SAP S/4HANA migration: Critical advice for moving off ECC
Hidden risks of a missed deadline
Opting not to undergo an S/4HANA migration Organizations that stay on ECC have to weigh the technology roadmap implications of foregoing the cloud — and future enhancements to their ERP systems, Lippman said.
“SAP’s investments will be earmarked for S/4HANA and not the legacy applications,” he said.
From a security perspective, staying on ECC is likely the riskiest option, particularly if companies choose third-party support, said JP Perez-Etchegoyan, CTO of Onapsis, a software company based in New York. Companies won’t have any support from SAP, including security patches, which will leave financial, HR and other regulated data at risk.
At least with any premium support they get from SAP after the deadline, they will have some security patching, he said. The best option, security-wise, is to buckle down on planning and move to S/4HANA Considering the continually-evolving threat landscape, combined with state-sponsored attacks that could weaponize ERP vulnerabilities, the security risks are profound. Any organization with an ERP system could be targeted because of the rich data stored there.
“It’s always important to put a security gate into the migration process and into overall operations, especially now,” Perez-Etchegoyan said.
While organizations might not stay on ECC intentionally, some will remain because they didn’t get their plans put together in time to meet the 2025 deadline, he said.
“We have five years, but it’s really a long process,” he said, noting that in addition to migrating business applications, organizations will need to consolidate multiple systems. It’s a considerable effort, but this is the best approach for SAP customers, especially since they have different deployment options for S/4HANA.
Ultimately, SAP customers can stay on ECC, but experts are hesitant to recommend this course of action. Unlike ECC, S/4HANA can be run in a public or private cloud, in a hybrid environment or on premises, which may make it more tenable to adopt. And with the security risks inherent in running unpatched software, staying on ECC may prove to be a serious financial blow to organizations who miss the deadline.