Security in the HANA Enterprise Cloud: Evidence of just another managed cloud?
A recently published document entitled “HEC IT Security & Compliance” provides some interesting details on SAP’s HANA-focused Managed Cloud offering – HANA Enterprise Cloud (HEC).
What was strange is that a more general SCN blog about security in the cloud received over 11,000 hits – yet the more detailed HEC blog + presentation only received 349 hits. This discrepancy didn’t seem justified, so I wanted to surface this HEC blog and suggest that people take a look at it.
Although the presentation focuses on security in a general fashion, it also provides details on the infrastructure / architecture of the HEC.
What is interesting (but should be obvious when you think about it) is the distinctions between the physical servers for HANA boxes vs. the virtual machines for other types of servers.
HEC Security: The interesting bits
Much of the presentation contains proof points (network intrusion detection tools, regular internal and external audits, state-of-the-art Malware/Anti-Virus scanners, etc) that are present in many private cloud hosting solutions. There were several more interesting paragraphs that I’d like to surface:
Within a private cloud only logical separation between tiers is available. Stronger separation requirements (e.g. production private cloud, non-production private cloud) have to be discussed and agreed between SAP and the customer.
I didn’t understand why other network functionality (firewalls, etc) couldn’t be used to deal with this potential problem.
User Management for HEC is controlled using the SAP Cloud Access Manager (CAM). SAP CAM is integrated with the central SAP HR system which maintains the user record and information regarding employee will be automatically replicated to the SAP CAM.
I have never heard of CAM – I wonder if it is used in other SAP cloud solutions (HANA Cloud Platform, Cloud for Travel, etc).
Regional data centers
There were various paragraphs that reflect the global aspects of the HEC:
When customer data needs to be moved from one site to another, SAP uses data replication between data centers in a region (e.g. replication between data centers in Europe). The HANA Enterprise Cloud system itself will remain in its primary location in the region.
Customers can choose which region they want to use – data is stored regionally for EU- and US-Cloud.
SAP requires that outsourced providers / partners comply to the EU data protection laws and to the SAP Security Policy and SAP Security Standards. Safe Harbor is also implemented if applicable.
We provide customers with geographically resilient hosting options (Regional only. Cross region hosting is not possible due to legal and technical constraints.)
Requests for tenant data from governments or third parties will be reviewed by SAP Legal, SAP Data Protection Office, SAP HEC Management and SAP Security. Our response will also depend on the regulations and locations (EU, US) in scope and our customer agreement.
I’ve read many cloud-related legal documents from SAP but this presentation contains more references to such location-related matters – perhaps it is a reflection of the recent revelations about NSA spying in the USA.
As I read the presentation, I kept waiting for those spicy details that might bring out the particular characteristics of the involvement in HANA in the HEC. Yet, as I read the document, I came to the realization that the HEC is largely just another managed cloud and HANA is just a database in this environment. A few of policies are HANA-specific but many of the resulting policies will be present in the offerings of others (for example, AWS).
It would also be interesting to see similar documentation from other HEC partners. Then it would be possible to figure out what is specific for SAP and what is broader and applicable to all HEC offerings.
Note: Many of SAP’s SaaS applications also provide such security-related material (though not in the depth provided by this document) – for example, Ariba, Success Factors, Cloud for Financials, etc).