Achieve Public Cloud Transparency and Control via SAP Data Custodian

Legal Disclaimer

SAP does not provide legal advice. The following information is only about technical features which might help a customer to become compliant with data protection regulations.

Following blog illustrates SAP Intelligent Delivery Group (IDG) proactive measures to protect our customers from huge fines imposed by new global data privacy and protection regulations.

“By 2021, organizations that bypass privacy requirements and are caught lacking in privacy protection will pay 100 % more in compliance costs.”  Gartner, Top 10 Technology Trends for 2019

To protect digital data, three types of laws are introduced into various Legislatures:

1. Data Sovereignty

Binary digital data is subject to the laws of the country where stored.

2. Data residency (or data localization)

Data about a country’s citizen must be collected, processed, and stored within that country and is subject to its laws before it is allowed to be transferred out.

3. Data privacy & protection

Laws protect personal, commercial, and governmental data from unauthorized access, alteration or corruption, destruction or use. Only if authorized by law or consent can a person’s information be disclosed.

As a result of evolving data protection laws and new security perspectives, challenges on Multi-cloud Era deployments are growing:

• Cybersecurity and data protection is a top priority with increasing threats and regulatory scrutiny
• Privacy/identity management and information security
• Organization’s culture may not encourage timely or early identification and escalation of risk issues
• Data Is Everywhere – Hyperscaler Deployments on The Rise
• Your Data Your Responsibility – Shared Responsibility Model
• New Governance Standards Regulations Are Driving Data Protection

SAP Data Custodian is a Multi-Cloud SaaS application designed to achieve the following business objectives:

• Cloud data insight and protection – Full stack (Infrastructure, HANA, S/4HANA) transparency
• Data governance, compliance and audit reporting
• Rapid identification and notification of data protection breaches
• Public Cloud Transparency and Control
• Create and enforce public-cloud data access, location, movement, and processing policies
• Monitor and report on data access, storage, movement, processing, and location in the public cloud
• Configure public-cloud data location, movement, processing, and access policies
• Enforce geolocation controls for data access, storage, processing, and movement
• Prevent unlawful transfer of business data
• Global Multi-Cloud Key Management as a Service
• Data Loss Prevention (DLP) to find & classify sensitive data                          

Data Custodian is built as a SaaS application based on a Kubernetes cluster with HANA as its data backend.

Achieving Transparency

Transparency is divided into two categories: Cloud Resource Transparency and Application Transparency. Whilst the former one deals with identification and illustrationof access of all available/used cloud resources in a system, the latter one shows application deployments and their access, e.g., SAP HANA or S4HANA systems.

Cloud Resource Transparency is accomplished firstly by identifying all resources that are in use for the system. This is done by querying the respective Hyperscaler Resource API and look up all involved/deployed resources, such as disks, storage groups, VMs and so on. This task is performed by the “Inventory Management” component of DC. It collects all required resource information from the Hyperscaler and enables a visual world map view of these resources in the DC UI.

Achieving Control:

Control is based on a Policy Management Point (PMP) and Policy Enforcement Point (PEP). A PMP is the software in which a customer defines a control policy to restrict or grant access to a resource or application. The PEP is the software (module) which acts on a policy decision based on a given set of policies and access information of this resource/application. In case of Cloud Resource Control, DC acts as the PMP. Once a customer has defined a set of policies for his resources, these policies are transformed into Hyperscaler-native policy definitions and are then put into action. The Hyperscaler, however, acts as the PEP to enforce the given policies. In case of Application Control, a DC plugin needs to be integrated into the application to be controlled. This DC plugin then acts as the PEP to enforce all defined policies and the decisions taken on it.

Control policies are not only restricted to access towards certain resources applications, but also handle the (geographic) placement of resources and their movement across zones.

Key Business Benefits with the SAP Data Custodian:

• Compliance
  • Help comply with global data protection regulations
• Help avoid fines and damage in reputation
  • Through enhanced data transparency and data access, storage, and movement controls
• Enhanced security awareness
  • Alert management to heightened risks and compliance breaches
• Reports
  • Obtain near-real-time reports on data protection compliance and risk
• Agility
  • Quickly identify and react to suspicious activity relating to sensitive customer data

SAP Data Custodian Use Cases: 

• Data Classification
• Data Localization and Residency
• Unauthorized Cloud Provider Access
• S/4HANA Application Transparency
• S/4HANA Application Control
• Encryption – Unauthorized Access
• Encryption – Data Breach Prevention

SAP MaxAttention Offering for Hyperscalers: PE Package for SAP Data Custodian Subscription

Following are some screenshots of SAP Data Custodian:

SAP Data Custodian Dashboard:

SAP Data Custodian Union Overview:

SAP Data Custodian Anomalies:

SAP Data Custodian Key Management:

Related Links:

SAP Data Custodian Product Documentation 

SAP Data Custodian Receives Prestigious International Recognition

SOC2 Report for SAP Data Custodian

SAP IDG Contacts: Rohit Dwivedi, Kiran Kola