers and other online bad actors.

The Problematic History

There have been a series of security issues with Zoom that are, perhaps, not surprising given the nature of the platform. Early on, many people using the platform declined to set a meeting password, which gave “Zoom-bombers” and grifters an opening to break into meetings and wreak havoc. In one infamous example, a major university’s graduation, held online because of COVID-19, was interrupted with racist invective. The platform has been used for information scraping, malware injection, password theft and just about anything else an attacker might want to do. At one point, researchers found that some Zoom meeting encryption keys were being generated by servers located in China, which raised warning signs among politicians and security experts. Additionally, Zoom suspended the accounts of several well-known Chinese dissidents at the request of the Chinese government.

The list of exploits and possible vulnerabilities is very long, and you can read about them in depth in the compilation at Tom’s Guide. The most problematic thing about Zoom, though, has been its lack of candor at times, for instance claiming to offer end-to-end encryption when it did not. In response to various criticisms, Zoom has taken steps to mitigate its vulnerabilities, but few of these steps seem, from an outside perspective, to have been taken proactively. A variety of alternatives to Zoom are available. If you share sensitive information on such a platform, you may be better off looking elsewhere until Zoom has established a more robust security track record, and this is more likely to apply to businesses that run SAP than to those that do not. Zoom’s vulnerabilities make it problematic not only with regard to the Chinese state but also with regard to corporate espionage, sabotage and sundry black-hat exploits. As with TikTok, your risk profile will depend entirely on the value of the information you share to those who should not have it.

Geo-Political Background

Recently, the Trump administration has floated the possibility of banning the use of TikTok in the United States. This comes against a backdrop of increasing tensions between the United States and China, driven by China’s emergence as a military and economic rival superpower and exacerbated by what some in the West view as Chinese military and economic expansionism, long-running institutional infiltration, technological and other espionage, and unfair trade practices. Recently, relations have been further strained by internal Chinese crackdowns on civil dissent, by China’s reneging on the conditions of its treaty with Great Britain regarding the status of Hong Kong, and by what some (though not all) regard as China’s failure to raise the alarm earlier about COVID-19, which has had devastating health, social and economic consequences around the globe.

India, which has recently clashed with China over the disputed Galwan Valley between China and Indian-administered Kashmir, has banned the popular short-form video application. There have been rumors, though denied, that Australia and the Philippines might follow suit. Both of those nations have been alarmed by Chinese expansionism in the South China Sea.

Does TikTok Pose a Danger?

Does the application pose a danger? It is hard to say. Like most such applications, new versions often ship with security issues that need to be patched, and TikTok does a comparatively decent job of patching them. ByteDance, the company that owns TikTok, is headquartered in China but is not owned by the government per se. ByteDance insists that it would never convey any user information to the Chinese government, but the rights and responsibilities of “private” corporations in China vis-a-vis the government are, let us say, more negotiable there than they are in the West.

At present, there is no reason to believe that TikTok collects any more information than other “free” social media applications such as Facebook and Twitter, which monetize metadata from their users to target ads. But following revelations of what Cambridge Analytica was able to infer from access to Facebook’s data during the 2016 election, there is some concern about how China might use such information for similar purposes (or worse), such as wargaming, propaganda and disinformation, and election meddling. We have already seen that China takes a very aggressive line against its own citizens at home and abroad who use online platforms to criticize the government, and like the Russians it appears to be cultivating its own troll farms.

With Regard to SAP Users . . .

The problem here is that many SAP users are companies whose information is valuable not only to themselves but potentially also to others. One of the things TikTok was criticized for was reading the contents of the device clipboard. It was criticized again when it was found not to have fixed the problem; TikTok attributed the behaviour to an anti-spam feature. Theoretically, a government with access to such information might leverage it either through simple data mining or through blackmail. A surveillance state such as China might exploit, or introduce, backdoor methods of accessing data on devices with the TikTok application installed, as China is alleged to have done through Huawei’s 5G network equipment.

So there is no clear-cut answer on whether to prevent employees from using TikTok on devices that might also be used for work. As a precaution, and partly because of the border conflict, India has banned a number of Chinese apps, including TikTok. The US administration would like Microsoft or some other US-based company to buy it, and has set a deadline after which it will be banned. For the moment, we advise caution.

SAP Security is like an extraordinarily complex, multi-person juggling act. You may have seen performances where a couple of people juggle several balls, throwing them between each other while always keeping them in the air. Imagine if that were expanded to include every person in your business, and all those balls represented every one of your customers, every item in your inventory and all of your financial information. With SAP Security in place, every person in your organization has access to the data needed to do their job, while access to other areas is restricted. That means there is limited possibility of accidentally damaging or deliberately misusing vital information. This post explores SAP Security, how it mitigates risk, best practices, and more.

Mitigating Risk

SAP Security works by analyzing the different kinds of information your company uses and the people who have access to them, and then building appropriate protections around them. In order to mitigate your risks, you need to establish a baseline: review who has access to the company’s most sensitive information and what titles they hold. Then examine your company’s standard operating procedures to determine where protections are most needed; this is where you perform a Segregation of Duties (SoD) analysis. It is also key to think about scenarios outside the norm and plan for those as well. It is best to include SAP Security at the planning stage; it is possible to add it after your SAP system is up and running, but security should be integrated from the start. Finally, SAP Security maintains its integrity through regular system-wide assessments, which should also be planned for.

Best Practices – General

There are some basic best practices that should be employed with every SAP Security system, and some that apply to particular kinds of SAP systems and modules. In every SAP system, administrators create a standard role for a position (or title) that can be assigned to anyone who fills it. For instance, your company may have account managers who deal with specific clients. There would be “keys” available to all account managers, and then more specific “keys” for each manager’s own clients. That way, every account manager can access all the information necessary for their clients, but not for another account manager’s clients.

Best Practices – SAP HANA

SAP HANA security requires some adaptations from the standard SAP security model. Best practice here means that SAP HANA security operates on a least-privilege basis, which limits the damage an employee could cause with access to more information than the job requires. SAP HANA privileges are implemented differently from general SAP authorizations, and HANA also handles objects differently, so it is important to have someone with expertise in SAP HANA security. If that is not part of your corporate structure, contracting with the professionals at 1st Basis is a wise choice.

Best Practices – SAP Fiori

Again, the implementation of SAP Fiori differs from other SAP systems, and the most important best-practice step you can take is to ensure that you are working with someone who has a comprehensive understanding of SAP Fiori. There are nine main security best practices that should be followed when using SAP Fiori. Most businesses are taken up with the actual work of the company, not the SAP system or its security. Employing the experts at 1st Basis is best practice.

 

When working correctly, SAP Security should be invisible, allowing each member of the company to access the needed information at the appropriate time so that productivity remains high. It’s a juggling act where the balls are always in the air or in the right person’s hands, never breaking the rhythm of the movement, never concealed in a juggler’s pocket, and never on the floor.

“An SAP system administrator ensures that the Basis components of every SAP system and their functions are working correctly during live operation.”
SAP Administration: Practical Guide, p. 17, Galileo Press, 2011.

SAP Basis

SAP Basis is landscape administration for all SAP environments. It is designed to keep all of the different systems in the landscape working at optimum efficiency, all the time. SAP Basis installs and configures SAP systems and components, backs up and restores data, troubleshoots issues and manages batch jobs. In addition, SAP Basis configures SAP’s Transport Management System (TMS), which moves changes between the systems in the landscape. Generally, it does everything from installing and configuring printers and other devices to running and managing the entire SAP ERP foundation.

SAP Security

SAP Security is user administration in SAP across all modules and work areas. SAP Security governs what data and processes users can access inside an SAP landscape. It encompasses all the tools, processes and controls that restrict access within the SAP landscape so that a user has precisely the information needed to do their job, no more and no less. SAP Security analyzes and anticipates what access is needed and disallows viewing or altering other data. By assigning access via a role or position rather than to an individual person, it accommodates an easier flow of information while maintaining security.

History – SOX

The functions of SAP Basis and SAP Security used to be combined in one role. However, in the early 2000s they became decoupled, as it became more and more apparent that a dedicated function was needed to focus exclusively on internal security. On July 30, 2002, a federal law called the Sarbanes-Oxley Act (SOX) was enacted that made companies responsible for the accuracy of the information they reported. The most controversial element of the act was Section 404, which required management and external auditors to report on the adequacy of a company’s internal control over financial reporting.

History – Segregation of Duties

SAP stores and processes all kinds of data, including financial data, and segregation of duties (SoD) is crucial when dealing with different job positions and responsibilities within a company. SoD means that roles and responsibilities should be assigned so that no single individual has end-to-end access rights over any function. In particular, an employee should not be responsible for more than one of these three transaction components: authorizing transactions (approval), recording transactions (accounting) and handling the related asset (custody).
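The two access-control ideas on this page, the role-per-position model with narrower per-client “keys” (Best Practices – General above) and the three-component SoD rule just stated, can be made concrete in code. The following is an added example written for this page, not code from 1st Basis or from SAP. It models roles as bundles of SAP-style authorizations (an object plus allowed values per field, with “*” meaning any value), tags each role with the SoD component it represents, checks a request the way an SAP authority check does (a single authorization must satisfy every required field at once), and flags users who hold more than one SoD component within the same business process. All object names, field names, roles, users and values are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# All names and values below are constructed sample data for illustration;
# they are not the authorization objects or roles of any real SAP system.


@dataclass
class Authorization:
    """One authorization inside a role: an object plus allowed values per field.
    A '*' in a field's value set means 'any value', as with a full authorization."""
    obj: str
    fields: dict  # field name -> frozenset of allowed values

    def covers(self, obj: str, required: dict) -> bool:
        # Every required field must be satisfied by THIS authorization; values
        # from two different authorizations are never combined.
        if self.obj != obj:
            return False
        for fname, value in required.items():
            allowed = self.fields.get(fname, frozenset())
            if "*" not in allowed and value not in allowed:
                return False
        return True


@dataclass
class Role:
    name: str
    auths: list
    # SoD tags: (business process, component), component in {approve, record, custody}
    sod: set = field(default_factory=set)


ROLES = {
    # Base role for every account manager: display (ACTVT 03) any customer.
    "Z_AM_BASE": Role("Z_AM_BASE", [
        Authorization("Z_CUSTOMER", {"ACTVT": frozenset({"03"}), "KUNNR": frozenset({"*"})})]),
    # Per-portfolio "keys": change (ACTVT 02) only the manager's own customers.
    "Z_AM_PORTFOLIO_A": Role("Z_AM_PORTFOLIO_A", [
        Authorization("Z_CUSTOMER", {"ACTVT": frozenset({"02"}), "KUNNR": frozenset({"1000", "1001"})})]),
    "Z_AM_PORTFOLIO_B": Role("Z_AM_PORTFOLIO_B", [
        Authorization("Z_CUSTOMER", {"ACTVT": frozenset({"02"}), "KUNNR": frozenset({"2000"})})]),
    # Procure-to-pay roles, each tagged with the SoD component it represents.
    "Z_AP_INVOICE_ENTRY": Role("Z_AP_INVOICE_ENTRY", [
        Authorization("Z_VENDOR_INVOICE", {"ACTVT": frozenset({"01"})})],
        sod={("procure_to_pay", "record")}),
    "Z_AP_PAYMENT_APPROVE": Role("Z_AP_PAYMENT_APPROVE", [
        Authorization("Z_PAYMENT", {"ACTVT": frozenset({"approve"})})],
        sod={("procure_to_pay", "approve")}),
    "Z_AP_PAYMENT_RUN": Role("Z_AP_PAYMENT_RUN", [
        Authorization("Z_PAYMENT", {"ACTVT": frozenset({"execute"})})],
        sod={("procure_to_pay", "custody")}),
}

USERS = {
    "ALICE": {"Z_AM_BASE", "Z_AM_PORTFOLIO_A"},
    "BOB": {"Z_AM_BASE", "Z_AM_PORTFOLIO_B"},
    "CAROL": {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_APPROVE"},  # records AND approves
    "DAVE": {"Z_AP_INVOICE_ENTRY"},
}


def is_authorized(user: str, obj: str, required: dict, users=USERS, roles=ROLES) -> bool:
    """True if any single authorization in any of the user's roles covers the request."""
    return any(auth.covers(obj, required)
               for rname in users.get(user, set())
               for auth in roles[rname].auths)


def sod_conflicts(users=USERS, roles=ROLES) -> dict:
    """Return {user: {process: sorted components}} for every user who holds more
    than one SoD component (approve / record / custody) in the same process."""
    conflicts = {}
    for user, rnames in users.items():
        per_process = defaultdict(set)
        for rname in rnames:
            for process, component in roles[rname].sod:
                per_process[process].add(component)
        bad = {p: sorted(c) for p, c in per_process.items() if len(c) > 1}
        if bad:
            conflicts[user] = bad
    return conflicts


if __name__ == "__main__":
    print(is_authorized("ALICE", "Z_CUSTOMER", {"ACTVT": "02", "KUNNR": "1000"}))  # True
    print(is_authorized("ALICE", "Z_CUSTOMER", {"ACTVT": "02", "KUNNR": "2000"}))  # False
    print(is_authorized("ALICE", "Z_CUSTOMER", {"ACTVT": "03", "KUNNR": "2000"}))  # True
    print(sod_conflicts())  # {'CAROL': {'procure_to_pay': ['approve', 'record']}}
```

Note how ALICE can change customer 1000 but not 2000, even though her base role lets her display every customer: the “*” on the display authorization is never combined with the change activity from the portfolio role. SAP behaves the same way, matching field values within a single authorization rather than across them. The SoD check, by contrast, has to look across everything a user holds, which is why CAROL is flagged even though each of her roles is harmless on its own.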

SAP Basis and SAP Security Now

Before 2006, SAP Security was treated as a synonym for SOX and SoD, even though those are only a small part of it. Since then, SAP Security has developed into a complex and ever-evolving discipline for protecting the integrity of all the data within the SAP landscape. SAP Security can grant users full access to particular sets of data without allowing them to view others. Alternatively, it can allow full access to some sets of data, the ability to change other sets, and no access to still others, in every combination. SAP Security not only helps make certain that your business is complying with federal laws and regulations; it also sets up the framework for your employees to do their jobs using the soundest business practices.

Just imagine SAP Basis as the President and his cabinet dealing with the large-scale issues facing the country. SAP Security works more like the Department of Homeland Security and the police forces throughout the country. They make sure we are all safe and can go about our day-to-day lives without fear.