Cloud Security Fundamentals

Approaches Vary Depending on Service Model

Key Takeaways

⇨ Leverage the move to the cloud as an opportunity to re-evaluate your security plans

⇨ Evaluate your environment to understand what infrastructure and landscapes you will be using and what is needed to secure them

⇨ Ensure that your SAP solutions are integrated into your overall security plans and management

SAP workloads are moving to the cloud at an accelerating rate. According to the latest SAPinsider research, at least half the SAP workloads that are still running on local infrastructure are likely to move to the cloud within the next two years. But as workloads move to the cloud, both the workloads and the data running in them need to be secured. And while some cloud solutions are inherently more secure, others may rely largely on the users to secure the data in them. Understanding the fundamentals of cloud security will help ensure that you are taking the right steps for your environment.

To learn more about cloud security and how that applies to SAP systems, I sat down with JP Perez-Etchegoyen, CTO of Onapsis. Perez-Etchegoyen has years of experience with securing SAP systems and the data in them, while Onapsis provides a unified perspective on threat, risk, and compliance management across business-critical applications from both SAP and other vendors through the Onapsis Platform.

Cloud Security Challenges

According to Perez-Etchegoyen, there is still a great deal of confusion about cloud security, much of which stems from the fact that different cloud service models require different security models. For example, the security required for a software-as-a-service (SaaS) solution is very different from running SAP solutions in an infrastructure-as-a-service (IaaS) environment. If you are primarily using SaaS solutions, the vendor is responsible for securing the data as well as the software itself. The user of the solution is primarily focused on the type of security that is more traditional for SAP systems – controlling which users have access to the system, and what data they can access within it. But in an IaaS environment it is incumbent on the user not only to control system access, but also to secure the data and the software.

But more than just the different security requirements for different types of cloud service models, Perez-Etchegoyen says that complexity is also a driver for cloud security challenges. “It’s very rare to go cloud-first, use only cloud services, and do everything SaaS,” says Perez-Etchegoyen. “Usually it’s more of a mix, and complexity is added when you start integrating different technologies and concepts. ERP environments are already complex, and once you add the cloud then there is a layer of risk that needs to be managed. In these complex environments you need architects, and a threat model to understand where the risks are.” This is especially true for organizations running SAP NetWeaver or ERP systems like SAP ECC or SAP S/4HANA that include customizations.

Adding to this complexity is the fact that SAP applications have frequently been siloed from a security perspective. The security of SAP applications is often managed by the SAP team, which makes it a black box for CISOs and security teams. It’s only when IT security starts managing SAP applications as well as everything else in the IT landscape that it’s possible to catch up from a security perspective.

What has also changed over the last year is that threat actors have a lot more skills and knowledge of SAP than in the past. Historically, threat actors might have been exploiting vulnerabilities in the environments in which SAP systems are running, but now they are leveraging very specific targets and attacks that require a knowledge of SAP applications. In addition, Onapsis sees SAP vulnerabilities being published regularly, which allows these threat actors to exploit vulnerabilities once they become known.

Setting Up Fundamentals

The good news is that Perez-Etchegoyen sees that the move to the cloud is causing organizations to have a more significant security conversation. This is important because it means that, as organizations are moving their SAP workloads to the cloud, they are recognizing that it is an appropriate time for them to evaluate their security across the enterprise. But the first thing that organizations need to do is understand their environment so that they can implement the appropriate security.

This starts with your cloud service model. In a SaaS environment, both software and environment are completely managed by the vendor and they can patch vulnerabilities very quickly. That makes for a different set of potential vulnerabilities that can be exploited than in an IaaS environment. SaaS is all about application vulnerabilities, but IaaS is more like an on-premise environment with the addition of a layer of cloud services. Critical vulnerabilities can be created by software misconfigurations, an accidentally open database, or file systems left open to unauthenticated connections. There is much more complexity in the infrastructure layer. Added to that is managing security at the application layer.

Generally speaking, the more that the vendor is responsible for in your landscape, the less you will need to be concerned with from a security standpoint. A platform-as-a-service (PaaS) environment addresses some of the concerns that may exist in an IaaS environment, but there are specifics that you need to be aware of around the boundary between what you control and what the vendor does. This is where having a complete understanding of what you are responsible for from a security perspective and what the vendor is responsible for is a crucial part of having the right security in place.

What Does This Mean for SAPinsiders?

The biggest factor impacting the cybersecurity plans for SAP organizations today remains protecting the sensitive data in those systems. This very much plays into the plans that organizations must make when adopting cloud-based systems and landscapes. And with cyber attacks against organizations increasing both in frequency and in prominence, organizations must be prepared for an eventual attack and that starts with putting the right security in place. But how do you get started when you’re considering moving SAP workloads to the cloud?

  • Use moving workloads to the cloud as an opportunity to re-evaluate your security strategy and plans. As you start planning to move enterprise workloads to the cloud, which could be either SAP solutions or anything that is integrated with them, spend time evaluating your existing security plans and determining how they will integrate with your new environment. Dedicating time early in your cloud project to thoroughly evaluate your security plans will not only help set you up for future success but will also accelerate that move as you will be able to work your security requirements in from the beginning.
  • Evaluate your environment to understand what infrastructure and landscapes you will be using and what is needed to secure them. Whether you have already begun moving workloads to the cloud or are just in the process of starting that move, thoroughly understanding your environment and the security implications that are part of that environment is your most important step for building cloud security. Are you using SaaS applications or installing solutions in an IaaS or PaaS environment? Where are the integration points with your existing applications? Does data need to travel through a firewall? Do you need data encryption? Do you only need to focus on application security? All these are questions you need to answer to properly protect your cloud environment.
  • Ensure that your SAP solutions are integrated into your overall security plans and management. Historically, the security applying to SAP solutions was primarily focused on access and process control. While this is still important, especially for solutions running in SaaS environments, your SAP solutions must be integrated with your broader security plans and security management. Having systems not being managed by your security teams leaves them more open to attack, and more likely to have critical vulnerabilities overlooked. Taking this step should be part of the broader re-evaluation of your overall security strategy.
