Demystifying the Cloud Part 3: “Above the clouds, security seems to be an indomitable beast” or “how to train your dragon”
A famous German songwriter, Reinhard Mey, once wrote a song about flying: “Above the clouds, freedom seems to be unlimited”. This does not seem to apply to cloud solutions. Once an Enterprise organization has its head in the cloud, it will immediately find security to be the #1 concern and the indomitable beast.
Don't get me wrong, this is a serious topic, but I prefer to see it through the eyes of Hicks, the young Viking from the Dreamworks movie “How to Train Your Dragon”. It is a question of knowledge, and it's a question of awareness of the risks. And finally you need to question how well the vendors have done their homework to domesticate the beast and unlock the value of the cloud in your Enterprise.
Working in the strategy and customer Co-Innovation space is a perfect chance to regularly meet customers and discuss expectations, opportunities and concerns about the cloud. Many roundtables, discussion forums and expert sessions from different organizations and customers, as well as user group meetings, fueled these thoughts. Let's share some of them.
1) European perception is different from the US, security itself is not
European conferences are dominated by one question: “How secure is the cloud?”. This is the tip of the iceberg; the questions beneath it need clarification around
- Physical data location
- Unauthorized data access
- Data theft by insiders
- Firewalls to prevent 3rd party attacks
- Operational compliance
- Shallow security
- Data Portability
- Business Continuity
According to the Verizon Data Breach Investigations Report, 86% of all security breaches were accomplished by the use of stolen login credentials, making secure enforcement of employee passwords and single sign-on policies a must. For multinational companies, compliance with different local codes was another top concern. No wonder security is top of mind on the list of concerns with SaaS vendors. Though we would argue that the question applies to any on-premise solution as well if you can get physical access.
The location of a datacenter (especially in light of US regulations and 3rd party access to data) fires up further discussions, and those responsible for IT should definitely ask where the data is stored physically. Interestingly enough, we also see many US- and Canada-based companies asking to be hosted in a European data center.
This is an important topic where the strictness of European regulations can help build trust, and where Enterprise usage of data differs from consumer cloud services. Take Google as an example. The nature of their business makes it valuable to immediately duplicate each search pattern and result to all global server farms. This ensures repeatable results. But it does not apply to Enterprise data, where a determinable geographical storage location is a must.
US-based IT decision makers are just as security-minded, but their conversations usually leave enough room for a value- and business-oriented discussion, while many European conferences remain too long at this point. Because security is – after all – only the vehicle to come to better results, to help the business become more agile and insightful, and also to complement the processes that run today.
2) It is all about trust
With cloud computing the perception of security changed fundamentally. Security, data protection, and data privacy became more important.
This makes trust the #1 asset in the cloud business. It drives us, as it should any other vendor in this area, to handle data with the utmost discretion and to strive to deliver software solutions and support that allow business-critical processes to run securely. We protect customers against unauthorized data access and misuse, as well as confidential data disclosure, using various measures for employees, applications, organization, systems, and networks.
Now compare the investment a company like SAP can make in this area with what an IT organization inside another large company is able or willing to spend, let alone a mid-sized or smaller company. Just do the math with a couple of examples:
You can expect an average of ~20,000 attacks/day (active and passive) from the web, so it is a business imperative to keep every Apache server at the front line of the web (we are talking about a militarized zone) on the latest patches at all times. Just compare this with a bank. Even if banks might be perceived slightly differently since the economic crisis, most people would consider them safe regarding the physical storage of cash (and other things). Having the latest patches on all online servers is comparable to locking all doors in a bank. Keeping development systems online for test purposes and forgetting to update them later is like leaving the back door of the bank building open so the smokers can get out and back in more easily. This is not fiction; it happens far too often.
Data encryption between user devices and the backend using SSL is another good example. You need to control every level of the cloud-computing stack, from the datacenter to the database to the middleware and the application layer.
In our Public Cloud model, every layer of the stack goes through rigorous security audits and adheres to the most stringent security standards. We follow transparent security and auditing standards and adhere to the most stringent data privacy standards.
Back to our bank example: storing data unencrypted, or not using encryption between device and backend, is comparable to putting the cash “next to the safe” instead of “into the safe”.
The combination of these lapses is inexcusable negligence; the result is a thief who enters the bank through the open back door and, once inside, can't believe that the cash is sitting beside the safe, ready to be taken. Sounds absurd, but it has happened in reality.
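The “cash next to the safe” situation above, in code: a client-side TLS context that nominally encrypts but accepts any certificate, beside the strict context that actually locks the safe, plus a small check that tells the two apart. This is an added example using only the Python standard library; it is not SAP code, and the `audit_context` helper and its finding strings are constructed for this illustration.

```python
"""Client-side TLS configuration: a strict context beside a lax one, and a
check that reports the weaknesses of a given context. Added example; the
audit_context helper and its messages are constructed for illustration."""
import ssl


def strict_client_context() -> ssl.SSLContext:
    """Encryption with the safe actually locked: CA verification, hostname
    check and a TLS 1.2 floor."""
    # create_default_context() already sets CERT_REQUIRED, check_hostname=True
    # and loads the system CA store.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def lax_client_context() -> ssl.SSLContext:
    """Encryption nominally on, but any certificate from anyone is accepted:
    the cash is next to the safe, not in it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of weaknesses found in a client context.
    An empty list means the context verifies the peer and refuses legacy versions."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS/SSL protocol versions are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("strict", strict_client_context()), ("lax", lax_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

The check inspects the context object rather than opening a connection, so it runs offline and can be dropped into a test suite to catch the lax configuration before it reaches production.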
3) How to Train Your Dragon
EU 95/46 EC, PCI-DSS, ISO 27002, BS7799, ASIO-4, FIPS Moderate, BS10012, SSAE-16/SOC2… this is some of what it takes to train your Dragon, just to name the most important audit standards and certificates which we apply to our datacenter and services.
Integration between cloud and on-premise or 3rd party cloud is another area where every single day we see a lack of knowledge and of risk assessment. B2B and partner integration is tough, owing to the disparate integration technologies. And the number of technologies continues to grow. This is a challenge day in, day out, but for each chosen technology you definitely need an adequate new set of best practices and design patterns to secure the solution.
At SAP, we provide several integration methods to meet different business needs: Packaged Integrations via integration platform with pre-packaged connectors, community driven process maps and last but not least user interfaces for developing and deploying file-based, events and process integrations from scratch.
Our Network Architecture is multi-tiered. End-user traffic is limited to the front Demilitarized Zone (DMZ) tier of Web servers only. Each single tier in the hosting environment is organized into a DMZ-like pattern. This allows a firewall or Virtual Local Area Network (VLAN) separation between each tier. Each request is individually validated before a new, independent request is created for the next tier.
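The per-tier validation pattern just described, as an added example that is not SAP's code: the web tier parses the end-user request, accepts only an allowlisted action and a well-formed identifier, and then builds a fresh request for the application tier from the validated fields alone, so the original bytes never cross the tier boundary. The field names, actions, identifier format and the idea of taking the tenant from the authenticated session rather than from the client body are all assumptions constructed for this illustration.

```python
"""Tier-boundary validation: validate at the web tier, then create a new,
independent request for the application tier. Added example; the actions,
field names and identifier format are constructed, not SAP's."""
import json
import re

# Constructed allowlist: the only operations the web tier is willing to relay.
ALLOWED_ACTIONS = {"get_invoice", "list_invoices"}
# Constructed identifier format: upper-case alphanumerics and dashes, bounded length.
ID_PATTERN = re.compile(r"^[A-Z0-9-]{1,32}$")
EXPECTED_FIELDS = {"action", "invoice_id"}


class RejectedRequest(ValueError):
    """Raised when a request fails validation; nothing is forwarded in that case."""


def validate_front_tier(raw: bytes) -> dict:
    """Parse and validate the raw end-user request.

    Returns a dict containing only validated fields. Anything unexpected
    (extra keys, unknown actions, malformed identifiers) is rejected rather
    than passed through.
    """
    try:
        payload = json.loads(raw)
    except (UnicodeDecodeError, ValueError) as exc:
        raise RejectedRequest("malformed JSON body") from exc
    if not isinstance(payload, dict):
        raise RejectedRequest("body must be a JSON object")
    extra = set(payload) - EXPECTED_FIELDS
    if extra:
        raise RejectedRequest(f"unexpected fields: {sorted(extra)}")

    action = payload.get("action")
    if action not in ALLOWED_ACTIONS:
        raise RejectedRequest("unknown action")

    validated = {"action": action}
    if action == "get_invoice":
        invoice_id = payload.get("invoice_id")
        if not isinstance(invoice_id, str) or not ID_PATTERN.fullmatch(invoice_id):
            raise RejectedRequest("invalid invoice_id")
        validated["invoice_id"] = invoice_id
    elif "invoice_id" in payload:
        raise RejectedRequest("invoice_id not allowed for this action")
    return validated


def build_app_tier_request(validated: dict, session_tenant: str) -> dict:
    """Create a new, independent request for the application tier.

    Only validated fields are copied across, and the tenant comes from the
    authenticated session at the web tier (an assumption of this example),
    never from the client body. The original bytes are not forwarded.
    """
    request = {"op": validated["action"], "tenant": session_tenant, "args": {}}
    if "invoice_id" in validated:
        request["args"]["invoice_id"] = validated["invoice_id"]
    return request


def relay(raw: bytes, session_tenant: str):
    """One web-tier hop: returns (next-tier request, "ok") or (None, reason)."""
    try:
        validated = validate_front_tier(raw)
    except RejectedRequest as exc:
        return None, str(exc)
    return build_app_tier_request(validated, session_tenant), "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed request and three that must be rejected.
    samples = [
        b'{"action": "get_invoice", "invoice_id": "INV-2012-0042"}',
        b'{"action": "get_invoice", "invoice_id": "inv 0042"}',
        b'{"action": "list_invoices", "tenant": "other-company"}',
        b'{"action": "delete_all"}',
    ]
    for raw in samples:
        print(raw, "->", relay(raw, session_tenant="ACME"))
```

The point of the pattern is that each tier only ever receives a request shaped by the tier in front of it; a client cannot smuggle extra fields (such as a tenant of its choosing) past the web tier because the next-tier request is assembled from scratch.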
These are just a few examples from an endless list. To address all these challenges, we undergo an SSAE-16/SOC2 Type II audit twice a year.
SAP is the leading provider of Enterprise business software – in the market for 4 decades, with many more to come. We have worked with customer data for our entire existence. Together with SuccessFactors, an SAP company, and Ariba, an SAP company, we are now running the most comprehensive portfolio in the cloud as well. Data security and data privacy are part of our DNA – and earning your trust every day is our utmost mission.
We are helping customers and partners to do the right thing in the cloud, and we have done all our homework to secure your data and processes in the cloud. There is more to come, for sure, to keep the dragon trained.