The increased agility that comes with moving to the cloud solves many current technology challenges, but the journey to cloud computing can also accelerate the erosion of perimeter enforcement and trust boundaries. Many companies have been reluctant to deploy mission-critical applications, such as SAP HANA, in hosted cloud environments, due to these security and compliance issues. Enterprise companies looking to leverage all the typical advantages of cloud (cost, agility, scale, etc.) need to consider the following critical areas when considering this computing paradigm:
- Experience: SAP systems are typically complex, and require a number of interconnected servers, need correct versioning, and need certified and expert support. If your cloud provider does not have extensive and referenceable experience, with your exact landscape, then you need to keep looking!
- Performance: Hundreds, if not thousands, of users, potentially spread all over the planet, may need to access SAP systems, and if response time is slow, users will be inefficient and there will be direct costs. Hosted SAP systems need to use an architecture and WAN access process that balances cost with response time and an optimal design. Your cloud service provider must understand these challenges, offer various approaches and have extensive benchmarking experience to share so there are no surprises.
- Migration and On-boarding: This critical phase needs to have a project plan that makes sense and processes that limit the risks and time in transition. The longer a businesses is paying for two environments, the higher the costs, there are more database replication and updating issues, and other risks. Organizations need to see a detailed plan that is based on experience as mentioned above.
- Security Related Items:
- RACI: Who does what? The RACI dilemma must be solved. Companies leveraging the cloud have to understand that there are shared security responsibilities. The cloud service provider typically handles all of the underlying physical, environmental, networking, storage and support systems management. Organizations that have needs for process and tools that include OS patching, scanning, logging, AV/AM, IPS, WAF, archiving, DR and IR Plans and testing, firewalls… on and on! The provider must have a well-defined process for identifying all of the necessary processes and then ensuring delivery of the selected items.
- Data Sovereignty: Organizations that have PII data and workloads located in countries that have specific laws regarding where that data can and cannot be hosted, have to be supported. The cloud service provider has to have technical measures, contractual obligations and processes that fully support this critical area.
- Search and Seizure and eDiscovery Issues: Organizations typically have many questions related to how the cloud service provider deals with subpoenas and requests for eDiscovery. The risk is that the cloud service provider hands over businesses data to authorities without the awareness of the data owner. Sophisticated and enlightened cloud users know how to leverage encryption and key management to eliminate this risk. Ensure that your cloud provider offers the tools to fully support the encryption during entire data lifecycle: before move, in transit, in use, in archive and data destruction once the workload is de-provisioned. Companies should be able to fully manage their own encryption keys, so they have exclusive control over who has access to data.
- Audit and Compliance Support: Organizations should have their compliance framework fully supported by the supplier. ISO 27000, PCI 3.0, GxP, CSA, SOX, SSAE16, SOC2, HIPAA, NIST, FISMA, FedRAMP, etc. independently audited and compliant environments must be available. Audit reports and all of the related artifacts must be made available to the company, and the provider must fully support the business’s “right to audit.” Run, don’t walk, away from providers that don’t have this critical area fully addressed.
- Security Posture: The organization’s security posture and maturity should improve during a move to the cloud. This is not counterintuitive. The cloud service provider should be using better tools from a very complete portfolio, have more security staff, leveraging threat feeds, and have the stated goal and offer proof of before and after, to demonstrate that the security of the businesses is in better shape after a move to the cloud.
- Expert Consulting Available: Your cloud provider should have certified and experienced experts that can ensure that all risks are addressed appropriately. Test your potential provider with tough questions and challenges, if you don’t get good answers before the move, then you should not expect good support after the move.
- Integration with Processes: Incident Response and Disaster Recovery are examples of critical functions that must be supported by the cloud service provider fully, or partially, as determined by the businesses. Testing, documentation and expert support must be in place to ensure continuity of operations during unplanned events.
- Resilience: Things go wrong, but how the cloud service provider deals with an issue makes all the difference. The provider must have resilient capabilities to ensure that disruptions and costs are minimized during unexpected events.
- Misconfigurations, Patching, SAP Notes: One of the highest risks for companies running SAP is ensuring the secure configuration of SAP is maintained during the product lifecycle, and risks increase if there are multiple support organizations involved. Ensure the cloud service provider has specialized tools that are specifically designed to scan for, identify, track and manage remediation efforts for SAP. Look to the recent breach of the SAP application at the US Federal Office of Personnel for evidence that vulnerabilities in this area must be addressed.
Support and Language Issues: Many cloud providers either outsource or partner with System Integrators, Basis Support Providers and other third parties. Ensure that your support is provided in a manner that minimizes costs and provides for as comprehensive as desirable support. The cloud provider should also offer those support resources directly and support all the languages that your user community needs.
As organizations continue to deploy complex and collaborative applications in private, public and hybrid cloud environments, and share data with global customers, suppliers and partners, security leaders must figure out how best to protect their entire ecosystem, and not just their organization. This is just a short list of the myriad items that organizations must consider as they contemplate moving critical SAP workloads to the cloud. Hopefully some of the items listed above give you additional considerations as you contemplate leveraging the cloud for your critical SAP workloads.