When searching for a cloud provider, customers are attaching ever more importance to a provider’s ability to prove how secure its services are. Gerold Huebner, chief security officer for SAP Cloud Platform, explains the effort SAP puts into ensuring the greatest possible security and what role certificates play.
Since the GDPR came into force, there is no doubt that security and data protection topics have been pushed even higher up the agenda of company executives and IT managers. GDPR creates a legal framework with which data protection authorities can punish violations with hefty fines. And the rules apply both within a company’s own four walls as well as if data and applications are shifted into the cloud.
For many companies today, security is the biggest hurdle to using cloud services because it involves more than IT managers just handing over their data. They also relinquish control of security mechanisms and compliance with data protection standards. It is not only pure self-interest on the part of companies to ensure that their data is processed securely by the provider of the public cloud; the law requires them to do so.
According to the “Cloud Security 2019” study by IDG Research, “The GDPR has a significant impact on the choice of a cloud provider.” Customers expect both the cloud service and the cloud provider to have high security and data privacy standards, with cloud certificates and data protection certification being among the key selection criteria. Should the provider not have the relevant certificate, companies want compliance to be confirmed through data protection audits. “Certification and audits help not only in the selection process, but they also heighten awareness about the security of cloud services,” the study states.
Huebner, responsible for the security of SAP Cloud Platform, confirms this.
“Without certification, you can’t sell cloud services at all,” he says. And users demand proof for good reason: “Certifications are objective confirmation by an independent third party that all the security requirements specified in the certification framework are met.”
Public Cloud Provider Requirements
Companies are often interested in more than security. After all, they also must prove to auditors and supervisory authorities that the services they use are secure. Companies in regulated industries such as pharmaceuticals or the financial sector have a particular responsibility here.
“This is where security certificates become business enablers,” Huebner explains. “They are required by customers who need to produce documents to auditors as evidence that they operate compliantly.”
For many years now, SAP has been using the secure software development lifecycle (secure SDL) as a binding procedure model for secure software development. It is an essential cornerstone of SAP Cloud Platform. From secure and privacy-compliant design and service development through testing and internal validation, many coordinated measures dovetail to help ensure the highest possible level of security.
In the cloud, secure SDL also covers processes for guaranteeing secure operations, maintenance, and incident management, for example. SAP confirms the effectiveness of this approach with a range of standards and certificates, such as SOC 1 and SOC 2 audit reports, ISO 27001/22301, and TISAX.
Another framework has now been added in the form of GDPR, which is valid across Europe. It sets out the legal bases for processing personally identifiable information and the duties of SAP as a commissioned processor of personal data in SAP Cloud Platform. The result can be found in ISO 27018, which defines a data privacy standard for cloud services. The independent auditing company PwC audits SAP according to this standard and awards the certification to confirm compliance. Compliance with ISO/IEC 27018 is one of the main requirements for all public cloud providers. Certification means that the cloud provider meets most of the GDPR provisions. Currently, it is the only international certification for this area.
Greater Security in the Cloud than On Premise
“SAP Cloud Platform has been issued with all the certificates that are relevant to security and data protection,” says Huebner. Furthermore, he disputes the claim that companies that use cloud services have to accept limitations concerning the safety of their data. “It’s more of a subjective feeling. In truth, they’re only placing part of the responsibility in the hands of the cloud provider, which, in most cases, even means a considerable increase in the level of security.”
With their invariably limited resources and IT budgets, small and midsize enterprises often cannot afford a sufficient number of highly qualified security experts or costly and time-consuming tests, audits, or certifications.
“Employees with top-end security knowledge, which must always be up-to-date, are not only expensive, there’s also a dearth of them on the labor market,” says Huebner. With internationally operating platform providers such as SAP, it is another story: They have dedicated security experts for all areas of IT security.
Certificates for the Public Cloud
Installing security mechanisms and getting them certified is a lot of work. A single certificate often contains more than 100 security controls. These can be, for example, technical or organizational measures or process mechanisms. Regular penetration tests by external specialists are also necessary, as are analyses of security-relevant incidents. “We perform a retrospective check twice a year, where we closely examine all the events that had – or could have had – an impact on security,” Huebner explains.
And then, to draw the right conclusions and figure out suitable measures, you also need a comprehensive knowledge of security architectures and mechanisms, because guaranteeing security is a continuous process. He continues: “We know how to find security gaps, how to close them, and what we can learn from them for the future.”
At SAP, such measures are defined in a secure software development process, which, in turn, is aligned with the corresponding ISO standard (security development lifecycle, ISO 27034).
Huebner believes that the certificates for IT and cloud security are dependable and deliver on their promise “because rules are never bent.” Nevertheless, he admits that there is no such thing as 100 percent security: “IT security is always a question of probabilities and risk management, so it’s therefore about taking all technical and organizational steps to manage the risks to which operations and data can be exposed.”