When SAP announced its strategic partnership with Google Cloud Platform, Diane Greene (Google Cloud Chief) said that they are working on how SAP can become “data custodian of customer data that’s stored in GCP.” This is an interesting comment, and leads me to make some predictions here.
Firstly, we would need to define what a data custodian is. ISACA simply says “The individual(s) and department(s) responsible for the storage and safeguarding of computerized data”.
However, this definition is much clearer here:
“Many data custodians are essentially database administrators. They focus on the “how” rather than the “why” of data storage. They may do things like structure or restructure a relational database system, work with middleware to serve a central data warehouse, or provide schemes or workflows that show how databases are structured. They are the IT people of the data governance team, the people that are asked questions about the implementation of a business plan to store data.”
The other important role is the Data Owner. For example, the typical enterprise customer that subscribes to SAP’s SaaS offerings (S/4 HANA Public Cloud, SuccessFactors, Concur, Ariba or Fieldglass) would be considered the Data Owner. They would have complete legal rights to the data. They would create, modify, delete or control access to it. The customer could also assign, share or give privileges to third parties as required.
Currently, GCP is just offering the HANA database on a BYOL basis. This does not include the SaaS offerings above. But with this strategic partnership, it is entirely possible that SAP may decide to run its whole SaaS offering there. Markus Riedinger from SAP has said in an OpenStack Day presentation that its private cloud operations are totally stretched and are having difficulty scaling with increasing demands.
From the perspective of hyper-scale public cloud providers like Amazon AWS, Microsoft Azure, and Google Cloud, SAP will not go head-to-head with them. Rather, it will be beneficial for it to partner with them. SAP and HANA software can run today on AWS and Azure on a BYOL basis, but this strategic partnership with Google seems more interesting.
In fact, during SAPPHIRE 2016, SAP announced it was embracing Cloud Foundry and mentioned that SAP Cloud Platform could be running on data centers other than SAP’s own. This is what SAP calls “multi-cloud enabled”. And correspondingly, GCP joined the Cloud Foundry Foundation in December 2016.
Let’s peel back the layers of a hypothetical cloud service model before we delve into the data custodian impacts with GCP (please share your views).
Google Cloud Platform will be the IaaS provider, taking care of everything from physical security at the datacentre to encryption at the storage level. In the middle (purple), there will be other Google Cloud Platform services like Big Data and Machine Learning, while API integration and IDM services can be with SAP Cloud Platform, providing secure identity authentication and single sign-on services.
Security at the operating system, database and middleware layers will likely reside with SAP. Assuming SAP can containerize their applications, the application binaries and libraries will likely be encapsulated within Kubernetes or Cloud Foundry containers. I am not sure where SAP and GCP will jointly go on this in the future.
What major considerations would enterprise customers need to think about, from the data perspective, when migrating to SAP’s SaaS cloud offerings on GCP?
- Legal and Regulatory: Failure to comply with requirements as specified could result in significant penalties from relevant authorities. The issue here is that there are two third-party providers instead of one: SAP for the software layer, SaaS (business logic, runtime libraries and databases), since it operates the SaaS service, while Google is responsible for infrastructure, IaaS (compute, storage, network and datacenter).
- Contractual: Likewise, the terms of agreement in the SaaS contract will need to spell out who is responsible for data privacy, security, separation, encryption and disposal at the different layers of service.
- Data Breach/Loss: Who would cover responsibilities and liabilities in the event that an information security incident occurs? This would definitely be a point of contention.
I am sure that SAP, being part of the Cloud Security Alliance, would be adhering to the cloud security standards, guidelines and frameworks.
My guess is as good as yours until SAPPHIRE 2017 (16-18 May 2017), where more details are expected to surface.