Data Custodian Model: Protecting Your Data in the Public Cloud

As announced in March 2017, SAP has partnered with Google to develop an innovative governance, risk, and compliance (GRC) model for data protection in the cloud: data custodian.

While many enterprises want to move to the public cloud to benefit from its greater flexibility, agility, and scalability, they are nevertheless worried about complicated data protection, privacy, and sovereignty-related legal requirements such as the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (FDPA). The European Union, Canada, Russia, Saudi Arabia, and many other countries are introducing new and stringent data protection laws.

Data privacy laws often restrict the geographies in which enterprises may store, process, and access sensitive data. Enterprises that do not comply with these laws potentially risk significant fines and dissatisfied customers. But opting for a physically isolated or private cloud solution to meet these complex data protection and sovereignty requirements comes at a high cost and can severely limit the cloud provider’s ability to fulfill its availability and disaster recovery commitments.

SAP’s data custodian model, developed in partnership with Google, will provide enterprises with a winning solution, giving them both the flexibility and scalability of the public cloud and the transparency and control of the private cloud. Our joint model has been designed to offer extensive and unique access transparency features. We are working to provide advanced data access control features in the future.

The Data Custodian Model

The data custodian model will be a game changer because it gives back control of the data in the public cloud to customers. We anticipate the solution will provide unique features such as cloud provider access visibility and software-defined geo-fencing of customer data and resources in Google Cloud Platform (GCP). For enterprises requiring an independent entity to oversee and handle their data on a public cloud, SAP is planning an offering where SAP will act as a trusted data custodian for their data on GCP.

With the data custodian model, it is envisioned that our enterprise customers will be able to flexibly configure policies for their data in GCP to help address their unique customer needs and specific regional data protection regulation requirements (such as GDPR and FDPA). This includes geo-fencing policies for data access, storage, movement, and processing. As the data custodian, SAP will continuously monitor and provide risk and compliance reporting in alignment with the customer-defined policies and help the customer manage policy violations as needed. The reporting will provide data access transparency into, for example, geo-location of the customer resources and data accessed, geo-location of the accessor, reason for the access, read/write actions performed on data during that access, and time of access. The reporting will also capture details of access made by Google as the cloud provider.

Additional data access control features will be introduced going forward. We anticipate focusing on three major control features: data access approvals; geo-fencing controls for data access, storage, and processing; and key management system approval and monitoring. SAP will work with the customer to help them conform to their policies and protect their data from unauthorized access, including access made by the cloud provider. SAP anticipates acting as a gatekeeper for customers, overseeing access to customer data and resources. This includes access to support and maintenance activities. Moreover, SAP will provide detailed reports for all data access-related activities to customers.

Significant Customer Benefits

There are several key benefits of the data custodian model. Using this jointly developed model, enterprise customers will be able to use SAP’s strong GRC expertise and deep knowledge of GCP security posture, administrative controls, and workflows. This will help customers ensure that their data is accessed and stored in compliance with their data protection policies, that there is no unauthorized data access, and that the data does not cross the prescribed geo-boundaries.

It is planned that the data custodian model will provide near real-time notifications of policy violations. This will help customers respond quickly and take immediate corrective action to protect customers’ data. SAP is planning to offer a high level of flexibility by allowing customers to specify software-defined geo-fencing policies for their data and resources in the public cloud. In other words, customers would be able to enjoy the benefits of a globally connected public cloud, while still addressing their country or customers’ data sovereignty requirements. Our software-defined geo-fencing approach would further help our customers adjust their data protection policies within a reasonable timeframe in response to changes in regulations, offering a significant advantage over approaches based on physical separation and isolation.

Going forward, SAP and Google will continue to work on defining and introducing additional monitoring and control features to offer our customers unparalleled levels of data protection and privacy in GCP.

How Do I Learn More?

Today, we are demonstrating a preview of the data custodian model. To learn more, contact us at

Dr. Christoph Böhm is senior vice president of Cloud Delivery Services and Global Infrastructure at SAP