Dear Reader, let me introduce myself – I am Peter – one of the "techies" in the Hana Enterprise Cloud (HEC) security team. We are a rather large international team of security experts working together to ensure that our customers' data, systems, business processes and compliance are safe and secure at all times with Hana Enterprise Cloud.
Apart from the techies like myself, who mostly dig deep into the security features of products, organize and perform penetration tests, advise on architectural and design decisions, etc., there are the colleagues dedicating their time to security monitoring and logging, technical compliance to our product standards, and reporting. Now imagine the tremendous work behind simple words like reporting … or logging. Of course, not to forget, there are the "process" guys – these would be the guys who make sure that our IT processes are designed to and live up to the highest industry standards expected by our SOC/ISO auditors as well as by our customers. Last but not least – our management – the guys who coordinate, support and plan the security future of HEC.
So where does HEC security start and where does it end?
I would say HEC security starts at the fence of our data centers and ends somewhere at the "green" security report provided to our customers containing no issues. In other words, HEC security does not start with our team and does not end with us either – security turns out to be very much about coordination and collaborative work together with dozens of other departments and colleagues.
Starting at the fence – our HEC data centers meet the highest security standards and certification requirements. Take for example the main European HEC data center in St. Leon-Rot (http://www.sapdatacenter.com/). My last visit there was a really exciting experience (even we – the guys from security – do not get to go in there that often). Apart from the data center certifications and impressive scale, I found the facts that the DC can withstand a small plane crash, or that the diesel generators can provide enough electricity for the DC operations while the excess electricity can power the neighboring small towns and communities, rather amusing.
The HEC offering is designed, architected and implemented with security in mind. The service is implemented as a private cloud solution, which means the customer's HEC systems are attached to and seamlessly integrated with their existing infrastructure over MPLS, VPN, etc.
From the SAP HEC standpoint we provide dedicated cloud-based environments (represented as customer clouds below) where we take care of deploying, operating, managing, monitoring and all the other tedious, expensive activities, while the customer can consume the benefits of our software and the Hana platform.
We have isolated customers from each other on different levels – starting at the virtualization infrastructure level and going up to the communication protocol level. We have even isolated ourselves from HEC, allowing only the respective personnel to have access to the HEC environment.
Secure HEC IT operations on the SAP side are supported by streamlined processes which are closely monitored for compliance and effectiveness by our ISO/SOC auditors. Processes such as asset management, change management/patch management, incident management, anti-virus software management, backup and restore, identity and access/authorization management, security vulnerability management and network management are all processes which customers can leave in our hands, so that they can simply enjoy the benefits of our products.
But what about the provisioned systems themselves? Is the Hana database also securely deployed?
I am one of the "techies", so that would be one of my specialties here 😉 … Customer systems deployed in HEC are additionally hardened by default according to our internal security hardening procedures, which define, and go deep into, the individual security-related configuration parameters of the products supported in HEC – this includes not only the Hana database itself, the SAP ERP or any other SAP product where we naturally have excellent proficiency and expertise, but also all other software components sitting on the customer's systems, such as operating systems, third-party application servers and so on.
All that, I think, sounds like a reasonable amount of work done purely for the sake of our customers' security, but is it enough? Well, one could say it is, but we decided to enhance the attack detection and prevention capabilities for our customers. Therefore we have deployed and integrated:
- multiple-tier firewalls
- IDS/IPS appliances
- Web Application Firewall (WAF) services for the customer applications, which can be applied out-of-the-box or trimmed down to the specific needs of the customer's application/service.
Detective and preventive controls and appliances are nice, and often smart enough to respond reasonably to attacks by themselves, but in case of a serious attack, actions should be taken by people, and these actions should be taken quickly – therefore all these detective/preventive services and devices are hooked up to a 24×7 security monitoring center where SAP personnel can perform analysis, plan mitigating activities and take the respective actions.
This all sounds like a nicely engineered secure environment. But is it perfectly secure? No! Anyone working long enough in the field of IT security knows that there is no perfect security – it is more of a constant race to stay ahead of trouble. With that statement in mind, we are constantly striving to improve the security of HEC and, respectively, of our customers. Therefore, we have taken actions and organized different activities and projects which help us improve ourselves:
- We have implemented ongoing, automated, regular penetration tests performed externally over the Internet
- We perform internal vulnerability scanning of systems
- We organize black-box / white-box security challenges and technical security validations where third-party security experts deliberately try to circumvent our security controls and measures.
All these sources provide us with valuable information that helps us continuously improve the Hana Enterprise Cloud security and the security of our customers!
I hope you enjoyed the post – if you are interested in more about HEC Security, please also see HEC IT Security & Compliance or contact us!