Exploring Cloud Computing (part 2) – Understanding Cloud Security
Until 2014, CIOs were asking “Why should we adopt Cloud computing?” Along with the maturity of Cloud over the past couple of years, understanding of its benefits has grown as well. CIOs are now more open to the idea of exploring Cloud technology. They are curious to find out how other companies are adopting Cloud as part of their IT strategy. They are now asking “What does Cloud mean for our organization and how can we formulate a Cloud strategy?”
Many organizations considering Cloud computing have questions around its security, availability and integration. According to KPMG’s 2014 Cloud Computing Survey, enterprises are now evaluating cloud-based applications and service providers on security first (82%), followed by data privacy (81%) and cost (78%). In the article “Five Cloud Computing Trends Affecting Cloud Strategy Through 2015” [1], Gartner says: “The cloud promises to deliver a range of benefits, including a shift from capital-intensive to operational cost models, lower overall cost, greater agility and reduced complexity. It can also be used to shift the focus of IT resources to higher-value-added activities for the business, or to support business innovation and, potentially, lower risks. However, these prospective benefits need to be examined carefully and mapped against a number of challenges, including security, lack of transparency, concerns about performance and availability, the potential for vendor lock-in, licensing constraints and integration needs. These issues create a complex environment in which to evaluate individual cloud offerings.” Enterprise architects can help organizations create a “decision framework” for cloud adoption. In this article, I will try to look at cloud security, the most important factor for cloud adoption, and explore the specific security features of SAP’s IaaS and PaaS cloud solutions.
SAP’s Hana Enterprise Cloud Security
Hana Enterprise Cloud (HEC) is SAP’s IaaS (Infrastructure as a Service) cloud solution, located in SAP datacenters. SAP’s datacenters are certified to internationally recognized standards such as ISO 9001 for Quality Management or ISO 27001 for Information Security. They are also in compliance with industry accepted best practices such as COBIT or the ISF Standard of Good Practice for Information Security to assure the best possible security and risk management approach. You can find details about HEC security certificates here. Security compliance and effectiveness of HEC datacenters are closely monitored and audited by ISO/SOC auditors.
HEC customers receive an isolated, logical grouping of several virtual machines and physical systems. All customer networks are completely isolated from each other. Customer landscapes can be connected to HEC using IPsec VPN and MPLS. IPsec stands for Internet Protocol Security, a protocol suite for securing Internet Protocol (IP) communications using authentication and encryption. An IPsec VPN uses tunnel mode, in which it wraps the original packet, encrypts it, adds a new IP header and sends it to the other side of the VPN. IPsec helps provide defense against 1) network-based attacks from untrusted computers, attacks that can result in the denial-of-service of applications, services, or the network, 2) data corruption, 3) data theft, 4) user-credential theft and 5) administrative control of servers, other computers, and the network. MPLS stands for Multiprotocol Label Switching. It is a scalable, protocol-independent transport mechanism where data packets are assigned labels and packet-forwarding decisions are made solely on the contents of this label. The MPLS protocol provides end-to-end high availability and consistent performance, and protection against denial-of-service attacks and unauthorized network access. SAP provides encryption facilities for customer data that traverses public networks, including Internet, dedicated VPN, and MPLS lines [3]. They also have the capability for unique encryption keys per customer or customer-managed encryption keys, along with documented encryption key management procedures [3].
SAP has enhanced HEC datacenters with attack detection and prevention capabilities for customers. This has been done by integrating multi-tier firewalls, IDS (intrusion detection system)/IPS (intrusion prevention system) appliances and Web Application Firewall (WAF) services [2]. IDS and IPS work together to provide a network security solution. An IDS works in promiscuous mode, capturing packets in real time and processing them. This way an IDS can respond to threats while working on copies of data traffic, detecting suspicious activity by using signatures. An IPS works inline in the data stream to provide protection from malicious attacks in real time. This is called inline mode. Unlike an IDS, an IPS does not allow packets it identifies as malicious to enter the trusted side of the network. An IPS monitors traffic to ensure that packet headers, states, and so on are those specified in the protocol suite. The IPS sensor also analyzes the payload of the packets for more sophisticated embedded attacks that might include malicious data. This deeper analysis lets the IPS identify, stop, and block attacks that would normally pass through a traditional firewall device.
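The difference between promiscuous (IDS) and inline (IPS) operation can be shown with a small model. This is an added example, not SAP code or any vendor's engine: the signature, the flow names, the traffic and the simplified two-step handshake check are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed signature: a byte pattern the sensor treats as suspicious.
SIGNATURES = {"SIG-1001 path traversal": b"../../"}

@dataclass(frozen=True)
class Packet:
    flow: str             # constructed flow label, e.g. "client-a->app:443"
    flags: str            # simplified TCP flag: "SYN", "ACK" or "PSH"
    payload: bytes = b""

def inspect(pkt, established):
    """Return findings for one packet and update per-flow state tracking."""
    findings = []
    if pkt.flags == "SYN":
        established[pkt.flow] = False           # handshake started
    elif pkt.flags == "ACK" and pkt.flow in established:
        established[pkt.flow] = True            # handshake completed
    elif not established.get(pkt.flow, False):
        findings.append("protocol: data outside an established flow")
    findings += [name for name, pat in SIGNATURES.items() if pat in pkt.payload]
    return findings

def run_sensor(packets, inline):
    """inline=False models an IDS on a traffic copy; inline=True models an IPS."""
    established, alerts, delivered = {}, [], []
    for pkt in packets:
        findings = inspect(pkt, established)
        if findings:
            alerts.append((pkt.flow, pkt.flags, findings))
        if findings and inline:
            continue              # IPS: flagged packet never reaches the trusted side
        delivered.append(pkt)     # clean packet, or any packet when only an IDS watches
    return delivered, alerts

# Constructed sample traffic: a clean flow, a flagged payload, and stray data.
A, B, C = "client-a->app:443", "client-b->app:443", "client-c->app:443"
TRAFFIC = [
    Packet(A, "SYN"), Packet(A, "ACK"), Packet(A, "PSH", b"GET /index.html"),
    Packet(B, "SYN"), Packet(B, "ACK"), Packet(B, "PSH", b"GET /f?n=../../x"),
    Packet(C, "PSH", b"GET /status"),   # no handshake was seen for this flow
]
```

Both modes raise the same two alerts on this traffic; only the inline run keeps the two flagged packets from being delivered.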
All detective and preventive services and devices that are part of HEC datacenters are connected to a 24×7 security monitoring center where SAP personnel can perform analysis, plan mitigating activities and take the respective actions. IT security knows that there is no “perfect security”; it is more of a constant race to stay ahead of trouble. Keeping this fact in mind, SAP constantly strives to improve the security of HEC and its customers. Following this line, SAP has taken up the following activities to improve the security around HEC [2]:
- Implement ongoing automated regular penetration tests externally over the Internet
- Perform internal vulnerability scanning of systems
- Organize black-box / white-box security challenges and technical security validations where third party security experts try to deliberately circumvent our security controls and measures.
Last but not least, SAP datacenters are supported by a backup power grid that can take charge of the power supply in case of main power grid failure. As an added precaution, datacenters have diesel generators that can provide enough electricity for datacenter operations. To make sure a natural calamity cannot disrupt a customer’s system operation, datacenters are spread out in multiple locations across the USA and Europe.
Hana Cloud Platform Security
The hybrid cloud deployment option is the most popular in today’s IT world. The ZDNet article [9] titled “The Age of the Hybrid Cloud is Upon Us” states “A report from managed services provider Avanade said that 73 percent of large enterprises agree that adopting a hybrid cloud solution will give them an edge over competitors, with 75 percent agreeing that a hybrid cloud strategy should be one of their main priorities next year.” Hana Cloud Platform (HCP) is SAP’s PaaS (Platform as a Service) cloud solution. Customers can use HCP to run SAP’s cloud applications, and to develop and run extensions for SAP cloud applications or custom developed cloud applications. Before customers decide to use HCP to run and extend their business processes, they may want to know how secure this platform is, specifically its integration capability with on-premise systems. HCP runs in SAP-hosted data centers. So, the network and physical security provided by SAP datacenters, as described in the above paragraphs, are also applicable to HCP. In the following paragraphs I will try to shed light on the security aspects of integration between HCP and on-premise systems.
HCP consists of four services: AppServices, DBServices, Infrastructure Services and Connectivity Services. As a part of the connectivity services, SAP offers a product called “Cloud Connector” that enables integration between HCP and on-premise systems. The cloud connector can be installed inside the customer’s DMZ or its internal network. The best practice is to restrict access to the operating system where the cloud connector is installed to only the set of users who will administer the cloud connector. The communication from HCP to on-premise systems happens over an SSL tunnel that uses TLS (Transport Layer Security), encryption of the communication, and mutual authentication of both sides (cloud connector and HCP) using X.509 certificates. The protocol used for communication from the cloud (HCP) to the cloud connector can be either HTTPS with a system certificate or RFC over SNC.
The tunnel between the cloud and the cloud connector can be established only by the administrator of the cloud connector using a valid cloud account. The administrator can configure when this tunnel will stay open or closed. Having an established tunnel does not expose on-premise systems and resources to the connected cloud account. The administrator needs to configure explicit access for each system and resource that will be accessed by the connected cloud account. In the scenario where you have multiple applications running in HCP, you can configure access for only specific cloud applications. The customer can have multiple cloud accounts in HCP, which are always isolated from each other. One cloud connector can be used to connect to multiple cloud accounts. However, each cloud account needs to have its own tunnel to communicate with on-premise systems. A tunnel cannot be shared across cloud accounts. The audit log feature in the cloud connector gives a list of all records exchanged between the cloud connector and the cloud and can be used as a part of a risk management strategy. An alert mechanism can be set up to alert the administrator in case of fraudulent or malicious network activity. The cloud connector can also be used to support communication from on-premise systems to HCP. This is done using a database channel to connect local database tools via JDBC or ODBC to the SAP HANA DB or other databases on HCP.
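The access rules in the paragraph above amount to a default-deny decision with an audit trail. The following model is an added example, not SAP's Cloud Connector code or configuration format: the class names, account names, host name and paths are hypothetical, and matching paths on a "/" boundary is an assumption of this sketch.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Exposure:
    system: str                     # on-premise host:port (constructed name)
    path: str                       # resource path exposed on that system
    apps: frozenset = frozenset()   # empty set = any application in the account

def path_matches(exposed: str, requested: str) -> bool:
    """Match the exposed path or its sub-paths, only on a '/' boundary."""
    base = exposed.rstrip("/")
    return requested == base or requested.startswith(base + "/")

@dataclass
class Connector:
    tunnels: dict = field(default_factory=dict)    # account -> tunnel open?
    exposures: dict = field(default_factory=dict)  # account -> [Exposure]
    audit: list = field(default_factory=list)      # one record per decision
    def set_tunnel(self, account: str, is_open: bool) -> None:
        self.tunnels[account] = is_open            # one tunnel per account, never shared
    def expose(self, account, system, path, apps=()):
        self.exposures.setdefault(account, []).append(Exposure(system, path, frozenset(apps)))
    def authorize(self, account, app, system, path) -> bool:
        """Default deny: tunnel, system, path and application must all match."""
        if not self.tunnels.get(account, False):
            verdict = "deny: tunnel closed"
        else:
            verdict = "deny: resource not exposed"
            for e in self.exposures.get(account, []):
                if e.system == system and path_matches(e.path, path):
                    if not e.apps or app in e.apps:
                        verdict = "allow"
                        break
                    verdict = "deny: application not permitted"
        self.audit.append((account, app, system, path, verdict))
        return verdict == "allow"

def demo() -> Connector:
    """Constructed scenario: two accounts, one exposed resource, one allowed app."""
    cc = Connector()
    cc.set_tunnel("acct-prod", True)
    cc.set_tunnel("acct-dev", True)
    erp = "erp.internal:443"
    cc.expose("acct-prod", erp, "/api/orders", apps={"orders-ui"})
    cc.authorize("acct-prod", "orders-ui", erp, "/api/orders/42")      # exposed resource
    cc.authorize("acct-prod", "reports", erp, "/api/orders/42")        # other application
    cc.authorize("acct-prod", "orders-ui", erp, "/api/orders-export")  # not a sub-path
    cc.authorize("acct-dev", "orders-ui", erp, "/api/orders/42")       # other account
    return cc
```

Only the first request in `demo()` is allowed; the other three are denied and every decision, allowed or not, lands in `audit`, which is the record an alerting rule would watch.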
I hope this blog helps you understand the importance of cloud security and the security features offered by SAP’s Cloud solutions. I hope that an enterprise architect or a CIO can utilize the information laid out in this blog to talk to the Line of Business owners, help remove their doubts or concerns about cloud security and create a positive atmosphere for Cloud adoption.