The 1-2-3 of Cloud Security at SAP
Security is the #1 concern for enterprise organizations when making a cloud decision, and the issue has only been aggravated in our post-Snowden/PRISM world. Security is a serious topic, but it calls for a sense of proportion rather than an emotional discussion.
The pressure along the security isobars of IT is high, but there must still be room for a value- and business-oriented conversation about the cloud: how to help the business become more agile and more insightful.
The SAP Cloud Strategy and Customer Co-Innovation team regularly meets customers and discusses expectations, opportunities and concerns. Many roundtables, discussions, forums and expert sessions with different organizations in many geographies, as well as user group meetings, have helped shape the thoughts in this blog.
Let's look into the 3 most important aspects of security.
1) Location Matters
Cloud conversations are dominated by one question: "How secure is the cloud?" This is a tip-of-the-iceberg question that normally leads to questions about:
- Physical Security and Data Location
- Network Security
- Backup & Recovery
- Operational Compliance
- Confidentiality & Integrity
- Data Portability
However, according to the Verizon Data Breach Investigations Report, 86% of all security breaches were accomplished using stolen login credentials, which makes secure enforcement of employee password and single sign-on policies "a must".
The location of the data center where the cloud solution and its data are hosted fuels further discussion, and IT definitely worries about where data is stored physically. The strictness of European regulations, and especially of those in Germany (Germany's Federal Data Protection Act, known as the Bundesdatenschutzgesetz or BDSG, was reformed significantly in 2009 to cover a range of data protection issues), can help build trust when deciding on a geographical storage location for customer data.
And let's not forget: all of the above applies to on-premise as well as cloud solutions.
2) It is all about trust
With cloud computing, the perception of security has changed fundamentally: trust has become the #1 asset and brand value in cloud computing. That is what drives us here at SAP, as it should any other vendor in this area.
SAP handles data with the utmost discretion and strives to deliver services and support that allow business-critical processes to run securely.
We protect our customers against unauthorized data access and misuse, as well as confidential data disclosure, using various measures for employees, applications, organization, systems, and networks.
You can find more details in a presentation about cloud security here.
SAP has been the leading provider of enterprise business software for 4 decades and is transitioning rapidly into a cloud company with a comprehensive cloud portfolio. SAP is used to working with sensitive customer data. Data security and data privacy are part of its DNA, and earning customers' trust every day is the mission.
SAP runs cloud solutions and services at the same high level of security that its customers are used to for all their other highly critical business processes.
SAP invests heavily in security, especially for the cloud, in most cases more than an IT organization inside a large company is able or willing to do. All companies, not only smaller ones without access to such resources, definitely benefit.
Cloud computing, with its different layers, takes the burden of commodity tasks off in-house IT and lets IT concentrate on value-add tasks. At the same time, cloud vendors concentrate on specific tasks and professionalize them to the maximum. This constant repetition and automation help eliminate manual steps and sources of error.
Encrypting the data exchanged with user devices via SSL is another good example. You need to control every level of the cloud computing stack, from the data center to the database, the middleware and the application layer.
In our public cloud model, every layer of the stack goes through rigorous security audits and adheres to the most stringent security standards. We follow transparent security and auditing standards and adhere to the most stringent data privacy standards.
3) Manage the militarized and the demilitarized zone on the web
EU 95/46/EC, PCI-DSS, ISO 27002, BS7799, ASIO-4, FIPS Moderate, BS10012, SSAE-16/SOC2... to name just the most important audit standards and certificates that apply to the data center and services keeping a customer's data secure.
SAP has achieved all of these certifications. In addition, our network architecture is multi-tiered. End-user traffic is limited to the front demilitarized zone (DMZ) tier of web servers only. Each tier in the hosting environment is organized in a DMZ-like pattern, which allows firewall or virtual local area network (VLAN) separation between tiers. Each request is individually validated before a new, independent request is created for the next tier.
These are just a few examples from a long list. To answer all these challenges, SAP frequently undergoes SSAE16-SOC2 Type II auditing, twice a year.
SAP is the leading provider of enterprise business software, and we invest heavily to stay on top for many years to come. We help customers and partners move to the cloud, and through co-innovation we learn every day how to improve our solutions (see portfolio here) and services.
Security is a serious concern for SAP (itself a business with 65,000 employees in 150 countries using our own cloud solutions) and for its customers and partners; making security as simple as 1-2-3 is a top priority.
Looking forward to hearing your thoughts,
Bert Schulze (@BeSchulze) and Sven Denecken (@SDenecken).
Thanks for raising such an important and often overblown topic. Security in the Cloud is excellent and within my area (HCM) SuccessFactors has much better security than most customers could dream of having. Having pooled resources gives Cloud companies a greater budget for security than each customer could budget on their own and this means higher standards of compliance and protection.
One thing the Cloud can't protect is credential theft (as you mentioned) and organizations need to be aware of the continued risk they have when moving to the Cloud.
Agree - and as I stated: And let's not forget, all of the above applies to on-premise as well as cloud solutions.
Both on premise and cloud solutions would benefit from dual factor authentication solutions. It's the obvious way to prevent credential theft.
Given how easy/cheap this would be to implement in a cloud solution using things like Google Authenticator one would hope that this could be one thing where cloud could yet again prove itself to be more secure than on premise.
I'll be watching this space.
Just found this article (and disappointingly little else) while searching for dual factor authentication in SuccessFactors.
We have customers asking for this as they want employees and managers to access their data e.g. from their home PCs and are looking for dual factor authentication solutions.
Have you had any news or experience with that question since this post was published?
Don't know myself, but best would be to connect with SFSF support on this.
Thanks for the useful blog and presentation, Sven!
Security and privacy are main concerns today, especially after the PRISM scandal.
I know a prospect that would like to see official SAP validation that SAP/SuccessFactors doesn't participate in such US government projects and that SAP cloud data is safe from NSA/CSS.
Great blog, and Luke has a good point.
Credential theft is the weak point of any security approach, no matter how complex. It isn't enough (or perhaps not even useful) to force password changes every 6, or 3, or 2 months, nor to require more and more complex combinations of characters ("Sorry, but your password must contain an uppercase letter, a number, a haiku, a gang sign, a hieroglyph, and the blood of a virgin." Sounds familiar?).
IT needs to educate users on what a good password is, how it can be remembered, and how it should be differentiated across the multiplicity of platforms in use.
A good article I like to refer to is http://www.baekdal.com/insights/password-security-usability
Thanks for the useful blog
Very interesting and useful blog entry. Is there an official white paper describing in detail the SAP Cloud features and security differentiators?
The technology is easy, the people aren't.
One of the issues I face when talking to individuals and organisations about any kind of cloud computing is this idea of data security being related to physical security ("we can lock our data up in our data centre and no one can get to it" - it's the non-IT version of "if I can't hug my server then it doesn't exist"). What annoys me most about this are exactly the things you mention in the presentation...
How can these people compare a data centre that has occasional audits of physical and network security against something like the SAP / AWS / RackSpace / etc. "warehouse computers" and the regular rigorous testing they go through for certification?
What would be useful is some material on cloud security that is slanted much more to the non-IT people (i.e. the business, who, after all, pay my mortgage). I feel a rant coming on (about the lack of education / communication between the suits and the techos) that belongs in its own blog, but the short version is: You're not stupid, but you are a specialist; I don't tell you how to sell to our customers, don't tell me how to protect our data.
PS regarding passwords Luke Marson and Chiara Bersano - Passwords are as much a UI problem as anything; see http://xato.net/passwords/analyzing-the-xkcd-comic/
That's a great link and a recommended read. I think password policies don't help either, so in combination with UI or programmed rules they lead us to use passwords that seem hard to crack but really aren't.
Knowledgeable and worth reading. I will recommend the same for others to read.
Hi Sven, very nice blog demystifying several aspects of cloud security. I also looked at the presentation: "presentation about cloud security here". I would like to know more about the following (Slide 11):
Customer and System Support: One-time user with short-term password (1-4 hour)
My question is : Who is this one-time user and what's the scenario for using this feature?
Hi Sven, hi Bert,
thanks for your blog.
Good to get an idea of what you as a cloud company are putting stress on.
While reading your blog I was touched by two parts and made my own thoughts in between.
(I'm highly interested to keep this discussion up and hear other opinions.)
The daily news currently reduces the number of trustful partners/companies/governments and we are in the days of confusion.
I'm curious if the news of the last 3 months (NSA/Snowden) and the ongoing details about possibly bypassed encryption standards will change the cloud trends.
Are all the audit standards / certificates worth anything when the digging of the data is happening on a lower level?
Currently I see a good chance that all this will force "insourcing" to be the next trend.
The Private Cloud within your own IT may get/stay the only trustful partner you have.
And if I quote you out of context this seems to be true:
For cloud companies it's easy to be on the safe side. 🙂
For all others it's a matter of trust.
Very good blog, Sven.
Our Cloud security efforts are top notch, building on a foundation of software that's being built with security in mind.
Anything we put in the cloud needs to follow security standards from idea to market: https://www54.sap.com/pc/tech/application-foundation-security/software/security-at-sap/index.html
@CBasis we're working on the trust issue on multiple levels: any third party component we use needs to go through an extensive evaluation process, our own source code is constantly being verified for security issues and/or backdoors before it gets released.
We're doing our best to make sure we can say "Trust" with confidence. On many levels security components have already been insourced - SNC libraries, SAP Cryptolib, our SAML implementation to name a few.
Regarding any software that we put in the cloud, be it the actual product or the supporting tools needed to operate that product in the cloud (e.g. software needed for metering, monitoring, infrastructure management, initial customer onboarding etc.), I fully agree with you, Frank, that they need to follow I2M security standards.
As per SAP's security standards, it is stated clearly here: https://portal.wdf.sap.corp/irj/go/km/docs/corporate_portal/Cross%20Services%20for%20SAP/Security/Security%20Policy%20and%20Standards/Security%20Standards/Special%20Groups/Internal_Applications_EN.pdf.
Would it be possible to encrypt the data so that the only key is with the customer?
Let's do it
The other one is in a Swiss bank vault, only to be opened bla bla
I'm searching for information about a special topic mentioned before: PCI-DSS. Is there any information regarding this topic and the SAP data centers? I didn't find anything.
I have been working in SAP Security and GRC AC 10 since 2012. Please guide me on whether learning SAP Cloud security will add more value to my career.
Many thanks in advance.