Security Archives | SAP News Center

Fully Homomorphic Encryption: Data Insights Without Sharing Data
Thu, 28 Mar 2024 12:15:00 +0000

Carbon footprint calculation, patient privacy, and machine learning based on sensitive data – thanks to advanced encryption methods like fully homomorphic encryption.

Most have been in this situation before: one of the providers or services we use is a victim of a data breach and we want to determine if our personal user data has been impacted. This is where fully homomorphic encryption (FHE) comes into play. With FHE, the encrypted, personal password is compared against the data set of stolen user data and potential matches are identified without ever revealing the user’s password.

Use cases for this type of privacy-enhancing technology (PET) are numerous. They range from applications in medicine, where third-party service providers can analyze health data without compromising a patient’s privacy, to performing machine learning and AI algorithms on encrypted data, allowing organizations to derive insights from sensitive data sets without exposing the data to potential breaches or privacy violations.

How It Works

Fully homomorphic encryption allows calculations to be performed on encrypted data without having to decrypt it first. Confidentiality is maintained, as even the results are encrypted and can be viewed only with the appropriate decryption key. Further techniques for processing encrypted data are multi-party computation (MPC) and trusted execution environments (TEE).

Mathias Kohler, research manager at SAP Security Research, outlines the differences: “While FHE is the most known of the encryption technologies, MPC is the ideal candidate if working with several parties exchanging encrypted data across company borders. And it can be substantially faster than FHE.” While both are software-based technologies, TEE is hardware-based, which makes it the fastest choice. The downside: TEEs, unlike MPC and FHE, require decrypting the data for processing. While decryption happens in a trusted hardware environment isolated from the operating system, it can allow data leakage via side-channel attacks. Notably, PETs do not need to be considered in isolation and can augment each other. For example, MPC can encrypt and distribute an FHE decryption key, protecting the FHE key and ensuring no single party can decrypt everything.

SAP protects businesses’ applications and data by building, running, and maintaining more-secure operations

Why It’s Relevant

There is a demand for this kind of technology. By 2025, 60% of large organizations will use at least one privacy-enhancing computation technique in analytics, business intelligence, or cloud computing, according to .

Fully homomorphic encryption has numerous applications, especially in scenarios where privacy and security are paramount, such as secure computation in the cloud, privacy-preserving data analysis, and secure outsourcing of computations. As long as one party is performing the data processing centrally, FHE is the encryption method of choice. FHE enables organizations to share encrypted data with partners or third parties for analysis or monetization purposes while maintaining data confidentiality. This is particularly relevant in industries such as advertising and market research.

Interesting use case scenarios from SAP’s perspective could be secure benchmarking and predictive maintenance.

Secure Benchmarking

Companies often assess their competitiveness relative to industry peers and compare business-relevant KPIs, such as automation rate or return rates, with peers and even competitors. With fully homomorphic encryption, all participating parties can share encrypted KPIs without revealing individual data. As a result, they learn about relevant statistics, such as averages or medians, to assess their relative competitiveness and decide where to improve and invest.

Predictive Maintenance

Predictive maintenance is a machine learning technique to forecast demand for maintenance or spare parts based on historical data. “In certain industries, required data, such as usage patterns and failures, is considered sensitive and is not easily shared with data scientists or maintenance operators,” says Anselme Tueno, senior researcher at SAP Security Research. By computing on encrypted data, however, no sensitive information is revealed while still allowing for the required insights to be gathered for prediction tasks.

Carbon Footprint Calculation with Multi-Party Computation

While it is early days from a product availability perspective, SAP is working on potential use cases with customers and partners. One key example is calculating carbon footprints of products.

Prime examples for complex collaborations are today’s supply chains, intricate networks that encompass various levels of suppliers, manufacturers, and processed goods. Unfortunately, there is often a lack of comprehensive visibility across the entire process – either for technical reasons or because businesses are often reluctant to share sensitive data across supply chains that often include direct competitors.

However, to accurately assess and disclose a product’s carbon footprint, sensitive production details and associated carbon costs for production-relevant parts and materials are required. Here, MPC can reveal only the required carbon footprint without disclosing associated, proprietary manufacturing details with other supply chain participants.

Currently, SAP is working with Bosch on cloud-native software for secure multi-party computation called .

“SAP participates in this open-source project and supports the development of Carbyne Stack’s storage and processing services and the deployment of Carbyne Stack on Amazon Web Services (AWS),” Kohler explains. “For Bosch, Carbyne Stack is a type of cloud-native operating system for MPC workloads that manages resources to run as efficiently as possible in multi-cloud deployments.” This effort can help SAP in the long run to integrate MPC as technology into SAP solutions and services while running in a cloud-native environment.

What’s Next?

Despite all the benefits around processing data, encryption introduces significant computational overhead due to the complexity of performing operations on encrypted data. Slow processing speeds, especially for complex operations and large data sets, make fully homomorphic encryption impractical for real-time applications or large-scale data processing. Although the performance of FHE has greatly improved in recent years, its practical adoption is still limited due to the processing overhead and performance considerations. Ongoing research is focused on the design of FHE-specific hardware accelerators.

“PETs for computing on encrypted data have the power to amplify data-driven business collaborations and reshape the future of cloud computing,” explains Jonas Böhler, senior researcher at SAP Security Research. By safeguarding data, they enable access to previously untapped information while minimizing privacy risks and thwarting data breaches. The future of computing is encrypted.


Sharing Data Without Sharing It: Secure Computation with Bosch
Thu, 07 Dec 2023 13:15:00 +0000

Data is among the most valuable assets of SAP customers and partners, with the power to enhance strategic decision-making and ensure competitive advantage. However, privacy and security concerns immediately arise when collecting and processing sensitive data.

This is why SAP and Bosch have joined forces to harness the power of secure multi-party computation (MPC) and help enable secure and privacy-preserving data analysis across different organizations and industries.

Bringing Secure Computation to the Industry Level

MPC is an advanced cryptographic technique that can offer significant benefits to SAP customers and partners that often deal with sensitive data from various sources and stakeholders. MPC allows multiple parties to jointly perform a computation without revealing any sensitive information that may be contained in their input data.

That’s a great achievement because companies often fear that the risk of sharing their data openly is greater than the potential value of the sharing itself. One example is the supply chain, where multiple parties are involved. Object-level tracking allows companies to collect large amounts of data, such as time, location, or handling of the goods they produce. Combining the data collected by the different companies involved can have significant benefits. However, two companies may only be willing to share information about common items that they have both handled along the supply chain. MPC can help solve this dilemma with secure and private computation. 


As a result, organizations can perform complex data analysis and processing without compromising confidentiality or compliance. predicts that by 2025, 60% of large organizations will use at least one privacy-enhancing computation technique in analytics, business intelligence, or cloud computing.

“Companies can thrive the most when collaborating in business networks, and sharing data is a key component of these ecosystems. MPC can help protect sensitive data from unauthorized access and misuse while still enabling valuable insights and analytics,” says Volkmar Lotz, head of SAP Security Research at . Powering secure benchmarking, fraud detection, supply chain optimization, or personalized services, MPC facilitates data sharing and collaboration across different organizations and sectors, creating new opportunities for innovation and growth.

Lifting MPC into the Cloud 

In response to the demand for greater data privacy, Bosch Research has initiated the open-source project , which makes MPC available for a cloud environment. This way, confidentiality and privacy are maintained when data is processed by cloud services.   

“Carbyne Stack is a kind of cloud-native operating system for MPC workloads, managing resources to make them run as efficiently as possible in multi-cloud deployments,” explains Sven Trieflinger, senior project manager and group lead at Bosch Research. “From a business perspective, it’s the seed for an upcoming open ecosystem of technology building blocks that will accelerate the development and adoption of MPC technology across multiple industries.” 

SAP has recently joined Carbyne Stack as a contributor. Building on both partners’ leadership in data security, cloud computing, and business applications, the collaboration will explore the potential of MPC for various use cases and industries currently constrained by security and privacy concerns. One of the first topics for SAP will be to make the Carbyne Stack storage and processing services easily consumable from within the browser and to add support for deploying Carbyne Stack on Amazon Web Services (AWS). These changes will help SAP work towards its vision of providing services for privacy-preserving data operations across different organizations and sectors, creating new opportunities for innovative business cases.

“By combining the strengths of SAP and Bosch, we aim to advance the state of the art in MPC and enable new business cases for our customers and partners,” says Lotz.

SAP targets use cases in industries such as automotive, manufacturing, healthcare, and finance. The exploration of MPC’s potential holds the opportunity to revolutionize those industries by solving critical data privacy and security challenges without compromising collaboration and innovation.

To find out more about secure multi-party computation, get in touch with us at icn@sap.com.


Mathias Kohler is a research manager for SAP Security Research.

Zero Trust for the Highest Level of Data Protection, Security, and Privacy in the Cloud
Thu, 02 Mar 2023 13:15:31 +0000

When Rihanna sang some of her greatest hits suspended on a platform that hovered 15 to 60 feet above the stadium at this year’s Super Bowl, trust in technology was of utmost importance. On the same note, trust is crucial when it comes to an organization’s security on every platform it operates.

Data privacy, risk management, and cybersecurity remain key priorities for businesses in 2023 to ensure continuous high performance and to catapult to new heights. In a recent , 43% of survey respondents said that they plan to upgrade IT and data security to reduce corporate risks. That includes security and data protection measures to keep their data safe. This becomes even more important when moving to and operating in a cloud enterprise resource planning (ERP) environment to drive continuous innovation. In the same CIO survey, 12% of the respondents said that they are planning to accelerate the move to the cloud as a service.

Adopt a Zero Trust Security Approach for the Cloud

To secure data and operations in a hybrid work environment, companies have been adopting a zero trust approach. defines zero trust as an “information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy, informed by continuous, contextual, risk-based verification across users and their associated devices.”

According to 2022 global survey data published by , 39% of companies have already begun to roll out a zero trust solution and 41% of companies have plans to adopt a zero trust strategy and are in the early phases of doing so.

My principle in life is to trust people and systems until I am provided a reason not to. The zero trust principle is the exact opposite of this.

The zero trust approach has three key principles: all entities and users are untrusted by default until authorized, the least privilege access is enforced, and extensive security monitoring is in place. In short, no connections to corporate networks and systems should be trusted at sight. All users, devices, and systems need to be authenticated, reverified, and continuously monitored when accessing networks, systems, and data.

Adopting this approach to cloud transformation has become the leading industry standard to keep operations and data safe across the entire virtual and physical network infrastructure.

Here are some best practices for putting an enterprise security plan in place that utilizes zero trust concepts to run operations safely and securely in the cloud.

Define Clear Security Roles and Responsibilities

First and foremost, ensuring security is always a shared responsibility between companies and their cloud transformation partners. It is a common goal and commitment that is independent of the type of cloud path companies take.

Like with any shared responsibility, the best way to approach it is by defining the roles and responsibilities up front. This process starts by asking these key questions: who is managing the cloud, how will everyone work together to secure the cloud, who is responsible for which part, and where are dependencies?

This will ensure that there is a clear strategy and plan to monitor and implement security policies and measures.

Keep an Eye on Users, Devices, Network, Applications, and Monitoring

Based on our experience at SAP Enterprise Cloud Services, another best practice is to focus the zero trust security approach on five pillars: users, devices, networks, applications, and monitoring.

Eighty-seven percent of organizations consider the application layer as being the front door for data breaches. Most data breaches through cyberattacks happen because users fail to keep their credentials safe or fall prey to false identities. In addition, the number of remote users with their own devices has significantly increased in enterprise networks as well as the number of cloud-based assets that are not located within an enterprise-owned network boundary.

By regulating and monitoring user access to devices, networks, and applications, companies can protect all their resources, including assets, services, workflows, and network accounts. For example, identity management systems can manage privileged user authentication and access at a very granular level. This includes keeping administrative accounts separate from corporate accounts and applying encryption to several layers in the IT environment. Data classification makes it possible to associate the security levels with specific types of data, regardless of where that data resides – in the cloud, at endpoints, or in owned data centers.

Scaling Security Needs Faster with the Cloud

While managing the complexity of security needs for cloud transformations can be daunting, here is an added merit: companies can scale their security needs much faster in the cloud, according to research. Benefits include better automation capabilities as well as higher storage and data capacity in the cloud. Companies can push infrastructure as code and fix a security problem in real time when operating in the cloud. Automation also helps in increasing the maturity of identity management and security management systems. recommends embracing cybersecurity as a differentiator to promote greater stakeholder trust and better use of cloud-native solutions that take advantage of the cloud’s full potential.

In other words, you can shine like a diamond on your cloud platform of choice with a zero trust security approach for the cloud.

For more information, visit the site and read this chief security officer for SAP Enterprise Cloud Services.


Peter Pluim is president of SAP Enterprise Cloud Services and SAP Sovereign Cloud Services.

Safeguarding Your Crown Jewel: UI Data Protection
Thu, 10 Feb 2022 11:15:58 +0000

Data protection and privacy have always been important, but the desire to execute has become more crucial as sensitive data is digitized and shared online.

“Data is the new oil,” according to in 2006. In 2017, said, “Data is the currency of the digital age.” The world has recognized the value of data in how people do business in the 21st century.

More than 400,000 companies are using SAP to run their business where often their most important data is processed.

Last year was one of privacy compliance, where many organizations were fined enormous amounts due to lack of data privacy processes and governance. This led to data protection and privacy regulations being constantly updated to suit the ever-changing threat landscape and required controls. Therefore, it is expected that these updates be implemented in 2022 and beyond.

SAP has been working on innovative options to protect its customers’ “crown jewel” — not just from external threats but those closest to it, such as employees, business partners, and other users who have privileges to access sensitive information.

, data is worth a significant amount when stolen and sold on the black market or abused for money or any malicious intent. Industries and governments have therefore put in place regulatory and legal compliance requirements to help ensure that such sensitive information is not misused to cost companies their business or economies worldwide. The growing concerns and possible repercussions for neglecting to safeguard such data can lead to incidents where recovery is difficult.

A best practice for companies to proactively address data protection is to help employees avoid inadvertent data breaches. SAP addresses this with UI data protection masking and UI data protection logging packages developed by the Customer Innovation & Maintenance organization at SAP.

“With the increase in remote workers, companies are challenged with securing sensitive data while allowing employees to access information and execute business processes seamlessly,” said Thomas Ruhl, head of Product Management for Customer Innovation & Maintenance at SAP. “This is only one example of the growing data protection needs of our customers. That’s why we created the new UI data protection masking and UI data protection logging software, which enables them to safeguard their data using dynamic rules that can address complex business scenarios.”

Proven SAP Solutions Help Customers with Data Protection

UI data protection masking and UI data protection logging empower businesses to have control over which data, if deemed sensitive, should remain visible for a user to fulfill his or her job. It keeps an audit trail of user access and analyses it, helping eliminate the need to micromanage.

UI data protection masking and UI data protection logging target insider threats — be they intentional or unintentional. Rules can be set to obfuscate or reveal specific data to users according to nominated authorization levels.

The process of masking happens on the server side but only at the user interface layer and does not impact the application or database layers. Masking is commonly used in concealing data such as personally identifiable information (PII), HR, financials, intellectual property, customer information, trade secrets, and anything that can be subject to harmful intent or mistake, thereby putting the business at significant risk.

UI logging is the ability to gather audit logs, allowing tracking and tracing of the journey of the data, including users who accessed them. It is synonymous with leaving a fingerprint at every turn. This is ideal for audit and investigative processes.

UI masking and UI logging also help address regulatory compliance requirements such as General Data Protection Regulation (GDPR). It may be EU-centric, but the regulation affects anyone or any entity outside of the EU who accesses, processes, or stores data of EU natural persons. More and more geographies are enacting similar legislation, often based on a similar direction as GDPR, such as the California Consumer Privacy Act (CCPA). Taking steps to be compliant will incur the least effort and cost as opposed to being fined for a significant amount., GDPR fines totaled US$63 million in its first year.

A use case that is becoming increasingly popular is data access by employees from separate entities, such as demergers, sharing the same application instance. This is when attribute-based authorization is relevant and less cumbersome, without the need to modify the application or provide an additional instance.

Here are questions that can help identify whether UI data protection masking and UI data protection logging are relevant to your business:

  • Does your organization use SAP?
  • Is sensitive information such as PII, trade secrets, IP, and business plans processed in SAP?
  • Is the sensitive information valuable enough to be protected?
  • Are there any data protection and privacy compliance requirements?
  • Is your organization’s business in the process of merging/demerging?
  • Do you find the static role-based authorization model insufficient?
  • Would a dynamic approach that offered better granularity be more appropriate?
  • Do you require a facility to investigate, spot data breaches, and ascertain who is responsible?

If the answer is yes to point one and to any of the following questions thereafter, then SAP would suggest:

  • Discovering what UI data protection masking and UI data protection logging for SAP can do from the .
  • Contacting your SAP account manager to arrange an initial discovery call with the product team or SAP experts.
  • Planning the next steps together with the SAP team, such as solution value for your business case, solution demo, and more.
It’s Time to Take the Ransomware Threat to Business-Critical SAP Applications More Seriously
Fri, 02 Jul 2021 13:15:49 +0000

Almost every day, we see yet another case of ransomware. While historically, companies of all sizes are targeted, recently it appears that all the news revolves around debilitating attacks on mission-critical or business-critical systems of large enterprises — from fuel and energy companies to food processing companies.

It’s not that these enterprises haven’t taken steps to protect these assets; it’s just that the “traditional” way of preparing for and responding to ransomware simply won’t work anymore.

So what’s needed to protect your organization’s business-critical applications from the looming threat of ransomware? That’s exactly what SAP and Onapsis seek to address here.

When most people think about ransomware, there are two immediate, “traditional” solutions that come to mind: backups and endpoint security. Both are critical components of a solid security program, without a doubt. However, their presence could lull organizations into a false sense of security, as there still remain gaps, especially related to business-critical systems that are connected in more ways than ever before.

The challenge is that many enterprises realize too late that, in preparation for a ransomware attack, you need to close all the doors and windows of your house — not just the front door of endpoint protection. When thinking about ransomware attack vectors, it’s imperative to consider all potential entry points into the business-critical environment and how to secure them. To continue this metaphor, this also includes evaluating your neighbors and how they get into your house too.

When you think about all of these vectors, you slowly realize that this challenge goes way beyond just endpoint security and backups. It requires a more holistic look at securing your business-critical applications, including — yes — things that we would classify as “good security hygiene.”

In a recent , we demonstrated that threat actors clearly have the means, the motivation, and the expertise to identify and exploit unprotected mission-critical applications, and are, in fact, actively doing so.

As an example, a massive, publicly traded company was recently subjected to a ransomware attack on its enterprise resource planning (ERP) application data. Did they have backups? Yes: the backup was refreshed once a week. However, operations halted anyway. When this happens, even with backups in place, it could still take hours or even days to restore from a backup, and the negative impact on the business and the financial losses are high regardless. Did they have endpoint security? Yes; however, the attackers bypassed the endpoint detection and response (EDR) software by accessing the data through the application. EDR is great for identifying activities on compromised assets and allowing the containment and collection of artifacts, such as process trees, files created by malware, but the application level still poses a challenge. And these attackers used that application layer, which was not monitored by the tool itself, to compromise the business-critical assets.

Vulnerabilities such as 10KBLAZE, PayDay, and RECON allow threat actors to take full control of applications through the application layer itself. These threat actors go straight to the application, and, once in, go down to the operating system level there. When you consider CIO digital transformation initiatives or the rapid adjustment to remote work due to the COVID-19 pandemic, there is a significant magnification of risk. Onapsis has observed that new, unprotected SAP applications provisioned in IaaS environments were discovered by threat actors and attacked in less than three hours, with more than 400 successful exploitations observed as of the date of this publication.

Ultimately, what’s needed then is a new model to defend against ransomware, one that goes beyond the scope of just protecting endpoints, backing up files, and hoping for the best. claims that organizations should “[i]mplement a risk-based vulnerability management process that includes threat intelligence. Ransomware often relies on unpatched systems to allow lateral movement. This should be a continuous process. The risk associated with vulnerabilities changes as these vulnerabilities are exploited by attackers.” We couldn’t agree more.

What’s needed is a renewed commitment to some key security fundamentals:

  1. Security Hardening of Business-Critical Applications
  2. Timely Patch Management
  3. Point-in-Time Vulnerability Assessments
  4. Continuous Monitoring of Vulnerabilities and Threats to Your Business-Critical Applications
  5. Securing Your Custom Code in Business-Critical Applications
  6. A Commitment to Control and Governance

SAP is committed to continuously innovating our software to keep your information safe — both on premise and in the cloud. We prioritize security so that you can stay focused on running your business and managing your customer relationships effectively using SAP solutions, safe in the knowledge that your data is secured. To protect clients from ransomware attacks, securing development infrastructure, such as the build and deploy chain, is of utmost importance to prevent the manipulation of shipment artifacts.

As part of our commitment to clients, SAP follows a secure software development and operations lifecycle to identify and mitigate all kinds of security weaknesses and vulnerabilities during the development of products and services. Through the use of risk identification techniques such as the SAP threat modeling method and secure development trainings, SAP enables development teams to eliminate potential entry points for ransomware and other kinds of attacks. It also ensures that basic security principles, such as that of least privilege, are part of the DNA of SAP developers.

SAP continues to harden our systems with automated static code analysis, vulnerability scans, and validation from a dedicated, independent SAP internal security team. SAP’s software development lifecycle serves as an example to clients on how to support a DevSecOps model covering development and operations aspects for continuous and secure delivery of software.

When deploying and running SAP applications, it is imperative that organizations focus on hardening their system to minimize the overall attack surface — for example, ensuring the proper setting of system parameters and other aspects of system configuration, including the activation of security features and functionalities. It is important that the proper configuration settings are in place to protect an organization against possible security vulnerabilities.

SAP provides key features such as the SAP EarlyWatch Alert service, which monitors the essential administrative areas of SAP components to keep organizations up to date on performance and stability as well as the SAP Security Optimization service, which verifies and improves the security by identifying potential security issues related to your SAP solution and providing key recommendations.

As threat actors continue to devise new modes of attack and vulnerabilities to these attacks are identified, SAP continuously provides security updates for existing code to keep your systems secure. SAP delivers these security updates through support packages, and, on the second Tuesday of every month, as part of “Security Patch Day,” SAP publishes security notes with the latest security corrections and recommendations. As noted, implementing a security maintenance process to assess and implement recommended security updates is a proven best practice for mitigating risk.

Onapsis has focused on protecting business-critical applications since 2009. We target the application layer with our Onapsis platform and serve an essential part of our clients’ plans to protect their business-critical SAP applications from ransomware attacks.

  • By providing automatic visibility into critical vulnerabilities, missing important patches and security updates, misconfigurations, and insecure interfaces, Onapsis identifies all the open doors. This is a crucial component in any ransomware prevention initiative. Once the entry points are identified, they can be closed, thereby reducing the attack surface that may lead to ransomware.
  • Through continuous monitoring and real-time alerts for threat indicators, Onapsis helps monitor real-time attempts to access critical systems through any remaining open doors. Win precious time to prevent threat actors from gaining further access.
  • With code analysis in real time, prior to moving into production, and in transport, Onapsis can help identify foreign code, such as malware, or new vulnerabilities before they get released to the public. Code vulnerabilities may appear to be a minor attack vector, until they’re not, such as in the case of the SolarWinds attack. In Onapsis’ experience, we generally see one critical vulnerability per 1,000 lines of code, but our clients generally have millions of lines of custom code. It’s important to close those thousands of open doors to prevent any access to business-critical systems.

It’s time to think differently about ransomware. We’re in the middle of a perfect storm, with more unprotected SAP applications and remote workers than ever before, expert threat actors who have the expertise to attack these systems, hyperconnected business-critical systems across the cloud, and strained InfoSec teams that may have fallen behind in patching and vulnerability management. Ransomware is the final step of an attack that could utilize a myriad of attack vectors to directly access your business-critical applications.

Organizations should leverage the powerful native security capabilities of SAP, establish the right risk-based patch, code, and vulnerability management processes, and take advantage of the optimized tools and critical threat intelligence from Onapsis. If they do so, organizations can drastically reduce their risk profiles, stay a step ahead of ransomware groups, and ultimately keep their names out of the news.


Tim McKnight is CSO of SAP.
Richard Puckett is CISO of SAP.
Mariano Nunez is CEO of Onapsis.

Additional contributors to this content include: Elena Kvochko, Imran Islam, Oliver Meli, Vic Chung, and Robert Lorch from SAP, as well as David D’Aprile, Maaya Alagappan, and Tess Cunard from Onapsis.

SAP and Columbia University School of International and Public Affairs Join to Improve Diversity in Cybersecurity
/2021/06/diversity-in-cybersecurity-sap-columbia-university-sipa/ Wed, 30 Jun 2021 13:00:47 +0000 /?p=185942

WALLDORF — SAP and SIPA will identify and develop early talent in the cybersecurity sector.

WALLDORF — (NYSE: SAP) today announced a new relationship with Columbia University School of International and Public Affairs (SIPA) to identify and develop early talent in the cybersecurity sector.

This agreement aims to help improve diversity in the cybersecurity sector by collaborating on a curriculum, providing more internships and early career opportunities, enabling better knowledge transfer between the organizations and encouraging early talent to explore new career opportunities.

“As technology progresses, it is our responsibility in the software industry to devise new ways to protect valuable data, support business operations and secure enterprises of all sizes,” said Tim McKnight, chief security officer, SAP. “This close relationship with Columbia University allows us to identify diverse talent to keep SAP’s customers and products safe while providing students and recent graduates an opportunity to launch a new and exciting career.”

As cyberattacks continue to make headlines, the demand for cybersecurity professionals is increasing.

“While there is a high demand for cybersecurity professionals, there also is a significant gender disparity in the cybersecurity workforce,” said Elena Kvochko, chief trust officer, SAP. “We are hopeful that introducing this career path to students and recent graduates will bring a greater level of diversity to the industry. We believe that diversity will bring new ideas, skills and creativity when solving security challenges.”

SAP plans to lead events on and off campus, contribute to thought leadership programs, host career events and sponsor Capstone workshops – SIPA’s signature consulting projects, which give students the opportunity to work with and advise external clients.

According to Jason Healey, senior research scholar at Columbia SIPA and a pioneer of cyberthreat intelligence, the school is looking forward to the opportunities this relationship will provide for students.

“Due to SAP’s funding, we’re already finding new opportunities to reach out to our diverse student body to let them know about the amazing job prospects in cybersecurity, even for those outside of STEM,” Healey said. “The events, projects, information and first-hand experience our students will have access to will be extremely valuable for their career development.”


Media Contact:
Mary Lasher, +1 (650) 421-6048, mary.lasher@sap.com, ET
SAP Press Room; press@sap.com

Any statements contained in this document that are not historical facts are forward-looking statements as defined in the U.S. Private Securities Litigation Reform Act of 1995. Words such as “anticipate,” “believe,” “estimate,” “expect,” “forecast,” “intend,” “may,” “plan,” “project,” “predict,” “should” and “will” and similar expressions as they relate to SAP are intended to identify such forward-looking statements. SAP undertakes no obligation to publicly update or revise any forward-looking statements. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. The factors that could affect SAP’s future financial results are discussed more fully in SAP’s filings with the U.S. Securities and Exchange Commission (“SEC”), including SAP’s most recent Annual Report on Form 20-F filed with the SEC. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates.
© 2021 SAP SE. All rights reserved.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other countries. Please see for additional trademark information and notices.

SAP and Columbia University School of International and Public Affairs Team Up to Attract Female Talent to Cybersecurity
/2021/06/sap-columbia-female-talent-in-cybersecurity/ Wed, 30 Jun 2021 13:00:29 +0000 /?p=186375

Worldwide cybercrime costs, according to , will hit US$6 trillion annually this year. At the same time, the U.S. cybersecurity labor market is short half a million workers.

While the shortage in cybersecurity offers great career opportunities, it is not expected to be filled anytime soon. Hardly an organization is not impacted by a cybersecurity skills shortage – but it’s not a field where those willing to enter can become an expert overnight. A mid- to long-term strategy is required.

Security Starts with People

At SAP, security starts with people – professionals who are innovative, curious, tenacious, and driven to find new ways to solve emerging challenges in cybersecurity. According to SAP Chief Security Officer Tim McKnight, a diverse workforce is key to creating a greater mix of ideas to spur innovation. One of the issues in the industry, though, is that only 10% of information security professionals are women.

For SAP’s chief security officer, it is important that his organization achieve gender balance. “It needs to be built into our DNA, with my leadership team as well as throughout the organization,” McKnight stated. For him, it’s one thing to set goals for gender diversity but another matter altogether to build it into the culture of an organization.

“We’re looking for professionals who are driven by our mission: helping the world run better and improve people’s lives,” McKnight added. “A diverse professional background is important in solving the complex problems of cybersecurity.” Accordingly, SAP wants people with a passion for cybersecurity and an analytical mind-set who can think outside of the box, which goes beyond technical skills. For McKnight, women are key to increasing cybersecurity skills within his own team, but also to achieving greater gender parity in the workforce.

SAP and Columbia SIPA Team to Improve Diversity in Cybersecurity, Attract Early Talent

SAP is taking a new route to close the skills gap and the gender gap by forging a new relationship with Columbia University School of International and Public Affairs (SIPA). According to the announcement made by SAP, the goal is to identify and develop early talent and improve diversity in the cybersecurity sector. Specific objectives include collaborating on a curriculum, providing more internships and early career opportunities, enabling better knowledge transfer between the organizations, and encouraging early talent to explore new career opportunities.

“Early engagement is an important factor when it comes to increasing diversity in the workplace,” said Beth Mauro, associate dean of Development at Columbia SIPA. “Ultimately, it benefits both the company and students. The company has the benefit of gaining a diverse workforce and the students have a unique opportunity to enter a high-demand career path with plenty of opportunities for growth.”

SAP will lead events on and off campus, contribute to thought leadership, host career events, and sponsor Capstone workshops – SIPA’s signature consulting projects, which give students the opportunity to work with and advise external clients.

SAP Chief Trust Officer Elena Kvochko observed: “We are hopeful that introducing this career path to students and recent graduates will make this career field more attractive for women.”

For SAP, security and diversity are not just about being compliant and fair but about bringing ideas, skills, and creativity to the organization to find new ways to solve emerging challenges in cybersecurity.

SAP expects to see an increasing demand for a broader scope of professionals, such as incident response specialists, information security engineers, and penetration testers, but also for traditionally nonsecurity roles to incorporate more security-related tasks. This trend is opening doors to many opportunities for transitioning to a career in cybersecurity. SAP is currently seeking to hire 100 security professionals. For more information, see .

Why Ethical AI Is Our Strongest Weapon in the Data Privacy Wars
/2021/04/ethical-weapon-data-privacy-wars/ Tue, 20 Apr 2021 10:15:12 +0000 /?p=184601

Scary “surveillance society” headlines that vilify distract from this technology’s equally powerful ability to protect our personal data. Researchers are exploring how AI-fueled anonymization tools can keep data models intact and in compliance with both government regulations and consumer expectations for trusted business.

AI’s Role in Secure Data Anonymization

The simple truth about AI is that, when used responsibly, it doesn’t have to force a costly bargain between personalization and privacy. General Data Protection Regulation (GDPR) protects personal data in many regions, confining its use to specifically consented purposes. In other countries, organizations protect customer data to foster trust aligned with corporate and societal ethics. In the meantime, companies continue amassing an explosion of data that can help them get closer to customer needs, head off problems, and develop future innovations. AI models that scrub all this valuable data of personal identifiers are the answer.

“Instead of using someone’s personal data, companies can train AI models to anonymize the information and create what’s called differential privacy datasets,” said Francesco DiCerbo, research lead for AI Privacy at . “We can add random noise to the details about single individuals while preserving the overall statistical properties of the population. Think of it as seeing the silhouette of a person you can’t identify.”

DiCerbo’s team uses AI-based tools in personal data protection solutions and conducts research on advanced anonymization techniques. He added that anonymized data offers another layer of protection for individuals and organizations in case of security breaches.
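The idea DiCerbo describes, noise added to each individual's record while the population statistics survive, can be shown with randomized response, a classic local differential privacy mechanism. This is an added example, not SAP's tooling; the yes/no attribute, the 30% true rate, the dataset size and epsilon = ln 3 are constructed assumptions.

```python
import math
import random


def keep_probability(epsilon):
    """Chance of reporting the true bit; the ratio p / (1 - p) equals e^epsilon."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive, otherwise no signal survives")
    return math.exp(epsilon) / (math.exp(epsilon) + 1.0)


def randomize(records, epsilon, rng):
    """Noisy copy of the dataset: each individual's bit is flipped with probability 1 - p."""
    p = keep_probability(epsilon)
    return [bit if rng.random() < p else 1 - bit for bit in records]


def estimate_rate(noisy, epsilon):
    """Recover the population rate from the noisy bits.

    E[observed] = rate * p + (1 - rate) * (1 - p), solved for rate.
    """
    if not noisy:
        raise ValueError("empty dataset")
    p = keep_probability(epsilon)
    observed = sum(noisy) / len(noisy)
    estimate = (observed - (1.0 - p)) / (2.0 * p - 1.0)
    return min(1.0, max(0.0, estimate))  # sampling noise can push it outside [0, 1]


def demo(seed=7):
    # Seeded PRNG only so the demonstration is reproducible; a real deployment
    # would draw the noise from a cryptographically secure source.
    rng = random.Random(seed)
    # Constructed data: 20,000 individuals, 30% of whom have the sensitive attribute.
    truth = [1] * 6000 + [0] * 14000
    rng.shuffle(truth)
    epsilon = math.log(3)  # keep probability 0.75, so about one record in four is false
    noisy = randomize(truth, epsilon, rng)
    flipped = sum(t != n for t, n in zip(truth, noisy)) / len(truth)
    return {
        "true_rate": sum(truth) / len(truth),
        "raw_noisy_rate": sum(noisy) / len(noisy),   # biased toward 0.5
        "flipped_fraction": flipped,                 # deniability for each individual
        "estimated_rate": estimate_rate(noisy, epsilon),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3f}")
```

No single noisy record can be trusted as that person's real value, yet the debiased estimate tracks the true population rate; a smaller epsilon gives each individual more deniability at the cost of a noisier estimate.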

Natural Language Processing for Data Privacy

AI can be fantastically helpful in anonymizing data because of its relative simplicity. One of the tools DiCerbo’s team is using relies on natural language processing (NLP) to identify and anonymize personal data from text such as customer orders, invoices, and e-mails. The tool discerns the meaning of words and numbers in semantic context such as names, locations, or organizations.

Grammatically, NLP can identify which words in a sentence are verbs or whether a number is an expiration date, someone’s birthday, or a social security number. Once it determines which words consist of sensitive personal data, that information is labeled accordingly. Those words or numbers might be geofenced to comply with country-specific regulations or restricted to designated personnel for specific uses only.

AI Fuels Company-Wide Business Advantages

predicted that by next year, at least 65% of Global 2000 companies will use AI tools such as NLP across the business to enable 60% of use cases in areas including customer experience, security, facilities, and .

AI-driven data anonymization offers just about every industry tremendous advantages. Consider healthcare clinicians who regularly supply insurance companies with valuable data about patient diagnoses, treatments, and outcomes. AI can anonymize deeply personal patient information while still extracting insights. Insurance companies can use this scrubbed data to better classify and predict a range of payment standards based on generic, yet accurate, parameters.

Retailers could use AI to better understand and improve the from anonymized feedback in social media, product reviews, or e-mails.

“You can train AI models to capture customer complaints about a product or service, sifting out identifying personal data while bringing the rest of the anonymized feedback into a new dataset,” said DiCerbo. “Analyzing this data, retailers can spot trends like lost shipments or defective merchandise, sending reports to appropriate departments. Teams can take steps to prevent problems, lowering costs and increasing customer satisfaction.”

Similar to customer data, organizations could use anonymized information to boost the . An AI model could be trained to determine employee stress levels based on certain keywords and other elements in HR tickets. To protect employee privacy, the tool would distinguish and separate any personal identifiers. The company could use the findings to not only prioritize HR ticket processing for speedier resolution near term, but also address unexpected employee stressors, such as a global pandemic.

Like any technology, AI is neither inherently good nor evil. Dystopian conversations about using AI to identify individuals for controlling or other nefarious purposes certainly capture audience attention. But what if we also gave equal time to explore doing just the opposite with AI, using it to not identify individuals? With the right intentions and scrupulous techniques, we can make AI a force for the larger good of business and society.


Follow me: @smgaler
SAP and Onapsis Proactively Notify and Help Customers Protect Mission-Critical Applications from Active Cyber Threats
/2021/04/sap-onapsis-application-cyber-threat/ Tue, 06 Apr 2021 13:00:48 +0000 /?p=184261

WALLDORF and BOSTON — The companies have jointly released a cyber threat intelligence report.

WALLDORF and BOSTON — (NYSE: SAP) and today jointly released a providing actionable information on how malicious threat actors are targeting and potentially exploiting unprotected mission-critical SAP applications.

The companies have worked in close partnership with the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Germany’s Federal Cybersecurity Authority (BSI), advising organizations to take immediate action to apply long-available SAP patches and secure configurations, and perform compromise assessments on critical environments.

SAP and Onapsis are not aware of known customer breaches directly related to this research. The report also does not describe any new vulnerabilities in SAP cloud software as a service or SAP’s own corporate IT infrastructure. Both companies, however, note that many organizations still have not applied relevant mitigations that have long been provided by SAP. Customers who fail to apply these protective measures and allow unprotected SAP applications to continue to operate put themselves and their business at risk.

The intelligence captured by Onapsis and SAP highlights active threat activity seeking to target and compromise organizations running unprotected SAP applications, through a variety of cyberattack vectors. Observed exploitation techniques would lead to full control of the unsecured SAP applications, bypassing common security and compliance controls, and enabling attackers to steal sensitive data, perform financial fraud or disrupt mission-critical business processes by deploying ransomware or stopping operations. These threats may also have regulatory compliance implications for organizations that have not properly secured their environments.

“This proactive research effort is the latest example of our commitment to ensure our global customers remain protected,” said Tim McKnight, chief security officer, SAP. “We’re releasing the research Onapsis has shared with SAP as part of our commitment to help our customers ensure their mission-critical applications are protected. This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments and proactively assessing them for signs of compromise.”

The scope of impact from these specific vulnerabilities is localized to customer deployments of SAP products within their own data centers, managed colocation environments or customer-maintained cloud infrastructures. None of the vulnerabilities are present in cloud solutions maintained by SAP.

“As an SAP partner for cybersecurity and compliance, we have observed firsthand the outstanding improvements SAP has made in the recent years to develop more secure software, patch critical vulnerabilities faster and overall proactively ensure SAP customers are secure,” said Mariano Nunez, CEO and cofounder of Onapsis. “The critical findings noted in our report describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years. Unfortunately, too many organizations still operate with a major governance gap in terms of the cybersecurity and compliance of their mission-critical applications, allowing external and internal threat actors to access, exfiltrate and gain full control of their most sensitive and regulated information and processes. Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action.”

To support customers that require investigation, threat remediation and additional postcompromise security monitoring, Onapsis is offering a 3-month free subscription to the Onapsis Platform for Cybersecurity and Compliance, an SAP endorsed app that can be accessed through .


About Onapsis

Onapsis protects the mission-critical applications that run the global economy, from the core to the cloud. The Onapsis Platform uniquely delivers actionable insight, secure change, automated governance and continuous monitoring for critical systems — ERP, CRM, PLM, HCM, SCM and BI applications — from leading vendors such as SAP, Oracle, Salesforce and others.

Onapsis is headquartered in Boston, MA, with offices in Heidelberg, Germany and Buenos Aires, Argentina. We proudly serve more than 300 of the world’s leading brands, including 20% of the Fortune 100, 6 of the top 10 automotive companies, 5 of the top 10 chemical companies, 4 of the top 10 technology companies and 3 of the top 10 oil and gas companies.

The Onapsis Platform is powered by the Onapsis Research Labs, the team responsible for the discovery and mitigation of more than 800 zero-day vulnerabilities in mission-critical applications. The reach of our threat research and platform is broadened through leading consulting and audit firms such as Accenture, Deloitte, IBM and PwC — making Onapsis solutions the standard in helping organizations protect their cloud, hybrid and on-premises mission-critical information and processes.

For more information, connect with us on Twitter or LinkedIn, or visit us at.

About SAP

SAP’s strategy is to help every business run as an intelligent enterprise. As a market leader in enterprise application software, we help companies of all sizes and in all industries run at their best: 77% of the world’s transaction revenue touches an SAP system. Our machine learning, Internet of Things (IoT) and advanced analytics technologies help turn customers’ businesses into intelligent enterprises. SAP helps give people and organizations deep business insight and fosters collaboration that helps them stay ahead of their competition. We simplify technology for companies so they can consume our software the way they want — without disruption. Our end-to-end suite of applications and services enables business and public customers across 25 industries globally to operate profitably, adapt continuously and make a difference. With a global network of customers, partners, employees and thought leaders, SAP helps the world run better and improve people’s lives. For more information, visit .

For customers interested in learning more about SAP products:
Global Customer Center: +49 180 534-34-24
United States Only: 1 (800) 872-1SAP (1-800-872-1727)

For more information, press only:
Michael Baxter, +49 151 17196185, m.baxter@sap.com, CET
Julia Fargel, +1 (650) 276-8964, julia.fargel@sap.com, PT
SAP Press Room; press@sap.com

Quantum Computers Challenge Blockchain’s Invincibility
/2020/06/quantum-resistant-blockchain-invincibility-challenge/ Wed, 03 Jun 2020 13:15:57 +0000 /?p=173112

Timelines for the emergence of may be fuzzy, but the threat they pose to the vaunted security of technology is profoundly real.

Originally popular as fail-safe security for bitcoin enthusiasts, blockchain is making inroads across numerous industries, most notably as a track-and-trace tool proving the provenance of goods across vast supply chains. Blockchain-based security may be even more valuable in managing supply and demand shocks during and after the pandemic. However, as blockchain services grow and quantum computers begin to emerge, now is the time to start thinking about quantum-resistant blockchain.

“Once quantum computers can break the cryptography being used today, blockchain loses its immutability,” said Cedric Hebert, senior researcher at SAP Security Research. “We wouldn’t be able to trust new transactions on a blockchain that wasn’t meant to resist quantum-fueled attacks. Companies will need to adopt new protocols to resist quantum attacks.”

Right now, it is difficult to go backwards on a blockchain’s immutable ledger and change original information in each block of the chain. This is especially the case as blocks are added with more data. People cannot easily rewrite history on its immutable ledger because other nodes on the chain would automatically reject any changes. Also, traditional blockchains are based on asymmetric cryptography, which prevents fraudulent signing. Unfortunately, quantum computers could theoretically break the immutability of any block in the chain and falsify historical transactions.

“Companies can use blockchain technology if they incorporate quantum-resistant encryption protocols,” Hebert said. “You would need to freeze the blockchain at some point and migrate transactions to the new protocol.”

Prepare Now for Post-Quantum Security

Even if a fraction of the predictions about blockchain come true, the security stakes are high for consumers and businesses.

Blockchain made list of top 10 strategic technology trends for 2020 and was predicted to infiltrate everything from processing insurance claims, loans, and recalls to identity management for students, patients, and citizens. By 2022, analysts said 10 percent of the world’s adult population will register for a blockchain-based self-sovereign ID, creating an expanding market of 485 million people who want to own and control their digital identities. Whether it is verifying transactions for bitcoin mining or tracking food from farm-to-table, blockchain’s security horizon depends on the unique situation.

“Companies need to factor in the lifespan of their blockchains,” said Andrey Hoursanov, lead for Quantum Security at SAP. “If you’re using it to trace shipments from raw materials sourcing to delivery, maybe you’re looking at months, not years. In contrast, bitcoin investments typically take longer. That’s where you need to seriously consider how to protect the blockchain against quantum attacks likelier to happen further in the future.”

Re-Securing Cryptocurrency

Cryptocurrency is not necessarily just for consumers trading bitcoins. IDC analysts predicted that over 12 countries, mostly emerging economies, will begin issuing a digital currency using blockchain technologies to promote economic stability and encourage electronic commerce by 2023. As some governments begin using cryptocurrencies, Hoursanov said companies will need to begin looking at post-quantum blockchain technology for business-to-business (B2B) transactions such as procurement involving collaboration between buyers and suppliers.

Cross-border payments are another potential security risk. For example, researchers predicted that in just three years, 85 percent of global container shipping will be tracked by blockchain, with half of this volume using blockchain-enabled cross-border payments. They said that 40 percent of tier one financial institutions will use blockchain networks to process point-to-point cross-border payments, bypassing SWIFT and the correspondent or central banking infrastructure by 2024.

Embracing Cryptography Agility

It is impossible to dismiss the security implications around blockchain and quantum computers. High-profile blockchain examples tend to spotlight tracking the authenticity of exceptional transactions like rare artwork or diamonds. The truth is, blockchain could underpin many everyday activities, speeding up ownership recordkeeping, settlement payments, and even loyalty and rewards tracking for customers in many industries.

Smart cities that rely on Internet of Things (IoT) technology have tremendous potential to use blockchain as part of the infrastructure to trade energy, charge electrical vehicles, and manage smart grids. By 2023, Gartner analysts think blockchain will be scalable technically, and will support trusted private transactions with necessary data confidentiality.

Anselme Tueno, researcher and cryptography expert at SAP Security Research, is on one of the teams exploring how to make software applications safe in a world with quantum computers.

“SAP is assessing post-quantum algorithms to determine how existing SAP applications can be made quantum-safe,” Tueno said. “Replacing broken cryptography or integrating a new one takes decades. Moreover, the security of post-quantum algorithms is not fully understood, which is why we have to prepare to replace them if they are broken. This is called cryptographic agility.”

COVID-19 has taught us that we cannot wait for a crisis to reveal the worst that could happen. Forewarned of blockchain’s eventual vulnerability, companies can be armed against the risks posed by quantum computers and take full advantage of the tremendous benefits of both technologies.


Follow me: @smgaler

As Business Hyperconnectivity Runs Rampant, What Happens to Privacy and Control?
/2020/02/homomorphic-encryption-hyperconnectivity-privacy-control/ Tue, 18 Feb 2020 14:15:42 +0000 /?p=168666

Next time you open a package from your favorite online shopping site, pause and consider the many companies that exchanged vast amounts of information with breathtaking speed to deliver that item to your front door.

Modern supply chains are ground zero for what many industry experts call the phase level of “hyperconnectivity.” We love getting the goods we want as quickly and inexpensively as possible, but it takes an awful lot of data sharing between totally separate companies to make it work. Organizations across the value chain – from farms and factories to shippers, wholesalers, and retailers – are engaged in a daily balancing act between sharing information and having control over it.

Collaboration Trends Reveal Benefits and Challenges

Hyperconnectivity figured into numerous industry analyst predictions this year. By 2024, saw 45 percent of consumer-facing businesses providing a fully seamless connectedness – with good reason. These analysts said that by 2025 “fully connected enterprises will realize at least twice the return on investment through gains in revenue customer retention, infrastructure longevity, and process and cost efficiencies.”

researchers found that enterprise data strategy continued to be a top initiative for executives, because “it’s critical in unlocking a firm’s digital transformation — and necessary to take advantage of AI and machine learning.” They predict advanced companies will double their data strategy budgets.

At the same time, Gartner analysts listed “transparency and traceability” in the firm’s “.” They said highly connected systems in smart spaces will increase opportunities for business transformation but also create new challenges in security and risk.

Encryption Could Balance Privacy Versus Value Equation

In this interview at the , Axel Schroepfer from the shared an example of how companies could use homomorphic encryption to share information with partners across a hyperconnected supply chain without compromising data control.

“Suppose you’re a tire manufacturer and a buyer needed 400,000 tires,” explained Schroepfer. “You could use a cloud-based service that calculated the best tire delivery lot size for cost-efficiency and planning for both parties. The beauty of homomorphic encryption is that the original data is never revealed – even within the service itself. This formula-based approach could help companies solve the conundrum of how to gain value from business-critical data without sharing private information between buyers and suppliers.”

A Formula for Collaborative Success

Homomorphic encryption is emblematic of the kind of innovation certain to emerge as hyperconnected business matures. In Schroepfer’s example, the service would use a mathematical formula on top of encrypted data to calculate results without ever seeing the actual data. He saw potential opportunities for this kind of encryption in other areas such as pool buying, where groups of companies collaborate for better prices without sharing internal data. It could also help prevent business fraud.

In a hyperconnected supply chain, partnerships are going broader and deeper, often forging new relationships and sparking business model disruption. While consumer fears and demands about personalization versus data privacy tend to dominate conversations, businesses will grapple with an equally daunting challenge: how to balance an information exchange between buyers and sellers while protecting security and control. The timely delivery of your package depends on it.

