Few days go by without a media report of yet another security breach. Remote workers and making internal and external applications available to the organization and partners have led to the disappearance of the network perimeter. Frequent ransomware and data extortion cases suggest our corporate networks aren’t secure. Adding rapid cloud transformation seems to only amplify these security concerns.
But what is often missed in this is the opportunity cloud architecture provides to manage security at scale. The perceived loss of control when using cloud providers may hide the reality that you have already lost control over the on-premise landscape. And notoriously, SAP systems operated by our customers can even be years behind in Security Notes. SAP security partner solutions can help manage this, but it is still yours to manage.
Security is still yours to manage
Cloud-native practices like infrastructure-as-code, policy-as-code, and CI/CD pipelines more reliably produce well-configured landscapes that meet security compliance tests, and they make configuration management a software source control problem that is integrated in the secure Software Development and Operations Lifecycle (SDOL) process. Managing landscapes through cloud APIs allows guardrails that prevent misconfigurations to be implemented, and allows for centralized logging, scanning and containment. As I have discussed elsewhere, if we continue to look at cybersecurity challenges from the perspective of the corporate network and data centers, we fail to take advantage of the capabilities cloud platforms provide to protect infrastructure.
Cloud Providers don’t want to see your data
Cloud providers work hard to provide services that guarantee they cannot access customer data, whether through cloud HSM key management or confidential computing, or services like SAP Data Custodian that protect business application data through customer-managed keys in a way that SAP cannot access. Cloud service providers not only don’t want to look at your data, they want to prove they cannot. It dramatically reduces their own cyber risk.
Customers choose SAP Cloud Services for features and functions, but 50% of their decision is based on security and software quality. We hear from customers that they choose public cloud options specifically to delegate security to the vendor. There is good reason for that, because economies of scale provide cloud service providers like us with unique benefits in terms of people, processes, and tools that would be difficult to replicate by any individual customer.
Cloud security isn’t easy
Cloud security isn’t easy, as we can attest to ourselves. But SAP has around 700 people in SAP Global Security and another 3,000 throughout the company in security, compliance, and governance roles. We have the capacity to build checkpoints in the development cycle, implement guardrails and scan the landscape for infrastructure misconfigurations, vulnerabilities, and other threats, and run a Cyber Fusion Center that collects signals from multiple data sources to monitor the cloud environment and respond to security events and incidents. Internal findings, bug bounties, audits and third-party penetration tests organized by SAP or individual customers all find their way back into the development teams and into the code base for our solutions, which benefits all customers. Our public cloud solutions are always at the latest release, including any security fixes, and therefore by definition are patched before any customer on-premise landscape.
Hand over responsibility to the cloud provider
There are consistent reports that 3-4 million cybersecurity positions are open globally that organizations struggle to fill. Cloud security specialists are even harder to find. Rather than build capabilities in-house, it may be far more efficient and effective to hand over a lot of the responsibility to a provider that can afford to do so, and whose business and growth strategy depend on protecting thousands of customers.
Cloud transformation is hard enough as it is.