Crypto to CSO

Brian McKenna

Infosecurity Today, July/August 2004, cover story, p. 22

Sachar Paulus is the Chief Security Officer at SAP. He says that much IT security is still in the grip of a perimeter mentality that ill suits the web-based security needs of today's collaborative enterprises.

Paulus: CSOs lack the right support from governments

"Perimeter security is like putting a medieval castle in a modern city", says Sachar Paulus, chief security officer at SAP. The thirty-three-year-old German security professional has risen impressively in his career, following his entry to the corporate world from academia in 1998. The chief security officer at the biggest technology company Germany has produced - the Microsoft of enterprise software, with 54% of the global application market - is something to be. And the former cryptographer can now take a more synoptic view of the security of IT.

SAP is Germany's most successful IT company, but Paulus is keen to stress that it is global in its reach. "We have developers in India and China, as well as in the US and Canada, and integrating these different development cultures has been more of a challenge than dealing with different security and privacy cultures beyond Germany".

"A big portion of our customers are in the US, and we actually get more feedback from there than from Germany. The Germans are very conservative in terms of the communication of their security requirements. They tend to feel they can solve their own problems whereas in the US they will call the vendors in more readily".

Border-free security

In terms of the producer end of security, he maintains that while Germany has "high expertise in cryptography and in high-end security, we have some difficulties in getting it into everyday tools, and the Americans are better at that. In Germany we always feel we need to think about what's going to happen in 10 years' time".

He also thinks, however, that American security is currently too determined by a fortress mentality. "Since 9/11, the US has clung much more tightly to a perimeter paradigm in security than is the case in the EU. Long term, if you really want cross-company business processes you need to deal in concepts that don't take borders into account. Perimeter security is like putting a medieval castle in a modern city!"

Paulus studied computer science at the University of Saarland, and followed that with a PhD in number theory at Essen. Contrary to those who see crypto as a superannuated discipline that is over-represented in the information security field as a whole, he argues that "none of the real problems within cryptography have been solved. We do not have any provably secure algorithms. RSA, elliptic curve cryptography, and so on, are based on mathematical problems whose difficulty has not been proven. Also, in terms of day-to-day usage, there is enough to do. More people should implement available cryptographic solutions than do. There is still a lack of understanding of where crypto could be used efficiently for making work life better".

Paulus's trajectory has been from crypto through smart cards - he worked at Kobil Systems for two years - to business cases for security applications and IT risk management.

"At SAP, we have been building up the perception that there is indeed a security story regarding reducing total cost of ownership. But now, keeping the whole picture is the main thing; understanding the real threats and doing the right things at the right time, in other words. And, in this regard, Bruce Schneier's latest book, Beyond Fear, is one I am in accord with".

Paradigm shift

Henning Kagermann, SAP's physicist CEO, is, on Paulus's account, trying to drive the company from one paradigm to another.

"The overall culture he is creating is one where we are made aware of a need to get from one software era to another, but to do so smoothly - in a way that allows our customers to migrate without a heightening in their TCO.

"Security-wise, the main thing is that our software is more and more web-based, enabling more collaborative relationships between companies. This requires a new approach to security, putting it much higher on the agenda".

Inside the company, SAP's business poses certain challenges which, though hardly unique, are salient. "Our business is to develop software. That makes things a bit different.

"We need to think of measures and processes that keep the users' productivity high, but security high too.

"Secondly, our company's key asset really is our people's knowledge, so it is important that we protect our design documents, and so on."

He reports that three to five times a year SAP revisits the security of any new component of its software. "We get our developers to avoid buffer overflows, and so on, and we look to minimize testing periods for customers when they have to apply new patches".

He adds that getting developers to buy in to coding securely has not proved a huge problem. "We run awareness campaigns among the developers, but the only thing that really helps within development cycles is mandatory quality checks, for which middle management buy-in is required, and that is more difficult to get".

Curriculum Vitae

1988 - 1992 Studies in Computer Science at the University of Saarland, Germany. Focus: Cryptography
1992 - 1996 Studies in Mathematics at the Institute of Experimental Mathematics, Essen, Germany. PhD in Number Theory
1996 - 1998 Researcher at the Technical University of Darmstadt, Department of Theoretical Computer Science, Germany
1998 - 1999 Product Manager at KOBIL Systems, Smart Card Manufacturer, Worms, Germany
1999 - 2000 Consultant at SECUDE, Cryptographic Software Manufacturer, Darmstadt, Germany
2000 - 2002 Product Manager Security at SAP AG
2002 - 2004 Additional responsibility for the security standard for secure software development at SAP
2004 - Chief Security Officer, SAP

"The Germans are very conservative ... they tend to feel they can solve their own problems whereas in the US they will call the vendors in more readily".

Mirror in the bathroom

In an opinion piece for CNET, Paulus once wrote that making security a priority for each employee begins with a company culture that stresses individual responsibility. But suppose you work for a Parmalat or an Enron? Why should individual employees do all the right security things when their bosses are lining their pockets?

"That is a good question! For SAP, I will say that we try to get across to employees that when they protect the company's knowledge they are protecting themselves. And so we are going to run an awareness campaign, with posters in the mirrors in the toilets that say: 'you are looking at this company's most important security officer'. But we do need to stress that this starts at the top. And so we might make a video about one day in the life of one of our executives from a security standpoint".

Paulus, and security professionals at his level, are fond of saying that security is a strategic issue for the business - any business. But is it, really?

"Security can't just be about hygiene. If you take that perspective you will never take your security investments into account with your business processes. It will always be an after-the-fact thing, and while that makes sense in a perimeter paradigm, when you move to a world of web services and interacting companies you need to take security into account from the beginning".

Both sides of the medal

Paulus considers this a challenge that security managers need to meet with a change in mindset. "It is a different way of thinking. A business person thinks 'how can I implement a specific business process as fast and as efficiently as possible, with the lowest cost, the best impact, the smoothest integration?' But a security person thinks about what could happen. You need to see both sides of the medal".

SAP hit the headlines recently with the disclosure, during the ongoing Oracle anti-trust trial, that Microsoft had approached the Heidelberg company with the idea of a merger. Paulus confirms that Microsoft, as a partner, has had a significant influence over SAP's technology. "We are educating each other", he says. "But we also partner with IBM, Accenture, and even Oracle".

He compliments SAP's possible suitor on security. "Theirs is the right approach. It is amazing that they are able to produce a fix in five days. The problems they have are to do with their huge development capacity; they have so many innovative people, and they still have to find a way to get things working in the innovation phase. For example, with the NGSCB they stopped in the middle because the security they were imposing was slowing things".

As for the IT security industry, which mops up after Microsoft et al., Paulus is less sanguine. He sees three trends.

"All the main vendors - Microsoft, SAP, Oracle, IBM, and so on - are more and more providing tools for running business securely. Second, there is more convergence between security management and management software - for example with Tivoli and CA's product suite. Third, there is vertical integration among firewall vendors, now moving up to application-level protection. And you also have Cisco, signally, adding security functionality".

"There will continue to be some niche vendors but the mainstream security market in the mid term will be owned by the major IT companies", he says.

And so SAP adds its voice to an ever-louder catchcry: the security industry needs to adapt or, well, struggle as the IT big fish evolve.

Sachar Paulus is a member of the steering committee of TeleTrust, and serves on the programme committee of the ISSE conference.

Big questions

If you were a CSO elsewhere, where would you like to be?

Ten years from now I would like to be operating at a political level. Companies and CSOs lack the right support from governments and officials on a multinational level - at an EU level. I feel I could contribute to that.

What advice would you give to a security manager early in their career?

Understand the business processes. Knowledge of the business is what sets apart security people who can have an impact - who can change things.

Paulus: none of the real crypto problems have been solved

The Job

As the Chief Security Officer of SAP AG, Dr. Sachar Paulus reports directly to the board, and is responsible for SAP's strategy for product and support security, information and IT security as well as physical and organizational security. Before this, he was Head of the Product Management Team for Security at SAP AG, coordinating security technology, secure development processes and security response for all SAP applications.

Of his 15-person security group he says: "We are the voice of security at SAP".