How SAP Keeps its Infrastructure and Software Secure

VIDEO: Justin Somaini, Chief Security Officer at SAP discusses his role and what it takes to secure SAP's infrastructure, employees and software.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

Justin Somaini became the first Chief Security Officer (CSO) at enterprise software vendor SAP on January 1, 2016, in a bid to help further improve security. As the first CSO ever at SAP, Somaini has helped to define his own role and the role of security within multiple aspects of SAP's global organization, including both infrastructure and product security.

In a video interview with eWEEK Somaini said that the role of the CSO at SAP is to own security end-to-end within the organization, which also includes making sure that employees and end-user devices are secured.

Somaini explained that SAP uses a long list of security technologies to protect employees, including end-point protection, forensic analysis capabilities, network segmentation, network access control and vulnerability scanners among other tools.

"Where we really find the interesting challenge is where the solutions have weaknesses that can be augmented by some of the more innovative solutions in the market," Somaini said.

To that end, Somaini noted that he does take interest in emerging technologies from security startups that include Endpoint Detection and Response (EDR) and protocol inspection approaches.

Somaini is also making use of SAP technology extensively to help secure the organization, including SAP's GRC (Governance Risk and Compliance) platform. He explained that with SAP GRC he's able to pull in all the signals and feeds from the various security tools and processes in use across the company, to continuously report on the company's security posture.

There are several key security metrics and regulatory compliance directives that SAP's security efforts track. Somaini said that when reporting on security, he really wants to provide visibility into the company's Key Performance Indicators (KPIs). That is, what is the impact of security to SAP's revenue stream, reputation and business operations.

SAP also tracks metrics on vulnerability reporting and how fast new issues are detected and fixed. Among the key issues that Somaini tracks is whether SAP is actually getting better at reducing the number of vulnerabilities over time.

"One of the benefits of actually working at SAP, which creates products that help to manage businesses, is we can actually hook into the general ledger," Somaini said.

As such, Somaini's team can identify what a given system is running and how it relates to the overall business operations of SAP. With that insight, Somaini can forecast what impact a potential compromise of a specific system might have on SAP's revenue.

"Pulling in the end-to-end model on the revenue chain is one example of how you take a security related topic in a business context," Somaini said.

From a software development perspective, SAP also embraces a secure software development model that is based on the ISO 27034 application security guidelines. From a developer lifecycle perspective, Somaini said that SAP runs many different tools to help improve code security.

Watch the full video interview with Justin Somaini, CSO at SAP, below:

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.