AI-generated image of a highway with guardrails running through the clouds
Our Most Effective Security Controls
One of the most powerful security controls we have in place at SAP is our cloud guardrails, the preventive controls applied to our public cloud landscape (see this blog, April 2021). These are controls such as AWS's service control policies and their equivalents that apply to all cloud accounts, subscriptions and projects collected in an organization in each public cloud provider. Implementing such guardrails is a powerful approach that makes your cloud accounts more secure-by-default and prevents the common misconfigurations that regularly prove to be the source of security breaches and data leaks. This is especially important because in the cloud, developer teams, the actual users of cloud accounts, have much more autonomy than in more traditional data centers with their variety of gatekeepers such as Change Control Boards or network security teams.
SAP structured its cloud accounts into cloud provider organizations in 2018-2019. That was the precondition for our preventive controls to be feasible and practical. Speaking to peers and customers, we know that for many, such consolidation is not necessarily the case. Cloud guardrails can be implemented across multiple organizations, but the more organizations you have, the harder it becomes to manage these policies consistently across all of them, and the more likely it is that gaps remain.
SAP's first cloud guardrails went into effect in 2020 before most of the current landscape even existed. We have expanded on them ever since while the landscape continued to grow from ~4,000 cloud accounts to over four times that today. These guardrails are baseline security controls that prevent or auto-remediate common security misconfigurations that can occur in our cloud infrastructure. The automatic enforcement of these baseline security controls allows teams in the organization to focus on more complex and ambiguous security challenges higher up the stack, such as VMs, containers, IAM and application logic.
Our guardrails have formed the core of our cloud security compliance success. Moreover, by taking care of "the basics" they have cascading effects elsewhere. When we deployed a Cloud Native Application Protection Platform (CNAPP) in July 2022, we could see the effect on our vulnerability management program as well. 99.6% of our open vulnerabilities were classified as "Informational" (instead of High, Medium or Low), indicating that they didn't pose an immediate risk to be addressed. This percentage lined up directly with the compliance rates of our cloud network security controls enforced by these guardrails, ensuring that these vulnerabilities were not exposed to the internet.
Endless "state of cloud security" reports from any of the vendors in the market say the same thing: that organizations struggle to keep cloud misconfigurations under control. Cloud guardrails such as these are among the most effective measures to improve your cloud security and compliance posture.
Scope of the Cloud Guardrails
The cloud guardrails are part of a larger SAP security policy framework for public cloud. The vast majority of these policies break down into high and medium severity, and we scan for them using a Cloud Security Posture Management (CSPM) solution to verify compliance. A subset of the high severity policies is implemented as organizational service control policies that apply as preventive controls to all cloud accounts in each cloud provider.
To prevent disruption, in some cases controls only apply to new or updated resource configurations, which can leave you with a legacy problem to work through. To reduce the scale of that - to stop the bleeding, if you will - the sooner you can implement such guardrails in your landscape, the better. Other controls, such as enforced logging, are non-disruptive and can be safely rolled out across the whole landscape.
List of Guardrails in Place
Below is the list of cloud guardrails in place in SAP's global landscape (AWS, Azure and GCP). Because the capabilities of the cloud service providers there differ, the situation is more nuanced in China, where only a subset is implemented.
Enforce SAP password policy
Setup SAP AD integration for all accounts
Prevent the use of non-SAP domain users for all IAM admin users
Enforce MFA for all accounts
API logging cannot be deactivated
API logging centrally collected and stored
API logging must be stored for at least 6 months
API logging central storage location must not be publicly accessible
Storage access logging centrally collected and stored
Ensure logging on Kubernetes master node is activated
Ensure container registries are private
Ensure only the latest 3 major Kubernetes versions can be started/deployed
Security groups cannot have blocklisted ports (22, 23, 135, 111, 5500, 5900, 3389, 1433, 1434, 4333, 3306, 1521, 5432, 27017) exposed to the internet (0.0.0.0/0)
Enforce SSL policies of TLS1.2+ for storage
Enforce SSL policies of TLS1.2+ for load balancers
Enforce SSL policies of TLS1.2+ for CDN services
Enforce SSL policies of TLS1.2+ for fully managed database services
Enforce encryption on disk volumes for new volumes and ensure encryption cannot be removed
Enforce disk volumes and snapshots are not publicly accessible for everyone
Enforce encryption on storage buckets
Enforce storage buckets private by default
Enforce secure storage transfer is enabled
Enforce encryption of managed database services snapshots
Ensure secure KMS/Key Vault configuration (key rotation active, access control and key policies, strong keys)
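As an added illustration (example code written for this article, not SAP's own policy or tooling), here is how three of the guardrails above map onto AWS service control policy deny statements, together with a minimal evaluator that shows which API calls the policy would block. The evaluator is deliberately simplified: it handles only the Bool and NumericLessThan operators used here and ignores Resource matching.

```python
# Added example (not SAP's policy): three guardrails from the list expressed as
# AWS SCP deny statements, plus a minimal evaluator for the two operators used.
from fnmatch import fnmatch

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # "API logging cannot be deactivated"
            "Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
        },
        {   # "Enforce encryption on disk volumes for new volumes"
            "Sid": "RequireEncryptedVolumes", "Effect": "Deny", "Resource": "*",
            "Action": ["ec2:CreateVolume", "ec2:RunInstances"],
            "Condition": {"Bool": {"ec2:Encrypted": "false"}},
        },
        {   # "Enforce SSL policies of TLS1.2+ for storage"
            "Sid": "RequireTls12ForS3", "Effect": "Deny", "Resource": "*",
            "Action": "s3:*",
            "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}},
        },
    ],
}

def _condition_matches(condition, context):
    """Bool and NumericLessThan only. As in IAM, a condition whose key is
    absent from the request context evaluates to false."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "Bool" and str(actual).lower() != expected:
                return False
            if operator == "NumericLessThan" and not float(actual) < float(expected):
                return False
    return True

def is_denied(action, context=None, policy=GUARDRAIL_SCP):
    """True if a Deny statement matches the action and its condition holds."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch(action, p) for p in patterns):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

An SCP only restricts: anything the evaluator does not deny is still subject to the account's own IAM policies, which is why the page treats guardrails as a baseline rather than a replacement for account-level IAM.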
We can all agree that these are things you should be doing in cloud landscapes. All of these have associated NIST 800-53 controls or a Cloud Information Security (CIS) benchmark. These are not controversial. Unfortunately, the vendor reports mentioned earlier show that in many cases, cloud users struggle to meet these baseline controls.
By implementing such baseline controls as cloud guardrails, we prevent our teams from getting it wrong. At the same time, the guardrails prevent malicious users from accessing what they shouldn't, or from turning off the logs we rely on to detect them. Ask your cloud service provider how you can deploy such guardrails in your landscape, too, to improve your security and compliance posture.