When companies move their business processes to the cloud, security is their top priority. Sven Denecken, global vice president of Strategy and Co-Innovation Cloud Solutions at SAP, explains what potential cloud customers need to know.
Q: When companies start thinking about moving their IT to the cloud, their first question is usually, “How secure is it?” How would you answer this question from SAP’s perspective?
A: We build our cloud software with the same care and the same security mechanisms as our traditional on-premise solutions. For us, security begins at the development stage, because this is the only way of ensuring that we can exercise a strong influence on the quality of the finished solution right from the start. We also maintain our cloud solutions on an ongoing basis and with the utmost care. For instance, we provide regular updates to ensure that our customers’ systems always operate according to the latest security standards.
We also take a holistic approach. This is because, when people speak about security in the cloud, they are often only referring to the software level. A truly secure solution must address security at the platform and infrastructure levels as well. A good, stable cloud solution needs an equally good and secure platform and infrastructure. That is why, in our eyes, security isn’t just a software-development topic. It also extends to the way in which solutions are operated and how the corresponding infrastructure is modeled. At SAP, this includes the measures in place for operating our data centers, securing data access, and managing data. SAP is by no means a stranger to handling sensitive customer data either: We have over 40 years’ experience of managing customer data, having successfully hosted applications for numerous customers in the on-premise world. Today’s cloud customers are benefiting from this wealth of experience.
We want to ensure that the companies of the future will be able to run all of their business processes securely in the cloud. This is the objective to which every cloud solution from SAP aspires.
Q: Handing enterprise data over to an external provider requires an enormous amount of trust. How can SAP build trust on this scale?
A: First, we are very open about showing our customers how and where we are investing in our cloud offerings. Here, it often becomes apparent that we are able to invest much more heavily, notably in infrastructure, than many of our customers ever could. Software security is part of our core business. In fact, you could say that data security and protection are programmed into our DNA.
The second point is that we attach maximum importance to ensuring that our customers’ data is stored securely. Our data centers are designed to map cross-enterprise scenarios end to end, that is, to meet the most stringent security requirements that a company could have. Moreover, SAP data centers are equipped with a comprehensive, multi-layered security system that includes biometric access control to sensitive areas, redundant data storage, an independent power supply, and fire and flood protection measures. Germany’s technical inspection association TÜV, auditors KPMG, and SAP itself perform regular checks to ensure that both the technology and the infrastructure are functioning correctly. Most of our German customers store their data at our German data center, which is located in St. Leon-Rot, just three miles from SAP headquarters in Walldorf. We offer regular tours of the data center in St. Leon-Rot, which is also open for a virtual visit at www.sapdatacenter.com. Visitors get a detailed look at the measures we take to ensure physical security, network security, backups, and compliance.
Finally, while many discussions today are confined to secure data access, we go a step further and ask customers with distributed landscapes which data should be stored where. They can then decide for themselves which jurisdiction they want us to store certain data in. This freedom to decide is vital, because it is one of the security requirements that our customers have. For example, a customer can decide to store data from its Chinese subsidiary in China, separated from data from other regions. Similarly, a customer can elect to continue storing some of its data on premise and some in the SAP Cloud. On request, we can also ensure that customer data is only stored in one location. By the end of 2014, we’ll be operating some 20 data centers throughout the world and offering our customers distribution mechanisms and scaling options to meet their needs.
Q: In cloud computing, data is transferred across national boundaries for storage purposes. Which legal framework and standards does SAP comply with here?
A: SAP complies with local legislation. We also adhere to international standards including ISO 27001, ISAE-3402, and SSAE-16 worldwide. When it comes to data protection, our data centers in Europe comply with the European regulations. In Germany, we are bound by the German Data Protection Act, which is particularly stringent. We can also offer this very high standard of quality to non-German customers in Germany.
In the supra-regional context, we’re also looking at how we can simplify data traffic securely. This is particularly relevant in use cases such as business networks like our own Ariba network, because B2B networks often have members located at vast distances from each other and are therefore affected by differing sets of local laws. This can pose an obstacle. That’s why we’re lobbying at the highest levels for globally standardized and harmonized legal regulations.
Q: We’ve spoken about what SAP does to secure its customers’ data. But what do customers themselves need to consider when they use software in the cloud?
A: The main thing is not to limit cloud-security considerations merely to the question of data security, that is, to making access to data secure. Vital though this aspect obviously is, there are others that are just as important in ensuring a secure cloud.
Customers need to accept that the growing trend toward shifting business processes to the cloud is a reality. Not all processes will move to the cloud, but solutions will increasingly be served from it. Thus, every cloud solution should be designed to allow business processes to be integrated. The issue of security doesn’t just apply to the cloud solution itself, but also to its ability to be integrated into the customer’s existing on-premise landscape and other cloud solutions.
Another important point to remember is that strict security measures are required where end users work with cloud solutions, especially if they do so on mobile devices. Companies therefore need to make sure that their chosen provider can supply mobile versions of its cloud solutions with the corresponding levels of quality and security. This includes central mobile device management, including “Bring Your Own Device,” and configuration options for controlling who has access to which parts of the solution.
Q: Are there any other points to consider when selecting a cloud solution?
A: There are several very fundamental questions that companies should ask their providers and insist on clear answers to:
- Which data is stored where? This question requires both a region-specific and a product-specific response. “Region-specific” means, do I know which countries my data is stored in, and can I choose which those countries are? “Product-specific” means, can I set up my business processes such that some data stays in my own systems while the rest is stored in the cloud? In other words, are hybrid landscapes possible?
- Portability: If I decide tomorrow that I no longer want to use a particular cloud service, can I move my data to a different cloud service securely and with minimal disruption?
- Identity management: How do I manage users who access my data and applications via several different systems? And how do I make sure that only the “right” person has access to the “right” data?
- System support: Can I use the tools that I am familiar with from the on-premise world to support my cloud solutions? Or does the provider have sole responsibility for support?
Ultimately, security is also inevitably a question of culture. Security must be etched into the employees’ mindset. And that includes such seemingly simple things as taking care when handling passwords and locking mobile devices when they are not in use. At SAP, as both a provider and a user of cloud solutions, we attach great importance to ensuring that all employees receive comprehensive security training and are regularly tested to keep their knowledge up to date.