The increased agility that comes with moving to the cloud solves many current technology challenges, but the journey to cloud computing can also accelerate the erosion of perimeter enforcement and trust boundaries. Many companies have been reluctant to deploy mission-critical applications, such as SAP HANA, in hosted cloud environments due to these security and compliance issues. Enterprise companies looking to leverage all the typical advantages of cloud (cost, agility, scale, etc.) need to examine the following critical areas when considering this computing paradigm:
- Experience: SAP systems are typically complex: they require a number of interconnected servers, correct versioning, and certified, expert support.
- Performance: Hundreds, if not thousands, of global users may need to access SAP systems, and if response time is slow, users will be inefficient and there will be direct costs.
- Migration and on-boarding: This critical phase needs to have a project plan that makes sense, and processes that limit the risks and time in transition.
- RACI: Who does what? The RACI dilemma must be solved. Companies leveraging the cloud have to understand that there are shared security responsibilities.
- Data Sovereignty: Organizations with PII data and workloads located in countries that have specific laws regarding where that data can and cannot be hosted have to be supported.
- Search and Seizure and eDiscovery Issues: Organizations typically have many questions related to how the cloud service provider deals with subpoenas and requests for eDiscovery. Sophisticated and enlightened cloud users know how to leverage encryption and key management to eliminate this risk.
- Audit and Compliance Support: Organizations should have their compliance framework fully supported by the supplier. Independently audited and compliant environments (ISO 27k, PCI 3.0, GxP, CSA, SOX, SSAE16, SOC2, HIPAA, NIST, FISMA, FedRAMP, etc.) must be available.
- Security Posture: The organization’s security posture and maturity should improve during a move to the cloud. This is not counterintuitive.
- Resilience: The provider must have resilient capabilities to ensure that disruptions and costs are minimized during unexpected events.
- Misconfigurations, Patching, SAP Notes: One of the highest risks for companies running SAP solutions is failing to maintain a secure configuration throughout the product lifecycle, and the risk increases if multiple support organizations are involved.
As organizations continue to deploy complex and collaborative applications in private, public, and hybrid cloud environments, and share data with global customers, suppliers, and partners, security leaders must figure out how best to protect their entire ecosystem, and not just their organization. Hopefully some of the actions listed above give you additional considerations if you are contemplating leveraging the cloud for your critical SAP workloads.
For more information, visit www2.virtustream.com/SAPandSecurityintheCloud.