21 March 2022

Deploying a “zero-trust” approach to SAP Security

Zero-trust is a concept that marks a significant change in how IT security frameworks operate. Instead of assuming that everything within an organization’s network is to be trusted, a zero-trust model presumes that everything starts as a risk, and only user identity and context can then establish trust for certain things and in certain areas.

The sensitive nature of the data and information stored within your SAP systems means that a zero-trust approach is always the best course of action. However, this approach isn’t as common as it should be, and this was highlighted in the recent SAP Security Survey Report, compiled jointly by Turnkey Consulting, Onapsis and Legion Star. A worrying 53% of respondents said they either didn’t review third-party code for security or quality issues, or weren’t sure whether they did or not.

This blog explains why this is such a cause for concern and looks at the practicalities of deploying zero-trust security in your SAP estate.

The risks of not checking third-party code specifically
If you don’t check third-party code before you implement it, then you may be introducing vulnerabilities or gaps into your SAP estate without you even realizing it. This applies even if you trust the source of the code because you’ve used it before. Without checking all code for potential discrepancies, you may unwittingly give cyber-criminals a clear path of entry to your SAP system and data.

Ultimately, an approach prioritized around risk is important to the detection of a breach, and critical to its containment.

A wider zero-trust approach
Zero-trust does more than give you a defensive, safety-first approach to your SAP Security. Under zero-trust, devices and users have to be authenticated every time they use any asset, environment or application, rather than trust being taken for granted. This means threat actors can’t access valuable data, even if they manage to get into the network.

The same principles apply to third parties and remote employees: they can only access applications that they are authorized to, meaning they are shut off as a potential route for cyber-criminals to gain access themselves.

It comes down to the difference between being proactive and reactive: organizations using zero-trust are actively looking for threats that may infiltrate their systems, not reacting to them after they’ve started to have an impact.

How to deploy zero-trust with SAP Security
According to Microsoft, 94% of security leaders have ‘embarked on their zero-trust journey’. This is encouraging, but there’s still work to do to make this aspiration an implemented reality across applications and systems, including SAP.

Alongside reviewing third-party code, there are many other actions you can take to make zero-trust possible, including:

  • Specify surfaces for protection: locate the surface, ensure all applications and data are isolated and classified, and increase visibility and contextual awareness

  • Set out transaction flows: use automated tools to map data, assess the interaction of applications, data and systems, and categorize all traffic

  • Define the trust policy: develop automated application rules, use a multi-layered approach to scanning and mitigating threats, and ensure the policy covers who accesses what, when, where and how, including what they need access for

  • Adjust response processes: use all the data available to put incidents into context, and automation to rapidly contain attacks with network segmentation, then learn from the experience to improve trust policies

  • Keep SAP secure: maintain security through environment monitoring, regular updates and enhancements to the environment, and a fast threat detection and response strategy (ideally utilizing AI-based tools)
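
A sketch of the "define the trust policy" step, added here as an illustration and not taken from Turnkey or SAP: every request is evaluated afresh against default-deny rules covering who, what, when, where, how and purpose. The user, network zone, authentication and purpose labels are constructed sample values, and SU01 is used only as a sample resource name.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    user: str      # who
    resource: str  # what
    at: time       # when
    network: str   # where
    auth: str      # how
    purpose: str   # what the access is needed for

@dataclass(frozen=True)
class Rule:
    users: frozenset
    resource: str
    start: time
    end: time
    networks: frozenset
    auth_methods: frozenset
    purposes: frozenset

    def mismatches(self, r):
        """Return the policy dimensions on which the request fails this rule."""
        checks = {
            "who": r.user in self.users,
            "what": r.resource == self.resource,
            "when": self.start <= r.at <= self.end,
            "where": r.network in self.networks,
            "how": r.auth in self.auth_methods,
            "purpose": r.purpose in self.purposes,
        }
        return [dim for dim, ok in checks.items() if not ok]

def decide(rules, request):
    """Default deny: allow only when one rule matches on every dimension."""
    closest = ["no-rule"]
    for i, rule in enumerate(rules):
        failed = rule.mismatches(request)
        if not failed:
            return "allow", []
        if i == 0 or len(failed) < len(closest):
            closest = failed
    return "deny", closest

# Constructed sample policy: all names and values are illustrative assumptions.
POLICY = [Rule(frozenset({"a.basis"}), "SU01", time(8), time(18),
               frozenset({"corp-lan"}), frozenset({"sso+mfa"}),
               frozenset({"user-admin"}))]
```

A deny result names the dimensions that failed, so a request from inside the corporate network with weak authentication is still refused and the reason is available to the response process.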

Find out more detail on the state of play in SAP security with our SAP Security Survey Report. Download your copy here.