
July/August issue

Crypto to CSO


Brian McKenna

Sachar Paulus is the Chief Security Officer at SAP. He says that much IT security is still in the grip of a perimeter mentality that ill suits the web-based security needs of today's collaborative enterprises.

"Perimeter security is like putting a medieval castle in a modern city", says Sachar Paulus, chief security officer at SAP. The thirty-three-year-old German security professional has risen impressively in his career, following his entry to the corporate world from academia in 1998. The chief security officer at the biggest technology company Germany has produced - the Microsoft of enterprise software, with 54% of the global application market - is something to be. And the former cryptographer can now take a more synoptic view of the security of IT.


SAP is Germany's most successful IT company, but Paulus is keen to stress that it is global in its reach. "We have developers in India and China, as well as in the US and Canada, and integrating these different development cultures has been more of a challenge than dealing with different security and privacy cultures beyond Germany".

"A big portion of our customers are in the US, and we actually get more feedback from there than from Germany. The Germans are very conservative in terms of the communication of their security requirements. They tend to feel they can solve their own problems whereas in the US they will call the vendors in more readily".

Border-free security
In terms of the producer end of security, he maintains that while Germany has "high expertise in cryptography and in high end security, we have some difficulties in getting it into everyday tools, and the Americans are better at that. In Germany we always feel we need to think about what's going to happen in 10 years time".


He also thinks, however, that American security is currently too determined by a fortress mentality. "Since 9/11, the US has clung much more tightly to a perimeter paradigm in security than is the case in the EU. Long term, if you really want cross-company business processes you need to deal in concepts that don't take borders into account. Perimeter security is like putting a medieval castle in a modern city!"

Paulus studied computer science at the University of Saarland, and followed that with a PhD in number theory at Essen. Contrary to those who see crypto as a superannuated discipline that is over-represented in the information security field as a whole, he argues that "none of the real problems within cryptography have been solved. We do not have any provably secure algorithms. RSA, elliptic curve cryptography, and so on, are based on mathematical problems whose difficulty has not been proven. Also, in terms of day to day usage, there is enough to do. More people should implement available cryptographic solutions than do. There is still a lack of understanding where crypto could be used efficiently for making work life better".

Paulus's trajectory has been from crypto through smart cards - he worked at Kobil Systems for two years - to business cases for security applications and IT risk management.

"At SAP, we have been building up the perception that there is indeed a security story regarding reducing total cost of ownership. But now, keeping the whole picture is the main thing; understanding the real threats and doing the right things at the right time, in other words. And, in this regard Bruce Schneier's latest book, Beyond Fear, is one I am in accord with".

Paradigm shift
Henning Kagermann, SAP's physicist CEO, is, on Paulus's account, trying to drive the company from one paradigm to another.

"The overall culture he is creating is one where we are made aware of a need to get from one software era to another, but to do so smoothly - in a way that allows our customers to migrate without a heightening in their TCO.

"Security-wise, the main thing is that our software is more and more web-based, enabling more collaborative relationships between companies. This requires a new approach to security, putting it much higher on the agenda".

Inside the company, SAP's business poses certain challenges which, though hardly unique, are salient. "Our business is to develop software. That makes things a bit different.

"We need to think of measures and processes that keep the users’ productivity high, but security high too.

"Secondly, our company's key asset really is our people's knowledge, so it is important that we protect our design documents, and so on."

He reports that three to five times a year SAP revisits the security of any new component of its software. "We get our developers to avoid buffer overflows, and so on, and we look to minimize testing periods for customers when they have to apply new patches".

He reports that getting developers to buy in to coding securely has not proved a huge problem. "We run awareness campaigns among the developers, but the only thing that really helps within development cycles is mandatory quality checks, for which middle management buy-in is required, and that is more difficult to get".

The Job

As the Chief Security Officer of SAP AG, Dr. Sachar Paulus reports directly to the board, and is responsible for SAP's strategy for product and support security, information and IT security as well as physical and organizational security. Before this, he was Head of the Product Management Team for Security at SAP AG, coordinating security technology, secure development processes and security response for all SAP applications.
Of his 15-person security group he says: “We are the voice of security at SAP”.

Mirror in the bathroom
In an opinion piece for CNET, Paulus once wrote that making security a priority for each employee begins with a company culture that stresses individual responsibility. But suppose you work for a Parmalat or an Enron? Why should individual employees do all the right security things when their bosses are lining their pockets?

"That is a good question! For SAP, I will say that we try to get across to employees that when they protect the company's knowledge they are protecting themselves. And so we are going to run an awareness campaign, with posters in the mirrors in the toilets that say: 'you are looking at this company's most important security officer'. But we do need to stress that this starts at the top. And so might make a video about one day in the life of one of our executives from a security standpoint".

Paulus, and security professionals at his level, are fond of saying that security is a strategic issue for the business - any business. But is it, really?

"Security can't just be about hygiene. If you take that perspective you will never take your security investments into account with your business processes. It will always be an after the fact thing, and while that makes sense in a perimeter paradigm, when you move to a world of web services, and interacting companies you need to take security into account from the beginning".

Both sides of the medal
Paulus considers this a challenge that security managers need to meet with a change in mindset. "It is a different way of thinking. A business person thinks 'how can I implement a specific business process as fast and as efficiently as possible, with the lowest cost, the best impact, the smoothest integration?' But a security person thinks about what could happen. You need to see both sides of the medal".

Big Questions

If you were a CSO elsewhere, where would you like to be?
Ten years from now I would like to be operating at a political level. Companies and CSOs lack the right support from governments and officials on a multinational level — at an EU level. I feel I could contribute to that.

What advice would you give to a security manager early in their career?
Understand the business processes. Knowledge of the business is what sets apart security people who can have an impact — who can change things.

SAP hit the headlines recently with the disclosure, during the ongoing Oracle anti-trust trial, that Microsoft had approached the Heidelberg company with the idea of a merger. Paulus confirms that Microsoft, as a partner, has had a significant influence over SAP’s technology. "We are educating each other", he says. “But we also partner with IBM, Accenture, and even Oracle”.

He compliments SAP's possible suitor on security. "Theirs is the right approach. It is amazing that they are able to produce a fix in five days. The problems they have are to do with their huge development capacity; they have so many innovative people, and they still have to find a way to get things working in innovation phase. For example, with the NGSCB they stopped in the middle because the security they were imposing was slowing things".

As for the IT security industry, which mops up after Microsoft et al., Paulus is less sanguine. He sees three trends.

"All the main vendors - Microsoft, SAP, Oracle, IBM, and so on, are more and more providing tools for running business securely. Second, there is more convergence between security management and management software — for example with Tivoli and CA’s product suite. Third, there is vertical integration among firewall vendors, now moving up to application level protection. And you also have Cisco, signally, adding security functionality".

"There will continue to be some niche vendors but the mainstream security market in the mid term will be owned by the major IT companies", he says.

And so SAP adds its voice to an ever-loudening catchcry: the security industry needs to adapt or, well, struggle as the IT big fish evolve.

Sachar Paulus is a member of the steering committee of TeleTrust, and serves on the programme committee of the ISSE conference.
