How Global Pharmaceutical Company Sanofi Overhauled Its SAP Security

By Fred Donovan, Senior Editor, SAPinsider 

Global pharmaceutical firm Sanofi operates a large and complex SAP environment containing more than 500 systems and landscapes that include sandbox developments, consolidations, pipelines, and production. In addition, each landscape has as many as 10 systems, and many are running different SAP versions — from Advanced Business Application Programming (ABAP) to Java to NetWeaver and SAP S/4HANA.  

Stéphane Peteytas, Head of SAP Cybersecurity at Sanofi, explains that his company decided to overhaul its SAP security to detect cyberattacks more effectively and secure its mission-critical business applications, reduce the effort involved in deploying security software, and monitor the security of its systems in real time. Peteytas is on a small team that oversees security for Sanofi’s systems around the world. “It was a huge challenge for us to find the right solution,” he says. “Sanofi has so many technical SAP components, and we really wanted to be able to monitor them to ensure security.”

Sanofi identified core areas for security improvement and developed a strategy to improve its enterprise resource planning (ERP) cybersecurity and compliance while accommodating future growth in an increasingly complex and challenging environment.  

Sanofi’s requirements included a holistic security solution that supported application security, centrally analyzed its systems, and automated the security process. “If we have to rely on many people, we know it will take time to remediate the system, so the idea was to manage it centrally,” Peteytas says.

Finding the Right Partner 

Sanofi sent out requests for proposals at the beginning of the COVID-19 crisis, selected SecurityBridge as a partner in May or June, and started a pilot during the summer. SecurityBridge was built as a unified solution from the start. Unlike traditional tools that bolt on modules, the open architecture of SecurityBridge has allowed for the seamless integration of all the functionality. Once the pilot proved successful, Sanofi and SecurityBridge built out the production environment and connected the first SAP system in mid-September of 2020. In the six months between mid-September 2020 and mid-March 2021, Sanofi connected more than 300 systems and is on a path to connect the remaining 200-plus.  

Compliance issues added time to the implementation, as Sanofi had to prove that its SAP systems were complying with the U.S. Sarbanes-Oxley Act (SOX) and the E.U.’s General Data Protection Regulation. “That was complicated in the beginning,” says Peteytas, but Sanofi hasn’t faced any regulatory issues with the more than 300 systems it has connected. The company’s leaders “are reassured” about compliance, he says.  

Centralizing for Efficiency 

Today, Sanofi has one security solution that connects all of its technology. “We have all of the critical activities for us on one tool,” says Peteytas. “We have real-time control for SAP systems that are scanned to check their configurations and ensure that security parameters are defined. This advancement in SAP security is critical to defend against the sophistication and maliciousness of recent high-profile cyberattacks and evolution of ransomware.”

With the SecurityBridge platform, Sanofi now has event-based monitoring, which collects information on every system and correlates events in real time. “SAP generates many, many logs,” says Peteytas, “and it’s not always easy to understand each event document. SecurityBridge is helping us to define the right severity for each event so that we can focus on the right priorities.”

The platform also includes a tool dedicated to patch management. Using the tool, Sanofi can list all of the missing security notes in each SAP system. When Sanofi upgrades a system, it uses the opportunity to implement those security notes.  

Sanofi has the same kind of centralized tool for every security area, such as user management. “We are able to follow all the user accounts on every SAP system. If we want to know what system a user has access to, we can find that out,” he says. This information is critical for adhering to regulations. SecurityBridge provides “many powerful tools that are very useful for us, and we’re spending so much less time to get information,” Peteytas concludes. 

What Does This Mean for SAPInsiders? 

For global enterprises, the security platform needs to be comprehensive and operate in real time. Securing an international organization can be a nightmare, so centralizing security in one dashboard and automating processes are essential features to look for when selecting an SAP security solution. Real-time monitoring ensures consistent security so that threats can be remediated before harm is done.

Don’t forget the security basics, like patch management. While deploying the latest security technology might impress corporate leaders, it won’t be successful if you don’t ensure basic security practices are followed. Make sure the security platform you choose includes the basics as well as the latest bells and whistles.  

To get C-suite buy-in, make sure your security solution passes regulatory muster. In a global regulatory environment, it’s important to test your security solution to ensure compliance. This will boost the confidence of corporate leaders in your security team and your choice of platforms. 

Company Snapshot 

Sanofi 

  • Engages in the research and development, manufacturing, and marketing of pharmaceuticals in the prescription and over-the-counter markets. 
  • Headquarters: Paris, France 
  • Employs 100,000 people located in 100 countries. 
  • Revenue: $43,503m (2020)