Interview With Paul Laudanski - Director of Security Research at Onapsis

Shauli Zacks, Content Editor
Published on: December 12, 2024

In a recent SafetyDetectives interview, Paul Laudanski, Director of Security Research at Onapsis, sheds light on the critical role of security in SAP cloud migrations. With over two decades of experience in threat research, intelligence, and counterintelligence, Laudanski now leads the Onapsis Research Labs team, which has helped identify and remediate over 1,000 zero-day vulnerabilities in SAP and Oracle applications.

During the conversation, he shares insights on the challenges of migrating to RISE with SAP, how organizations can avoid common pitfalls, and the role automation plays in ensuring smooth, secure, and compliant cloud transitions. He also highlights the importance of shared responsibility between SAP and its customers in safeguarding critical business data.

Can you introduce yourself and talk about your role at Onapsis?

Absolutely. I am the director of security research at Onapsis and a member of the Onapsis Research Labs team, which is dedicated to hunting down vulnerabilities within business-critical applications. At Onapsis, my team is responsible for finding and reporting vulnerabilities to SAP. Since the company’s founding, the team has helped to remediate over 1,000 zero-day vulnerabilities within SAP and Oracle applications.

Prior to Onapsis, I spent the last twenty years focused on cybersecurity – specifically threat research and engineering, threat intelligence, and counterintelligence for a number of different leading technology companies. This includes CastleCops, where I was the founder and owner, and we delivered and supported solutions in a public community setting to make the internet safe and secure for consumers.

At the end of the day, the most important thing to me is making the world a safer place. We can do this by making cybersecurity processes and products more accessible for everyone.

How does Onapsis help organizations balance the need for robust security with the pressure to meet go-live deadlines?

With the business world moving faster than ever before, organizations need a solution that embeds security and compliance standards seamlessly without slowing down the implementation process.

We launched the Onapsis Secure RISE Accelerator to take the guesswork out of implementing security elements of modern SAP deployments, automate manual processes and future-proof the RISE with SAP transformation.

Onapsis is eliminating security and compliance obstacles with a structured, bundled solution that simplifies and accelerates an organization’s project planning and execution with SAP-endorsed technology, threat insights and comprehensive SAP cybersecurity expertise and best practices. This ensures no vulnerabilities in the code or data are migrating, saving organizations time and money.

What is the significance of RISE with SAP and why is it a critical shift for SAP customers?

RISE with SAP is all about bringing organizations with on-premises SAP enterprise resource planning (ERP) systems to the cloud by December 2027. In the next few years, security leaders will be making massive investments in make-or-break projects that will affect their companies. Delivering the RISE with SAP transformation project on time and on budget is the number one focus, which is where security can frequently be seen as a challenge to that ultimate outcome.

What are the biggest security challenges organizations face when migrating to RISE with SAP?

Enterprises are dealing with one of the most complex threat landscapes while also ensuring their most business-critical data is secured. When migrating to the cloud securely and efficiently, security teams need to take a lot of factors into consideration, including new technologies bringing new attack vectors, which can lead to unplanned impact of downtimes. Another challenge is the management of multiple environments, which leads to consistent patching, plus the ongoing concern of the cybersecurity skills shortage. While these obstacles are not uncommon in the security industry, managing them while ensuring all deadlines are met and nothing falls through the cracks is no easy feat.

There are several very specific challenges that organizations face when migrating to RISE with SAP, including:

  • Confusion around RISE security roles and responsibilities and challenges with proper alignment, funding and governance
  • Identifying critical issues before migration and scoping security properly in their areas of responsibility to improve their risk posture in RISE from legacy
  • Understanding potential risks and compliance roadblocks while avoiding delays from having the wrong skills, poor security scope or unplanned business issues
  • Building a secure-by-design model and verifying the security/compliance of third parties
  • Proper validation of security controls for areas of responsibility and ensuring landscape is free of code issues to ensure an accurate and timely go-live

With SAP securing the infrastructure, what specific responsibilities do organizations have regarding the security of their data and applications in the cloud?

Moving to the cloud requires a collaborative approach from everyone across the security team. What most organizations need to understand is that RISE is no different from other cloud offerings. This is why SAP and each organization have a shared responsibility model to reduce risk.

Organizations are responsible for:

  • Quality and security of all migrated or new code, all transports and change management
  • The responsibility of requesting the application of “non-HotNews” Security Notes
  • All users, including third parties, access and behaviors
  • Owning security audit logging and related issues, as well as incident response
  • All compliance and compensating controls

This is a shift from what SAP customers are used to, as when this data was stored on-premises, they were responsible for everything. Now, SAP takes ownership of cloud maintenance, backup management tools, automatically patching from HotNews Security Notes and securing the platform’s infrastructure 24/7.

What role does automation play in addressing the compliance requirements of a cloud ERP migration?

One of the biggest benefits RISE for SAP provides for security is speed, and automation is a key element of this. Automating previously manual processes in the transformation ensures that organizations remain compliant and can conduct audits more efficiently. Many companies have legacy environments, and automation helps enhance these environments and the future of the cloud ERP landscape by providing users with a comprehensive security framework and mitigating any future compliance issues. This allows security teams to focus on the data itself and makes the security process much more efficient as they conduct internal and external audits regularly throughout the year.

This results in more accurate results for compliance audits, frees up resources, reduces employee fatigue and helps organizations take a forward-looking approach.

Can you share examples of common missteps organizations make during their SAP cloud migration and how they can be avoided?

Our goal with Secure RISE Accelerator is to help make RISE with SAP more efficient for all organizations. However, we often see the following missteps when helping companies make their SAP cloud migration:

  • Miscommunication: When migrating to the cloud, it’s pertinent that the security team is in lockstep with other business units to ensure the right and relevant data is being transferred
  • Lack of understanding of scope: The cloud needs to contain not only the business’ most valuable data but also the data that needs to be transferred to ensure compliance and security
  • Misconfigurations: With years of data held on premises, there are often several vulnerabilities sitting on the network and, if not properly taken care of, could be added to the new cloud environment
  • Improper security practices and settings: Security is constantly evolving, and therefore, we see outdated security policies and postures that are at risk of migrating those practices to the cloud
  • Sufficient talent and skills gap: The cybersecurity skills gap and lack of resources are something that many organizations are facing, leading to many security teams not having the time or staff to conduct the migration effectively.

While there is no perfect answer on how to avoid these common mistakes, it is important to adopt solutions that can help identify these errors and streamline critical elements of the transformation process.

About the Author

Shauli Zacks is a content editor at SafetyDetectives.

He has worked in the tech industry for over a decade as a writer and journalist. Shauli has interviewed executives from more than 350 companies to hear their stories, advice, and insights on industry trends. As a writer, he has conducted in-depth reviews and comparisons of VPNs, antivirus software, and parental control apps, offering advice both online and offline on which apps are best based on users' needs.

Shauli began his career as a journalist for his college newspaper, breaking stories about sports and campus news. After a brief stint in the online gaming industry, he joined a high-tech company and discovered his passion for online security. Leveraging his journalistic training, he researched not only his company’s software but also its competitors, gaining a unique perspective on what truly sets products apart.

He joined SafetyDetectives during the COVID years, finding that it allows him to combine his professional passions without being confined to focusing on a single product. This role provides him with the flexibility and freedom he craves, while helping others stay safe online.
