Tips for CISO Officers: Enhancing SAP Security in Amazon Web Services (AWS) and Microsoft Azure
In the digital age, businesses are increasingly moving their mission-critical SAP workloads to public clouds like Amazon Web Services (AWS) and Microsoft Azure. While these platforms promise agility, scalability, and room for innovation, a common misconception persists: that the cloud provider will secure the SAP applications on the company's behalf.
This assumption can lead to a false sense of security, leaving SAP applications exposed to significant risks. To address this, solutions like the Onapsis Platform and the Microsoft Sentinel solution for SAP applications provide a consistent security layer that works inside the SAP application, independently of the cloud provider. These solutions offer comprehensive transparency of the application, ensuring a unified security posture, and integrate with cloud-native tools like Microsoft Sentinel (formerly Azure Sentinel) and AWS CloudTrail.
Onapsis identifies and addresses risks within the SAP application itself, including vulnerabilities in custom code, misconfigurations, and unauthorized access - risks that are invisible to infrastructure-level tools. It feeds critical, context-rich SAP security alerts into cloud Security Information and Event Management (SIEM) systems like Azure Sentinel, giving security teams a truly unified view of threats ranging from infrastructure to the application core.
Securing the network perimeter for SAP systems in Azure is fundamental. Methods such as using Azure Virtual Networks (VNets) and Network Security Groups (NSGs) for strict traffic control are essential. For companies running SAP workloads on AWS, a similar multi-layered security approach is crucial, with the networking foundation being the Virtual Private Cloud (VPC).
However, cloud security requires a deep understanding of the shared responsibility model and continuous collaboration between SAP, security, and cloud teams to protect business-critical assets during and after the move to the cloud. Under this model, AWS and Azure are responsible for the security of the underlying cloud infrastructure, but customers are always responsible for the security of all data they put into the cloud, including the security of the SAP application itself, user access, and configurations.
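Perimeter rules such as the NSGs mentioned above fall on the customer's side of the shared responsibility model, so they need to be checked, not assumed. The following added example (not code from Onapsis, Microsoft or the original article) audits a constructed set of Azure NSG inbound rules against the well-known SAP NetWeaver listener ports and reports which ports an internet source can reach; the rule shape is an abbreviated version of the ARM representation, and the sample rules, names and address ranges are assumptions made up for the demonstration.

```python
"""Flag Azure NSG rules that expose SAP NetWeaver listener ports to the internet."""
from typing import Dict, List

BROAD_SOURCES = {"*", "0.0.0.0/0", "Internet"}  # NSG sources matching traffic from anywhere


def sap_ports(instance: int) -> Dict[int, str]:
    """Well-known NetWeaver listener ports for instance number NN (00-98)."""
    return {3200 + instance: "dispatcher (SAP GUI)", 3300 + instance: "gateway (RFC)",
            3600 + instance: "message server", 8000 + instance: "ICM HTTP", 44300 + instance: "ICM HTTPS"}


def _covers(props: dict, port: int) -> bool:
    """True if a rule's destinationPortRange(s) include `port` ('*', '8000' or '3200-3299')."""
    specs = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    for spec in specs:
        lo, _, hi = spec.partition("-")
        if spec == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False


def internet_exposure(rules: List[dict], instance: int = 0) -> Dict[int, str]:
    """Simulate an inbound packet from the internet to each SAP port of the instance.
    NSGs evaluate rules by ascending priority and the first match wins, so an earlier Deny
    shadows a later Allow; with no match Azure's default DenyAllInBound applies.
    Returns {port: name of the Allow rule that exposes it}."""
    ordered = sorted(rules, key=lambda r: r["properties"]["priority"])
    exposed: Dict[int, str] = {}
    for port in sap_ports(instance):
        for rule in ordered:
            p = rule["properties"]
            if p["direction"] != "Inbound" or p.get("sourceAddressPrefix") not in BROAD_SOURCES:
                continue  # narrow-source rules never match internet traffic
            if _covers(p, port):
                if p["access"] == "Allow":
                    exposed[port] = rule["name"]
                break  # first match decides, whether Allow or Deny
    return exposed


def make_rule(name: str, priority: int, access: str, source: str, **ports) -> dict:
    return {"name": name, "properties": {"priority": priority, "direction": "Inbound",
                                         "access": access, "sourceAddressPrefix": source, **ports}}


# Constructed sample NSG (hypothetical, not from any real tenant): corporate-only SAP GUI access,
# a Deny that shadows the catch-all for the gateway, an internet-facing ICM rule, a leftover allow-all.
SAMPLE_RULES = [
    make_rule("allow-sapgui-corp", 100, "Allow", "10.20.0.0/16", destinationPortRange="3200-3299"),
    make_rule("deny-gateway-any", 110, "Deny", "*", destinationPortRange="3300"),
    make_rule("allow-icm-internet", 120, "Allow", "Internet", destinationPortRanges=["8000", "44300"]),
    make_rule("allow-all-tmp", 130, "Allow", "*", destinationPortRange="*"),
]
if __name__ == "__main__":
    for port, name in sorted(internet_exposure(SAMPLE_RULES).items()):
        print(f"port {port} ({sap_ports(0)[port]}) is reachable from the internet via '{name}'")
```

Running it against the sample shows the gateway port protected only by the explicit Deny, while the dispatcher and message server ports leak through the catch-all rule that a narrower Allow did not prevent.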
Threat detection with Microsoft Sentinel is essential for unified threat monitoring, enabling correlation of SAP security events with data from the underlying Azure infrastructure. Amazon CloudWatch monitors AWS resources and applications in real time, allowing the collection of logs, tracking of metrics, and setting of alarms for suspicious or anomalous infrastructure-level activity.
A truly resilient cloud strategy integrates the strengths of the cloud provider's infrastructure security with specialized solutions that provide comprehensive transparency and control over the SAP application itself. Proactive SAP cloud security is crucial to secure the digital transformation, as merely relocating SAP systems via "lift and shift" without adjusting the security strategy exposes valuable corporate resources to significant risks.
The biggest mistake is ignoring or misunderstanding the shared responsibility model, which can result in a secure infrastructure running a highly vulnerable and exposed SAP system. Companies must be vigilant and proactive in their approach to SAP cloud security to ensure a successful and secure digital transformation.