Introduction and need for Customer-Controlled Encryption Key (CCEK):
Organizations are increasingly focused today on the safety of the company and personnel data. This focus has resulted in Data privacy and protection becoming one of the most important topics. For SAP, the security of the Customer’s data is important.
SAP’s Asset Performance Management (APM) uses various methods to protect the Customer’s data in the Cloud.
The default approach used is the standard encryption supported by HANA (SAP HANA is a modern in-memory database platform that is deployable as an on-premise appliance or in the cloud).
For Customers with a higher security requirement, we're introducing an extra security feature in the application: Customer-Controlled Encryption Keys (CCEK), also referred as Customer-Managed Keys (CMK).
With CCEK, the Customer is in full control of the data. As the name suggests,Customer manages the encryption key and shares with SAP for encryption during the subscription process. SAP won't have access to the Customer data in this approach.
Refer to the following video for a sample scenario and how Customers can enable CCEK for APM (Click on the image below):
Benefits of CCEK:
Customer has full control over data access. Even SAP won't have any control over the data and so any requests to access the Customer’s data from SAP can't be complied with.
If data is encrypted using Customer-Managed Keys and the Customer disables access to the encryption key, it's technically impossible for SAP to decrypt the data. Only the Customer can respond to the access requests.
Customer can also eliminate data breach scenarios by revoking access to the keys from SAP (any other) as needed.
Refer the following SAP help document for further information on CCEK implementation in APM: