Security is #1 concern for enterprise organizations when making a cloud decision. This issue has been aggravated in our post Snowden/PRISM world. Security is a serious topic. But it requires a sense of proportion over an emotional discussion.

The pressures along the security isobars of IT are high but require at least space for value and business oriented conversation about cloud – how to help business become more agile and insightful.

The SAP Cloud Strategy and Customer Co-Innovation team regularly meets customers and discuss expectations, opportunities and concerns. Many roundtables, discussions, forums and expert sessions with different organizations in many geographies, as well as user group meetings helped to shape the thoughts in this blog.

Let´s look into the 3 most important aspects of security.

1)     Location Matters

Cloud Conversations are dominated by one question: “How secure is the cloud”. This is a tip of the iceberg question which normally leads to questions around:

• Physical Security and Data Location
• Network Security
• Backup & Recovery
• Operational Compliance
• Confidentiality & Integrity
• Data Portability

However, According to Verizon Data Breach Investigations Report, 86% of all security breaches were accomplished by the use of stolen login credentials, making secure enforcement of employee passwords and single sign-on policies “a must”.

The location of a datacenter where the cloud solution and the respective data is handled fires up further discussions and IT definitively worry where the data is stored physically. The strictness of European regulations, and especially regulations in Germany (Germany’s Federal Data Protection Act which  is known as Bundesdatenschutzgesetz or BDSG. The laws were reformed significantly in 2009 to cover a range of data protection-related issues), can help build trust when  deciding on a geographical storage location for customers data.

And lets not forget, all of the above applies to on-premise as well as cloud solutions.

2) It is all about trust

With cloud computing the perception of security changed fundamentally. It makes trust the #1 asset and brand value in cloud computing. And this drives us here at SAP.

As it should any other vendor in this area.

SAP handles data with the utmost discretion and strives to deliver services and support that allow business-critical processes to run securely. 

We protect our customers against unauthorized data access and misuse, as well as confidential data disclosure, using various measures for employees, applications, organization, systems, and networks.

More details you find in a presentation about cloud security here.

SAP is the leading provider for Enterprise business software in the market for 4 decades and is transitioning rapidly into a Cloud Company with a comprehensive cloud portfolio. SAP is used to working with sensitive customer data. Data security and data privacy is part of the DNA – and to earn customer´s trust every day is the mission.

SAP runs cloud solutions and services at the same high level of security as its customers are used to for all other highly critical business processes.

SAP invests heavily in security, especially for the cloud, in most cases more than an IT Organization inside a large companies is able or willing to do. All companies, not only smaller ones without access to such resources definitely benefit.

Cloud computing with it´s different layers takes the burden of commodity task off the In-house IT to allow IT to concentrate on Value Add tasks. At the same time Cloud vendors concentrate on specific tasks and professionalize them to the maximum. This constant repetition and automation help eliminate manual steps and sources of errors.

Data encryption for user devices using SSL is another good example. You need to control every level of the cloud-computing stack, from datacenter to database to middleware and the applications layer.

In our Public Cloud model, every layer of the stack goes through rigorous security audits and adheres to most stringent security standards. We follow transparent security and auditing standards and adhere to the most stringent data privacy standards.

3) Manage the militarized and a de-militarized Zone on the Web

EU 95/46 EC, PCI-DSS, ISO 27002, BS7799, ASIO-4, FIPS Moderate, BS10012, SSAE-16/SOC2… Just to name the most important audit standards and certificates, which apply to datacenter and services, keeping  a customer´s data secure.

SAP has achieved all of these certifications. In addition, our network architecture is multi-tiered. End-user traffic is limited to the front Demilitarized Zone (DMZ) tier of Web servers only. Each single tier in the hosting environment is organized into a DMZ-like pattern. This allows a firewall or Virtual Local Area Networks (VLAN) separation between each tier. A request is individually validated before creating the next tier independent request.

These are just a few examples of a long list. To answer all these challenge, SAP frequently undergo a SSAE16-SOC2 Type II auditing, twice a year.

SAP is the leading provider for Enterprise business software – we invest heavily to stay on top for many years to come. We help customers and partners to move to the cloud, and we learn every day through co-innovation how to improve our solutions (see portfolio here) and services.

Security is a serious concern for SAP (itself, a business with 65.000 employees in 150 countries using our own cloud solutions) and its customers and partners – making security as simple as 1-2-3 is a top priority.

Looking forward to hear your thoughts,

Bert Schulze (@BeSchulze) and Sven Denecken (@SDenecken).