Companies that run SAP on-premises today are missing important security tools that a cloud-native version has.
SAP admits that its attempt to develop an endpoint detection and response (EDR) tool for the cloud has failed. This statement comes from Jay Thoden van Velzen, SAP strategy consultant to CSO Sebastian Lange, in an official company blog post.
“Legacy security tools transferred from data centers can still provide value upstream,” he writes. “But without cloud-aware monitoring and detection, you are vulnerable to common cloud threats that legacy tools cannot detect.”
He gives an example: corporate data centers have large, stable networks that need to be monitored, and the tool used for this is often agent-based. The public cloud, by contrast, is driven by encrypted API calls, and VMs and containers within these networks are not operational for long. An attacker who did gain access would have a harder time gaining permanent access.
“Those who get in often create VMs that do things like crypto. These VMs do not use templates and therefore do not run security agents. Result: You will find it very difficult.”
Why did it fail?
In his report, Thoden van Velzen also explains why SAP’s plan didn’t work, pointing to the developers.
“Developers have more autonomy in the cloud than ever before and can deploy resources as they wish. This requires the active collaboration of these teams to install an agent on each of their endpoints.” He points out that developers expect seamless access to resources. The call to test and deploy agents is not well received.
Thoden van Velzen therefore recommends that SAP take a cloud-native approach to everything security-related, preferably through organization-level APIs. “In this way, onboarding can be done centrally and applied to all cloud accounts in the company without any effort on the part of development teams.”
He also contrasts this with the state of SAP’s current efforts. “Our cloud-native Application Protection Platform (CNAPP) was rolled out to the majority of the company in approximately three months. Our first central agent-based EDR solution was abandoned after a year and a half.”
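As an added illustration of the blind spot described above (not code from SAP or from the blog post): a check that reconciles an organization-wide VM inventory, as an organization-level API would return it, against the hosts that an EDR agent has reported in, flagging VMs that were not built from an agent-carrying template and VMs whose agent never checked in. The instance records, image ids, account ids and the grace period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed assumptions: template images that bake the EDR agent in, and the
# time a freshly booted VM gets to register before it counts as uncovered.
APPROVED_IMAGES = {"img-golden-001", "img-golden-002"}
AGENT_GRACE = timedelta(minutes=15)

@dataclass(frozen=True)
class Instance:
    instance_id: str
    account_id: str
    image_id: str
    launch_time: datetime

def find_uncovered(instances, agent_hosts, now):
    """Reconcile the org-wide VM inventory against the hosts the EDR agent has
    reported in; return (instance_id, account_id, reason) for each blind spot."""
    uncovered = []
    for inst in instances:
        if inst.instance_id in agent_hosts:
            continue  # agent is reporting: covered
        if inst.image_id not in APPROVED_IMAGES:
            # Not built from a template, so no agent was ever installed: flag at once.
            uncovered.append((inst.instance_id, inst.account_id, "non-template image"))
        elif now - inst.launch_time > AGENT_GRACE:
            # Template image, but the agent never checked in within the grace period.
            uncovered.append((inst.instance_id, inst.account_id, "agent never checked in"))
    return uncovered

def coverage_ratio(instances, agent_hosts, now):
    """Fraction of the inventory the agent-based tool can actually see (1.0 = all)."""
    if not instances:
        return 1.0
    return 1 - len(find_uncovered(instances, agent_hosts, now)) / len(instances)

# Constructed sample: four VMs in two accounts, plus the agent console's host list.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    Instance("i-0001", "111111111111", "img-golden-001", NOW - timedelta(hours=5)),
    Instance("i-0002", "111111111111", "img-golden-002", NOW - timedelta(minutes=3)),
    Instance("i-0003", "222222222222", "img-unknown-7f3", NOW - timedelta(hours=1)),
    Instance("i-0004", "222222222222", "img-golden-001", NOW - timedelta(hours=3)),
]
SAMPLE_AGENT_HOSTS = {"i-0001"}

if __name__ == "__main__":
    for row in find_uncovered(SAMPLE_INSTANCES, SAMPLE_AGENT_HOSTS, NOW):
        print(row)
    print(f"coverage: {coverage_ratio(SAMPLE_INSTANCES, SAMPLE_AGENT_HOSTS, NOW):.0%}")
```

In the sample, i-0002 is still inside its grace period and is not flagged, while the VM built from an unknown image and the long-running VM whose agent never registered both are.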
Excessive complexity
The consultant also points out the unnecessary complexity associated with moving on-premises tools to the cloud. “Many providers use per-seat licenses, but how do you charge for such a seat when it’s only online in the cloud for a few hours?”
According to him, SAP creates 30,000 VMs every 24 hours. “Do they all count as one seat? Are we looking at the average value over a certain period of time? Something like that causes problems.”
Today, SAP operates an agentless Cloud Native Application Protection Platform (CNAPP) that monitors cloud-native infrastructure and managed services as well as VMs and container-based workloads via side scanning.
SAP believes in this solution, and the CNAPP tool has replaced the “old” internally developed tool. It also plans to replace the existing network-based vulnerability scanner for public cloud environments in early 2024.