Security and compliance continue to be the top concerns for migrating to SAP S/4HANA in the cloud, even above performance, flexibility and cost. That’s because, ultimately, it’s still your responsibility to ensure the security of your data and applications—even if they reside in someone else’s datacenter. Fortunately, a strong cloud provider and the right tools can take security from a project roadblock to an accelerator, while keeping your data and applications protected along the way.
We recently teamed up with Google at the SAPinsider conference to tackle this topic, discussing best practices for SAP S/4HANA transformations and running SAP in the cloud based on our respective experiences with customers working through these projects. Below we’re summarizing some key takeaways to help you address security and compliance for a successful SAP S/4HANA cloud implementation. You can watch the full recording by logging into SAPInsider here (use code ONAPSISGUEST).
Your Concerns Were Heard: Hyperscalers Have Heavily Invested in Security & Compliance Over the Past Few Years
If you look at cloud adoption trends and considerations, security continues to be near the top of the list, but it’s not the blocker it was four to five years ago. That’s in large part because hyperscalers across the board have really invested in this space, focusing on compliance, attestations, certifications, etc.
For example, Google Cloud covers compliance and certifications across the globe, including regional regulations like HIPAA and GDPR and have over two million controls across their infrastructure and operations that are audited annually. These requirements and standards are baked in at every layer of the infrastructure across the stack.
The real takeaway here is that the infrastructure is secure, oftentimes from the ground up as different components are manufactured. Infra is only one part of securely operating in the cloud. What about the applications themselves? We know that threat actors are going after vulnerable SAP applications. How can you successfully address security and compliance here?
You Need to Give InfoSec and Compliance/Audit Teams Direct Visibility at the Application Level
The idea that security and compliance should be addressed from the start of major transformation projects isn’t exactly new, but putting that idea into practice is often a different story. Lack of visibility for InfoSec and compliance/audit teams is one of the most common issues preventing this.
We hear this all the time. Even if these teams are brought into projects early, they often face very real logistical problems with trying to assess system configurations and controls to understand where risk, vulnerabilities and compliance weakness might lie. As you can imagine, moving to the cloud only adds to the problem, often resulting in even less visibility and access to certain security information since the systems aren’t even running in their own data centers.
Providing security and compliance teams with direct access to the right assessment tools that focus on the application layer is essential to solving this problem and is key throughout the migration process:
- Getting applications cloud-ready before you move: find and fix legacy issues earlier in the process before they become too difficult or costly
- Maintaining security and compliance posture once you’re up and running in the cloud: the ability to assess the cloud operating environment enables a trust, but verify approach where you can see for yourself that your hosted systems are being run according to your own security and compliance standards
With the right tools, people and processes, you can bring security front and center at the beginning of migration projects and find those potential issues that otherwise would be identified in production—and avoid all the associated delays and costs involved. By building security in from the start and providing the right people with the right visibility, you not only end up with a much more robust security and compliance posture, but, in many cases, you actually get an accelerated path to the cloud.
More Resources for Successful SAP S/4HANA Migrations
- Google and Onapsis discuss security and compliance for S/4HANA migrations: “Cloudy with a Chance of Security and Compliance” (use code ONAPSISGUEST)
- Step-by-step guide on building security, compliance and quality checks into your SAP application development lifecycle: “DevSecOps for SAP S/4HANA Migrations for Dummies”
- Case study on protecting SAP applications in the cloud: “Levi’s Deputy CISO Discusses “Trust, but Verify” Approach for Digital Transformations”