SAP’s Commitment to Secure & Trustworthy Cloud Services
The SAP Global Security and Cloud Compliance team supports Lines of Business within SAP in helping deliver secure and trustworthy enterprise software services. Within it, my team SAP Product Security enforces controls that assure secure software development and operations. Convinced that strong security configuration is an essential part of protecting customer data, we want to help SAP customers execute their part of the shared responsibility. This blog will guide SAP customers in securely configuring their cloud landscape, and automating configuration compliance reporting using the APIs that SAP has published.
Listening to the Voice of the Customer
Importantly, this blog celebrates the outcome of a remarkable collaboration between SAP and the DSAG (German-speaking SAP User Group) Taskforce for Security & Vulnerability Management. Delivering on the promise made to the DSAG, we executed a project spanning the breadth of the company to deliver an automation-centric approach to security based on security APIs that deliver configuration insight across key cloud services. Visualization can be customized to view risks emerging from insecure configuration across the customer landscape.
Figure 1: Customer Expectations on Security Configuration Reporting
Securely Configuring Your SAP Cloud Services
Here are the few steps that will immediately help you secure your SAP cloud service portfolio:
If you are configuring or administering SAP Cloud Services, visit the guidance here that helps you secure over 10+ popular SAP cloud services (the number is expected to increase).
If you are an SAP partner or developer and intend to automate cloud configuration monitoring, visit this blog that explains how you may consume security APIs that deliver configuration status of subscribed SAP cloud services.
If you are an analytics engineer, use the SAP Analytics Cloud template as a starting point to build a security configuration dashboard as explained here.
(If you are a security enthusiast in addition, continue reading… )
The Importance of Secure Configuration
Secure configuration is essential to ensuring secure and compliant operation and data integrity. System administrators and security experts shall be able to easily verify the configuration of their cloud services and that there are no unknown deviations from the SAP Security Recommendations. Managers and auditors need to know whether the security measures established for their SAP Cloud Solutions are within expectations and accepted risk. As a first step, services and applications must identify the security-relevant settings that are in the customer’s responsibility and provide recommendations with accepted secure values. This information might already have been part of the solution’s security guide. However, we have consolidated essential security recommendations in form of condensed documentation for easy reference. Major SAP cloud products and services that require the customer to manage certain security settings are now delivering the recommended security configurations as a publicly available and freely distributable document published on the SAP Trust Center. Further information can be found in this blog post.
Enabling Security through Partnerships & Automation
SAP is deeply invested in helping our customers secure their enterprise landscape in every way possible. Like every trustworthy cloud services provider, SAP not only provides the tools and capabilities for customers to consume SAP services securely, we also do our best in delivering our security capabilities in ways that established security companies with a foothold among SAP customers may enrich existing risk management products using the information that we share. Therefore, an API has been published by SAP Cloud ALM to enable customers and security partners consume the centrally collected security configuration data from connected services and applications. More details are available in this blog post.
Visualization of Risk posed by Insecure Configuration
Finally, visualization of security non-compliances is essential to delivering the risk posture in an impactful manner. Such data can be visualized using SAP Cloud ALM or optionally through an SAP Analytics Cloud dashboard template (explained in blog post) delivered as community content.
The SAP Analytics Cloud dashboard template when customized can help:
Provide transparency on security-related settings across cloud services.
Identify security misconfigurations.
Understand security best practices.
Drive a risk-based approach to prioritize security investments.