Explaining the Security Responsibilities Across Various Delivery Models

Objective

After completing this lesson, you will be able to explain SAP's shared responsibility model and its implications for security.

Shared Responsibility Model

What Is the Shared Responsibility Model?

When using SAP Cloud services, the responsibility for various aspects of security and operations is shared between SAP and the customer. Here is how the responsibilities are divided:

  1. Infrastructure and System Management: 
    • SAP takes responsibility for managing hardware, infrastructure resources, and protecting IT assets from unauthorized physical access. 
    • SAP handles provisioning of resources and systems according to ordered packages and subscriptions. 
  2. Application and Data Management: 
    • Customers remain responsible for managing their business process logic, workflows, and data. 
    • Customers must secure their data through security settings like configuring authentication, authorizations, and role-based access control. 
  3. User Management: 
    • Customers are responsible for managing user identities, authentications, and authorizations to application functions. 
    • Customers must handle consent management and enter data related to their users. 
  4. Security Monitoring: 
    • Customers are responsible for reviewing security audit logs such as user logins and failed authentications. 
    • SAP provides security assurance through independent third-party audit reports like ISO27001, ISO22301, SOC1, and SOC2. 
  5. Communication and Updates: 
    • Customers must appoint an English-speaking contact person for efficient communication with SAP. 
    • Customers should subscribe to SAP's communication channels to receive information about service disruptions and maintenance activities. 
    • SAP is responsible for informing customers about service disruptions and critical maintenance activities. 
  6. Change Management: 
    • SAP applies regular product increments and corrections to infrastructure, systems, and services. 
    • SAP performs updates in a biweekly cycle and ensures prompt delivery of security patches. 

By understanding this shared responsibility model, organizations can ensure they maintain appropriate control over their cloud environment while benefiting from SAP's management of the underlying infrastructure and systems. 
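The Security Monitoring item above places the review of user logins and failed authentications on the customer's side. The following added example (not SAP's code or an SAP log format; the line layout, field names and sample entries are constructed for illustration) shows what that review can look like in practice: it parses a handful of audit lines, flags a burst of failed logins for one user inside a time window, and also reports a successful login that immediately follows such a burst, while letting failures that are hours apart expire from the window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log lines (assumed layout, not a real SAP format).
SAMPLE_LOG = """\
2024-05-01T08:00:05Z user=alice event=LOGIN_OK src=10.0.0.5
2024-05-01T08:01:10Z user=bob event=LOGIN_FAIL src=203.0.113.7
2024-05-01T08:01:30Z user=bob event=LOGIN_FAIL src=203.0.113.7
2024-05-01T08:02:00Z user=bob event=LOGIN_FAIL src=203.0.113.7
2024-05-01T08:02:20Z user=bob event=LOGIN_OK src=203.0.113.7
2024-05-01T09:15:00Z user=carol event=LOGIN_FAIL src=10.0.0.9
2024-05-01T11:40:00Z user=carol event=LOGIN_FAIL src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse the constructed audit lines into (timestamp, user, event, src)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        entries.append((ts, m.group(2), m.group(3), m.group(4)))
    return entries


def review_failed_logins(entries, threshold=3, window=timedelta(minutes=10)):
    """Flag users with >= threshold LOGIN_FAIL events inside a sliding window.
    A LOGIN_OK that follows such a burst is reported separately, because a
    success right after repeated failures is what an analyst most wants to see."""
    fails = defaultdict(list)
    findings = []
    for ts, user, event, src in entries:
        if event == "LOGIN_FAIL":
            fails[user].append(ts)
            # keep only the failures that fall inside the window ending at this event
            fails[user] = [t for t in fails[user] if ts - t <= window]
            if len(fails[user]) >= threshold:
                findings.append(("burst", user, src, len(fails[user])))
        elif event == "LOGIN_OK" and len(fails[user]) >= threshold:
            findings.append(("success_after_burst", user, src, len(fails[user])))
            fails[user] = []  # the burst has been reported; start fresh
    return findings


if __name__ == "__main__":
    for finding in review_failed_logins(parse_log(SAMPLE_LOG)):
        print(finding)
```

Carol's two failures are more than ten minutes apart, so they never reach the threshold; Bob's three failures within a minute do, and his subsequent success is reported as well.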

Different Responsibilities for PaaS, IaaS, and SaaS

The figure shows the shared responsibility model in different cloud service models.

The diagram illustrates the shared responsibility model in different cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). It compares these with traditional IT management across the components of the solution stack: processes, data, applications, middleware/platform, database, runtime, operating system (OS), virtualization, servers, storage, and networking. In traditional IT, the customer manages all components. In IaaS, the customer manages everything from processes down to the OS, while the cloud provider manages virtualization, servers, storage, and networking. In PaaS, the customer manages processes, data, and applications, while the cloud provider handles the remaining components. In SaaS, the customer is responsible for processes and data; the cloud provider manages all other layers. An arrow indicates the progression from traditional IT to SaaS across the most common cloud service models.

There are significant differences in shared responsibilities between Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) models: 

  1. IaaS: 
    • Customers are responsible for managing business processes, applications, middleware, platform, system, and database.
    • The service provider manages the operating system under a defined Service Level Agreement (SLA) that gives the customer transparency on critical events.
    • The service provider is fully responsible for virtualization, servers, storage, and networking.
  2. PaaS: 
    • Customers manage business processes and applications.
    • The service provider handles middleware and platform under a defined SLA that gives the customer transparency on critical events. 
    • The service provider is fully responsible for system, database, operating system, virtualization, servers, storage, and networking.
  3. SaaS: 
    • Customers are responsible for managing business processes. 
    • The service provider manages the applications under a defined SLA that gives the customer transparency on critical events.
    • The service provider is fully responsible for middleware, platform, system, database, operating system, virtualization, servers, storage, and networking.

Key differences: 

  1. In IaaS, customers have more control and responsibility over the software stack, while in PaaS and SaaS, these responsibilities shift increasingly to the service provider.
  2. PaaS offers a middle ground, where customers focus on application development and business processes, while the provider handles more of the underlying infrastructure. 
  3. SaaS provides the least amount of customer responsibility, with the provider managing almost all aspects of the service except for business processes. 

These differences in shared responsibilities affect how organizations approach cloud adoption, management, and governance for each model.

Shared Responsibility Model and Its Implications for Security

The shared responsibility model for cloud services has several important implications for security: 

  1. Division of Security Tasks: 
    • Cloud service providers (CSPs) like SAP are responsible for securing the underlying infrastructure, including physical data centers, hardware, and network. 
    • Customers remain responsible for securing their data, managing user access, and configuring application-level security controls. 
  2. Increased Complexity: 
    • Security becomes more complex as responsibilities are split between multiple parties. 
    • Organizations must clearly understand where their responsibilities begin and end to avoid security gaps. 
  3. Need for Collaboration: 
    • Effective security requires close collaboration between customers and CSPs. 
    • Regular communication about security updates, incidents, and best practices is essential. 
  4. Tailored Security Approaches: 
    • Different cloud models (IaaS, PaaS, SaaS) require different security approaches. 
    • Customers must adapt their security strategies based on the specific cloud service model they are using. 
  5. Compliance Challenges: 
    • Customers remain ultimately responsible for regulatory compliance, even when using cloud services. 
    • Organizations must ensure their CSP can meet relevant compliance requirements and provide necessary documentation. 
  6. Expanded Attack Surface: 
    • Cloud environments can introduce new security risks and expand the potential attack surface. 
    • Customers need to implement additional security measures to protect against cloud-specific threats. 
  7. Importance of Cloud Security Expertise: 
    • Organizations often need to develop or acquire new security skills specific to cloud environments. 
    • Understanding cloud security best practices becomes crucial for effective risk management. 
  8. Continuous Monitoring and Auditing: 
    • Regular security assessments and audits become more important to ensure both the CSP and customer are fulfilling their security responsibilities. 
    • Customers should review CSP security reports and certifications, such as SOC 2 reports. 

By understanding and addressing these implications, organizations can better navigate the shared responsibility model and maintain a strong security posture in cloud environments.