Data is the most precious commodity for companies like yours, and you need to protect it at all costs. Today, it’s becoming an increasing challenge to protect and retain control of your data stored in third-party services as you move from an on-premise world into the cloud and software-as-a-service (SaaS) environments. And as data protection regulations impose heavy penalties on data breaches, a single data breach can be detrimental for your company.
The SAP Data Custodian solution offers data protection features to help you take control of your data in cloud, hybrid, and SaaS environments. This includes data residency control, contextual application access control, cloud provider access control, data classification, and anomaly detection features – to name a few.
Customer-controlled encryption keys have recently emerged as an imperative for you to further strengthen your control over cloud and SaaS data. “My data, my encryption key” is fast becoming an industry standard. This requirement is primarily customer driven for customers who require a higher level of data security. Companies are also driven by their heightened concerns about their data being accessed by states and state actors without their authorization.
SAP Data Custodian key management service for customer-controlled encryption keys
Our latest release of SAP Data Custodian comes with a key management service to provide you with full control of your data encryption keys. SAP Data Custodian key management service is an independent, cloud-agnostic encryption service built on Intel SGX technology with an FIPs 140-2 Level 3-compliant (hardware security module) key vault to secure customer-controlled keys. All key lifecycle management processes (key generation, import, wrapping, rotation, and deletion) and crypto operations (encrypt, decrypt, sign, verify, and so on) are supported.
SAP Data Custodian key management service supports different key types including Rivest-Shamir-Adleman (RSA), Advanced-Encryption-Standard (AES), elliptic-curve cryptography, and more. Additionally, the service defines different user roles, including service admin, key admin, key user, and key auditor - to ensure the segregation of duties principle.
SAP Data Custodian key management service is available globally and you can geofence your keys in terms of storage and access based on your requirements. The key lifecycle operations are supported through the service’s portal, as well as through REST APIs. You can create keys in the service and use these keys to encrypt your data in your public, cloud or multi-cloud, and on-premise environments. You can also bring your own keys from your on-premise hardware security models using the service’s secure import functionality. What's more, you can use the service's secure key export feature to encrypt your cloud infrastructure resources with keys generated by SAP Data Custodian.
Customer-controlled encryption keys for SAP HANA and SAP applications
SAP Data Custodian key management service has native integration with the SAP HANA database , starting with HANA 2.0 SP05 (both Infrastructure as a service and on premise), so you can take advantage of much needed customer-controlled encryption key functionality for the database. You can create keys in SAP Data Custodian key management service and use these keys to encrypt SAP HANA. You can also manage their complete key lifecycle and delete your keys at any time to lock your database for any unauthorized access.
Our upcoming releases of SAP Data Custodian will gradually offer customer-controlled encryption key functionality for additional SAP applications including cloud solutions from SAP and SaaS offerings. With SAP Data Custodian key management service, we hope to provide you with one solution to manage all your encryption keys for your SAP applications.
How do I learn more?
For further details, please visit our webpage at:
https://www.sap.com/products/data-custodian.html. If you would like to learn more, please contact us at
SAP_DataCustodian@sap.com.