Is that the right scope for your SAP security assessment?

by: Carlos Chalico

Let’s think about SAP: a company founded in 1972 whose software currently has more than 250,000 customers in over 180 countries and which is related in some way to 86% of the companies on the Global Fortune 500 list (according to its corporate fact sheet). This is clearly a product that is widely deployed, and every company that uses it should be defining formal and robust internal security controls to protect the information and data processed by this application.

A lot of things can be said about information security related to SAP; my intention now is to talk a little bit about the mistake made when defining the scope for executing an information security assessment on an SAP environment.

This misconception comes from the definition of what an SAP environment is. Typically, SAP platforms comprise at least three different tiers: Development, Quality Assurance and Production. Depending on your role inside your organization, you may well conceptualize an SAP environment differently.

If you are a programmer, for example, you might be thinking of the Development tier. This is where you spend most of your time and, as a consequence, everything there is valuable to you, so that might be your environment. But wait… What if you are from the IT department? Then you might be thinking not only of the Development tier but also of the one for Quality Assurance and, maybe, you are even thinking of the Production tier, the one that constitutes the environment for the users, on which real life happens, where true transactions occur.

When you think of the SAP environment, you have to keep in mind ALL the different tiers that comprise it and even beyond that. Each one of the tiers, and also the IT infrastructure elements that support them, has to be considered as a component that can reinforce or fully compromise information security on an SAP landscape.

Due to different regulations, most SAP user-organizations need to execute security assessments on their SAP environments and, commonly, these are executed by teams that for different reasons (budget, scope and time, to mention some) develop a partial and infrequent focus on the review, covering only a section of the production environment and thus creating the misconception on the scope definition.

It is true that you can find real and serious risks in the production environment. However, we need to recognize that this tier is always connected to the others, and also to other SAP or non-SAP systems, where we can definitely find real risks too, some of them even bigger.

Experience has shown me different situations where weaknesses in non-productive systems or non-SAP environments fully compromise the security effectiveness of productive tiers on SAP systems; I would even say that most of the attacks against an SAP environment become successful outside production and even on non-SAP components. I even remember a project where my team was engaged in a penetration testing exercise on an SAP environment that was very well protected. We unsuccessfully tried to penetrate the SAP system until one of my consultants, who was still executing some discovery duties, found an interesting file publicly available in our client’s corporate internal network. The file included a list of SAP users and passwords in clear text that we finally used to get access to the system.

Because of this I always recommend widening the view of risk when executing a security assessment on SAP environments; we need a comprehensive approach here in order to identify all the possible risks that can affect the confidentiality, integrity and availability of the information supported by, in this case, an SAP environment.

Considering this, next time you need to execute an information security assessment for SAP, please make sure you fully understand and clearly define what your target SAP environment is, considering all of the elements that can pose risk to your SAP operation even if they are not part of the SAP production environment or if they are not even SAP products. Remember that big failures also come from small mistakes.

How have you faced this?

Could your business save money by moving to the cloud?


by: Anne Kilgour

There have been a few stories in the news this year about software companies like Microsoft and Adobe moving their software to a subscription-only model. My first thought on reading this was that these companies are trying to tie me in to paying them forever and ultimately costing me a lot more money. But is that really the case?

If you have ever looked into purchasing cloud based software (also known as SaaS – Software as a Service), you might be surprised by the monthly subscription fees. Some quick mental arithmetic will tell you that paying $2,000 per month for all your users adds up to $24,000 annually. If you are comparing this to the cost of buying traditional licences for $50,000, you might think that the subscription model is going to be much more expensive. After all you are going to keep that new system for more than 2 years, right?

It is easy to overlook all the other costs that come with a traditional, on premise, solution. The most obvious one is the hardware – you don’t need to buy or use any servers when you adopt an on-demand solution. The cost of buying servers is of course a part of this – but even if you already have them available, you still have to house them in an appropriate environment, back them up regularly, preferably to another physical location, provide power etc., and have someone monitor, maintain and fix them when necessary. Of course, that all comes at a cost.

Then there is also the software side – that solution that you have bought and implemented doesn’t stand still. Who will investigate and fix any bugs that you uncover? How often will you upgrade to a newer version? Who will install the PC portion of the system for new users? How easy is this to do?

This is of course where the SaaS model earns its bread and butter. All the server management is done for you, in state-of-the-art facilities, with the highest levels of security, backup and redundancy to ensure you have the maximum availability of your system. On the software side, you have access to experts to help you with any bugs or problems at no additional cost. The system is regularly upgraded for you, and there is no PC software to install. In fact this in itself is one of the biggest advantages of the cloud – you can truly access your system on demand, from any device, anywhere, anytime, so long as you are connected to the internet. On the beach, in the office, on the train home, wherever you have connectivity you can be working on your system.

I recently found a great tool to help you compare the total cost of ownership (TCO) of an on premise system and an on-demand, SaaS system, from the very helpful people at Nucleus Research. Through putting in a few figures for the costs of running your system locally or in the cloud, it will quickly analyse the TCO and present you with a clear comparison of the two options.

Here is an example of the comparison output:

[Image: example TCO comparison output]

So, if your senior management are nervous about moving to the cloud, show them the potential savings you could achieve. Then speak to Ouest to find out more about making your business a Best Run Business with SAP Business ByDesign.

NHL and SAP – Could it fit?

by: Ben Chen

When you think of NHL and SAP, the first thing that probably comes to mind is the SAP Center. In the past month, SAP AG struck a $3.35 Million-a-year deal with the city of San Jose and Sharks Sports & Entertainment to receive the naming rights for the San Jose Sharks stadium. However, it raises the question of whether there’s more room for SAP and the National Hockey League than a stadium deal.

SAP’s involvement in other Major League Sports has already been exponentially growing. In the NFL, SAP partnered with the San Francisco 49ers on a custom software joint venture and then partnered with the NFL to power their Fantasy Football using cloud solutions. Even the NBA announced earlier this year that NBA.com/stats would be running SAP HANA. When Sr. Vice President of SAP Cloud Mike Morini was asked about SAP’s recent expansion into the sports and entertainment market he replied, “We spent forty years going business to business. Now, we want to go to customers and customers’ customers.”

The real question lies in how SAP could fit in with the National Hockey League. The simple answer?

Big. Data.

As with any of the other Major League Sports, the NHL has a bevy of data to work with. Moneyball references aside, a lot of the statistics could be used to build the fan experience. Here are a few ideas of how SAP could get involved:

NHL.com/Stats – similarly to how the NBA.com/stats was improved by SAP HANA, the NHL Stats could also do with a larger, faster, and more flexible database. With important stats like Goals, Assists, Plus/Minus, and Save Percentage constantly being looked at by fans, the system has to be able to run fast and be easy to navigate by all users. NHL.com/stats is also missing a large history of their team statistics which only go as far as the 1997/98 season.

Real-time – With the growth of Second-Screen experiences, being able to track real-time statistics can be a crucial part of building the hockey-consumer’s experience. Imagine being able to see exactly where the action happens on the ice when it happens, similar to EA’s NHL 13 Action Tracker mode below.

[Image: EA’s NHL 13 Action Tracker mode]

*NOTE: The NHL offers NHL Gamecenter Live, which offers similar real-time stats but requires a paid subscription.

Milestone Breaker – A potential system that could be built is an upcoming Milestone Breaker for NHL players and teams. This would be a system that could inform NHL fans of the records or milestones that could be broken within the next couple of days. For example, imagine being able to see that Henrik Sedin could be the Canucks all-time leading scorer within the next few games. The information alone would give fans the added incentive to watch the next few Canucks games in anticipation of the event.

In-house Fantasy Hockey – Similar to how SAP has worked with the NBA to bolster their Fantasy Football, it could work with the NHL as well. The NHL.com Fantasy could rival other competitors Yahoo! Hockey and ESPN and potentially include bonus statistics that NHL enthusiasts use such as a Salary Cap or a Team Lineup system.

There are limitless possibilities to a potential team-up with SAP and the NHL. Could this be a foreseeable fit for both parties? Yes. Here’s hoping that we see it!

Why is cloud the way of the future?

by: Chester Chavez

Have you ever wondered why cloud is the way of the future? Are you familiar with the cloud? I’m not talking about the clouds in the sky but about the technological term, which means that data is stored by another provider in a remote location. This frees the company from being tied to conventional in-house system infrastructure and the costs and maintenance that go with it. You can access the data from anywhere as long as you have an internet connection, be it via desktop computers, laptops or even mobile devices. The advantages you get are greater financial flexibility, quicker reaction time, increased efficiency and immediate access. We have to admit that these are all vital components of running a successful business, but let’s take a deeper dive into the last factor.

We are now in a time where technology is in its ascendancy. Everything we do is somehow connected to technology or the internet. Most headline-making inventions or fads are either on the internet or caused by the internet. People have now become more dependent on it. Everywhere you look, you will see people busy reading, typing or playing with their mobile devices.

So why then is having immediate access to your business system important? Having a system that you can access anytime, anywhere does give you immense benefits. Before, having real-time access to your data was a big thing, but now it’s a thing of the past. Nowadays, real-time data is not enough, and it means nothing if you are not empowered to make decisions and changes based on it. But nothing seems to be bigger than the fact that having immediate access to your ERP system gives you the chance to be above or at least in line with your competitors. Let’s face it, one timing delay may cause a business to lose a considerable amount of money or be left behind by the competition. The competitiveness of the business world is now so high that people are looking for ways to one-up each other in any way possible.

With this in mind, SAP utilized their industry-leading expertise in creating real-time ERP systems and combined it with cloud technology. Thus, it gave birth to SAP Business ByDesign. This ERP software is not really new; it has been in the industry since 2007 and has been through a roller-coaster ride. There was even talk about SAP Business ByDesign’s death, but of course it was short-lived since ByDesign still exists to this day. Somehow, the not-so-good way it started proved to be a blessing in disguise for SAP, since they were able to identify the key challenges and are now bouncing back stronger than ever.

SAP Business ByDesign Integrates

SAP wanted to start a cloud solution that would cater to Small and Medium Enterprises (SMEs). They wanted to help businesses grow by providing their world-class ERP business software at a price better suited to SMEs, pairing it with cloud technology. What clients get is a full-suite ERP business solution that is in the cloud. The user interface, navigation and help functions are better and easy to use and understand. The system has its own library that you can use as a reference, and it even has a community center where people share their thoughts and questions about ByDesign. If that still won’t solve your problem, you can always log an incident (ticket) with SAP’s 24/7 support hotline.

The system has most, if not all, of the common functions that SMEs need and can be configured easily. There are also functionalities – known as apps – that you can buy, which are customised for certain business processes and are created and/or developed by accredited SAP Partners only. You can also make changes post-implementation, and the system will be able to respond quickly without downtime. The system currently undergoes quarterly upgrades which update the system functionalities to better cater to the needs and concerns of the majority. These upgrades are based on the ongoing collaboration between SAP and its clients, through user feedback on what improvements they want SAP to make in ByDesign. This is a good thing since it empowers the users to be proactive and to do their part in improving the system.

SAP Business ByDesign can be summarized in 3 words: Intuitive. Flexible. Accessible. ByDesign has done a lot of developments and growing up since its inception and surely, the best is yet to come. As the saying goes, “Success is not by chance, it’s ByDesign.”

Big Data Visualization: the simpler, the better

by: Daniel Duran

BIG DATA

Are you suffering from information overload? Do you not know how to show your big data in a simpler and more attractive way? The good news is that there might be an easy solution for processing and converting a lot of numbers into something fascinating and understandable. But let’s start by answering what big data is: it is the collection of large and complex datasets, such that the storage, management, processing, analysis and visualization of data become difficult for traditional relational database systems.

According to IDC, the amount of data stored is doubling every 18 months. Each day we face a major problem in storing and managing all this data in a better and simpler way, because the volume and detail of information is growing exponentially. Reuters Research predicts that the big data market is estimated to grow 45% annually, so by year 2020 the growth of global data will be more than 30 zettabytes (1 Zettabyte = 1 million petabytes, 1 Petabyte = 1 million gigabytes), according to the graphic below.

[Image: graphic of projected global data growth]

For that reason, it’s necessary to evolve to new technologies that take charge of capturing all data and provide new insights to companies, leading to faster, simpler, better decisions and quicker responses.

The need for data visualization for any organization is becoming more vital for the future. The importance of historical or trend reporting is decreasing, while data visualization (predictable data) continues to increase in importance.

Thereby, data visualization helps us to contextualize numbers, statistics and datasets; it means accessibility and a good look for all levels of your organization. The success of data visualization is based, among other variables, on understanding our data, which requires a multidisciplinary profile because it needs a combination of skills in analysis, statistics and data cleansing experience. With that, we can get the presentation that best meets what we want to visualize, in a way that is simple to read and, as a consequence, better presented.

In the market, there are a lot of providers related to the concepts of big data and data visualization. But only a few of them are moving strongly into the world of big data, because they are in a good position on both fronts: database (hardware), and analytical and reporting tools (software). These companies are SAP, Oracle, Microsoft, IBM, Teradata, and EMC.

SAP HANA

Our focus will be SAP, which offers an in-memory solution for big data capable of holding all your data fully in-memory. This solution is feasible due to advances in hardware technology, making the impossible…possible. SAP called this solution HANA and it is optimized to take advantage of these technology advances.

SAP describes HANA as a flexible data source toolset that allows you to hold and analyze large (massive) volumes of data in real time, without the need to aggregate or create highly complex physical data models. The SAP HANA in-memory database solution is a combination of hardware and software that optimizes row-based, column-based, and object-based database technologies to exploit parallel processing capabilities.

SAP is working to make SAP HANA a better tool for the future: it is planning to give more support to third-party applications, and it also has a Business Suite working on HANA. In addition, SAP has a wonderful data visualization toolset that you can combine with HANA technology, enabling better business performance with high-impact dashboards, rapid insights through agile visualization and self-service data exploration.

“This is the future of SAP. This was one of the best ideas in the last 10 years”, said Prof. Dr. h.c. Hasso Plattner, placing SAP HANA as one of the biggest solutions for the future. Today, there are a lot of applications with the tag “powered by HANA”, which certifies the correct use of HANA. Therefore, from now on we will be using more applications and services based on SAP HANA, giving us a new way to interact better with our customers and providers in the market.

This is something we are now facing, because more SAP applications are being integrated with SAP HANA and there will be more in the coming years. Recently SAP announced the integration of SAP HANA with SAP Business ByDesign, an on-demand solution developed for small and midsize companies that require a complete business management solution without a large infrastructure, moving this complete application to a new faster, simpler and better solution on the market.

Among the SAP tools that we can use for data visualization purposes in this new age of technology, we can talk about SAP BusinessObjects toolset and SAP Lumira.

SAP BUSINESS OBJECTS

SAP BusinessObjects is a full business solution designed to help you optimize your business performance with high-impact dashboard tools, agile visualization applications and business analysis reporting that allow you to make better business decisions based on business data. This solution is designed for the casual user rather than the business user.

Some characteristics of this solution include data exploration with beautiful visualizations, reporting of multiple data sources in friendly formats and templates and, also, you can develop data visualizations and mobile reporting from your SAP BW and SAP HANA data.

Some of the tools that are part of BusinessObjects portfolio are:

  • SAP BusinessObjects Explorer
  • SAP BusinessObjects Design Studio

Below, some pictures of how Business Objects tools look.

[Images: SAP BusinessObjects tools]

SAP LUMIRA

SAP Lumira is a data visualization solution oriented toward the business analyst rather than the casual user that BusinessObjects targets. This solution offers predictive reporting features such as segmentation, clustering and time series; all of these are known as predictive functions, and they make an important difference from BusinessObjects.

SAP Lumira (formerly called SAP Visual Intelligence) is the next-generation solution of big data, self-service and visual analytics tools that can be used in conjunction with SAP HANA, making a powerful tool for visualizing a huge amount of data in real time with low response times.

Also, you can modify any data structure without the help of the IT area, because it grows in a more basic way than other tools (e.g. BusinessObjects). In fact, you can increase the self-service data usage maximizing your business knowledge and accelerating the decision-making; so, you can answer complex business questions with business data.

Below, some pictures of how SAP Lumira looks.

[Image: SAP Lumira]

With this kind of SAP tool you can see your business with more clarity than ever, thanks to the global visualizations of your information and key measures, allowing end users to interact with visual representations of business processes and data.

Introduce yourself to the beauty of data visualization, let us help you with this, and remember that “the simpler, the better” could be the difference in having the key to success.