Yesterday, in a blog post, Jeroen Thoden Van Velzen, the Strategic Advisor to the CSO of SAP, discussed the most powerful security control SAP has put in place and its impact on security processes and tools. SAP implemented federated control governance upstream from Security, with a specific focus on 24 guardrails. Their effort led to a more effective implementation of a CNAPP product (Orca) and what he says is “among the most effective measures to improve [their] cloud security and compliance posture.”
SAP needed a way to organize cloud control policies based on a variety of factors and not just a universal blanket. They also needed this to happen upstream of the security tool so that misconfigurations could be addressed immediately, rather than waiting for a security tool to assess the risks, prioritize the issues, and then create tickets. These guardrails needed to be in place for a security tool and process to even work. With their governance program in place, misconfigurations could not only be handled earlier, but the impact was felt in the vulnerability management program with the CNAPP as well: “99.6% of our open vulnerabilities were classified as “Informational” (instead of High, Medium or Low), indicating that they didn’t pose an immediate risk to be addressed. This percentage lined up directly with the compliance rates of our cloud network security controls enforced by these guardrails, ensuring that these vulnerabilities were not exposed to the internet.”
Customers who adopt Secberus will take advantage of the same benefits and then some. Where SAP built a process*, Secberus built a product. The Secberus Cloud Governance Platform is built on a data lake where users can easily build and adjust policies for any scope of cloud and associated products (IDP, CDN, WAF, etc.)- and Secberus is available to the market to solve this problem via self-management or managed services providers.
Reach out to us to become a Secberus Partner or if you are looking for a Channel Partner.
*SAP also built a CSPM to support this process, but it is being decommissioned. CSPMs are not designed to manage upstream governance.
