Outlining Cloud Security

Objective

After completing this lesson, you will be able to outline cloud security

Cloud Security Overview

Security risks can be clustered into three categories:

  • Confidentiality: Unauthorized users may access data

  • Integrity: Data is manipulated

  • Availability: Services are not sufficiently available

If an IT service is put into the cloud, it will generally result in an increased attack surface, but it will also lower the on-premise complexity. An on-premise organization may gain security if the rise of an attack surface is under control as a scalable foundation in the cloud. It results in a hybrid cloud that is more secure than an on-premise environment. However, in most solution landscapes of average complexity, the risks are irrespective of whether the system is on-premise or in the cloud.

Cloud Services Stack

Overview of Cloud Services Stack

Confidentiality

List of secure Global data centers

As shown in the figure, Secure Global Data Centers SAP Cloud including IBP, SAP runs a few main data centers and contracts with other cloud providers to extend our cloud network. All data centers are Tier 3 or 4 data centers and meet the highest security standards including SSAE16, ISAE3402, ISO27001, and BS25999.

Note

Network of Secure Global Data Centers can change, as more centers are added over time.

Security Certification

Reason for security certification

All of the data centers provide the following:

  • Physical security of the buildings

    • Hundreds of surveillance cameras with digital recording

    • Fully-monitored doors

    • Tens of thousands of environmental sensors

    • Security and facility support teams that are onsite at all time

    • Biometric access to secured areas

  • Power supply

    Redundant power sources

  • Fire and flood protection

    • Environmentally-friendly Inergen fire extinguisher system

    • Thousands of fire and flood surveillance sensors

  • Cooling

    • 100% air conditioning

    • Auxiliary cooling capacity

SAP delivers from an environment that is subject to external audits. Delivery is according to industry best practices, for example, ISO 27001. This compliance certificate regulates how security information is managed in a data center.

Identity and Access Management

Security through which an end user request passes

The figure, Identity and Access Management, shows the security that an end user request goes through. The Secure Sockets Layer (SSL) firewall encrypts requests. SSL is the standard security technology used for establishing an encrypted link between a web server and a browser. This is followed by the authentication process, which does the following:

  • SAP HANA Cloud applications use SAP HANA User Management.

  • SAP HANA Cloud applications use SAP HANA Access Controls.

  • A web tier captures SAP HANA user credentials, and HTTPS sends them for validation with the SAP HANA user store.

  • When the user credentials are validated, a secure session is created for the user.

  • The application registers the user identity stored in SAP HANA as a mapping.

  • When the mapping is created, any Security Assertion Markup Language 2.0 (SAML2) compliant support package can access SAP HANA data using the SAML assertions in the Password field. The User field is left empty. SAML is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Backup and Recovery

SAP offers backup, recovery, and data center protection, which is outlined in the following figure.

Outline of the backup, recovery, and data center protection that SAP offers

Integrity

Three Main Areas in SAP Cloud Application Management

  • Central Cockpit or Service Provider Cockpit:

    This ensures high automation, for example, tenant lifecycle management, maintenance and upgrade management, which provides high quality.

  • Application Management: Security Compliance:

    This performs daily backups. An incremental log file backup is created on a regular basis during the day. There are automatic checks to see if a backup has been successfully executed. The system is automatically checked on a tenant level and overall.

  • System Security:

    User access is highly restricted.

Access to SAP Cloud application management is only possible due to an incident occurring, either a system or customer incident. A support user has a limited access profile. A password is generated when it is required to solve an incident.

The activities of a support user are traced in a security audit log, which is stored for 200 days and provided to customers only if requested. There is no regular reading of entries.

Application Software Upgrades and Change Management

During staging, development is allowed to implement fixes and create required documentation. During development, functional, and performance scripts are run and a report is delivered after every change, which confirms there is no regression.

SAP Dev Pre-Prod is the landscape that is closest to the production version. Development tests the transport tool and other steps in this landscape.

Pre-production is treated as the first production system. SAP Cloud managed services apply the changes in the pre-production system. Any changes must be tested in the Quality Assurance (QA) landscape and approved by Quality Management (QM). This is followed by Pilot/Staging in the SAP Cloud. A request is sent as an internal ticket on the component <Application Component - MS>.

Change Management Process

The following are the main features of the change management process:

  • All the upgrades, support packages, and hot fixes follow the change management process. Support packages are a collection of one or more patches, and they are released according to a set schedule.

  • There is no customer specific downtime. A weekly patch or hot fixing cycle is performed, and all of the systems are maintained as the same code line, version, support package, and hot fix.

  • Functional and performance testing is performed to evaluate regression and performance issues before the change is moved into production.

  • The standard weekly hot fixing downtime maintenance windows are based on application activities.

  • Standard quarterly downtime windows are based on infrastructure activities and are communicated to the customer in advance.

Infrastructure

Outline of the Customer Support Process

When a customer has been set up with a user in the SAP Service Marketplace, they can report issues using the following components:

  • SCM-SOP for S&OP3.0 on premise and IBP4.0 S&OP functions

  • SCM-IBP for all subsequent releases

The SAP Launchpad is the interface used by the customer. The user requires an S-User to address incidents, and the incidents are linked to the application. If a solution for the incident is available to the customer, they will get a notification through the portal.

Access to the Production Systems for SAP Technical Users

Outline: Access to the Production Systems for Technical Users

SAP provides the support of a number of application managers and a number of database administrators.

You can only access the production landscape from the internal SAP network using a Microsoft Windows terminal server. A user, password, and SecurID card are required for logon.

The actions on the production system are recorded in log files.

SAP Cloud Deployment Summary

The following list provides a summary of the functionality provided by SAP Cloud Deployment:

  • Certified operators

  • World-class data centers

  • Advanced network security

  • Reliable data backup

  • Built-in integrity and confidentiality

  • Dedicated SAP HANA servers

Log in to track your progress & complete quizzes

Learning

SAP FacebookSAP YoutubeSAP LinkedIn