Keeping sensitive data on-premise with Edge Integration Cell
Regardless of how you build and run your integrations, it always takes careful consideration when sensitive data flows through them. Payloads containing social security numbers, medical records, payroll information etc. must be vigilantly protected. The advent of the cloud and the industry’s shift towards Integration Platform as a Service (iPaaS) solutions adds another layer of complexity to this already complicated area.
Data residency requirements, for instance, limit the data centers in which certain data can be hosted. And in some cases, the data cannot be hosted in the cloud at all. This restriction can be due to statutory or regulatory requirements or it can be imposed by individual customer contracts.
In this blog post, I will discuss how to solve the problem of keeping certain sensitive integrations on-premise, even as customers migrate to SAP Integration Suite in the cloud.
The story so far
For SAP customers, up until now the answer to the question of how to keep certain sensitive integrations on-premise has been straightforward: SAP Process Orchestration.
SAP Process Orchestration is an integration platform installed and operated by the customer on the customer’s own network. This architecture enables us by default to keep certain payloads completely out of the cloud.
The platform has been around in different versions for more than 20 years. However, this venerable and much-loved product is now approaching its end-of-life in 2027 (or 2030 with extended support).
The gap left by SAP Process Orchestration will be filled by a new product called Edge Integration Cell, which I will introduce you to next.
What is Edge Integration Cell?
Edge Integration Cell is one of the hottest topics in the SAP integration world at the moment. It is a locally installed SAP Integration Suite runtime, which is currently slated for release in Q4 of this year. With Edge Integration Cell, you design your integration flows in the cloud and can then choose to deploy them to a runtime on your own network rather than your tenant’s runtime in the cloud. This approach is also known as hybrid deployment.
Like SAP Process Orchestration, you can install and operate Edge Integration Cell entirely within your local network. Edge Integration Cell runs on Kubernetes and supports SUSE’s Rancher platform at launch, with support for Red Hat OpenShift planned for the end of this year.
The number one use case for a local SAP Integration Suite runtime is, of course, ground-to-ground integrations. This makes Edge Integration Cell an essential component for many customers in the coming years, as they migrate their ground-to-ground integrations from SAP Process Orchestration to SAP Integration Suite.
However, Edge Integration Cell will also be able to solve the problem of keeping certain sensitive integrations on-premise, even as the customer migrates to SAP Integration Suite in the cloud. I’ll cover the solution later, but let’s first take a look at how sensitive payloads are handled in SAP Cloud Integration.
Sensitive payloads in SAP Cloud Integration
Integration flows that are deployed to the cloud (which is, at the time of writing, still the only option) are also monitored in the cloud. When tracing an integration flow (that is, setting its log level to “Trace”), its payloads will be stored in your tenant’s database in the cloud. For non-sensitive payloads, this is what we want in, for instance, a debugging situation.
For sensitive payloads, we have the option of restricting who can view them via Access Policies. In many cases, this is probably good enough. But if the requirement is that certain sensitive payloads can not be stored in the cloud at all, deploying those integrations in the SAP Integration Suite tenant is currently not an option.
Before going into how this will be solved with Edge Integration Cell, let’s examine how monitoring integration flows running in Edge Integration Cell works.
Monitoring in Edge Integration Cell
When an integration flow executes in Edge Integration Cell, its log records are stored in a local database. You will still be able to monitor that integration flow in the cloud, though. The difference is, that you have to actively pull log records from the Edge Integration Cell. They are, in other words, not continuously pushed from your local network to the tenant in the cloud. This makes sense; avoiding having to move large amounts of data over the Internet is, after all, one of the main purposes of the Edge Integration Cell.
When you go to Monitor → Integrations in the SAP Integration Suite UI after installing at least one Edge Integration Cell, you will be able to choose which runtime, you want to monitor: a local Edge Integration Cell runtime or the tenant’s runtime in the cloud. Only when you choose an Edge Integration Cell, will its log records be requested and displayed.
This means that sensitive payloads of a locally running integration flow can still end up in the cloud. You can restrict access to those payloads with Access Policies, but you cannot prevent them entirely from entering the cloud. Or more precisely: You cannot do that yet.
Sensitive payloads in Edge Integration Cell
This brings us, finally, to how the problem I’ve outlined in the above will be solved in Edge Integration Cell. And fortunately, the solution is already on its way. Specifically, SAP is planning an option to not allow any log records to leave the local network. When this option is enabled, it will no longer be possible to monitor that particular Edge Integration Cell in the cloud. As a consequence, sensitive payloads will stay on-premise at all times.
Please note that this option will be for the entire Edge Integration Cell installation, not per integration flow. This means that you must dedicate a separate Edge Integration Cell installation to these particularly sensitive integrations. This is probably not an issue, though, since you are likely already required to apply stricter security safeguards around these integrations.
So once this option becomes available, customers who need to keep certain sensitive integrations and their payloads out of the cloud can safely choose to deploy them to Edge Integration Cell.