Businesses love the idea of the cloud. The ability to tap the power of enterprise software from a company like SAP without the cost, time and effort of implementing, managing and maintaining it on premises is quite appealing.
But SAP found that CIOs were more than a little worried about IT security and compliance. SAP customers want to be sure that systems in the cloud are secure enough for the confidential and sometimes highly sensitive data that resides in critical enterprise applications. And, of course, customers want to have rapid and easy access to documentation that demonstrates compliance of cloud-based systems at any time, especially when audit time rolls around.
At SAP, worrying about these issues is the job of Thorsten Herre. As cloud security architect, Thorsten focuses his efforts on security architecture, compliance and governance, not only for the internal IT environment but also for the SAP HANA® Enterprise Cloud service. We recently asked him for his insights into these customer concerns.
Thorsten tells us that customers are increasingly alarmed by the number of security incidents they are hearing about in the news. Data leakage, lock-in situations, loss of control, espionage and compliance with increasing governmental regulations have become top-of-mind concerns among CIOs. “Cloud providers have tried to overcome customer fears by focusing on compliance with international and industry-specific certifications like ISO27001, SSAE16/SOC and PCI/DSS,” he says. “And that’s a good baseline for building confidence that systems and data in the cloud are protected. But it’s not enough.”
What is enough? Thorsten says customers need providers to clearly demonstrate that they are delivering production-class security. SAP is doing that by constantly monitoring security, and by giving customers detailed reporting that provides insight into real-time security KPIs. “With the right kind of reporting, customers can monitor and control the security status of their systems and data in the cloud directly. That approach is helping us convince customers that they can use our cloud services even for their most critical and confidential business systems.”
How SAP Did It
To achieve security levels that instill customer confidence, SAP developed a detailed model that clearly defines secure configuration and operation of the network, the operating system, the SAP HANA database and the SAP® applications. To help ensure continuous compliance with the model, SAP has standardized on BladeLogic Server Automation for full compliance automation. SAP uses BladeLogic to execute 170 checks grouped in 11 templates — such as operating system and databases — on more than 3,000 servers around the world. In total, more than 200,000 checks run each week on a global basis without performance impacts.
Special checks enable BladeLogic to analyze the security situation at all levels of the cloud to detect a variety of issues, including:
- Improper deactivation of secure services
- Installation of blacklisted software
- Addition of unapproved software by local admin user accounts
- Compliance of the security configuration of certain software components and services with SAP’s security standards
- Failure to update anti-virus software
SAP’s security solution leverages metadata to intelligently detect noncompliance. BladeLogic compliance checks can execute certain functions based on such metadata as system status, customer groups and datacenter or network areas. Examples include executing scripts, reports and commands on the operating system and the database and at the ABAP® programming language level.
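As an added illustration of the check-and-template model described above (this is not SAP's or BladeLogic's code; host records, check names and thresholds are constructed sample data), a small compliance-drift checker that scopes templates by host metadata and rolls findings up by customer, datacenter or template:

```python
from collections import Counter
from datetime import date
# Constructed inventory snapshots of the kind an automation agent would collect per host.
HOSTS = [
    {"name": "db01", "datacenter": "EU", "customer": "acme", "status": "prod",
     "services": {"sshd": "on", "auditd": "on"}, "packages": ["sudo", "openssl"],
     "av_signatures": date(2014, 10, 1), "local_admin_installs": []},
    {"name": "app02", "datacenter": "US", "customer": "globex", "status": "prod",
     "services": {"sshd": "on", "auditd": "off"}, "packages": ["sudo", "telnetd"],
     "av_signatures": date(2014, 9, 1), "local_admin_installs": ["ftp-client"]},
    {"name": "sbx03", "datacenter": "US", "customer": "globex", "status": "sandbox",
     "services": {"sshd": "on", "auditd": "off"}, "packages": ["sudo"],
     "av_signatures": date(2014, 10, 1), "local_admin_installs": []},
]
REQUIRED_SERVICES = {"auditd"}           # improper deactivation of secure services
BLACKLISTED = {"telnetd", "rsh-server"}  # installation of blacklisted software
AV_MAX_AGE_DAYS = 7                      # failure to update anti-virus software
TODAY = date(2014, 10, 3)                # fixed date so the run is reproducible

def check_services(h):
    return [s for s in REQUIRED_SERVICES if h["services"].get(s) != "on"]
def check_blacklist(h):
    return sorted(BLACKLISTED & set(h["packages"]))
def check_local_admin(h):
    return list(h["local_admin_installs"])  # unapproved software added by local admins
def check_antivirus(h):
    age = (TODAY - h["av_signatures"]).days
    return [f"signatures {age} days old"] if age > AV_MAX_AGE_DAYS else []

# A template groups checks; its scope is a metadata predicate (here: system status) deciding where it runs.
TEMPLATES = {
    "os": {"scope": lambda h: h["status"] == "prod", "checks": [check_services, check_local_admin]},
    "software": {"scope": lambda h: True, "checks": [check_blacklist]},
    "antivirus": {"scope": lambda h: h["status"] == "prod", "checks": [check_antivirus]},
}

def run_checks(hosts=HOSTS):
    """Evaluate every in-scope template on every host; return (host, template, check, detail) tuples."""
    findings = []
    for h in hosts:
        for tname, t in TEMPLATES.items():
            if t["scope"](h):
                for chk in t["checks"]:
                    findings.extend((h["name"], tname, chk.__name__, d) for d in chk(h))
    return findings

def rollup(findings, hosts=HOSTS, key="customer"):
    """Count findings per customer, datacenter or template for the kind of reporting described above."""
    meta = {h["name"]: h for h in hosts}
    return dict(Counter(t if key == "template" else meta[h][key] for h, t, _, _ in findings))
```

The sandbox host fails the same `auditd` check as `app02` but produces no finding, because the `os` template is scoped to production systems only.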
Automated detection of noncompliance is the first step, and Thorsten believes that SAP has done an excellent job of exceeding customer requirements in this area. “SAP is very pleased with the rapid deployment and fast development of the security checks and the compliance module,” Thorsten notes. “We saw results within two weeks. BladeLogic is very flexible, and it adapts to the unique needs of the installations and standards of SAP software. We’ve been using it for years very successfully for operating system patch scanning. It not only scans for and reports on missing security patches but it also performs mass rollouts of patches to our servers.”
Compliance validation reports are automatically transferred into the SAP HANA Enterprise Cloud system and its reporting analytics for further processing. This enables SAP to deliver the data in an intuitive and familiar way for SAP customers. The reporting allows system administrators, security teams and managers to report on compliance in a variety of ways — by region, customer or security topic.
By the end of 2014, customers will be able to access their current security KPIs through a web portal, thereby gaining a consolidated view of SAP solutions and their security landscape. They will also be able to integrate this data with their security and event management software directly using web services.
Compliance and security validation occurs as frequently as necessary, including daily validation of some key configuration elements. This means near real-time feedback on compliance, which can dramatically enhance the safety and security of customer systems and data in the cloud. Using BladeLogic in this way helps reduce the effort and costs associated with detecting and remediating servers that are not in compliance. Additionally, early detection of drift can translate into faster remediation, which can help reduce risk by minimizing the time that a company is exposed to threats that might occur due to noncompliance. For example, with recent identifications of vulnerabilities like Heartbleed and ShellShock, IT could identify affected systems in minutes and fix them in hours, whereas in the past identification took days or weeks.
Reporting and analytics give customers deep visibility into their environments and enable them to directly monitor and control the security status of their systems and data. As a result, customers can fully exploit the benefits of cloud, which include greater agility and lower costs, while being assured of the highest levels of protection for their most critical and confidential business systems.
“Basically, you must have robust, reliable security in the cloud if you want to gain the trust of enterprise customers,” Thorsten concluded. “Our compliance approach, enabled by BladeLogic, is proving to be a strong differentiator for us when we talk to customers about trusting the cloud with critical business data.”
SAP, SAP HANA, ABAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. See http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
All other product and service names mentioned are the trademarks of their respective companies.
SAP Forward-looking Statement
Any statements contained in this document that are not historical facts are forward-looking statements as defined in the U.S. Private Securities Litigation Reform Act of 1995. Words such as “anticipate,” “believe,” “estimate,” “expect,” “forecast,” “intend,” “may,” “plan,” “project,” “predict,” “should” and “will” and similar expressions as they relate to SAP are intended to identify such forward-looking statements. SAP undertakes no obligation to publicly update or revise any forward-looking statements. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. The factors that could affect SAP’s future financial results are discussed more fully in SAP’s filings with the U.S. Securities and Exchange Commission (“SEC”), including SAP’s most recent Annual Report on Form 20-F filed with the SEC. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates.