Ready for SAP in the Cloud? Find Out [Checklist]
Apr 22, '20 by Joerg Schneider-Simon
Migrating your SAP systems to the cloud offers many operational and financial benefits. SAP migration to the cloud reduces your hardware costs, makes backup and disaster recovery more robust, and improves availability, reliability and scalability.
A successful SAP migration requires strategic planning, implementation and testing, so you should only make the move if you’re ready.
But how will you know if your SAP cybersecurity is ready for the move to the cloud as well? Review our checklist to see what you need to think about before moving to the cloud.
What resources and systems are you moving?
Few organizations will flip the switch all at once, transferring all their SAP systems to the cloud in one fell swoop. Instead, most companies will move (or have moved) some resources to the cloud while keeping the rest local. It’s a sensible approach, but it does raise some cybersecurity-related questions.
SAP systems function by being highly interconnected, which is one of their strengths. However, if some systems are local and others are cloud-based, you need to ensure that those respective systems can talk to each other. The problem, however, comes during that conversation – how will the data in motion be encrypted? Take the time to be certain that access control is in place to ensure that only legitimate SAP systems in the cloud can reach through to the corporate networks. There is a helpful component from SAP called the SAP Cloud Connector, which links SAP cloud applications with on-premises systems. However, in January of 2019, SAP published HotNews note #2696233, addressing two vulnerabilities (a missing authentication and a code injection). And of course, if SAP Cloud Connector is in place, you must apply a normal security review and patch processes to that additional component also.
What security tools is your cloud provider using?
When you have your SAP systems on-premises, you own the entire stack, all the way from the hardware to the operating systems, the middleware, the applications, and the database. When you move to the cloud environment, there comes a double-edged sword: You’re no longer 100% responsible for the management of those systems … but ceding that responsibility also comes with ceding a considerable amount of control.
Think, for example, of your typical software as a service. When you subscribe to Microsoft 365 for example, you have no visibility at all into the underlying operating system or security measures that are implemented underneath the tools you are using. You trust that they’re taking security seriously, but you cannot control nor enforce it.
When moving your SAP systems to the cloud, you are essentially giving up that same level of control. So, make sure to dig deep into your potential cloud provider’s security practices to ensure they’re at least as (and preferably even more) stringent than your own. For example, if you’ve been using Anti-Virus for SAP Solutions for your on-premises SAP systems, make sure your cloud provider also offers it.
Is the cloud provider preventing internal threats?
A 2019 survey conducted by IDC for Onapsis revealed that sometimes, the call is coming from inside the house: Larry Harrington, former Chairman of the Global Board of the Institute of Internal Auditors, stated “Most concerning is the popularity of sales, financial data and personally identifiable information, all of which should raise flags about the possibility of insider trading, collusion and fraud.”
Keeping your own security controls in place to prevent internal threats is wise – but is your cloud provider equally stringent about access? By moving your system to the cloud, those company admins will have full access to your system. Theoretically, they could go all the way down into the operating system, look into the database, and extract information from it. Once your data is in the cloud, you no longer have the certainty that anything you delete will actually be deleted. Your complete physical control over your data is gone – permanently.
Is your data protected and accessible?
Fortunately, making sure any cloud-stored data is encrypted can help prevent this from happening. But that comes with another thing to think about: how you’re going to access the data.
When you wish to work with that data, it must be decrypted, and then re-encrypted when you’re finished working with it. All of this encrypting, decrypting, and re-encrypting is a burden on overall SAP performance and is also a fairly complex IT management task.
Fortunately, there are solutions that can take care of this in an automated way. Cloud Access Security Broker (CASB) software helps IT departments gain visibility and control around cloud usage and access, with a few vendors even specializing in SAP cloud security.
Security vs. Convenience
Migrating SAP systems to the cloud—changing the physical location of your SAP environment—carries the promise of tremendous rewards—and risks. As the saying goes, "There's no such thing as the cloud. It's really just someone else's computer."
This is the mindset to be in when moving business critical applications to the cloud: You’re trusting other people to take care of your data and systems. And if the service provider you choose fails that trust, the consequences could be devastating. But, by carefully screening and monitoring your cloud service, and by putting stringent safeguards in place, it is possible to have the best of both worlds: convenience AND security.