20 years of Security Research at SAP

In October 2021, SAP Security Research celebrates its 20th anniversary! What started with three researchers and a working student looking into mobile security innovations, has matured to a research group comprising 35 researchers and PhD students and just as many intern and thesis students. The growth of the group has been stimulated by security and privacy climbing higher and higher on the priority list of SAP and its customers, due to technology paradigm shifts as well as societal changes.

Driven by the digital transformation of businesses and its demand for flexible computing resources, the cloud has become the prevalent deployment model for enterprise services and applications introducing complex stakeholder relations and extended attack surfaces. Web technologies dominate service consumption, asking for mitigation of their specific vulnerabilities. Software development became a distributed task of a large ecosystem with its specific attack vectors. Hyperconnectivity facilitates the collection of vast amounts of data, which in turn fuel the AI-based Intelligent Enterprise but are highly sensitive at the same time. The ubiquity of new and intelligent technologies offers unprecedented opportunities, but also leads to new or reinforced risks. Society and policy makers react to those risks by introducing security and privacy regulations and prioritizing the debate about responsible use of technology.

Inventing the future of security means to identify and understand the new risks and continuously innovate to mitigate them. The core of SAP Research’s mission is to anticipate both evolutionary and disruptive developments in technology and business, to assess their security and privacy impact and to design and prototype novel security and privacy solutions that unlock new business opportunities. Based on solid scientific foundations, we aim at advancing the state of the art for the benefit of SAP and its customers.

Looking back: how mobile security evolved to IoT and edge security

The history of what started as mobile security research at SAP reflects the influence factors over time. In the early and mid-2000s, mobility largely meant connectivity, with security requirements focusing on authentication and the confidentiality and integrity of data transmission. This focus didn’t change much with the integration of communicating sensors in application scenarios, but they introduced challenges of scale (“billions of devices”) and required to cope with their limited computational and storage capabilities asking for the design of specific light-weight security protocols. Sensor integration offered new opportunities for application scenarios, for instance, in distributed supply chains. Equipping products or warehouses with sensors allowed to monitor goods and optimize supply chains by sharing data. New security protocols needed to be designed to meet new requirements on distributed supply chain integrity and access control to sensor data.

At about this time, the Internet of Things developed into a business, and SAP Security Research’s advanced prototypes for IoT end-to-end security (i.e., from device to cloud backend) could be integrated into the IoT platform and IoT applications. This has been demonstrated, for instance, in a predictive maintenance application for the water distribution system of the City of Antibes.

But this is not the end of the story: increased capabilities of sensors and gateways now allow to move business logic to the edge, removing the backend bottleneck for performance. But when, for instance, distributed cameras perform AI-assisted pre-processing of video streams and are provided by different vendors and operators, we research solutions to protect the machine learning models deployed on the camera as well as to sanitize the sensitive data captured in the video streams.

Continuous research and innovation

In IoT and mobile security, we have seen the security and privacy research challenges developing from securing data transmission to protecting ML models. In fact, the mobile security story is a typical example of successful applied research. When we started the research, the IoT was a vison far ahead in the future. Anticipating its disruptive potential and business impact and investigating at an early stage allowed to have research results ready for innovation when the time was right, i.e., when the business recognized IoT as a game changer and needed security innovations to satisfy customer needs. Not stopping there, but continuing applied research aiming at solving the next challenges in the field, is key to facilitate continuous innovation and maintain thought leadership.

Others of our focus areas in research show similar characteristics: for instance, in open-source software security analysis, we moved from the assessment of known vulnerabilities to protection from new threats using OS software and distribution mechanisms to launch new types of attacks. In Web Security, results in vulnerability detection led to protective mechanisms and methods to optimize security testing.

How to choose the right challenges?

While in hindsight the stories of mobile / IoT security research and others of our research areas sound simple and straightforward, it turns out to be challenging in reality. Choosing the right challenges, i.e., those which solution will counter an existential threat or unlock a significant business opportunity for SAP, requires expertise and the willingness to take a risk, informed by business strategies and customer expectations.

It is a bet on the future – it is too late to start innovating only when the future has already materialized. Being ahead of time is essential. Security and privacy challenges are inherently complex, and their solutions are far from obvious. Solid scientific foundations and methodologies are required to come up with results that stand the test of time. Continuity in building up expertise, conducting excellent research, evaluating and adapting to business and technology trends and stakeholder interaction (including the scientific community) is key to sustained organic innovation going beyond single occasions.

Applied research

In the quest for inventing the future of security at SAP, the application focus of our research – meaning business orientation and technology that scales to industrial level – is key. For instance, hitting performance bottlenecks and scaling issues when targeting the integration of research prototypes in SAP platforms and applications lead to new research directions and related innovations in very different research fields: combining advanced cryptographic mechanisms like homomorphic encryption with the security promises of trusted execution environments now allows processing over encrypted data for larger data volumes, and allowing to instrument code while maintaining compiler optimizations for data flow tracking lead to a novel approach targeting byte code instead of source code. These examples show that our research needs to go beyond what academia typically can provide and underline our commitment to invest in security and privacy research.

Today’s big challenges

What is today’s equivalent to the likes of IoT security of its early days? It is certainly Machine Learning that has the most significant impact on the security and privacy roadmap these days, both providing the power of data to design novel security mechanisms as well as requiring new security and privacy paradigms to counter Machine Learning specific threats. We use Machine Learning insights to better understand security properties of code and to find and classify sensitive data in unstructured data sets, ranging from leaked credentials to personal data. Machine learning helps to create synthetic data that resembles real data and that can be used to distract attackers or to replace sensitive data for analysis.

Recently, the responsible design and use of AI technology has received increased attention by society and business. Commitments to trustworthiness principles such as privacy, fairness, explainability, and resilience require innovative technologies to support them. But since there is typically no one-size-fits-all solution for principles that are largely determined by societal consensus, research into technical enforcement of the principles needs to be complemented by tools to capture their dependencies and to support context-specific decisions. Our research on anonymization and trustworthy AI aims at finding an optimal balance between the desired properties. In general, we aim at systematically exploring the multiple facets of both machine learning for security and security for machine learning to continuously transfer innovations into business.

What’s next?

Our history tells us that the domains of security and privacy research have a long-term life span, tackling new challenges one after the other, from one intermediate step to the next, following customer needs and guided by the vision of a secure future at SAP. Our approach of maturing research domains incrementally, aiming at impactful outcomes at each step, is based on insights into the key success factors: building and maintaining expertise, early investigations, anticipating developments and needs, and taking informed risks. Not all of our anticipations will lead to sustainable success but focusing on low-hanging fruits only will certainly lead to missing important future developments and disruptive changes.

The last 20 years have shown the validity of our approach to applied research in security and privacy for SAP and its customers. And looking into the developments in our domains of research, we are not afraid to run out of challenges for the coming 20 years, too.

The Security Research team is part of SAP’s Innovation Center Network (ICN), a unit within SAP that has the mandate to shape the future of enterprise software. For more information, please visit the ICN web page.