Securing SAP in the public cloud: Navigating the shared responsibility model

Zane Wilson, SVP, SAP Architecture EMEA, Lemongrass, on bringing the concept of shared responsibility to cloud security.

As enterprises continue to embrace cloud computing, the adoption of public Cloud platforms for mission-critical applications like SAP has been steadily increasing.

Driven by the potential for cost savings, scalability and agility, organizations are increasingly migrating their SAP workloads to the Cloud. However, this migration introduces new security challenges that must be addressed proactively.

A fundamental concept in Cloud security is the shared responsibility model, which defines the roles and responsibilities of the Cloud provider and the customer in securing the Cloud environment. While the Cloud provider is responsible for securing the underlying infrastructure, the customer is accountable for securing their applications, data, and adherence to compliance requirements. Failing to understand and address the risks associated with this shared model can lead to security gaps, data breaches and potential regulatory violations.

Understanding the Shared Responsibility Model

In the public Cloud, the shared responsibility model is a critical framework that outlines the division of security duties between the Cloud provider and the customer. The Cloud provider is responsible for securing the physical infrastructure, including data centers, servers, network equipment and the virtualization layer (hypervisor). The customer, on the other hand, is accountable for securing the operating systems, applications, data and access controls within the Cloud environment. This includes configuring firewalls, installing security updates, implementing access controls, and ensuring compliance with relevant regulations.

The shared responsibility model is further divided between the customer and their system integrator (SI) partner. The SI may be responsible for managing certain aspects of the Cloud environment, such as application deployment and configuration, while the customer retains overall responsibility for the security and compliance of their SAP systems.

Risks Associated with the Shared Responsibility Model

While the shared responsibility model offers benefits, it also introduces several risks that organizations must address:

1. Misunderstanding or Overlooking Responsibilities: A lack of clear understanding of the responsibilities by either party can lead to security gaps and potential vulnerabilities.
2. Misconfiguration and Security Gaps: Improperly configured security settings, access controls or network configurations can expose sensitive data and systems to unauthorized access or attacks.
3. Compliance and Regulatory Challenges: Ensuring compliance with industry regulations and data protection laws can be challenging when data and workloads are hosted on public Cloud infrastructure.
4. Lack of Visibility and Control: Customers may have limited visibility and control over the underlying infrastructure, making it difficult to monitor and respond to security incidents effectively.
5. Human Error and Social Engineering: Inadvertent misconfigurations, inadequate access controls, and susceptibility to social engineering attacks can expose Cloud environments to significant risks.

Real-World Examples

Several organizations have faced security challenges when migrating their SAP systems to the public Cloud, highlighting the importance of proactively addressing the risks associated with the shared responsibility model:

• Organization A, a large manufacturing company, migrated its SAP ERP system to a public Cloud platform without clearly defining security responsibilities and implementing robust access controls. This led to a security breach where an unauthorized user gained access to sensitive financial data, resulting in significant financial losses and regulatory fines.
• Organization B, a healthcare provider, successfully secured their SAP systems on a public Cloud by implementing a comprehensive security strategy. They clearly defined roles and responsibilities, encrypted all sensitive data, implemented centralized identity and access management and conducted regular security audits and assessments. This approach helped them maintain compliance with industry regulations and avoid data breaches.
• Organization C was migrating their estate to SAP RISE, when a beady-eyed customer technician spotted that a mistake had been made in a firewall rule, briefly exposing their RISE development environment to the public Internet. Fortunately, this was detected and remediated before production systems were exposed.

Strategies for Minimizing and Mitigating Risks

To effectively mitigate the risks associated with the shared responsibility model for SAP on public Cloud, organizations should implement the following strategies:

1. Clearly Define Roles and Responsibilities: Establish a clear understanding of the responsibilities of the stakeholders: Cloud provider, the customer and the system integrator (if applicable)
2. Implement Robust Access Controls and Identity Management: Implement strong access controls, multi-factor authentication and centralized identity and access management solutions
3. Encrypt Data at Rest and in Transit: Encrypt sensitive data at rest (stored data) and in transit (data in motion) using industry-standard encryption protocols
4. Monitor and Log Security Events: Implement and regularly review robust monitoring and logging mechanisms to detect and respond to security incidents promptly
5. Automate Security Processes and Configurations: Leverage automation tools not people to apply security configurations, updates and patches consistently across the environment
6. Implement Cloud Security Posture Management (CSPM) Tools: These help organizations maintain visibility and control over their Cloud security posture, identifying misconfigurations, excessive permissions and compliance violations
7. Foster a Security-Conscious Culture: Prioritize security awareness training, implement stringent access management policies and cultivate a culture of vigilance to mitigate human vulnerabilities
8. Continuously Improve and Adapt: Regularly review and update security practices, stay informed about the latest threats and mitigation strategies and foster a mindset of continuous improvement and adaptation

Best Practices for Secure SAP on Public Cloud

In addition to the strategies above, organizations should consider the following best practices to ensure the secure operation of SAP systems on public Cloud platforms:

1. Follow Industry Standards and Guidelines: Align security practices with industry standards and guidelines, such as the Cloud Security Alliance (CSA) Cloud Controls Matrix, the Center for Internet Security (CIS) Benchmarks and SAP-specific security guidelines
2. Adopt a Security-First Mindset: Embed security considerations into every stage of the Cloud migration and application development processes
3. Provide Continuous Training and Awareness: Offer regular security training for IT teams and end-users to ensure they understand and follow secure practices
4. Stay Up to date with Security Updates and Patches: Regularly monitor and apply security updates, patches, and hotfixes provided by the Cloud provider, SAP and others to address known vulnerabilities
5. Implement Defence in Depth: Adopt a layered approach to security by implementing multiple layers of protection, including firewalls, intrusion detection/prevention systems and SIEM solutions
6. Regularly Audit and Assess: Conduct regular security audits, penetration testing and risk assessments to address potential vulnerabilities, misconfigurations and areas for improvement
7. Collaborate and Share Knowledge: Foster collaboration and knowledge sharing within the organization and with industry peers, security researchers, and experts to stay up to date with the latest security trends and best practices

Where does SAP RISE Fit In?

RISE is SAP’s latest iteration of hosted private Cloud modelled on HEC with AWS, Azure or GCP Cloud infrastructure and a layer of SAP managed services on top. Here, SAP acts like any other service provider offering build, migration and management services on top of public Cloud IaaS. All the same risks exist – but the customer is more at arm’s length.

You might perceive the security of the RISE platform as SAP’s problem, not yours, but you need to remain proactive in ensuring that the deployment you’ve received from RISE is secure, penetration-tested and properly configured. Ensuring that SAP stays on their toes and demonstrates that they are running a tight security ship is your responsibility.

In conclusion, securing SAP systems on public Cloud platforms requires a comprehensive approach that addresses the unique challenges of the shared responsibility model. By clearly defining roles and responsibilities, implementing robust security controls, continuously monitoring and auditing and adhering to industry best practices, organizations can effectively mitigate the risks and leverage the benefits of running SAP workloads on public Cloud.