For organizations using SAP, migrating to S/4 HANA is a project that’s either in the works or on the horizon as the 2027 deadline for completion looms. The new generation of SAP Business Suite promises simplifications, massively increased efficiency and compelling features. It’s also a crucial next step in modernizing SAP platforms and moving to the cloud.
Today, organizations can deploy SAP S/4 HANA on-premise or in the cloud – with the latter option gaining popularity. In fact, nearly 50 percent of SAP customers moving to S/4HANA are choosing a cloud model, according to the independent Americas’ SAP Users Group.
Despite all the benefits companies can obtain from SAP S/4HANA, there are specific considerations every customer needs to consider to ensure a smooth migration – regardless of their deployment model.
Start Your SAP S/4 HANA Migration ASAP
Companies often feel they have ample time to plan, especially since SAP extended the deadline of support for SAP Business Suite software until 2027. However, experts say a full migration of legacy systems for large enterprises typically takes a minimum of 18 months. Moreover, it can take longer if the core applications have been heavily customized. So while 2027 might seem far off, when dealing with mission-critical enterprise software, it’s a lot closer than organizations may realize.
Timing will always be a challenge, but there are several steps organizations can take to ease the move. For instance, companies can use SAP S/4 HANA evaluations and pilot programs to preview changes. Alternatively, companies can start with small projects to minimize disruption and build on the successes and lessons learned. Before organizations consider a full-scale migration, businesses need to ensure they’re not taking any past problems into the future.
Eliminate Unused Code
Research shows that there is more than one critical security/compliance issue per 1,000 lines of custom ABAP code, and a typical SAP system has 2,150 security/compliance issues in custom code.
Customization in SAP code can lead to unwanted complexities if left unmanaged. These types of complications can hamper migrations and cloud deployments and become costly down the road. That’s why businesses should take the time to analyze custom SAP code, perform hygiene on unused code and check for vulnerabilities or integration issues. This process ensures that companies reduce the likelihood of bringing poorly designed code and vulnerability issues into new SAP S/4 HANA environments.
Consider Security Early
Another critical success factor for migrations is prioritizing security early. According to the December 2019 SAPinsider Benchmark Report, 81 percent of respondents indicated that certified and guaranteed security was very critical or critical to their cloud-migration strategy.
While security isn’t an excuse to delay migrations to modernized platforms or the cloud, organizations should emphasize how to protect sensitive data. Preventing and mitigating security issues is far less expensive and risky than being reactive and implementing fixes after the SAP applications are production-ready. Not only that but bringing security upfront in the migration process helps accelerate projects due to the early detection and coordination of potential issues in the security and compliance areas. Leading application testing and security software provides the visibility businesses need to discover and address vulnerabilities, misconfigurations and authorization issues within their systems.
Increasing Cloud Options
With a modernized platform in S/4 HANA, SAP organizations now have an increased amount of available cloud options. Businesses can choose between hybrid, public, private and SAP S/4 HANA’s Enterprise Cloud (HEC) – a service that accelerates the path to cloud readiness and into an intelligent enterprise.
For organizations that choose the latter, SAP HEC pushes SAP processes and associated information outside of an organization’s data center with a completely managed offering, decreasing costs and increasing scalability.
However, while SAP delivers patching and protection benefits in this cloud deployment, to take full advantage of this offering, organizations must rely on a “trust but verify” security model. Businesses need to verify their instance is being secured according to policies and security baselines. This visibility and proactive risk monitoring helps reduce business disruptions, protect supply chain integrity and uncover potential security threats, so businesses can rely on HEC with confidence.
To highlight this example, we hosted a session in June with LEVI Strauss Deputy CISO Steve Zalewski. The session, explains how to ensure security and compliance is provided in a hosted cloud environment such as SAP HEC.
Whether companies believe it or not, the S/4 HANA decade is here – and 2027 is going to arrive before we know it. For any system, migrations can present difficulties and S/4 HANA is no different. To succeed, organizations need to start migration plans ASAP, eliminate unused code and prioritize security early on. By following these steps and leveraging necessary tools, businesses can modernize their SAP environments, capitalize on increased cloud options and securely take advantage of the benefits the S/4 HANA Enterprise Cloud offers.
By Juan Etchegoyen
As CTO, JP leads the innovation team that keeps Onapsis on the cutting edge of the Business-Critical Application Security market, addressing some of the most complex problems that organizations are currently facing while managing and securing their ERP landscapes. JP helps manage the development of new products as well as support the ERP cybersecurity research efforts that have garnered critical acclaim for the Onapsis Research Labs.
JP is regularly invited to speak and host trainings at global industry conferences, including Black Hat, HackInTheBox, AppSec, Troopers, Oracle OpenWorld and SAP TechEd, and is a founding member of the Cloud Security Alliance (CSA) Cloud ERP Working Group. Over his professional career, JP has led many Information Security consultancy projects for some of the world’s biggest companies around the globe in the fields of penetration and web application testing, vulnerability research, cybersecurity infosec auditing/standards, vulnerability research and more.