What You Need to Know About Cloud Security for SAP Solutions

SAPinsiderMatt: Welcome to today’s Q&A on cloud security for SAP solutions. I am pleased to be joined by cloud security experts from IBM. Please give Madhuri Chawla, Tony Petta, Mark McNair, and Michael P Daniels a warm welcome!

There are already a number of questions posted on several topics including security for SAP Fiori and SAP S/4HANA. Please enter your questions into the module below to ensure the experts have a chance to answer it during the hour.

Comment From Guest: How should we approach security for our cloud deployment of SAP S/4HANA?

Michael P Daniels: Matt, thanks for the question. Initially, I like to tell folks to try to answer a couple of questions and go from there to a larger degree of detail:

• Who is responsible for security at what portion of my cloud stack, operating system (OS), database (DB), middleware (MW), and application?
• Where will my data specifically be?
• How extensive are the security measures of the provider?
• How will I know if those controls are adequate?
• How much experience does the provider have in security for my platform?
• What happens if something goes wrong?

Comment From Darrin: Do you recommend a private cloud vs a public cloud? Are there criteria for considering either?

Michael P Daniels: Darrin, that’s a tough question. I try not to recommend either, however some key attributes to consider from a security perspective really is the level of control you or your company has in assigning workload and data. In private clouds, generally speaking, you are the data controller and the cloud provider may only control a network / VM provisioning layer. You may even build this in your data center where you can control the physical layer of security. In a public cloud, you may be looking for the cloud service provider to control the physical security / hardware / VM provisioning, even additional layers such as managed OS, DB, and MW. So generally speaking, it’s about the level of control you are willing to hand off.

Comment From Alex: What do you see as the needs of local and state governments in terms of cybersecurity, particularly those that have not entirely gravitated to the cloud? How does the public sector compare to the private sector in being prepared for and responding to cyberattacks?

Michael P Daniels: Alex, I can’t speak directly to any particular preparedness of an individual public or private entity. What I would tell you is to become familiar with local, state, and federal regulations or standards related to cybersecurity and cloud. A decent starting point for public organizations is NIST Cloud Computing Security Reference Architecture.

Comment From Greg: How can we identify security gaps in our system architecture?

Michael P Daniels: Greg, my best advice is to periodically utilize a set of commercial security testing tools and independent testers; this can help you scan the systems in your environment and identify configurations and vulnerabilities across the logical deployment from OSs through DB/MW and applications.

Comment From Mike: What are the most common types of attacks to prepare for?

Mark McNair: Hi Mike. DDoS attacks are most common, however we have infrastructure services in place to “black hole” this type of traffic and help protect customer systems. We also implement Internet IPS services as an additional measure.

Comment From Renato Cendretti: How can we protect our SAP Fiori environment and where we can find best practices to protect enterprise cloud environments against cyberattacks?

Madhuri Chawla: You should consider looking at multiple dimensions including following SAP best practices for SAP Fiori and also using certified SAP cloud providers. Security is a key part of the SAP certification for cloud providers and several measures are taken to protect against cyberattacks.

Comment From Jeff: Are there any best practices or recommendations for working with auditors on cloud security?

Tony Petta: First, I view it as very important to ensure the auditors understand the differences between cloud and traditional IT environments in terms of changeability and flexibility. This also includes acquainting them completely with your processes during initial process reviews with them. Second, if you are using an external service provider for cloud services, make sure to explain all relevant contract terms to the auditors especially related to shared responsibilities between provider and the company receiving services. Last, review data requests from auditors carefully to filter out as many assumptions as possible — you might notice that they are traditionally oriented to legacy IT as opposed to cloud. Clarify these up front.

Comment From Frank: What advice do you give for customizing SAP HANA security?

Michael P Daniels: Initially, I recommend utilizing SAP-certified cloud platforms, and utilizing the standard configuration documentation from SAP. Look for technically reviewed SAP partner software as well.

Comment From Christina: What are key risks for hybrid environments?

Mark McNair: Hi Christina. I believe one of the most significant risks in this area is connecting environments with different data security classifications. One should carefully consider how to securely connect infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and other environments in terms of data classification, production/non-production, and so on.

Comment From Kevin: How can we prepare for the Internet of Things (IoT) security challenges?

Michael P Daniels: Kevin, that is a very tough question as IoT security is still maturing. Basic principles still apply, such as understanding your security and risk appetite and the classification of data in your environment. Of course, monitoring for events and risk is critical.

Comment From Guest: What, if any, changes should we consider to segregation of duties (SoD) when we move to the cloud?

Tony Petta: The main change would be to segregate between above and below hypervisor support personnel if the support teams are large enough to divide functions that way. Otherwise, the traditional separation between development, test, and production support personnel remains in the cloud, but often proves more difficult to enforce with access controls. Access to separate VMs by different teams needs to be enforced to keep that separation effective.

Comment From Alan: After selecting a provider, what are the most important tests to run on a private cloud environment?

Mark McNair: Hi Alan, great question. It is always a good idea to perform vulnerability scanning and/or application vulnerability scanning against systems. These types of scans will reveal insecure configurations, missing security patches, errors in web application coding, and more.

Madhuri Chawla: Alan, you would need to run tests that simulate your production workloads and see the performance, end user acceptance tests, and end to integration tests.

Comment From Kev: What emerging technologies can we anticipate will cause security challenges?

Michael P Daniels: Kev, thanks for this question. As always, I think the ever-evolving use of big data, data encryption technologies, and security-as-a-service vendors will challenge the status quo for traditional providers. The ability for your vendors to adapt to new usage models around data storage and sharing in a multi-tenant environment will continue to evolve.

Comment From John: What vulnerabilities should we focus on to protect against data breaches?

Mark McNair: Hi John. You should first understand what services you are exposing from a network point of view, such as ports exposed to Internet, intranet, and extranet. Make sure you implement a default deny-all firewall configuration and only open ports necessary for the services you intend to expose. In addition, make sure the application services exposed are fully patched and securely configured. Finally, any services which expose confidential data should likely include additional security services to protect it, such as host or network intrusion prevention services.

Comment From Guest: What is the biggest misconception you’ve encountered from customers? How do you dispel skepticism?

Michael P Daniels: In my experience, it seems that clients do not understand the detailed roles and responsibilities specific to the activities of the cloud provider. Most often, because cloud provider services vary greatly, they also do not understand the activities related to the IaaS, database-as-a-service, PaaS, software-as-a-service (SaaS), and how those services may complement or complicate a customer’s application environment. In order to dispel the skepticism, be sure that the provider has detailed documentation they can share with you about the services and the architecture. Good documentation is a sign of a thoughtful provider. Additionally, look for vendor security certifications from independent reviewers.

Comment From Josh: What cloud security measures should we and partners prioritize?

Mark McNair: Hi Josh. It really depends on what you are hosting in the cloud. Are you hosting test/proof of concept systems with no sensitive data? Are you hosting production systems with sensitive data that will be accessed from the Internet? The answers to these questions will help us identify the proper security measures.

Comment From Todd: What questions will we hear from auditors about SAP and the cloud?

Tony Petta: SAP has a strong security framework internally as well as in the policies it sets for its own service providers. You can expect that auditors may ask about a business or service provider’s compliance to that framework or any alterations that may have been made to it and agreed upon by SAP and the provider. If a business is using an SAP-certified cloud service provider, the provider will be able to provide extensive reporting capabilities to auditors during a review. If third-party applications are being integrated with SAP applications, auditors may ask about whether SAP has evaluated the third-party software for use with SAP. That point is not necessarily cloud specific, but more prevalent in cloud.

Comment From Guest: For an SAP S/4HANA cloud install, are there any security challenges we should prepare for?

Michael P Daniels: Clearly, first and foremost is obviously ensuring your cloud provider can support a robust set of certified platforms for SAP HANA. Second, as with any SAP installation, ensure there is proper understanding of the workload, data classification, and proper access control to the environment. And as usual, periodically test to identify things like patch currency and DB and application configuration vulnerabilities.

Comment From Guest: How can we best manage SAP’s security notes?

Madhuri Chawla: The cloud provider would review the security notes being issued by SAP and work with the client to deploy. Some are mandatory updates and will be deployed but for some client concurrence is needed. If you are running workloads on-premise then you have to put a governance structure in place to manage the process within your organization.

Comment From Mike: When should we first conduct a vulnerability assessment for our cloud environment (and how often after that)?

Michael P Daniels: Traditionally speaking, best practices tell you to assess your environment for vulnerabilities before going live / GA, and at least annually. Additionally, you should test upon any core change to your environment. Usually this would be things such as an application code change, OS update, or large-scale upgrade of a platform.

Comment From Guest: Are there any special considerations for transferring protected health information (PHI) to cloud applications?

Michael P Daniels: Great question — there are a variety of regional, governmental, and national regulations for the handling of PHI around the world, and not all of them have the same rules. I would definitely recommend that you consult with your corporate legal and privacy office to ensure you have a clear understanding of the rules by which your company is bound. Generally speaking, most regulations call for some level of data encryption for this type of data both in transit and at rest. Look to see if your provider offers an array of methods, such as secure channels or even physical transfer. Review their security processes for shipping said data.

Comment From Guest: What are best practices for creating cloud test data?

Madhuri Chawla: Best practices for creating test date should be followed whether running the workloads on-premise or on the cloud. Live production data or a representative subset should be used to create the test data. It is important to run regression and stress testing to ensure that the environment can support the workloads. If you plan to run a hybrid cloud environment, then you do have to run tests to ensure network latency is tested.

Comment From SEAN: What do you recommend for connecting mobile devices to the cloud?

Michael P Daniels: Sean, that’s a tough question without knowing your specific needs. In my mind, there are a couple of basic use case scenarios:

1. Using mobile devices to connect to the cloud management platform
2. Enabling your applications for mobile device interfaces

For the first scenario, I would tell you to rely heavily on your organization’s specific mobile device security policies. This may involve VPNs or standard OS builds to minimize risk of wireless connectivity.

For the second scenario, follow the published best practices from SAP to ensure you have appropriately enabled the correct configurations

SAPinsiderMatt: Thank you Madhuri, Tony, Mark, and Michael for all your insightful answers! And thank you to everyone who participated in today’s Q&A!

SAPinsiderMatt: Welcome to today’s Q&A on cloud security for SAP solutions. I am pleased to be joined by cloud security experts from IBM. Please give Madhuri Chawla, Tony Petta, Mark McNair, and Michael P Daniels a warm welcome!

There are already a number of questions posted on several topics including security for SAP Fiori and SAP S/4HANA. Please enter your questions into the module below to ensure the experts have a chance to answer it during the hour.

Comment From Guest: How should we approach security for our cloud deployment of SAP S/4HANA?

Michael P Daniels: Matt, thanks for the question. Initially, I like to tell folks to try to answer a couple of questions and go from there to a larger degree of detail:

• Who is responsible for security at what portion of my cloud stack, operating system (OS), database (DB), middleware (MW), and application?
• Where will my data specifically be?
• How extensive are the security measures of the provider?
• How will I know if those controls are adequate?
• How much experience does the provider have in security for my platform?
• What happens if something goes wrong?

Comment From Darrin: Do you recommend a private cloud vs a public cloud? Are there criteria for considering either?

Michael P Daniels: Darrin, that’s a tough question. I try not to recommend either, however some key attributes to consider from a security perspective really is the level of control you or your company has in assigning workload and data. In private clouds, generally speaking, you are the data controller and the cloud provider may only control a network / VM provisioning layer. You may even build this in your data center where you can control the physical layer of security. In a public cloud, you may be looking for the cloud service provider to control the physical security / hardware / VM provisioning, even additional layers such as managed OS, DB, and MW. So generally speaking, it’s about the level of control you are willing to hand off.

Comment From Alex: What do you see as the needs of local and state governments in terms of cybersecurity, particularly those that have not entirely gravitated to the cloud? How does the public sector compare to the private sector in being prepared for and responding to cyberattacks?

Michael P Daniels: Alex, I can’t speak directly to any particular preparedness of an individual public or private entity. What I would tell you is to become familiar with local, state, and federal regulations or standards related to cybersecurity and cloud. A decent starting point for public organizations is NIST Cloud Computing Security Reference Architecture.

Comment From Greg: How can we identify security gaps in our system architecture?

Michael P Daniels: Greg, my best advice is to periodically utilize a set of commercial security testing tools and independent testers; this can help you scan the systems in your environment and identify configurations and vulnerabilities across the logical deployment from OSs through DB/MW and applications.

Comment From Mike: What are the most common types of attacks to prepare for?

Mark McNair: Hi Mike. DDoS attacks are most common, however we have infrastructure services in place to “black hole” this type of traffic and help protect customer systems. We also implement Internet IPS services as an additional measure.

Comment From Renato Cendretti: How can we protect our SAP Fiori environment and where we can find best practices to protect enterprise cloud environments against cyberattacks?

Madhuri Chawla: You should consider looking at multiple dimensions including following SAP best practices for SAP Fiori and also using certified SAP cloud providers. Security is a key part of the SAP certification for cloud providers and several measures are taken to protect against cyberattacks.

Comment From Jeff: Are there any best practices or recommendations for working with auditors on cloud security?

Tony Petta: First, I view it as very important to ensure the auditors understand the differences between cloud and traditional IT environments in terms of changeability and flexibility. This also includes acquainting them completely with your processes during initial process reviews with them. Second, if you are using an external service provider for cloud services, make sure to explain all relevant contract terms to the auditors especially related to shared responsibilities between provider and the company receiving services. Last, review data requests from auditors carefully to filter out as many assumptions as possible — you might notice that they are traditionally oriented to legacy IT as opposed to cloud. Clarify these up front.

Comment From Frank: What advice do you give for customizing SAP HANA security?

Michael P Daniels: Initially, I recommend utilizing SAP-certified cloud platforms, and utilizing the standard configuration documentation from SAP. Look for technically reviewed SAP partner software as well.

Comment From Christina: What are key risks for hybrid environments?

Mark McNair: Hi Christina. I believe one of the most significant risks in this area is connecting environments with different data security classifications. One should carefully consider how to securely connect infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and other environments in terms of data classification, production/non-production, and so on.

Comment From Kevin: How can we prepare for the Internet of Things (IoT) security challenges?

Michael P Daniels: Kevin, that is a very tough question as IoT security is still maturing. Basic principles still apply, such as understanding your security and risk appetite and the classification of data in your environment. Of course, monitoring for events and risk is critical.

Comment From Guest: What, if any, changes should we consider to segregation of duties (SoD) when we move to the cloud?

Tony Petta: The main change would be to segregate between above and below hypervisor support personnel if the support teams are large enough to divide functions that way. Otherwise, the traditional separation between development, test, and production support personnel remains in the cloud, but often proves more difficult to enforce with access controls. Access to separate VMs by different teams needs to be enforced to keep that separation effective.

Comment From Alan: After selecting a provider, what are the most important tests to run on a private cloud environment?

Mark McNair: Hi Alan, great question. It is always a good idea to perform vulnerability scanning and/or application vulnerability scanning against systems. These types of scans will reveal insecure configurations, missing security patches, errors in web application coding, and more.

Madhuri Chawla: Alan, you would need to run tests that simulate your production workloads and see the performance, end user acceptance tests, and end to integration tests.

Comment From Kev: What emerging technologies can we anticipate will cause security challenges?

Michael P Daniels: Kev, thanks for this question. As always, I think the ever-evolving use of big data, data encryption technologies, and security-as-a-service vendors will challenge the status quo for traditional providers. The ability for your vendors to adapt to new usage models around data storage and sharing in a multi-tenant environment will continue to evolve.

Comment From John: What vulnerabilities should we focus on to protect against data breaches?

Mark McNair: Hi John. You should first understand what services you are exposing from a network point of view, such as ports exposed to Internet, intranet, and extranet. Make sure you implement a default deny-all firewall configuration and only open ports necessary for the services you intend to expose. In addition, make sure the application services exposed are fully patched and securely configured. Finally, any services which expose confidential data should likely include additional security services to protect it, such as host or network intrusion prevention services.

Comment From Guest: What is the biggest misconception you’ve encountered from customers? How do you dispel skepticism?

Michael P Daniels: In my experience, it seems that clients do not understand the detailed roles and responsibilities specific to the activities of the cloud provider. Most often, because cloud provider services vary greatly, they also do not understand the activities related to the IaaS, database-as-a-service, PaaS, software-as-a-service (SaaS), and how those services may complement or complicate a customer’s application environment. In order to dispel the skepticism, be sure that the provider has detailed documentation they can share with you about the services and the architecture. Good documentation is a sign of a thoughtful provider. Additionally, look for vendor security certifications from independent reviewers.

Comment From Josh: What cloud security measures should we and partners prioritize?

Mark McNair: Hi Josh. It really depends on what you are hosting in the cloud. Are you hosting test/proof of concept systems with no sensitive data? Are you hosting production systems with sensitive data that will be accessed from the Internet? The answers to these questions will help us identify the proper security measures.

Comment From Todd: What questions will we hear from auditors about SAP and the cloud?

Tony Petta: SAP has a strong security framework internally as well as in the policies it sets for its own service providers. You can expect that auditors may ask about a business or service provider’s compliance to that framework or any alterations that may have been made to it and agreed upon by SAP and the provider. If a business is using an SAP-certified cloud service provider, the provider will be able to provide extensive reporting capabilities to auditors during a review. If third-party applications are being integrated with SAP applications, auditors may ask about whether SAP has evaluated the third-party software for use with SAP. That point is not necessarily cloud specific, but more prevalent in cloud.

Comment From Guest: For an SAP S/4HANA cloud install, are there any security challenges we should prepare for?

Michael P Daniels: Clearly, first and foremost is obviously ensuring your cloud provider can support a robust set of certified platforms for SAP HANA. Second, as with any SAP installation, ensure there is proper understanding of the workload, data classification, and proper access control to the environment. And as usual, periodically test to identify things like patch currency and DB and application configuration vulnerabilities.

Comment From Guest: How can we best manage SAP’s security notes?

Madhuri Chawla: The cloud provider would review the security notes being issued by SAP and work with the client to deploy. Some are mandatory updates and will be deployed but for some client concurrence is needed. If you are running workloads on-premise then you have to put a governance structure in place to manage the process within your organization.

Comment From Mike: When should we first conduct a vulnerability assessment for our cloud environment (and how often after that)?

Michael P Daniels: Traditionally speaking, best practices tell you to assess your environment for vulnerabilities before going live / GA, and at least annually. Additionally, you should test upon any core change to your environment. Usually this would be things such as an application code change, OS update, or large-scale upgrade of a platform.

Comment From Guest: Are there any special considerations for transferring protected health information (PHI) to cloud applications?

Michael P Daniels: Great question — there are a variety of regional, governmental, and national regulations for the handling of PHI around the world, and not all of them have the same rules. I would definitely recommend that you consult with your corporate legal and privacy office to ensure you have a clear understanding of the rules by which your company is bound. Generally speaking, most regulations call for some level of data encryption for this type of data both in transit and at rest. Look to see if your provider offers an array of methods, such as secure channels or even physical transfer. Review their security processes for shipping said data.

Comment From Guest: What are best practices for creating cloud test data?

Madhuri Chawla: Best practices for creating test date should be followed whether running the workloads on-premise or on the cloud. Live production data or a representative subset should be used to create the test data. It is important to run regression and stress testing to ensure that the environment can support the workloads. If you plan to run a hybrid cloud environment, then you do have to run tests to ensure network latency is tested.

Comment From SEAN: What do you recommend for connecting mobile devices to the cloud?

Michael P Daniels: Sean, that’s a tough question without knowing your specific needs. In my mind, there are a couple of basic use case scenarios:

1. Using mobile devices to connect to the cloud management platform
2. Enabling your applications for mobile device interfaces

For the first scenario, I would tell you to rely heavily on your organization’s specific mobile device security policies. This may involve VPNs or standard OS builds to minimize risk of wireless connectivity.

For the second scenario, follow the published best practices from SAP to ensure you have appropriately enabled the correct configurations

SAPinsiderMatt: Thank you Madhuri, Tony, Mark, and Michael for all your insightful answers! And thank you to everyone who participated in today’s Q&A!