Security concepts in SAP S/4HANA Cloud
Security is a broad topic that can span physically securing buildings and computing infrastructure all the way to a user performing business tasks from a mobile device on public wi-fi. Security entails padlocks, PINs for the printer, software on devices like routers and software on user desktops. Overarching these measures are processes and governance that are also crucial to security and may entail meeting various laws from governments such as GDPR or embracing guidelines from organizations like NIST.
This article will make some basic distinctions in security responsibilities for cloud customers and cloud providers such as SAP Enterprise Cloud Services and provide you with further resources and interesting reads on the subject.
Let me briefly explain the foundational cloud security concept known as a “shared responsibility model”. Under a traditional on-premise or data center hosting operation, a business organization can be responsible for everything, starting with the blinking lights on the system. Pause and remember that some organizations once had a server room or on-site data center housing servers, switches, storage, racks and cables merely steps away from where workers executed business functions from their cubicles. In this scenario security means someone in the building had to manage keys to unlock the server vault doors, authorize personnel, maintain power and generators, store data backups, etc. Fast forward to today, or to a large enterprise setting, and you may find “as-a-service” models heavily utilized via partner organizations like SAP and hyperscalers such as AWS and Azure. This is where shared responsibility comes into play. The organizations mentioned above are cloud providers and, due to the acceleration to the cloud (think of the COVID-19 era and supporting remote workers, extending or creating businesses), must offer some included value or an extended managed service experience so that customers can focus on their business activities. This means dividing up the security responsibility and documenting the agreement via service levels, responsibility matrices and other contract terms.
The shared responsibility model is commonly defined across many cloud providers, and indeed SAP Enterprise Cloud Services outlines its own model. SAP S/4HANA Cloud editions outline security, backups, patching, etc., and distinguish the customer responsibilities and tasks via a cloud order form and a roles and responsibilities document.
One popular idea that effectively communicates the shared responsibility is that the cloud provider is responsible for security “of” the cloud and the customer is responsible for security “in” the cloud. Bearing this in mind, the cloud provider secures the IaaS and PaaS layers and the customer is responsible for the application layer, where users are defined and authorized, transactions are carried out and data is created and consumed. Both parties have enormous responsibilities, and customers must carefully understand and weigh what they are responsible for; in the case of SAP Enterprise Cloud Services, they should consider that there are managed service offerings and other resources to help secure their S/4HANA Cloud. For example, Cloud Application Services from SAP offers an outcome-based service to review and address application security risks. In this case the service outcomes dovetail with prevailing security and compliance concepts such as controls, audits and GRC.
The cloud is very dynamic and constantly gaining popularity. Cloud service providers have been forced to ensure that their security scope is robust and understood. Without this, these enormous companies, and public cloud adoption in general, would be weakened.
During my research for this blog post I found an often-referenced prediction from Gartner that I will also summon to drive home the crucial customer responsibilities in a shared responsibility model. Gartner predicts that “through 2025, 99% of cloud security failures will be the customer’s fault”.
Fortunately, there are many resources and services available to help cloud customers deal with security threats and gain an understanding about policies and governance related to their respective cloud portfolio and partner arrangements.
Roland Costea, Chief Security Officer for SAP Enterprise Cloud Services, summed up the expectation that must be set regarding cloud security strategies:
“Like gardening, security and risk management needs constant upkeeping as cyber criminals continue to look for loopholes”.
For more cloud security insights from SAP, check out the entire Forbes article written by Roland Costea, “5 Cybersecurity Tactics to Protect The Cloud”.
Also visit the SAP Trust Center to learn about various aspects of security, including data protection, privacy, compliance, cloud services and other ways SAP implements cloud security.