Ask the CTO: Strong Business Application Security Starts With the Right Cybersecurity Foundation

Onapsis Chief Technology Officer JP Perez-Etchegoyen leads the innovation and research teams that keep Onapsis on the cutting edge of the business-critical application security market, addressing some of the most complex problems organizations currently face while managing and securing their ERP landscapes. He explains why an enterprise security strategy for protecting business-critical applications should start with alignment to a strong security framework.


What are cybersecurity frameworks and why are they important?

So, to start, I’ll say that there are a number of different cybersecurity frameworks used by organizations around the world. Each one of them is a foundational set of best practices, standards, and guidelines to follow in order to better manage risk in an organization’s environment. These frameworks are important because they help organizations assess and improve their ability to prevent, detect, and respond to cyberattacks. Building a comprehensive cybersecurity program – especially in a large, complex multinational organization – can be challenging, so these approaches give organizations a nice blueprint to follow. Enterprise security leaders can use them before they embark on a cybersecurity project to understand best practices in implementing a phased approach for securing different components in their environment. They can also be used to benchmark against current security approaches to understand whether more action is needed to reduce risks in certain areas of infrastructure.

Which cybersecurity framework is best to consider when building enterprise security strategy for business-critical applications and why?

I would say it’s tough to say “best”. However, the National Institute of Standards and Technology (NIST) developed the NIST Cybersecurity Framework, which is one of the most comprehensive and adaptable cybersecurity frameworks to date. The goal of the framework is to use business drivers to guide cybersecurity activities as well as consider and include cybersecurity risks as part of the organization’s overall risk management process. Ideally, it should be used by security leaders to identify and develop models appropriate for their own organizations. A key element of the NIST framework is identifying a set of functions and activities to achieve specific cybersecurity outcomes, including the ability to identify, protect, detect, and respond to threats. Interestingly enough, SAP ultimately adapted it to create the SAP Secure Operations Map, a best practices methodology for the security of an organization’s SAP environment.

A key element of this approach is to focus on the application security layer, which has increasingly become a target for attackers, especially business-critical applications or the “crown jewels” of an organization. Securing these applications (for example, SAP business-critical applications) is an essential component of implementing that larger strategy of defending against threats and better managing risk across an organization. These applications are the lifeblood of an organization, supporting key processes such as finance, manufacturing, and human resources, as well as many other processes a business needs to operate. A direct attack against any of these applications (e.g., HRM, supply chain, CRM, ERP) has the potential to have a huge impact on the entire enterprise.

How does Onapsis align with these cybersecurity frameworks?

Onapsis primarily focuses on the application layer found within these cybersecurity frameworks, but I will add that the threat intelligence provided from Onapsis Research Labs may have broader application across the framework – e.g., with network-exploitable vulnerabilities. Onapsis identifies risk, protects and safeguards these applications, and enables the implementation of appropriate action for response. Frequently, business-critical applications, like SAP, can be a blind spot within organizations. These applications are typically managed by IT teams, who are focused more on performance and availability than security. Security teams lack the visibility, knowledge, and context they need to identify vulnerabilities within these ecosystems and mitigate the risk they pose to the business. The Onapsis Platform directly addresses these challenges by delivering four pillars of business application security focused on vulnerability management, threat detection and response, application security testing, and continuous compliance for business-critical applications. With Onapsis and a solid cybersecurity framework, various corporate teams (e.g., Infrastructure, Network, Security, and SAP BASIS) can better align on a strategy to secure their business-critical applications and focus on the right tactics and technology to mitigate risk in their environment, with clear milestones and goals mapped at every phase.