However, companies with technical data that falls under US export controls — regulations that control how aerospace and defense contractors share weapons systems schematics, or how industrial companies share controlled manufacturing technical data, for instance (see the sidebar "What Are Export Control Regulations?") — are faced with a unique set of compliance challenges when it comes to choosing a cloud provider for their computing and data storage needs. And failure to address these challenges is not an option — the consequences for violating the law can be dire.
The Challenge of Export-Controlled Data in the Cloud
Beyond privacy and security issues, US companies need to know where their export-controlled data will physically reside in the cloud, and who will have physical or virtual access to that data.
If the data will ultimately be stored in a foreign location or accessed by foreign nationals, whether abroad or in the US, a violation of relevant export laws may occur, even if the export was unintentional or unknown to the company. Running afoul of US export controls can result in civil and criminal penalties, a loss of export privileges, or even suspension or debarment from government contracting.
To date, the US government has provided no written guidance on how to apply these regulations to cloud computing or cloud storage. While export control personnel may be hoping that strong encryption of data in the cloud will be sufficient to negate export control concerns, the debate continues within governmental agencies on the best approach. In the meantime, under the law, if a company transmits data to a cloud provider in the US and that provider transmits the data to another hosting site or cloud-based location outside the US, an export has taken place. Further, if a foreign national inside or outside the US accesses export-controlled data in the cloud, an export has taken place. Unless such exports are authorized by the agency with jurisdiction, one or more violations of law will occur, with potentially serious consequences for the business.
Securing Export-Controlled Data in the Cloud with SAP NS2
SAP National Security Services (SAP NS2) — an independent US-based subsidiary of SAP — is uniquely positioned to provide solutions and support that address the export control challenges facing companies that are seeking a cloud provider. SAP NS2 provides enterprise applications, analytics, database, cyber security, cloud, and mobility software solutions from SAP, enhanced with specialized levels of security and services for customers in the US, including a US-based staff of US citizens to comply with requirements for support and maintenance activities.[1]
Leveraging the capabilities of SAP’s cloud offerings — including SAP HANA Enterprise Cloud and its cloud solution portfolio — and SAP NS2’s expertise in serving US customers with unique security requirements, SAP and SAP NS2 have built a US federal secure cloud offering, an export-controlled node that is hosted by SAP NS2, separate from SAP’s data center, and is supported exclusively by US citizens on US soil. This node is a secure, private managed cloud environment for running SAP business applications and includes the services and support from SAP NS2 that are needed to implement, maintain, and operate the solutions with the required levels of security and regulatory compliance.
The US federal secure cloud offering was announced in October 2014 and became generally available in December 2014. To learn more about this offering and how it can help you securely host your SAP business applications in the cloud, reach out to your SAP account executive.
Secure Services and Support for the Cloud
The US federal secure cloud offering enables customers to prepare, transition, and operate their SAP solutions in a secure cloud infrastructure, with the aid of a full end-to-end service and support portfolio to smooth the transformation.
SAP NS2’s secure services and support for the cloud offering include:
- An assessment service that provides technical screening of the as-is solution in scope and provides a target architecture and transition plan for onboarding and migration
- Onboarding and migration services that ensure the physical transition from an on-premise environment to the SAP NS2 data center, with all relevant steps in the transition plan performed with the guidance of SAP NS2 services
- A subscription-based productive hosting service that ensures continuous operation of the customer solution with infrastructure managed services, ensuring promised service level agreements (SLAs) are met
- An application management service for SAP solutions that is also available in a subscription-based model to provide SLA-based monitoring and solution maintenance support
In addition to these secure services and support, SAP NS2 offers security-enhanced implementation services and maintenance support for all SAP solutions and technologies, including advanced, on-site support programs for the entire solution life cycle. All of these services can be customized to specific customer needs, and are provided by SAP NS2 personnel who, in addition to holding deep industry and product expertise, are trained in security compliance and understand both the sensitivities associated with export-controlled data and the needs of SAP customers that are required to meet or exceed compliance or certification requirements for technical data.
Export-Control Compliance in the Cloud
A primary issue faced by cloud service providers is the requirement that export-controlled data remain at all times within the US, and that the data be stored in an environment that is physically and logically accessible to US persons only.
To maintain the highest levels of security across all of its offerings for US customers, SAP NS2 employs only US citizens and maintains a secure IT infrastructure and facilities that are completely isolated from the rest of SAP. If co-locations and third-party contractors are involved in SAP NS2 service and support activities, all US citizen and US soil requirements are passed down and appropriate mechanisms are put in place to ensure compliance, including employee and visitor controls and access logs.
In addition, to ensure that the US federal secure cloud environment maintains strict adherence to export control regulations, SAP NS2 is a registered munitions manufacturer with the US Department of State, and maintains an Export Control Policy as well as a Technology Control Plan for ongoing compliance.
Your Cloud, Your Way
Backed by SAP NS2’s service and support expertise, the US federal secure cloud offering can help ensure you are meeting regulatory requirements for your export-controlled data while enabling you to take advantage of the benefits of cloud computing. The combination of SAP’s cloud technology and SAP NS2’s enhanced security offerings lays the groundwork for using innovation to deliver on your business objectives with speed and efficiency without sacrificing compliance and security. Learn more at www.sapns2.com/solutions/cloud-solutions.
[1] For an overview of SAP NS2 and its support offerings, see the article “High-Security Support for SAP Solutions” in the January-March 2015 issue of SAPinsider.