Expand +



Comply with US Export Regulations While Using Cloud Technology

How SAP National Security Services Protects Export-Controlled Data

by Dale Turza | SAPinsider, Volume 16, Issue 2

April 2, 2015

Security in the cloud should be a primary concern for all companies, regardless of industry or region. Companies with technical data that falls under US export controls, however, are faced with a unique set of compliance challenges that, if not handled correctly, could have dire consequences. Read this article to see how SAP NS2 can help address these challenges.


The cloud is becoming a necessity for many businesses, with opportunities for increased efficiency, cost savings, agility, scalability, and anytime, anywhere multi-user access that can mean the difference between success and failure. Organizations looking for a cloud provider to help them capitalize on these advantages must consider a range of security concerns before making a decision. What data protection measures are in place? How are breaches handled? What is the information privacy policy? Where is data stored?

However, companies with technical data that falls under US export controls — regulations that control how aerospace and defense contractors share weapons systems schematics, or how industrial companies share controlled manufacturing technical data, for instance (see the sidebar "What Are Export Control Regulations?") — are faced with a unique set of compliance challenges when it comes to choosing a cloud provider for their computing and data storage needs. And failure to address these challenges is not an option — the consequences for violating the law can be dire.


What Are Export Control Regulations?

The US government controls the export of sensitive equipment, software, and technology to meet national security and foreign policy objectives. Two primary US federal agencies have jurisdiction over exports from the US:

  • For civilian and dual-use items — such as global positioning systems, cameras, and optical devices — the Bureau of Industry and Security (BIS) of the US Department of Commerce, which administers the Export Administration Regulations (EAR), has jurisdiction
  • For defense articles and services — such as electronic equipment, systems, and software used for military, security, and intelligence purposes — the Directorate of Defense Trade Controls (DDTC) of the US Department of State, which administers the International Traffic in Arms Regulations (ITAR), has jurisdiction

Other agencies also may be become involved if, for example, government contract requirements restrict access by foreign nationals or exports involving countries or persons subject to US economic sanctions.

Generally speaking, under both EAR and ITAR, unless otherwise authorized by the relevant agency, an export occurs when commodities or technical data are sent or transmitted out of the US or when technical data is disclosed or released to a foreign national, whether in the US or abroad. Under the regulations, a foreign person is defined as anyone other than a US citizen, US permanent resident alien (i.e., green card holder), or protected person (i.e., political refugee or political asylum holder). If technical data is released to a foreign national in the US, it is deemed to be an export to the foreign national’s home country.


The Challenge of Export-Controlled Data in the Cloud

Beyond privacy and security issues, US companies need to know where their export-controlled data will physically reside in the cloud, and who will have physical or virtual access to that data.

If the data will ultimately be stored in a foreign location or accessed by foreign nationals, whether abroad or in the US, a violation of relevant export laws may occur, even if the export was unintentional or unknown by the company. Running afoul of US export controls can result in civil and criminal penalties, a loss of export privileges, or even suspension or debarment from government contracting.   

To date, the US government has provided no written guidance on how to apply these regulations to cloud computing or cloud storage. While export control personnel may be hoping that strong encryption of data in the cloud will be sufficient to negate export control concerns, the debate continues within governmental agencies on the best approach. In the meantime, under the law, if a company transmits data to a cloud provider in the US and that provider transmits the data to another hosting site or cloud-based location outside the US, an export has taken place. Further, if a foreign national inside or outside the US accesses export-controlled data in the cloud, an export has taken place. Unless such exports are authorized by the agency with jurisdiction, one or more violations of law will occur, with potentially serious consequences for the business.

Securing Export-Controlled Data in the Cloud with SAP NS2

SAP National Security Services (SAP NS2) — an independent US-based subsidiary of SAP — is uniquely positioned to provide solutions and support that address the export control challenges facing companies that are seeking a cloud provider. SAP NS2 provides enterprise applications, analytics, database, cyber security, cloud, and mobility software solutions from SAP, enhanced with specialized levels of security and services for customers in the US, including a US-based staff of US citizens to comply with requirements for support and maintenance activities.1

Leveraging the capabilities of SAP’s cloud offerings — including SAP HANA Enterprise Cloud and its cloud solution portfolio — and SAP NS2’s expertise in serving US customers with unique security requirements, SAP and SAP NS2 have built a US federal secure cloud offering, an export-controlled node that is hosted by SAP NS2, separate from SAP’s data center, and is supported exclusively by US citizens on US soil. This node is a secure, private managed cloud environment for running SAP business applications and includes the services and support from SAP NS2 that are needed to implement, maintain, and operate the solutions with the required levels of security and regulatory compliance.

The US federal secure cloud offering was announced in October 2014 and became generally available in December 2014. To learn more about this offering and how it can help you securely host your SAP business applications in the cloud, reach out to your SAP account executive.

Secure Services and Support for the Cloud

The US federal secure cloud offering enables customers to prepare, transition, and operate their SAP solutions in a secure cloud infrastructure, with the aid of a full end-to-end service and support portfolio to smooth the transformation.

SAP NS2’s secure services and support for the cloud offering include:

  • An assessment service that provides technical screening of the as-is solution in scope and provides a target architecture and transition plan for onboarding and migration
  • Onboarding and migration services that ensure the physical transition from an on-premise environment to the SAP NS2 data center, with all relevant steps in the transition plan performed with the guidance of SAP NS2 services
  • A subscription-based productive hosting service that ensures continuous operation of the customer solution with infrastructure managed services, ensuring promised service level agreements (SLAs) are met
  • An application management service for SAP solutions that is also available in a subscription-based model to provide SLA-based monitoring and solution maintenance support

In addition to these secure services and support, SAP NS2 offers security-enhanced implementation services and maintenance support for all SAP solutions and technologies, including advanced, on-site support programs for the entire solution life cycle. All of these services can be customized to specific customer needs, and are provided by SAP NS2 personnel who, in addition to holding deep industry and product expertise, are trained in security compliance and understand both the sensitivities associated with export-controlled data and the needs of SAP customers that are required to meet or exceed compliance or certification for technical data.

Export-Control Compliance in the Cloud

A primary issue faced by cloud service providers is the requirement that export-controlled data remain at all times within the US, and that the data be stored in an environment that is physically and logically accessible to US persons only.

To maintain the highest levels of security across all of its offerings for US customers, SAP NS2 employs only US citizens and maintains a secure IT infrastructure and facilities that are completely isolated from the rest of SAP. If co-locations and third-party contractors are involved in SAP NS2 service and support activities, all US citizen and US soil requirements are passed down and appropriate mechanisms are put in place to ensure compliance, including employee and visitor controls and access logs.  

In addition, to ensure that the US federal secure cloud environment maintains strict adherence to export control regulations, SAP NS2 is a registered munitions manufacturer with the US Department of State, and maintains an Export Control Policy as well as a Technology Control Plan for ongoing compliance.

Your Cloud, Your Way

Backed by SAP NS2’s service and support expertise, the US federal secure cloud offering can help ensure you are meeting regulatory requirements for your export-controlled data while enabling you to take advantage of the benefits of cloud computing. The combination of SAP’s cloud technology and SAP NS2’s enhanced security offerings lays the groundwork for using innovation to deliver on your business objectives with speed and efficiency without sacrificing compliance and security. Learn more at



1 For an overview of SAP NS2 and its support offerings, see the article “High-Security Support for SAP Solutions” in the January-March 2015 issue of SAPinsider. [back]

An email has been sent to:


Dale Turza
Dale Turza

Dale Turza ( is SVP and General Counsel at SAP National Security Services (SAP NS2). Prior to joining SAP NS2, Dale was a Partner in the White Collar Defense and Complex Litigation Group of the New York law firm Cadwalader, Wickersham & Taft, LLP, where for over 10 years she advised SAP NS2, as well as numerous domestic and foreign defense contractors, industrial companies, and financial institutions. She is a nationally recognized expert in issues relating to national security, commercial and arms export controls, corruption, and terrorism.

More from SAPinsider


Please log in to post a comment.