VaradIntroduction
SAP Security Best Practices in the Cloud: Communication users should not be reused for multiple connections (communication arrangements). Communication must be set up by the customer. No communication users are configured by default. Authentication should always employ the strongest authentication method supported by the communicating systems.
Why Is Cloud Security Important ?
Organizations are adopting cloud platforms for their mission-critical workloads more than ever, thanks to the flexibility and efficiency provided by the cloud in comparison to traditional data centers. SAP Security Best Practices in the Cloud
One of an organization’s key concerns while embarking on a digital-transformation journey in the cloud is security, because cloud security entails a paradigm shift from traditional security solutions and approaches. In addition, security breaches and malware attacks are becoming commonplace in the cloud, as the threat vectors keep evolving every day. It’s therefore important to understand the constructs of security in the cloud, to implement the right tools and best practices to protect your cloud-hosted workloads, and to evolve the maturity of your security practices as your organization progresses along its cloud-adoption journey.
Cloud Security Best Practices
What are the best practices for cloud security?
- Understand the Shared Responsibility Model
- Secure the Perimeter
- Monitor for Misconfigurations
- Use Identity & Access Management
- Enable Security Posture Visibility
- Implement Cloud Security Policies
- Secure Your Containers
- Perform Vulnerability Assessment and Remediation
- Implement Zero Trust
- Train Your Employees
- Use Log Management & Monitoring
- Conduct Penetration Testing
- Encrypt Your Data
- Meet Compliance Requirements
- Execute Your Incident Response Plan
- Leverage a Comprehensive Cloud Security Tool
1. Understand Shared Responsibility
All leading cloud service providers — AWS, Azure and GCP — follow a shared responsibility model when it comes to cloud security. While some of the aspects such as underlying hardware security are managed by the service provider, customers are expected to enable security at the infrastructure and application layer.
For infrastructure-as-a-service (IaaS) deployments, this includes securing the OS of any virtual machines by regularly applying patches, configuring its firewall, and enabling virus and malware protection, among other measures. In platform-as-a-service (PaaS) deployments, VM-level protection is the prerogative of the cloud provider. However, the customer must still manage application and data protection. With software-as-a-service (SaaS) deployments, the majority of security controls up until the application are managed by the cloud provider, while the customer handles usage and access policies.
It is crucial for your cloud service provider to review the shared responsibility matrix, presented below, and enable the relevant controls for your app using native or third-party security tools and services
| Element | SaaS | PaaS | IaaS |
|---|---|---|---|
| Application Security | CSP | User | User |
| Platform Security | CSP | CSP | User |
| Infrastructure | CSP | User | CSP |
| Endpoint Security | User | User | User |
| Data Security / Data Protection | User | User | User |
| Network Security | CSP | CSP | User |
| User Security | User | User | User |
| Containers and Cloud Workloads | User | User | User |
| APIs and Middleware | CSP | User | User |
| Code | User | User | User |
2. Secure the Perimeter
As cloud networks are based on software defined networking (SDN), there is greater flexibility to implement multilayer security guard rails. You should start with a basic segmentation of workloads between different virtual networks and allow for only required communication between them. Additionally, restrict incoming traffic to your applications using network or application layer firewalls.
Attacks such as SQL injection, data exposure and cross-site scripting are some of the major application security concerns that a web application firewall (WAF) based on OWASP threat detection rules can help detect and protect against. A multilayer DDoS defense strategy is unavoidable to protect workloads from organized DDoS attacks in the cloud. All cloud service providers offer DDoS protection tools that can be integrated with your application frontend to detect and protect against such attacks.
An efficient firewall that can act as a gatekeeper against incoming threats and malicious attacks should be deployed at your network perimeter. These can be cloud-native firewall services or more advanced third-party tools that perform intrusion detection, packet inspection, traffic analysis and threat detection. You can also opt for a separate intrusion detection system (IDS) or intrusion prevention system (IPS) in the architecture to fortify the perimeter security of your cloud deployments.
3. Monitor for Misconfigurations
Successful infiltrations of cloud workloads are most often the result of service misconfigurations or manual configuration errors. Cloud security posture management (CSPM) solutions should be incorporated into your architecture to monitor for misconfigurations that could creep into your cloud deployment.
CSPM solutions add value by evaluating your deployments against a set of best practice guidelines. These could be organization-specific standards or aligned to leading security and compliance benchmarks. A secure score is provided that quantifies the current state of security of all your workloads in the cloud, with a healthy security score indicating a secure cloud deployment. These tools will also flag any deviations from standard practices so that customers can take the necessary corrective action.
4. Use Identity & Access Management
When it comes to your cloud workloads, control plane security is critical since it holds the keys to the kingdom. You will need to use identity and access management services native to your cloud platform to implement role-based, fine-grained access control to cloud resources.
Cloud platforms also provide tools for hassle-free integration of on-premises solutions like Active Directory with cloud-native identity and access management (IAM) services; this can provide users with a seamless single sign-on (SSO) experience for cloud-hosted workloads. When it comes to IAM controls, the rule of thumb is to follow the principle of least privilege, which means allowing required users to access only the data and cloud resources they need to perform their work
5. Enable Security Posture Visibility
As the cloud landscape expands, the likelihood of breaches remaining unreported increases. Having the right tools in place will help achieve much-needed visibility into your security posture and enable proactive security management.
All leading cloud platforms have an advanced/premium tier of a native CSPM solution that can provide capabilities like detection of data exfiltration, event threat detection, IAM account hijacks and cryptomining, to name a few. However, note that these features are often limited to their respective cloud platforms. For hybrid or multi-cloud deployments, it is recommended to incorporate a specialized tool for enabling security posture visibility.
6. Implement Cloud Security Policies
Cloud security policies are defined to implement organization-wide restrictions to ensure security. For example, restrict workload deployment using public IPs, contain east-west traffic flow, or implement monitoring of container workload traffic patterns.
The implementation approach differs among service providers. In Azure, customers could use Azure policies, while in GCP, this can be done using organizational policies. The advantage of security policies is that they will auto-enforce the compliance standard across the board in cloud deployments.
7. Secure Your Containers
Container security involves both container and orchestration platform protection, with Kubernetes being the solution most often used in the cloud. You will need to create industry-standard security baselines for containerized workloads, with continuous monitoring and reporting of any deviations.
Organizations require tools that can detect malicious activities in containers, even those that happen during run time. The necessity of security technologies that enable visibility into container-related activities, as well as the detection and decommissioning of rogue containers, cannot be overstated. With the threat landscape always changing, it’s best to employ technologies that leverage advanced artificial intelligence (AI) and machine learning (ML) to detect malware without relying on signatures.
8. Perform Vulnerability Assessment & Remediation
You should have a real-time vulnerability scanning and remediation service to protect your workloads against virus and malware attacks. The service should be able to support workloads deployed in VMs as well as in containers.
Consider a vulnerability management solution that can continuously scan workloads for vulnerabilities, compile reports and present the results in dashboards, and auto-remediate problems where possible
9. Implement a Zero Trust Approach
The Zero Trust (aka assume breach) approach is the gold standard for enabling cloud security. It entails not assuming any trust between services, even if they are within the organization’s security perimeter.
The main principles of a Zero Trust approach involve segmentation and allowing for only minimal communication between different services in an application. Only authorized identities should be used for this communication aligned with the principle of least privilege. Any communication that happens within or with outside resources should be monitored, logged and analyzed for anomalies. This applies to admin activities as well. Here, you can adopt either native or third-party monitoring and logging tools.
10. Implement a Cybersecurity Training Program
There are great tools available to protect the cloud from different kinds of adversaries, but something many security leaders realized is that it is better to be proactive about cybersecurity.
A great starting point to incorporating cybersecurity into the organization’s culture and have it be a priority for employees and other stakeholders is to implement a comprehensive security training program for employees. Make sure the program includes the most common adversaries in your industry and how they perform their attacks.
Additionally, incorporate specific training designed to identify phishing attempts, since phishing is one of the most common ways hackers gain unauthorized access to a company’s network and potentially sensitive information.
11. Use Log Management and Continuous Monitoring
It is essential for companies to enable logging capabilities within their cloud infrastructure to ensure full visibility into the network and quickly identify unusual activity to remediate if necessary. Within your log management platform, ensure you turn on notifications so that you find out in real time about any unusual activity.
12. Conduct Penetration Testing
In addition to performing vulnerability assessments like described above, it is recommended organizations conduct penetration testing, also known as pentesting. An advantage of conducting pentests is to determine whether security measures currently in place are enough to protect your applications and environment. It is also known as “ethical hacking” because these white hat hackers act as adversaries to simulate a real-world attack.
13. Encrypt Your Data
Cloud data encryption is key to a robust cloud security strategy. It allows for a seamless and secure flow of data among cloud-based applications by concealing it to unauthorized users. Data should be encrypted in the cloud itself as well as when it is in transit to ensure optimal protection.
There are cloud providers that offer data encryption services. Some of them are free, others come at a cost, but whichever solution you decide to pursue, make sure it can be incorporated into your current organization processes to avoid bottlenecks and other inefficiencies.
14. Meet Compliance Requirements
As with any product, service, or process, cloud security solutions and strategies should have cloud and data compliance requirements top of mind. Staying compliant means you are meeting standards set by laws and regulations to ensure customer protection.
Depending on the industry, companies hold a whole lot of sensitive customer information such as card numbers, social security numbers, addresses, and health information. A strong cloud security solution or strategy is one that has compliance in mind through every step of the process.
15. Execute Your Incident Response Plan
When it comes to cybersecurity, organizations that have an incident response plan in the event of a breach are better equipped to remediate the situation, avoid operational disruptions, and recover any lost data.
Incident response plans are designed to ensure your security teams act in the most efficient manner in the event of an attack. Think of the plan as a remediation framework that should include strict roles and responsibilities so that each team member knows what they have to do in each scenario. Enable notifications so that your team is notified as fast as possible of the breach.
16. Stay Protected With CrowdStrike Falcon Cloud Security
Leading cloud platforms provide native tools that can implement some of the above security controls. However, it is always recommended to complement native cloud security with advanced tools like those offered by CrowdStrike.
CrowdStrike offers unified cloud security posture management and breach prevention for workloads deployed across hybrid and multi-cloud environments. The Falcon Cloud Security solution provides much-needed visibility across multi-cloud deployments, monitors for misconfigurations, eliminates compliance violations and enables continuous protection from identity-based threats. It also provides comprehensive container security by identifying and remediating even the most discrete threats.
Your organization can also leverage the Falcon Cloud Security solution’s CWP capabilities to provide full breach protection for workloads, containers and Kubernetes, allowing you to quickly design, manage and secure cloud-native applications.
Key Sections – SAP Security Best Practices in the Cloud
- Overview – SAP BTP Cockpit – Cloud Foundry
- Security Strategy & key integration requirements
- SAP Cloud Environment Model
- 3rd Party Cloud application (to be integrated)
- Governance & Compliance Model
- Security & Controls Model – Best Practices
- Cloud BTP Cockpit & Identity Authentication Services (IAS) – Controls Framework
- End To End Integration process Flow
- Conclusion
Overview – SAP BTP Cockpit
Commonly known as SAP Business Technology Platform – BTP. (Source – BTP – SAP Help) and provides hosting capabilities for web-based user interface to manage the various cloud applications. It is also said as “central point” of entry to the cloud platform, where one can create and access your accounts, sub-accounts, applications and manage all activities associated with them.
Image 1 – Architecture and Users overview – SAP BTP Cockpit
Strategy & Key Integration Requirements
In similarity with any particular ERP solution, for SAP Cloud Foundry (aka BTP Cockpit) below listed are some of the key things to be considered –
To assess and baseline an optimal strategy for developing these integrations, one should leverage the security design keeping the below 3 categorizations
- Governance Model
- Cloud Connector Model
- Security & Authorization Model
Image 2 – Approach & Integration Model Diagram
SAP Cloud Environment Model
Few key pointers – will help understand the difference between SAP Cloud Foundry (versus) Neo
Recommended based on the use case data and my implementation experience, will be – SAP Cloud Foundry. Key elements are –
- Cloud Connector – Identity Authentication Services (IAS)
- BTP Cockpit Connector
Image 3 – Difference between SAP – Cloud Foundry and Neo
SAP Security Best Practices in the Cloud
