SAP Data Custodian in a Multi-Cloud Environment
*** Article Update ***
Author's Note (Nov 2018): Apparently Data Custodian is actually a Data Leak Prevention and Data Transparency product that allows users of this SaaS product to monitor and manage access to cloud solutions. It is very similar to a Cloud Access Security Broker (CASB), but according to SAP it is far more powerful, with more features.
“Today, I’m excited to announce that SAP Data Custodian, a SaaS offering from SAP, will soon become available on Azure. SAP Data Custodian combines Azure’s built-in compliance controls and the deep expertise of SAP to provide customers end-to-end visibility of their SAP data on Azure and an easy to use set of data governance controls. This will help customers to fulfill their responsibility for data governance, segregation of oversight duties, and achieve independent verification.”
Update on SAPPHIRE 2017: Link below:
“Google and SAP have collaborated on an innovative approach to address enterprise concerns around data protection and privacy while continuing to offer enterprises the flexibility and power of Google’s cloud platform. In the Google booth, at SAPPHIRE NOW, we have demos showcasing our vision around how enterprises can leverage SAP’s expertise and partnership with Google to gain significantly greater visibility into how their data is managed, accessed and protected on GCP”
*** Original Article (March 2017) ***
When SAP announced its strategic partnership with Google Cloud Platform, Diane Greene (Google Cloud Chief) said that they are working on how SAP can become “data custodian of customer data that’s stored in GCP.” This is an interesting comment, and it leads me to make some predictions here.
First, we need to define what a data custodian is. ISACA simply says “The individual(s) and department(s) responsible for the storage and safeguarding of computerized data”.
However, the definition is much clearer here:
“Many data custodians are essentially database administrators. They focus on the “how” rather than the “why” of data storage. They may do things like structure or restructure a relational database system, work with middleware to serve a central data warehouse, or provide schemes or workflows that show how databases are structured. They are the IT people of the data government governance team, the people that are asked questions about the implementation of a business plan to store data..”
The other important role is the Data Owner. For example, the typical enterprise customer that subscribes to one of SAP’s SaaS offerings (S/4HANA Public Cloud, SuccessFactors, Concur, Ariba or Fieldglass) would be considered the Data Owner. They would have complete legal rights to the data. They would create, modify, delete or control access to it. The customer could also assign, share or give privileges to third parties as required.
Currently, GCP is only offering the HANA database on a BYOL basis. This does not include the SaaS offerings above. But with this strategic partnership, it is entirely possible that SAP may decide to run its whole SaaS offering there. Markus Riedinger from SAP has said in an OpenStack Day presentation that its private cloud operations are totally stretched and are having difficulty scaling with increasing demand.
From the perspective of hyper-scale public cloud providers like Amazon AWS, Microsoft Azure, and Google Cloud, SAP will not go head-to-head with them. Rather, it will be beneficial for it to partner with them. SAP and HANA software can run today on AWS and Azure on a BYOL basis, but this strategic partnership with Google seems more interesting.
In fact, during SAPPHIRE 2016, SAP announced it was embracing Cloud Foundry and mentioned that SAP Cloud Platform could run in data centers other than SAP’s own. This is what SAP calls “multi-cloud enabled”. Correspondingly, GCP joined the Cloud Foundry Foundation in December 2016.
Let’s peel back the layers of a hypothetical cloud service model before we delve into the data custodian impacts with GCP (please share your views as feedback).
Google Cloud Platform will be the IaaS provider, taking care of everything from physical security at the datacentre to encryption at the storage level. In the middle (purple), there will be other Google Cloud Platform services like Big Data and Machine Learning, while API integration and IDM services can sit with SAP Cloud Platform, providing secure identity authentication and single sign-on services.
Security at the operating system, database and middleware layers will likely reside with SAP. Assuming SAP can containerize its applications, the application binaries and libraries will likely be encapsulated within Kubernetes or Cloud Foundry containers. I am not sure where SAP and GCP will jointly go on this in the future.
What major considerations will enterprise customers need to think about, from the data perspective, when migrating to SAP’s SaaS cloud offerings on GCP?
- Legal and Regulatory: Failure to comply with the specified requirements could result in significant penalties from the relevant authorities. The issue here is that there are two third-party providers instead of one. SAP is responsible for the software layer, SaaS (business logic, runtime libraries and databases), since it operates the SaaS service, while Google is responsible for the infrastructure, IaaS (compute, storage, network and datacenter).
- Contractual: Likewise, the terms of agreement in the SaaS contract will need to spell out who is responsible for data privacy, security, separation, encryption and disposal at the different layers of service.
- Data Breach/Loss: Who would cover responsibilities and liabilities in the event of an information security incident? This would definitely be a point of contention.
I am sure that SAP being part of the Cloud Security Alliance would be adhering to the cloud security standards, guidelines and frameworks.
My guess is as good as yours until SAPPHIRE 2017 (16-18 May 2017), where more details are expected to surface.
Other Relevant Articles on SAP Technical Community
This post was originally posted on LinkedIn
I blog this article to share information that is intended as a general resource and personal insights. Errors or omissions are not intentional. Products and services mentioned in this article are not endorsements. Opinions are my own and not the views of my employers (past, present or future) or any organization that I may be affiliated with. Your comments to my posts are your views. Content from third party websites, SAP and other sources reproduced in accordance with Fair Use criticism, comment, news reporting, teaching, scholarship, and research.