Crypto to CSO
Brian McKenna
"Perimeter security is like putting a
medieval castle in a modern city", says
Sachar Paulus, chief security officer at SAP.
The thirty-three-year-old German security professional has risen impressively since he entered the corporate world from academia in 1998. To be chief security officer at the biggest technology company Germany has produced - the Microsoft of enterprise software, with 54% of the global application market - is quite something. And the former cryptographer can now take a more synoptic view of the security of IT.
SAP is Germany's most successful IT
company, but Paulus is keen to stress that it
is global in its reach. "We have developers
in India and China, as well as in the US and
Canada, and integrating these different
development cultures has been more of a
challenge than dealing with different
security and privacy cultures outside Germany".
"A big portion of our customers are in the US, and we actually get more feedback from there than from Germany. The Germans are very conservative in terms of the communication of their security requirements. They tend to feel they can solve their own problems whereas in the US they will call the vendors in more readily".

Infosecurity Today, July/August 2004. Cover story

Paulus: CSOs lack the right support from governments

Sachar Paulus is the Chief Security Officer at SAP. He says that much IT security is still in the grip of a perimeter mentality that ill suits the web-based security needs of today's collaborative enterprises.
Border-free security
On the supply side of security, he
maintains that while Germany has "high
expertise in cryptography and in high end
security, we have some difficulties in
getting it into everyday tools, and the
Americans are better at that. In Germany
we always feel we need to think about
what's going to happen in 10 years time".
He also thinks, however, that American
security is currently too determined by a
fortress mentality. "Since 9/11, the US has
clung much more tightly to a perimeter
paradigm in security than is the case in the
EU. Long term, if you really want cross-
company business processes you need to deal
in concepts that don't take borders into
account. Perimeter security is like putting a
medieval castle in a modern city!"
Paulus studied computer science at the
University of Saarland, and followed that
with a PhD in number theory at Essen.
Contrary to those who see crypto as a
superannuated discipline that is over-
represented in the
information security field
as a whole, he argues that
"none of the real problems
within cryptography have
been solved. We do not
have any provably secure
algorithms. RSA, elliptic
curve cryptography, and so
on, are based on
mathematical problems
whose difficulty has not
been proven. Also, in
terms of day to day usage,
there is enough to do. More people should
implement available cryptographic
solutions than do. There is still a lack of
understanding where crypto could be used
efficiently for making work life better".
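To make Paulus's point about RSA concrete, here is a small added example in Python (not from the article, and not code of SAP or Paulus), using toy primes constructed for illustration. It shows the one direction that is actually proven: anyone who can factor n recovers the private exponent d, so RSA is at most as hard as factoring. What nobody has proven is the converse, that breaking RSA requires factoring, or that factoring itself is hard; the trial-division attack below succeeds only because the constructed primes are tiny.

```python
"""Textbook RSA on toy primes: an added illustration, not code from the
article or from SAP. It shows why RSA's security is an assumption:
factoring n = p*q immediately yields the private key, and nothing proves
that factoring (or any other route to breaking RSA) is hard."""
from math import gcd, isqrt


def keygen(p, q, e=65537):
    """Build an RSA key pair from two primes (assumed prime and distinct)."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def trial_factor(n):
    """Factor n by trial division. Feasible only because the toy modulus is
    small; for a 2048-bit n this loop would never finish, and that
    infeasibility (a belief, not a theorem) is what RSA relies on."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found (n is prime?)")


def recover_private_key(pub):
    """The proven reduction: given the factorization of n, compute d exactly
    as the legitimate key owner did."""
    n, e = pub
    p, q = trial_factor(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


# Constructed toy primes for the demo; real keys use primes of ~1024 bits each.
P, Q = 1_000_003, 1_000_033


def demo(message=123456789):
    """Round-trip a message, then show the attacker reaching the same d."""
    pub, priv = keygen(P, Q)
    c = encrypt(pub, message)
    recovered = recover_private_key(pub)
    return {
        "roundtrip_ok": decrypt(priv, c) == message,
        "attacker_has_key": recovered == priv,
        "attacker_decrypts": decrypt(recovered, c) == message,
    }


if __name__ == "__main__":
    print(demo())
```

The attack function is the whole argument in miniature: it is a few lines because the reduction from factoring to key recovery is elementary, and it only stops being practical when the primes are large enough that nobody knows how to factor n, which is an observation about the state of the art rather than a proof.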
Paulus's trajectory has been from crypto
through smart cards - he worked at Kobil
Systems for two years - to business cases
for security applications and IT risk
management.
"At SAP, we have been building up the
perception that there is indeed a security
story regarding reducing total cost of
ownership. But now, keeping the whole
picture is the main thing; understanding
the real threats and doing the right things
at the right time, in other words. And, in
this regard Bruce Schneier's latest book,
Beyond Fear, is one I am in accord with".
Paradigm shift
Henning Kagermann, SAP's physicist
CEO, is, on Paulus's account, trying to
drive the company from one paradigm to
another.
"The overall culture he is creating is one
where we are made aware of a need to get
from one software era to another, but to do
so smoothly - in a way that allows our
customers to migrate without a
heightening in their TCO.
"Security-wise, the main thing is that
our software is more and more web-based,
enabling more collaborative relationships
between companies. This requires a new
approach to security, putting it much
higher on the agenda".
Inside the company, SAP's business poses
certain challenges which, though hardly
unique, are salient. "Our business is to
develop software. That makes things a bit
different.
"We need to think of measures and
processes that keep the users’ productivity
high, but security high too.
"Secondly, our company's key asset
really is our people's knowledge, so it is
important that we protect our design
documents, and so on."
He reports that three to five times a year
SAP revisits the security of any new
component of its software. "We get our
developers to avoid buffer overflows, and
so on, and we look to minimize testing
periods for customers when they have to
apply new patches".
He reports that getting developers to
buy in to coding securely has not proved a
huge problem. "We run awareness
campaigns among the developers, but the
only thing that really helps within
development cycles is mandatory quality
checks, for which middle management
buy in is required, and that is more difficult
to get".
Curriculum Vitae
1988 - 1992 Studies Computer Science at the University of Saarland, Germany. Focus: Cryptography
1992 - 1996 Studies Mathematics at the Institute of Experimental Mathematics, Essen, Germany. PhD in Number Theory
1996 - 1998 Researcher at the Technical University of Darmstadt, Department of Theoretical Computer Science, Germany
1998 - 1999 Product Manager at KOBIL Systems, Smart Card Manufacturer, Worms, Germany
1999 - 2000 Consultant at SECUDE, Cryptographic Software Manufacturer, Darmstadt, Germany
2000 - 2002 Product Manager Security at SAP AG
2002 - 2004 Additional responsibility for the security standard for secure software development at SAP
2004 - Chief Security Officer, SAP
Mirror in the bathroom
In an opinion piece for CNET, Paulus once
wrote that making security a priority for
each employee begins with a company
culture that stresses individual
responsibility. But suppose you work for a
Parmalat or an Enron? Why should
individual employees do all the right
security things when their bosses are lining
their pockets?
"That is a good question! For SAP, I will
say that we try to get across to employees
that when they protect the company's
knowledge they are protecting themselves.
And so we are going to run an awareness
campaign, with posters in the mirrors in
the toilets that say: 'you are looking at this
company's most important security
officer'. But we do need to stress that this
starts at the top. And so we might make a
video about one day in the life of one of
our executives from a security standpoint".
Paulus, and security professionals at his
level, are fond of saying that security is a
strategic issue for the business - any
business. But is it, really?
"Security can't just be about hygiene. If
you take that perspective you will never
take your security investments into account
with your business processes. It will always
be an after the fact thing, and while that
makes sense in a perimeter paradigm,
when you move to a world of web services,
and interacting companies you need to
take security into account from the
beginning".
Both sides of the medal
Paulus considers this a challenge that
security managers need to meet with a
change in mind set. "It is a different way of
thinking. A business person thinks 'how
can I implement a specific business process
as fast and as efficiently as possible, with
the lowest cost, the best impact, the
smoothest integration?" But a security
person thinks about what could happen.
You need to see both sides of the medal".
SAP hit the headlines recently with the
disclosure, during the ongoing Oracle
anti-trust trial, that Microsoft had
approached the Heidelberg company with
the idea of a merger. Paulus confirms that
Microsoft, as a partner, has had a
significant influence over SAP’s
technology. "We are educating each other",
he says. "But we also partner with IBM,
Accenture, and even Oracle".
He compliments SAP's possible suitor on
security. "Theirs is the right approach. It is
amazing that they are able to produce a fix
in five days. The problems they have are to
do with their huge development capacity;
they have so many innovative people, and
they still have to find a way to get things
working in innovation phase. For example,
with the NGSCB they stopped in the
middle because the security they were
imposing was slowing things".
As for the IT security industry, which
mops up after Microsoft et al., Paulus is
less sanguine. He sees three trends.
"All the main vendors - Microsoft, SAP,
Oracle, IBM, and so on, are more and
more providing tools for running business
securely. Second, there is more convergence
between security management and
management software — for example with
Tivoli and CA’s product suite. Third, there
is vertical integration among firewall
vendors, now moving up to application
level protection. And you also have Cisco,
signally, adding security functionality".
"There will continue to be some niche
vendors but the mainstream security
market in the mid term will be owned by
the major IT companies", he says.
And so SAP adds its voice to an ever-
loudening catchcry: the security industry
needs to adapt or, well, struggle as the IT
big fish evolve.
Sachar Paulus is a member of the steering
committee of TeleTrust, and serves on the
programme committee of the ISSE
conference.
Big questions
If you were a CSO elsewhere, where would you like to be?
Ten years from now I would like to be operating at a political level. Companies and CSOs lack the right support from governments and officials on a multinational level - at an EU level. I feel I could contribute to that.
What advice would you give to a security manager early in their career?
Understand the business processes. Knowledge of the business is what sets apart security people who can have an impact - who can change things.
The Job
As the Chief Security Officer of SAP AG, Dr. Sachar Paulus reports directly to the board, and is responsible for SAP's strategy for product and support security, information and IT security as well as physical and organizational security. Before this, he was Head of the Product Management Team for Security at SAP AG, coordinating security technology, secure development processes and security response for all SAP applications.
Of his 15-person security group he says: "We are the voice of security at SAP".