Is Your BW/4HANA System Truly Cyber-Resilient?


A lot of SAP customers and consultants look at SAP BW/4HANA as a “lower-class” SAP system. Something for “someone else” to worry about. They forget about all the work that went into setting up their company’s data warehouse in SAP BW/4HANA, or further back, like some of my early SAP consulting projects on BW7 and BW3.5.

And now, with the big push for S/4HANA migrations by 2027, the priority for anything related to BW seems to be going lower and lower. A forgotten system sounds like the perfect place to attempt an exploit. This is a reminder to protect your investment in SAP BW/4HANA. And if you are still running on BW7, most of this will still apply to you as well.

Why Protect BW/4HANA?

1) It contains your company’s most important data.

Think about “big picture” data flow. The most important system to protect is your S/4HANA since it is the “system of record” for so much data. Also, remember that BW/4HANA is a key “downstream” system which contains much of the same data. The Business Warehouse (BW) architecture is set up by design to extract important data from S/4HANA, stage it, and make it readily available in BW/4HANA. It is a data warehousing architecture, after all. So, the data protection policies and investments in place for the data in S/4HANA should carry over and be in place to protect the data on BW/4HANA as well.

Think logically. You have invested so much to protect your ECC and S/4HANA primary systems. Then, you set up approved data extractors to copy much of your most valuable IT assets (DATA) onto this BW system … But then you fail to protect that same valuable data on the BW system??

That doesn’t make sense, right? Think about public impact and the risk of damage to reputation. If your company’s BW/4HANA system is breached, the public will not care whether the sensitive data was obtained from an S/4HANA system versus a BW/4HANA system. The public perception will simply be that your company has a “data problem,” and trust in your company’s brand will go down. In a more extreme case, a business partner (customer, vendor, employee, or former employee) could pursue legal action if they can show harm from your company’s data breach.

2) It’s going to be around for many more years.

Recently, I have interacted with more than 100 BW/4HANA consultants. From those discussions, I have three top observations:
  • There is some early movement to migrate (or, at least, integrate) to SAP Datasphere.
  • Most customers are staying on BW/4HANA for the near future.
  • Consultant interest in learning BW/4HANA and getting certified is still very high. Meanwhile, I am not seeing as much demand to learn and get certified on SAP Datasphere.

S/4HANA is the main reason for this delay in moving from BW/4HANA to SAP Datasphere. S/4HANA is taking more time, budget, and resources than previously anticipated.

The hyperfocus on S/4HANA will naturally occur during the ECC to S/4HANA initial migration. S/4HANA will also compete for focus in follow-on projects around optimizations and integrations.

Meanwhile, SAP has released two “Statements of Direction” for BW and SAP Analytics. These documents help SAP BW customers with road map planning:

The BW Statement of Direction
  • BW covers BW, BW/4HANA, and SAP Datasphere
  • SAP confirms support for BW/4HANA until 2040

The SAP Analytics Statement of Direction
  • SAP Analytics covers Business Objects, Crystal Reports, Lumira, and SAP Analytics Cloud
  • SAP Analytics Products are separated from BW, but certainly, the two groups of products are deeply connected. So, they should be considered together in the overall migration planning process.

If companies are already feeling the pressure to move from ECC and migrate to S/4HANA by 2027, and if BW/4HANA is supported until 2040, then in most cases, SAP BW customers will defer any migration from BW/4HANA to SAP Datasphere until after they are stabilized on S/4HANA.

Since BW/4HANA is going to be around for a while, you need to include it in your scope for SAP cybersecurity.

What Is the Top Cyber Risk for BW/4HANA? Data Exfiltration

Think like a hacker. If you wanted to exfiltrate data from a company and you knew it had the same data on two different servers, you would go after the data on the more vulnerable server.

But it gets worse. The more vulnerable server is also less likely to detect the exfiltration activity. This type of exploit is known as “silent exfiltration.”

Your company could lose data without even realizing it! The attack would never be detected until your company’s proprietary data was discovered accidentally “in the wild” outside of your company.

And then, maybe it could be traced back to a breach period on the BW system.

Think data sensitivity. Where does your BW/4HANA system get its data? S/4HANA is the major data source for BW/4HANA. The data that comes from S/4HANA to BW/4HANA has the same sensitivity and should have the same or similar protection as it had in S/4HANA.
