The notion of a cloud-based network actually dates back to the 1960s. But “cloud” wasn't coined until former Google CEO, Eric Schmidt, first used the term "cloud computing” in the modern sense, on August 9, 2006. Now, according to Statista, the cloud market is expected to reach an estimated 482 billion U.S. dollars in 2022.
Moving workloads and applications into the cloud certainly have its advantages, such as getting rid of some of those pesky maintenance contracts from on-premise hardware and software as well as freeing up on-site compute abilities for other applications you want to keep closer to home. However, as critical data leaves the premises and enters the cloud, there is a heightened need for continued monitoring and obtaining in-depth insights on its operations—paramount to this off-site operational insight is security.
Just because an application is now hosted by a cloud provider (no matter how big they are) security is still the responsibility of the application’s owner. Keep this in mind: the cloud host is not fully responsible for informing their clients about internal breaches. Meaning that cloud customers are not off the hook for cybersecurity monitoring. Gartner underscores this notion by stating that “Through 2025, 99% of cloud security failures will be the customer’s fault.” The takeaway here is that all cybersecurity cannot be outsourced and shared cloud resources conflict with ultimate responsibility.
Organizations placing mission-critical applications such as SAP’s software into the cloud should be particularly careful because it also opens up large cybersecurity risks such as:
- Unauthorized Data Access
- Account Hijacking
- Data Loss
In fact, new implementations of SAP systems, SAP upgrades, and conversions to S/4HANA are now more often found in the cloud than on-premises. Although these cloud-based SAP deployments add a new layer of agility and scalability—they also expand the cyberattack surface. The notion of moving SAP to the cloud is not a new invention; in fact, even SAP itself is undergoing a transformation as a company to become a cloud provider. It’s common practice that a lot of their new SAP applications are first released as a cloud service and later on brought as an on-premises solution.
Moving SAP To Any Cloud - Apply Zero Trust
When organizations move their SAP applications to a cloud provider, what they are really doing is placing their mission-critical application into someone else's hands—this exacerbates the need for more cybersecurity monitoring to ensure the provider is handling it with care. Beware, some cloud service providers offer a monitoring service, but the customer also needs to have a process in place to understand what activities are ongoing in the hosted SAP system.
When companies give their SAP applications over to the cloud, they also need to apply a Zero-Trust level to the cloud vendor. Initially developed in 2010, Zero Trust focuses on the IT infrastructure and operates under the assumption that every connection and endpoint is considered a threat. Specifically for SAP application security, Zero-Trust should be adopted by assuming any action could be a part of a threatening act. When adopting this mindset, organizations must constantly monitor for abnormal behavior, keep reviewing all in-app permissions as well as leverage real-time analytics for insights into better user governance.
To implement a zero-trust policy, cloud customers need to connect their new cloud environments to a separate central monitoring or Security Operation Center (SOC). This will ensure SAP application security events are being conducted to monitor device logs and correlate data to identify anomalies that need attention.
Organizations are not off the “cybersecurity hook” if they select to consume specific cloud services entering a hybrid cloud scenario. Selecting the hybrid cloud approach is much like dipping your toe into the cloud because the majority of a company’s core system remains outside the cloud and still under its own control. Organizations taking this approach absolutely need to be concerned with cybersecurity challenges because their data processed by the SAP instance is now in two locations. Linking and constantly communicating with the on-premise and cloud location is a myriad of channels from endpoints and mobile devices. All these communication points need to be secured with encryption, and user integrity constantly needs to be verified.
Conclusion
Moving SAP applications to any Infrastructure as a Service cloud provider ranging from AWS, Google Cloud to Microsoft Azure may open up new attack vectors. No cloud provider, no matter how big they are, is immune to being attacked. You need to look no further than the multiple AWS attacks in 2021, where misconfigured S3 buckets presented serious vulnerabilities without customers knowing.
Organizations moving their applications to the cloud must take responsibility for the SAP security of their data by applying their own monitoring services in order to gain full visibility into all channels. Investing in SAP cloud security—intrusion prevention and detection technologies to run in-house could help you avoid contention between you and your cloud provider over the culpability of an SAP security breach.