Zero Trust for the Highest Level of Data Protection, Security, and Privacy in the Cloud


When Rihanna sang some of her greatest hits suspended on a platform that hovered 15 to 60 feet above the stadium at this year’s Super Bowl, trust in technology was of utmost importance. On the same note, trust is crucial when it comes to an organization’s security on every platform it operates.

Data privacy, risk management, and cybersecurity remain key priorities for businesses in 2023 to ensure continuous high performance and to catapult to new heights. In a recent CIO Magazine survey, 43% of respondents said that they plan to upgrade IT and data security to reduce corporate risks. That includes security and data protection measures to keep their data safe. This becomes even more important when moving to and operating in a cloud enterprise resource planning (ERP) environment to drive continuous innovation. In the same CIO survey, 12% of the respondents said that they are planning to accelerate the move to the cloud as a service.

Adopt a Zero Trust Security Approach for the Cloud

To secure data and operations in a hybrid work environment, companies have been adopting a zero trust approach. Forrester defines zero trust as an “information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy, informed by continuous, contextual, risk-based verification across users and their associated devices.”

According to 2022 global survey data published by Statista, 39% of companies have already begun to roll out a zero trust solution and 41% of companies have plans to adopt a zero trust strategy and are in the early phases of doing so.

My principle in life is to trust people and systems until I am provided a reason not to. The zero trust principle is the exact opposite of this.

The zero trust approach has three key principles: all entities and users are untrusted by default until authorized, least-privilege access is enforced, and extensive security monitoring is in place. In short, no connections to corporate networks and systems should be trusted on sight. All users, devices, and systems need to be authenticated, reverified, and continuously monitored when accessing networks, systems, and data.

Adopting this approach to cloud transformation has become the leading industry standard to keep operations and data safe across the entire virtual and physical network infrastructure.

Here are some best practices for putting an enterprise security plan in place that utilizes zero trust concepts to run operations safely and securely in the cloud.

Define Clear Security Roles and Responsibilities

First and foremost, ensuring security is always a shared responsibility between companies and their cloud transformation partners. It is a common goal and commitment that is independent of the type of cloud path companies take.

As with any shared responsibility, the best way to approach it is by defining the roles and responsibilities up front. This process starts by asking these key questions: who is managing the cloud, how will everyone work together to secure the cloud, who is responsible for which part, and where are the dependencies?

This will ensure that there is a clear strategy and plan to monitor and implement security policies and measures.

Keep an Eye on Users, Devices, Network, Applications, and Monitoring

Based on our experience at SAP Enterprise Cloud Services, another best practice is to focus the zero trust security approach on five pillars: users, devices, networks, applications, and monitoring.

Eighty-seven percent of organizations consider the application layer to be the front door for data breaches. Most data breaches through cyberattacks happen because users fail to keep their credentials safe or fall prey to false identities. In addition, the number of remote users with their own devices in enterprise networks has significantly increased, as has the number of cloud-based assets that are not located within an enterprise-owned network boundary.

By regulating and monitoring user access to devices, networks, and applications, companies can protect all their resources, including assets, services, workflows, and network accounts. For example, identity management systems can manage privileged user authentication and access at a very granular level. This includes keeping administrative accounts separate from corporate accounts and applying encryption to several layers in the IT environment. Data classification makes it possible to associate the security levels with specific types of data, regardless of where that data resides – in the cloud, at endpoints, or in owned data centers.

Scaling Security Needs Faster with the Cloud

While managing the complexity of security needs for cloud transformations can be daunting, here is an added merit: companies can scale their security needs much faster in the cloud, according to Deloitte research. Benefits include better automation capabilities as well as higher storage and data capacity in the cloud. Companies can push infrastructure as code and fix a security problem in real time when operating in the cloud. Automation also helps in increasing the maturity of identity management and security management systems. Deloitte recommends embracing cybersecurity as a differentiator to promote greater stakeholder trust and better use of cloud-native solutions that take advantage of the cloud’s full potential.

In other words, you can shine like a diamond on your cloud platform of choice with a zero trust security approach for the cloud.

For more information, visit the SAP Trust Center site and read this Forbes article by Roland Costea, chief security officer for SAP Enterprise Cloud Services.

Peter Pluim is president of SAP Enterprise Cloud Services and SAP Sovereign Cloud Services.