As I’ve discussed before, security is a top concern for organisations looking to embrace the cloud. When talking with customers about wanting to make the most of the cloud by using SAP Cloud for Customer, I’ve found that there are many questions about security.
In this blog post I’ve answered 10 frequently asked security related questions on SAP Cloud for Customer. This is not an official SAP FAQ, but rather my summary of the questions which have come up most when talking to clients. If there’s something not answered, or if you have any questions, do leave me a comment and I will add the question to the list.
1) Where’s my data stored?
Data is stored in SAP data centres. Customers share physical hardware, but data is separated into different tenants. SAP currently has data centres in the US, Germany and Japan. Customers can choose which one they want their data stored in.
2) Who owns my data?
You own your data. Not SAP, or anyone else for that matter. But of course, this is something you should always check with your service provider.
3) What measures are in place to protect my data?
Everything you would expect; industry best practices and high cryptographic standards secure communication between your devices and the server. This is the same encryption used for online banking. Communication with the server is carried out via Reverse Proxy (which requires its own certificate from SAP). Secure Socket Layer (SSL), Transport Layer Security (TLS) and HTTPS protocols are also used. Authentication of end user devices requires a client certificate from SAP. Even the monitoring and maintenance of the Cloud for Customer solution is encrypted and authenticated. This applies irrespective of whether you are accessing Cloud for Customer via a mobile app, or web browser.
4) Are data centres physically secure?
Besides the electronic encryption protecting your data, which would take 1000s of years to crack, SAP’s data centres are protected by staff 365 days a year, with no direct links between different data centres (making them entirely autonomous), and by a biometric security system.
5) What happens if there is a power outage?
SAP data centres maintain multiple connections to different power companies, making a complete power outage, and therefore downtime in your production system, incredibly unlikely. An on-premise system is therefore likely to have a higher risk of a power outage.
6) How is user management handled with SAP Cloud for Customer?
The business administrator user can maintain all your users and their different authorisations. For example, business administrators can unlock passwords, assign access rights for various parts of your solutions, and create technical users which are used to run tasks in the background. Users can be defined as either a business user (who use various parts of the solutions), a technical user or a support user.
7) Can my organisation have our own security policy for our SAP Cloud for Customer solution?
Yes. The system administrator can manage the required complexity and validity length of passwords. For users accessing SAP Cloud for Customer via a mobile app, you can even specify the length of time after which users must re-enter the app password. A maximum number of failed attempts can also be set for the mobile apps, after which mobile data within the app will be deleted. As an organisation, you may also want to setup security policies for devices using your networks and systems as well, such as the new security features found in iOS 7, in which case lost devices can be remotely locked or wiped.
8) How do I manage segregation of duties?
Segregation of duties is incredibly important for many organisations, and especially those which are operate in industries which are heavily regulated. Within SAP Cloud for Customer, the system checks if a user’s assigned workcentres conflict with a segregation of duties. For example, a segregation of duties conflict within Cloud for Customer would occur if a user has access to different screens which may allow the user to commit fraud, or approve their own work. The system automatically indicates such scenarios and proposes possible solutions.
9) What web technologies does the desktop front-end of SAP Cloud for Customer use, and is it secure?
The Cloud for Customer webapp can run using Microsoft Silverlight, or HTML5. It is preferable to use the HTML5 version of the webapp, as it runs quicker, is a modern web technology which works on any modern device, does not require a 3rd party plugin, and offers enhanced capabilities over Silverlight (which is comparable to running Cloud for Customer through a clunky flash plugin).
The newest HTML5 version of SAP Cloud for Customer also offers secure features such as protection from clickjacking attacks and UI and domain protection against URL, and content mashups (a great feature where you can embed content from elsewhere onto your screen).
10) Can I monitor all relevant activity in relation to system security?
The Application and User Management workcentre offers a set of tools to monitor access rights change logs, all current access rights, all current users, and the user activation and deactivation logs. The IT Compliance view also allows you to monitor server provider access to your solution, including system updates and incident analysis.