Decoding the “work in progress”. Impressions of an SAP security intruder

From 22 to 23 March 2023, I had the opportunity to visit the latest DSAG Technologietage 2023 in Mannheim, Germany, this year under the motto “Work in Progress”. Although this motto may make us think of a kind of indeterminate pause, I believe this event exposed a series of decisions which, although not new, together seem to add consistency, a sense of a fixed course, a kind of technology convergence. In this post, we touch on some relevant aspects and raise questions about what lies behind this “work in progress.”

There are so many perspectives exposed and discussed at this type of event that synthesizing them in a few lines will always keep us superficial. Administrators, developers, data analysts, and security people all bring different perspectives and interests. One way to get closer to a summary would be to look for what they have in common. That would be the word Hybrid. And I say a word, not a concept, because it has recently evolved qualitatively and has practically become a declaration of strategic decisions.
A few years ago, Hybrid used to refer to an On-Premise system connected to an On-Demand solution such as SuccessFactors, Concur, or Ariba. That is quite far from the present: RISE, Azure, BTP, SAC, DWC, ALM, AWS, Jupyter, Jira, Confluence, Delos, Workday, ServiceNow, just to mention a few SaaS offerings. There are, and will be for many years, users maintaining SAP systems in the classic DEV-QAS-PRD configuration, but today we also find maintenance and development scenarios more similar to this:

But it is more than this architecture of a stable On-Premise central core connected to many services. It is also the consolidation of this Core. SAP continues to invest actively in the Core: first it was FI, then HCM, then EWM, and this will most likely continue. The change in communication strategy is evident. There is no longer any insistence on a transition to the cloud. Today, the Hybrid concept is accepted without discussion. But be careful, and here is the “Haken” (hook): these business-critical application systems, these central systems, perhaps still On-Premise, will no longer be open and freely configurable systems. This new S/4 Core will be a “Cloud-Kompatibel” (cloud-compatible) core.
Let me explain: SAP has not conceded the field to all these specialized SaaS providers by limiting its offer to the Core and integrations. But competing with the multitude of services, innovating at this speed, exploiting, for example, the entire universe of IoT or AI, is simply impossible with a traditional ABAP stack. For this Core to behave as a service, it must become one. It must transmute. And here is the thing: it doesn't matter where the server is; it is about its architecture, a cloud architecture. This rate of innovation is only possible with a fully controlled system in which the extension possibilities are strictly limited and defined by the provider, using a standardized cloud technology: ABAP Cloud.

Years ago, SAP rewrote the standard code. Now it is the turn of the custom code. The day will come when companies activate the ABAP Cloud development mode in their environments. Then the custom code, written in ABAP OO, will no longer compile. Not even a single SELECT will be allowed. The entire extensibility framework will be determined by the public interfaces that SAP defines. Then your Core will be “Cloud-Kompatibel”, updates will no longer be a problem, and these heavy cargo ships will be able to behave like any other SaaS, regardless of whether the server is at home, hosted, or in a data center. This new cloud-compatible Core will always be ready to migrate specific services (RISE), integrate with other SaaS offerings, or simply migrate entirely to the public cloud.
There are hundreds of companies already in the public cloud. Others probably never will be. But, at least in technical matters, administrators, developers, and data analysts all share the same direction, in fact the only alternative, a kind of common “work in progress”: the cloud-compatibility movement. Today, the Hybrid concept is a mere courtesy. The client does not have to migrate to the public cloud if they don't want to, but even those on-premises servers that remain in their facilities, even that protected Core, will inevitably become a cloud entity.
If all these SAP experts are aligned, what about the security people? Of course, they will be dragged along, and probably not only they. The cloud-compatible direction will require a radical transformation of the current SAP security tools. In this new scenario, there is an obvious shift of the attack surface, but that is the subject of an upcoming post.
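To make the restriction described above concrete, here is an added illustration that is not code from the original post or from SAP: the same read of product master data written the classic way and the ABAP Cloud way. The class, method and variable names are invented for this example, and `I_Product` is assumed to be a CDS view that SAP has released for ABAP Cloud (release contract C1); any other object names would follow the same pattern.

```abap
" Added example, not from the original post. Illustrates what the ABAP Cloud
" development mode (ABAP language version "ABAP for Cloud Development") enforces:
" only objects SAP has released may be used, so custom code never touches the
" database tables directly. Class, method and variable names are invented.
CLASS zcl_cloud_ready_read DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    " Table type based on the released CDS view (assumed released: I_Product).
    TYPES tt_products TYPE STANDARD TABLE OF i_product WITH EMPTY KEY.

    " Reads all products of one product type through the public interface.
    METHODS read_products
      IMPORTING iv_product_type    TYPE i_product-producttype
      RETURNING VALUE(rt_products) TYPE tt_products.
ENDCLASS.

CLASS zcl_cloud_ready_read IMPLEMENTATION.
  METHOD read_products.
    " Classic ABAP (language version "Standard ABAP") would read the table MARA
    " directly. Under "ABAP for Cloud Development" the syntax check rejects the
    " statement below, because MARA is not a released object:
    "
    "   SELECT matnr, mtart FROM mara
    "     WHERE mtart = @iv_product_type
    "     INTO TABLE @DATA(lt_mara).

    " ABAP Cloud: the same data is reachable only through the released CDS view.
    " SAP, not the customer, decides which fields are exposed here and keeps the
    " view stable across upgrades; unreleased fields and tables are simply not
    " addressable from custom code.
    SELECT FROM i_product
      FIELDS product, producttype
      WHERE producttype = @iv_product_type
      INTO CORRESPONDING FIELDS OF TABLE @rt_products.
  ENDMETHOD.
ENDCLASS.
```

The enforcement happens at development time: in a software component set to ABAP for Cloud Development, the commented-out classic SELECT does not pass the syntax check, so the object cannot be activated at all. For existing classic code, the ABAP Test Cockpit offers a readiness check (the check variant SAP documents as ABAP_CLOUD_READINESS) that lists every such unreleased access, which is a reasonable first inventory of how much custom code, and how much of the current security tooling that inspects it, will have to change.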