SAP dismisses HANA security concerns, acknowledges need for better S/4 messaging

Company execs say security vulnerabilities have been addressed and fixed, but admit there are gaps in customer understand about the business value of S/4 HANA.

FRANKFURT, GERMANY--SAP has dismissed concerns about security flaws in its HANA platform, but acknowledges there are gaps in customers' understanding about how they can benefit from S/4 HANA.

Senior executives from the German software vendor gathered at the SAP HANA Forum held here Tuesday, where they provided an update on user adoption of the in-memory database.

The number of customers on HANA was approaching 10,000, while live customers on the HANA Cloud Platform--introduced 18 months ago--clocked at 2,000, according to Steve Lucas, president of SAP's platforms and analytics. In addition, there were more than 1,000 developers currently on HANA Cloud, he added.

While SAP did not break down customer figures by region, Asia-Pacific excluding China typically accounted for some 20 percent of its global numbers, said SAP's Asia-Pacific Japan senior vice president of platform solutions, Paul Marriott.

He further noted that apps built on HANA Cloud Platform already were in production in the region, mainly in China and Japan. "So we're in the first phase of adoption and, as we move into 2016, we're looking to significantly invest and expand resources in this segment," Marriott added.

A report published last month, however, threatened to impact the inroads it had made. IT security vendor, Onapsis, said it had uncovered 21 vulnerabilities in the HANA platform including flaws that enabled hackers to remotely control affected machines.

Asked about this, Lucas said SAP already had resolved the vulnerabilities six months earlier when Onapsis first disclosed the flaws to the software vendor.

Questioning the publication of the report despite SAP having fixed the holes, he said he met with Onapsis just last week. "They felt that our customers weren't advised aggressively enough to patch the vulnerabilities. We had resolved them, but what we missed was not pushing all the fixes upon our customers, he explained, stressing that the vendor had advertised the required patches as part of its efforts to make these known to its users.

He added that all security vulnerabilities, once identified, would be immediately escalated, resolved, published, and made available to all customers.

A report published last month, however, threatened to slow down this progress. IT security vendor, Onapsis, said it had uncovered 21 vulnerabilities in the HANA platform including flaws that enabled hackers to remotely control affected machines.

Asked about this, Lucas said SAP already had resolved the vulnerabilities six months earlier when Onapsis first disclosed the flaws to the software vendor.

Questioning the publication of the report despite these fixes, he said he met with Onapsis just last week: "They felt that our customers weren't advised aggressively enough to patch the vulnerabilities. We had resolved them, but what we missed was not pushing all the fixes upon our customers." He further stressed that SAP had advertised the required patches as part of its efforts to make these known to its users.

All security vulnerabilities, once identified, would be immediately escalated, resolved, published, and made available to all customers, he added.

And with its strong focus on the healthcare industry, Lucas noted, SAP also was mindful about government regulations concerning data privacy and security, such as HIPPA in the US. To ensure compliance, it built its own data centres for the HANA Cloud Platform so it could host medical data, for instance, instead of putting this on a platform such as Amazon Web Services that might not adhere to the different local laws, he said.

To this end, SAP would be expanding its datacentre footprint for the HANA Cloud Platform in Japan within the first half of next year, he added.

One of its healthcare customers is the American Society of Clinical Oncology (ASCO), which runs its medical IT system CancerLinQ on HANA and HANA Cloud Platform.

Greg Parekh, ASCO's chairman of CancerLinQ business and strategy committee, described the healthcare platform as a "rapid cancer-learning system" to improve understanding of the disease based on real-time analysis of millions of patient and genomic data points and records. It also allowed doctors to provide relevant up-to-date information to patients in the clinic, Parekh said. The society's collaboration with SAP was first announced in January and CancerLinQ went live with several beta doctors nine months later.

With the platform, the 40,000 oncologists in ASCO could potentially glean valuable insights about the disease, he said, adding that the aim was to have 80 percent of these doctors using the CancerLinQ over time.

However, ingesting data and ensuring datasets were interoperable proved challenging, especially since there had been various iterations of electronic medical record implementation and different customisation of these platforms. Feeding unstructured data such as doctors' personal notes, which offered valuable insights, into the system also was not a simple exercise and one that had yet to be resolved within the wider industry, Parekh said.

"We should have foreseen this, but we didn't anticipate how difficult it would be to pull in the data. We thought it would be a little easier than it had been," he noted. "The upside, though, was that we were surprised at how quickly we could make observations even with limited datasets."

The assumption was that 1 million patient records would be needed before interesting insights about the disease could be gleaned. "We have been surprised at what we could get from less than that," he added.

Clarity needed around HANA messaging

This need for better analytics has been a primary driver for HANA adoption in Asia-Pacific, where customers typically would migrate SAP Business Warehouse applications from a traditional database management system to HANA for faster data ingestion and analytical processing.

Massimi Pezzini, Gartner Fellow and vice president, told ZDNet the research firm did not have Asia-Pacific figures on HANA client base, but noted that adoption of the in-memory platform was "growing fast" across the region, particularly in South Korea, Japan, India, and some Southeast Asian markets.

In countries such as Japan and Australia, HANA deployment also was fuelled by the adoption of S/4, Pezzini said, This, however, was only recently a consideration among enterprises since the enterprise application suite was a relatively new offering, he said.

Interest in S/4 took off in the region from the third quarter, though the number of businesses that had deployed HANA was still relatively small, he noted.

Asked what SAP needed to include in its Asia-Pacific growth strategy for 2016, the Gartner analyst said enterprises were still confused about the impact of S/4 HANA as well as its business value and roadmap.

While the software vendor had clarified several of these issues at its recent TechEd event in Barcelona, Pezzini said SAP would need to focus on extending this message to customers in Asia-Pacific in the new year.

Speaking to ZDNet on the sidelines of the forum, SAP's executive board member responsible for product development and delivery, Bernd Leukert, refuted suggestions S/4 HANA adoption was sluggish.

He said some 1,300 customers had deployed the business suite since its launch in February and this figure was expected to surpass 2,000 by the end of the year, making it one of the fastest adoption curves the software vendor had seen.

SAP's Asia-Pacific Japan president, Adaire Fox-Martin, added in an e-mail: "Since its launch, S/4 HANA adoption has been growing at record speed globally and in the region...[with] over 1,300 customers after just eight months in the market." In the region, these included Dutch Mill in Thailand, Net One Systems and Sangetsu in Japan, as well as INOX Leisure in India.

Fox-Martin said India's Asian Paints also had gone live with Simple Finance and S/4 HANA, alongside La Trobe University in Australia, Siam City Cement in Thailand, PT Delami Garment Industries in Indonesia, and COSMAX in Korea.

Leukert, though, acknowledged a need for SAP to better address questions enterprise customers might have about the product. Pointing to a recent visit to the UK where there had been feedback, too, about the lack of clarity regarding S/4's business value, he said there clearly was opportunity that remained untapped.

SAP would be looking to plug this in 2016, when the vendor would embark on a global S/4 HANA campaign across major cities and run dedicated events to highlight its business value and customer success stories.

Pezzini also pointed to the PaaS (platform-as-a-service) as another area in which SAP would need to provide a clearer growth path, describing the HANA Cloud Platform PaaS offering as a "well-kept secret".

"It is critical for SAP to aggressively promote the offering in Asia-Pacific in order to win the hearts and minds of developers, especially in countries that are build-oriented such as Japan and India," he explained, pointing to markets where enterprises preferred customised applications.

On this, Leukert concurred with the analyst. "Our technical ability is far better than the market perception, which means we can certainly significantly improve the articulation of our PaaS strategy, its value as well as benefits.

"What differentiates us is that many others in the cloud market don't provide a web developer environment, which we have and want to further support," he said. "We want to expose our apps and technology assets with service APIs, so every developer that builds on HANA Cloud can benefit across the platform, whether it's mobile as-a-service or e-commerce as-a-service. We already have all these capabilities on our portfolio, but haven't done a good job articulating this to the market. I see huge opportunities for us here going forward."

Fox-Martin said: "Today, our strategy is to transform SAP to become the cloud company powered by SAP HANA. Businesses in Asia are making the shift to digital and are increasingly leveraging cloud as the platform for digital innovation."

SMB strategy in APAC "fragmented"

With strong interest in cloud, Pezzini said SAP's HANA Enterprise Cloud was seeing growth in the Asia-Pacific region.

He added that the software vendor also had been successful among SMBs (small and midsize businesses) with its low-end, on-premise ERP product BusinessOne. However, its Business ByDesign SaaS offering seemed to be "struggling", the Gartner analyst noted.

"Also, the new SAP Anywhere offering, developed in China, is intended to be the flagship SAP's SMB cloud offering for a range of application use cases, such as CRM, e-commerce, and ERP," he said. "While it already has a reasonable number of clients in China, it is not yet available in every country across the region and, at the moment, provides only a limited set of functionalities. Therefore, its impact is still limited,"

However, he noted that SAP had said it would be pushing this offering in the SMB cloud services market from next year.

He added that the vendor should clarify its SMB strategy, which would prove critical to its success in the region. Pezzini said SAP's approach in this space currently was "very fragmented", encompassing various offerings such as BusinessOne, All-in-One, Business ByDesign, and Anywhere.

Leukert, though, said the vendor was "happy" with its progress in the SMB market. Noting that SAP currently had 50,000 SMB customers globally, he said this enterprise segment was its fastest-growing in terms of customer numbers, with 5,000 net new names added year-on-year.

He explained that the software vendor made the decision to first go into markets where the appetite for cloud and the number of SMB businesses were significant. This meant the availability for Anywhere in Asia was, for now, focused on the China market.

"This is simply a matter of intelligently allocating our resources based on the market opportunities," he added, noting that SAP already had thousands of Anywhere customers in China, with dozens signing service contracts at the end of the launch day alone.

Based in Singapore, Eileen Yu reported for ZDNet from the SAP HANA Forum in Frankfurt, Germany, on the invitation of SAP.