KuppingerCole Report
Executive View
By Mike Small

SAP HANA Enterprise Cloud – Security and Compliance

An overview of the SAP HANA Enterprise Cloud together with an assessment of the security and assurance provided in respect of five critical risks faced by a cloud customer.

1 Introduction

The Cloud provides a way of obtaining IT services that offers many benefits including increased flexibility as well as reduced cost. One of the primary benefits of the cloud is that it enables companies of all sizes to focus on the differentiating factors of their business as opposed to managing the IT infrastructure required to run it.

There are several types of cloud service and several ways in which these services are delivered. The service types range from IaaS (Infrastructure as a Service), which provides the basic computing infrastructure, through PaaS (Platform as a Service), which provides the tools upon which to build cloud applications, to SaaS (Software as a Service), which provides an application. The delivery models range from Private cloud, where the infrastructure used to deliver the service is dedicated to one customer, through to Public cloud, where the infrastructure is shared by all the customers. Many Cloud Service Providers (CSPs) now provide services that span the range of service types and delivery models.

When a customer uses a cloud service they give control of the management of that service to the CSP. The customer therefore needs assurance that the service they receive corresponds with that which they agreed to and are paying for. This is especially true for areas like security which are not immediately transparent. There is therefore an element of risk and choosing a cloud service involves assessing and managing this risk. In this report we have considered the five critical risks that a cloud customer faces, which are:

  • Loss of compliance – many organizations depend upon their IT systems being in compliance with laws and regulations. Using a cloud service could put this at risk.
  • Cyber Risks – there are a large variety of ways in which there could be unauthorized access to a customer’s data held in the service.
  • Legal risks – the use of a cloud service may raise legal problems for the customer. One area of particular concern is around compliance with privacy laws; this involves contractual issues as well as an understanding of the legal requirements in different jurisdictions.
  • Availability of service and data – the customer is dependent upon the availability of the cloud service and the data. Loss of access to the service or data can occur for a variety of reasons, some of which are technical and some due to other causes such as takeover or financial failure of the CSP.
  • Lock in – there is a risk of the customer becoming locked into a particular CSP for contractual or technical reasons which make it difficult or expensive to migrate to another provider’s service.

Not all of these risks are under the direct control of the CSP; for example, it is up to the customer to identify the regulatory compliance needs for their data and to assure that these are met.

It is important that customers understand their business needs for a cloud service, the division of responsibility for security between themselves and the service provider and the scope of independent certifications to ensure that these cover their actual needs.

2 Product Description

This section provides an overview of SAP HANA Enterprise Cloud (HEC) together with an assessment of the security and assurance provided in respect of ...


2.1 Overview

SAP is a world leader in enterprise applications and, based on market capitalization, SAP is the world’s third largest independent software manufact ...


2.1.1 Security Architecture

The fundamental security architecture of the HEC infrastructure follows the principle of a private cloud. This means that the customer receives an iso ...

The key features of this architecture are:

  • Each HEC customer receives their own isolated landscape that is fully integrated into the customer’s ...

2.1.2 Division of Responsibilities

The responsibilities for the various aspects of service delivery, management and security are clearly defined by SAP. In outline SAP is responsible f ...


2.2 Critical Risk Security and Assurance

This section describes our assessment of the security and assurance provided by SAP HANA Enterprise Cloud services against the five previously defined ...


2.2.1 Compliance

The strongest assurance that a CSP can provide is independent certification and attestation of the service that they provide.

All SAP HANA Enterpr ...

Note that ISAE3402 attestation report types have the following meaning:

  • Type i: provides a report of procedures / controls an organization has put ...

2.2.2 Cyber Security

The end-to-end security of the HEC is shared between SAP and the customer. SAP is responsible for the security of those components over which it has l ...

  • Cloud Platform Security: The HEC environment is designed, built, and operated to provide high levels of infrastructure security and specifically op ...

2.2.3 Availability and Disaster Recovery

SAP Cloud Solutions and Customer Data are operated in a Tier Level III, III+ or IV classified Data Centre. SAP checks on site the compliance to the SA ...

The definition of the business continuity requirements for data centres is published in the standard ANSI/TIA-942. This specifies 4 tier levels co ...


2.2.4 Legal Service Contract

The service is offered on a subscription that is negotiated with SAP. Most requirements can be met on demand but services that require very large appl ...


2.2.5 Lock-in

HEC is intended for customers running SAP applications. These applications, while widely used, nonetheless include proprietary interfaces and ...


3 Strengths and Challenges

SAP HANA Enterprise Cloud is ideally suited to organizations wishing to migrate their on-premise, business-critical SAP applications to the cloud. It o ...



©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole’s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.