The SAP Controlled Cloud
When I talk to customers, especially those who are evaluating SAP cloud solutions, I frequently discuss the various types of cloud solutions available. But not just the typical public versus private cloud discussion, the conversation is more along the lines of what the customer controls and what SAP controls.
Now, there are many cloud offerings that have subtle differences between the solutions, and SAP cloud solutions are located in numerous data centers, not just one. A solution may be hosted among the various data centers and not every data center hosts all solutions. The first thing one has to understand is that there are, indeed, a number of different “flavors” to what I call, the SAP Cloud, by the way, that generalizes all SAP cloud-based solutions as if they were a single, homogenous product.
The SAP Cloud is not, however, a single product. Instead, it is somewhat a consortium of many solutions hosted over various hosting models in numerous data centers, with subtle differences in hosting practices. Those differences are mostly due to the nature of the applications, the solutions’ data classifications, and whether it is single or multi-tenant.
For kicks, I created a spreadsheet by application of the various hosting parameters. The spreadsheet contained 67 lines across 17 solutions. That’s 1,139 different hosting elements, quite a bit to process during a solution evaluation. While the differences in hosting practices vary by solution, the hosting practices across most SAP Cloud solutions are now fully harmonized at the core.
While one could easily argue this is too complicated and ask why can’t you just use one hosting model, I could argue back that each solution is different, has considerable cost implications, and that the data classification for say, an HR application is quite different from a collaboration tool or procurement solution and therefore justifies the differences. As a security professional, overall I think SAP has done a great job of making each application’s hosting model efficient, effective, and relevant for data classification, despite the added complexity. SAP’s auditors, KPMG, by way of SOC report attestation tend to concur with my assessment.
SAP has some 168 organizations identified as having unique security elements. There are about 800 controls with 1200 variations. These are the major categories of SAP solutions as identified on SAP.com:
Then, within each major solution category listed above, there are several unique modules within each major brand. A module would be defined as a specific application solution.
SuccessFactors, for example, includes modules such as Employee Central, its core HR (Human Resources) solution. Then there is also Learning Management, Performance Management, Compensation Management, Succession Management, Recruiting, Onboarding, Workforce Planning, Workforce Analytics, and employee engagement tools such as Jam and Social Media. There is also SAP Payroll, which is not part of SuccessFactors but is frequently offered as a sidecar to SuccessFactors. All of the modules together constitute a suite of products, such as the SuccessFactors HCM (Human Capital Management) Suite. So even within the context of an HR/HCM solution, each application has a unique purpose, and data classifications drive the hosting model and associated hosting elements as well.
But some applications such as S4/HANA running in ECS (Enterprise Cloud Services) are branded by their hosting model, and ECS is actually a hosting model and not a product itself. ECS is in fact, SAP’s Managed Services cloud offering, and typically is used to host S4/HANA as a single-tenant hosting model. Yet, other solutions that may have been offered as an on-premise offering can be hosted in ECS, making ECS the hosting model it is.
Cloud Provider versus Managed Service
There is a subtle distinction between the two terms to which many are confused. I’ll offer some history and some clarifications. The main difference between the two is the degree of control that the customer has.
First, a Cloud Provider – which is an industry term – is an entity that provides the cloud service as fully defined and functional. In services offered by a Cloud Provider, the provider dictates both the technology and the hosting procedures. Contrast that to a Managed Services offering, where the customer dictates the technology and operating procedures. Therein lies the distinction.
Note that while a Managed Services provider is also a Cloud Services provider, a cloud services provider is not necessarily a managed services provider.
Cloud Offerings, a Comparison
SAP offers both Cloud Services and has a Managed Services offering in ECS, but not all cloud offerings are managed services. Most of the offerings have different forms, and they vary by solution. With the exception of S4/HANA, SAP Cloud solutions are offered either in a full SaaS (software-as-a-service) model or as a Managed Service; but not both. S4/HANA is offered in both models, commonly referred to S4/HANA Public Cloud (noting that it is not a public cloud like LinkedIn, Facebook or Instagram).
By definition, SAP is a Cloud Provider, offering a number of solutions hosted as SaaS offerings in the cloud. Most of the solutions offered in this hosting model have full-suite applications and fully defined services, where SAP provides the infrastructure, hosting, and the application itself, making the solutions a comprehensive cloud offering to which customers can simply subscribe.
SAP also offers a Managed Services offering called Enterprise Cloud Services, or ECS for short. ECS is actually a hosting model, and not a solution, although SAP associates often use the two terms interchangeably. SAP employees also use the terms “public cloud” or “private cloud,” which is not necessarily accurate.
The terms “Cloud Provider” and “Managed Services” are frequently confused. Even more so, they really refer to two different things and there are numerous characteristics unique to both.
With cloud computing offerings, customers subscribe to the service but do not purchase hardware or software — including the source code of the application. Hardware and service infrastructure are provided by SAP. The application is running within the service, and only the running application is offered, in a subscription-based model. The source code is not included in the subscription.
Further, source code, if not provided, cannot be modified. In most cases, a single instance of an application executable exists. This also means that all customers are on the same release, and releases are made periodically to update and upgrade the application. When an update or upgrade is applied, all customers in the offering are updated/upgraded at the same time.
Managed Services Providers (MSP) – such as Amazon (AWS), Microsoft Azure, or Google Cloud (all SAP partners too, by the way) – provide the infrastructure and other technology, some with applications. But with an MSP providing cloud services directly to the customer (and not as any SAP SaaS solution) will dictate the technology and the hosting procedures, often choosing a la carte capabilities.
ECS as a managed service offering has options too – like backup, failover, update and upgrade policies and much more – that allow the customers to control or manage the application.
SAP as a Solution Provider
Unlike other cloud providers such as Amazon, Microsoft, and Google, SAP tends to accentuate the subscriptions to the application and not the hosting itself. This is no surprise here, as SAP is well-known and branded as a global leader in enterprise resource planning software. While Amazon, Microsoft, and Google may offer applications along with application hosting, SAP’s hosting underscores the applications they develop, while the others tend to stress their cloud services.
Given the popularity of these three cloud providers, customers frequently compare – and confuse – their hosting models with SAP’s cloud offerings.
Customer Confusion in Hosting Models
Of course, cloud computing is both old and new. It’s old because it’s been around since the 1960s, but wasn’t prevalent until the mid-2000s. Because it is new, it is frequently misunderstood. My role at SAP as a Cloud Architect is to provide education – and clarification.
Customers frequently come to the table with preconceived notions and don’t understand which SAP solutions are managed services and which are SaaS models. The big confusion comes when they express their requirements on SaaS offerings as if they were managed services.
This happens a lot.
Cloud SaaS Services are Fully Defined
A SaaS offering by a cloud provider is already fully defined, top to bottom in both the technology stack and the hosting practices. Frankly, while there may be some options available, customization is constrained and very limited. Changes that are simple, such as controlling hosting locations, or specifying clarifications to already existing services are permissible.
For example, if a customer requires hosting to remain in the U.S., or in another region, that is something we can accommodate. But changing something like backup frequency or recovery SLA’s are not easy. SAP has an enormous customer base in the cloud that is growing monthly. Changing the service for one would actually mean changing the service for all customers, and the other customers may not like that.
Customers can’t negotiate an SLA that is specific to them, because SAP Cloud Operations cannot execute on a customer-by-customer basis. And, we have no method to track customer-specific requirements. During a disaster, for example, we’d have to review all customer contracts for a single data center to see who goes first based on a guaranteed, customer-specific SLA. That’s not feasible. So SAP has a single policy and a single SLA that is applied to all customers.
It’s important to understand that the customer is subscribing to an existing service; they are not creating or defining the service. This is true for all SaaS solutions.
Here’s an example.
For fun, imagine if I tried to do this with an airline when buying a plane ticket – which is a fully defined service.
Suppose I called an airline and said “I need a ride to Philadelphia from Phoenix next Tuesday. Have the plane pick me up at 10:30 am and I need to get there slightly after noon. Yes, you’ll have to fly fast and burn extra fuel, but that’s what I require. I want a large, first-class aisle seat in coach, but I only want to pay for a coach ticket. I want Lingui in a light Pomodoro sauce with chicken and fresh vegetables for dinner, served with a nice, imported, world-class Italian Chianti, and brownies with ice cream for dessert. When the plane lands, I want to be the first person allowed to get off, because I’m a Gold Level frequent flyer. Oh, and make sure you valet my bag so that when I deplane, it’s available for me at the door. I hate going to the bag claim area.”
I’m sure I’d get a good laugh from the airline. Likely, the customer service folks would just hang up on me.
Customization of a Cloud SaaS Service
Customers frequently confuse our position as if we had some power in a SaaS offering to customize services for each of our customers. We don’t; it is not the architectural design of the service.
And so, customers often compare and confuse SAP to its partners and other cloud providers who provide managed services, and to offerings that are not SaaS solutions. I typically hear things like, “other cloud competitors agree to the change, why can’t you?” That’s an apples-to-oranges comparison. The managed services providers are only providing infrastructure in a virtualized technology stack (which, by the way, is more expensive). Customers provide the application, and the database, and in some cases, even may choose the operating system.
As much as cloud computing has been around, it’s still misunderstood. There are bunches of service offerings, but it’s important to understand the difference between a fully defined, SaaS solution offered by a cloud service provider and a managed services offering, which only provides infrastructure hosting and has more flexibility.
SAP has many offerings, and will help customers completely understand the differences in the offerings, hosting practices, and of course, security and data privacy concerns.
For me, helping customers understand our offerings is my full-time role at SAP.
Mark Ciminello is Vice President, Chief Architect with SAP Global Security (SGS), having expertise in cloud, information security, and data privacy. He holds numerous certifications including CISSP (security), CCSP (cloud security) and PMP (project management), has an MBA in Management, a BA in General Studies with an emphasis in accounting, and has some 30+ years of business experience. Recently, he has attended advanced courses at Harvard University.
The information in this article is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. Except for your obligation to protect confidential information, this article is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to include any functionality or pursue any course of business outlined in this presentation or any related document, or to develop or release any functionality mentioned therein.
This article or any related document and SAP’s strategy and possible future developments, products, and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this article is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. This article is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This article is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this article.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on any statements and they should not be relied upon in making purchasing decisions.
Very well written. Great job Mark!