It won’t be long until the extended 2027 deadline for S/4HANA migration arrives, and it already feels like it’s starting to approach very quickly. Many organisations are therefore planning their migration already, in order to minimise the risk of any costly delays or disruption along the way.
We’re finding that many systems integrators are downplaying the process as a ‘brownfield migration’: that is to say, a simple ‘lift and shift’ that’s designed to be as hassle-free as possible. However, the S/4HANA migration could - and should - be so much more than that, especially from a security perspective.
Anyone who has used SAP for any length of time will know that it’s a constantly evolving platform, and that this is especially the case in a world where workforces are increasingly remote, global and hybrid. Because of this, the old approach to access provisioning is no longer fit for purpose, as data and users are spread across multiple different systems and locations.
So, a new approach to controls is required instead, and the switch to S/4HANA therefore needs to be taken very seriously. Only by taking the opportunity to thoughtfully redesign your controls can you realise all the benefits available, and ensure that systems, processes, and your wider business continue to run as smoothly as they do at present.
Security has a big part to play in this, and should be considered an enabler rather than a blocker. For example, effective role design enables people to do their jobs and seamlessly maximise their productivity, while also managing risk to an appropriate level. The standard templated roles in S/4 aren’t sufficient for this purpose, and migrating roles over from ECC isn’t advised as they’re not compatible with Fiori, S/4’s improved user interface.
So, if you don’t revise your roles and authorisations within your S/4 environment, the value of your migration will be limited, and you’ll also be exposed to SoD risks if you stick with the templated S/4 roles.
It might take a bit of a change in philosophy, but it really is possible to think of security in a positive, enabling light rather than a protective and defensive one. With the right controls, roles, and authorisations in place, employees can have the confidence to use the systems and data they need to do their jobs, wherever and whenever they’re working.
When employees are happy with the controls that are in place, they don’t feel the need to try and bypass them inadvertently, and don’t have the capacity to try and do so maliciously. It also simultaneously reduces the risk of a security incident happening, as technologies like single sign-on help strike the right balance between accessibility and access control.
Perhaps the best way to think of risk and security controls is to liken them to the tyres on a car. With the right levels of grip, and tyres in good condition, you’ll stay on the road and won’t keep having to stop for repairs and replacements. Right-sized controls are the same: helping an organisation continue to move forward quickly, without the risk of sliding off course, or being slowed down by restrictive performance.
The key advice we can give you around the S/4HANA migration is that this is your chance to turn security into a force for good by not repeating the sins of the past. Starting off on the front foot, with security as a business enabler, gives you the best opportunity to unlock business potential and empower your teams. And with those right-sized controls in place, you can monitor and reinforce your security; furthermore, you can build confidence that however your business operates, it’s doing so in a secure and compliant way that doesn’t compromise productivity.