SAP Cloud Security: How secure is the SAP Cloud?

For many a company, it is a big step that they are hesitant to take - the move to the cloud. After such a switch, the company's own data and ERP software are no longer located exclusively on servers in the company's own on-site data centre, either in whole or in part - as was the case for a long time.

Instead, the often sensitive data is now located somewhere in SAP's cloud.

• But where exactly is this "somewhere"?
• Who has access to the data and applications?
• And how secure are SAP's data centres, the cloud network structure and solutions such as the SAP Business Technology Platform?

The topic of SAP Cloud Security thus involves several dimensions: the location of SAP's data centres and the physical security of the data and applications in the data centres, the protection of networks and systems, compliance and data protection, recovery and backup processes or even the secure transfer of data.

In addition to the security solutions for SAP S/4HANA Cloud, SAP also summarises all measures relating to security for the SAP Business Technology Platform (SAP BTP) area under the keyword SAP Business Technology Platform Security. This concerns the security of data centres, but also data protection or the question of user authentication.

Your own IT: vulnerable to unauthorised access

An on-premise solution still seems safer to many companies than a cloud solution - after all, the data remains in-house. However, in-house is at least as vulnerable to data loss and data espionage, cybercrime or technical network problems.

Hardly any company today can secure its own infrastructure - and thus its own data - in a similar way or operate the security infrastructure so cost-effectively that the on-premise solution would still be cheaper than SAP's cloud.

After all, when it comes to security, building and setting up the infrastructure alone is not enough. Companies also have to factor in the costs of maintenance, security measures and the ongoing modernisation of systems. In view of growing threats, the expense is immense.

This is where the cloud scores: SAP's cloud solutions meet the most stringent industry standards for security today, according to SAP. In many cases, the level is likely to be significantly higher than that of a company's own data centres.

In addition, many SAP solutions - for example in the area of analytics, integration or with regard to new technologies such as AI or process automation - are available via the SAP Business Technology Platform and thus as cloud-based solutions.

Every company that expands the on-premise solution operated in its own data centre with the help of the SAP Business Technology Platform must therefore also deal with cloud security and SAP Business Technology Platform security at this point at the latest.

SAP systems are strictly secured and shielded

SAP currently has 88 data centres worldwide where cloud services are operated - five of them in Germany. These are the places where data is stored by companies. This makes the cloud basically a very earthly undertaking: a series of servers in a data centre.

Protecting data from data theft or other attacks by hackers thus begins with physical measures.

SAP's standard security measures include high-security fences, video and sensor surveillance, trained security personnel and strict access restrictions, usually even biometric access controls. As a rule, anyone who wants to enter an SAP data centre of this kind has to prove their identity several times.

Double data storage

The data centres are not only protected against unauthorised access, but also against fire, power failure or hardware defects. To ensure stable operation of the IT and applications, they have their own uninterruptible power supply, among other things.

In addition, data backups are carried out regularly and automatically in the data centres - as part of backup and recovery processes. A special storage system always backs up the data and log files redundantly. In addition, the data of each customer in the data centres is generally isolated from the data of other customers, i.e. stored separately from each other.

In addition, the flow of customer data is controlled and data is stored regionally, for example in the EU or the USA. Strict European data protection and privacy laws and regulations are strictly adhered to.

A company's data should only be stored in a cloud in Germany? Companies can choose and contractually specify in which SAP data centre their data should be processed and secured.

Independent audit of SAP Cloud Security

In the area of external auditing and certification, SAP now meets a wide range of industry standards and compliance requirements.

For example, SAP regularly has all guidelines and measures in the area of security and data protection independently audited. The security measures are then certified and confirmed accordingly, for example through ISO certifications or evidence according to SOC1 Type II and SOC2 Type II.

In addition, the British Standards Institution (BSI) has certified SAP's processes with regard to data protection and privacy. The certification proves that SAP complies with the applicable and strict requirements of the General Data Protection Regulation (GDPR) in the EU.

Secured multiple times - the SAP networks

Network security also plays a significant role when it comes to SAP Cloud Security, SAP Business Technology Platform Security and data protection. SAP's networks are so elaborately protected that intruders cannot gain unauthorised access.

The data and software in the cloud are surrounded by several "layers" of access controls, monitoring functions and firewalls that are constantly active. The highest possible level of protection - for example against illegal access - is provided here at SAP by, among other things:

• a web dispatcher farm (which hides the network from the outside world),
• multi-factor authentications (multi-level procedures for identifying users),
• an intrusion detection system (which continuously scans the network for attacks and unlawful access),
• multiple internet connections (which minimise the impact of distributed network attacks) and
• Proxy servers with content filtering (intermediate computers used as communication interfaces).

For the data traffic itself, SAP relies on HTTPS encryption technology. This standard component of current web browsers and clients prevents unauthorised persons from intercepting network traffic.

The ongoing operation of the SAP S/4HANA Cloud is also permanently secured and monitored, for example through appropriate virus protection and malware management.

SAP's security measures also include comprehensive threat and vulnerability management. This includes, for example, security patch management or the automatic scanning of systems for vulnerabilities.

Suspicious behaviour in view of the Security Monitoring Center

In addition, there are regular penetration tests (security tests that are based on the tools and methods of attackers and thus help prevent unauthorised access) and a Security Monitoring Centre that is staffed around the clock.

The Security Monitoring Centre - a team of SAP security experts - continuously assesses and analyses all activities in the central log system. If the experts observe suspicious behaviour, they immediately alert a special task force, which initiates appropriate defensive measures, such as blocking access by attacking users.

Further information in the SAP Trust Center

In the SAP Trust Center, SAP has compiled all information on SAP Cloud Security: from the various measures for data protection and data security to compliance, audits and controls as well as the availability of the global cloud services (and possible outages).