Security/Network Design to enable Connectivity from Cloud to SAP
Author: Jaspreet is a Senior Consultant with expertise in Service Delivery, Resource Management, Account Management, Project Delivery, Value Creation, Business Development and devising Strategic Road-Maps. Jaspreet has a range of cross-industry IT experience with specialization in System Integration, SaaS, Cloud, Cyber Security and Data Science. He is seasoned in designing, developing, documenting, coding, modifying, testing and implementing business technology solutions.
Many customers are nowadays onboarding their business processes onto cloud applications such as Concur, AWS, Salesforce, SuccessFactors, Ariba etc. There is no doubt that cloud applications provide customers with standardized business processes, a pleasant user experience (UX), omni-channel capabilities and, of course, a reduced cost of ownership over a prolonged period of time.
As I perceive it, leveraging full-blown cloud application capabilities is more of a journey than a destination. Businesses do see value in investing in cloud applications; however, the key enabler of a business process running on a cloud application is mostly “Data”. The data we are talking about here is of great value to businesses: they have collected, tabulated, mined and secured it since long before the term became a buzzword for the next revolution in technology, “Data Science”, or business analytics and decisions driven by data. It is easy to guess by now that for some industry verticals “Data” is the key, and they must enable seamless, secure data exchange between their existing on-premise/data-center-hosted applications and the newly scoped cloud applications.
This opens up an interesting and imperative subject of discussion: “System Integration”. With customers taking on this journey to leverage cloud application capabilities, the very first step of the planned migration is usually achieving “hybrid business processes”, where the end-user-facing applications are scoped to cloud contenders but the secured applications that hold the data remain in their as-is setup, hosted on premise or in the data center.
Businesses therefore need to integrate on-premise applications with cloud applications. With that inevitable requirement in place, the next phase is to iron out the deliverable. In my experience, Security/Network teams are often not confident about exposing their most secured back-end systems of record directly over the internet. The general direction from most cloud providers is to white-list the cloud application domain’s IP address range at the firewall/network level. Though this seems logical, many customers’ security offices are reluctant to go with this design approach, for several reasons:
- The cloud application domain’s IP addresses are too many to ignore; the address pool sometimes runs to hundreds of thousands of IP addresses.
- IT security departments do not encourage exposing application servers to the internet or via DMZs. Directly opening the front door of the house doesn’t seem to be the right idea, especially when the number of visitors is so high (jokes aside), and building a separate door (a firewall IP white-listing rule) for each separate visitor (cloud application) does not make sense from a governance perspective.
- Customers ask “what if” the cloud service provider’s network is compromised. They look for security policies and disaster recovery or risk mitigation practices in place at the cloud provider’s infrastructure end. Cloud providers can earn customers’ confidence by securing compliance certifications such as FedRAMP, ISO 27001, DIACAP etc.
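The first objection, the size and churn of a provider's address pool, can be made concrete. The Python below is an added example, not part of the original post: it builds a firewall allow-list from a constructed provider range feed, collapses overlapping and adjacent prefixes into the minimal rule set, counts the addresses admitted, checks a source IP against it, and diffs two feed snapshots to show the change requests needed to keep the rules current. The feed format, service names and CIDRs are assumptions.

```python
"""Evaluate a firewall allow-list built from a cloud provider's published
IP ranges. The ranges below are CONSTRUCTED sample data in the shape many
providers publish (service name + CIDR), not any real provider's list."""
import ipaddress

# Constructed sample: what a provider's "published IP ranges" feed might look like.
SAMPLE_RANGES = [
    {"service": "APP_FRONTEND", "prefix": "198.51.100.0/24"},
    {"service": "APP_FRONTEND", "prefix": "198.51.100.128/25"},  # overlaps the /24 above
    {"service": "INTEGRATION",  "prefix": "203.0.113.0/26"},
    {"service": "INTEGRATION",  "prefix": "203.0.113.64/26"},    # adjacent: merges into a /25
    {"service": "OTHER",        "prefix": "192.0.2.0/24"},       # not needed for integration
]

def build_allow_list(ranges, services):
    """Return the collapsed list of networks for the requested services.
    Collapsing removes overlaps and merges adjacent prefixes, giving the
    minimal rule set a firewall would need for these services."""
    nets = [ipaddress.ip_network(r["prefix"], strict=False)
            for r in ranges if r["service"] in services]
    return list(ipaddress.collapse_addresses(nets))

def address_count(networks):
    """Number of distinct source addresses the allow-list admits."""
    return sum(n.num_addresses for n in networks)

def is_allowed(src_ip, networks):
    """Firewall-style check: does the source IP fall inside any allowed network?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in networks)

def allow_list_drift(old_ranges, new_ranges, services):
    """Prefixes added and removed between two feed snapshots, i.e. the
    firewall change requests needed to keep the rule set current."""
    old = set(build_allow_list(old_ranges, services))
    new = set(build_allow_list(new_ranges, services))
    return sorted(map(str, new - old)), sorted(map(str, old - new))

if __name__ == "__main__":
    allow = build_allow_list(SAMPLE_RANGES, {"APP_FRONTEND", "INTEGRATION"})
    print("rules:", [str(n) for n in allow])
    print("addresses admitted:", address_count(allow))
    for ip in ("198.51.100.200", "203.0.113.100", "192.0.2.5"):
        print(ip, "allowed" if is_allowed(ip, allow) else "denied")
```

Even this small feed collapses to two rules admitting 384 addresses; a real provider feed with thousands of prefixes, refreshed regularly, is what makes the governance burden the security office objects to.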
Some customers go ahead with straightforward IP white-listing as the quickest and most logical way of addressing the integration requirements; however, a few resist.
For those few customers that resist and want to go ahead with their reasoning, below is a diagrammatic synopsis of one of the many possible designs for handling the Security/Network piece of “Systems Integration”.