Will Your Move To The Cloud Open Up Your Company To Security Threats?

This document discusses security strategies for companies moving to cloud computing. It begins by outlining the benefits of cloud computing but notes the potential security risks of moving data outside a company's secure network. The document then provides 3 key questions companies should ask themselves about security when exploring cloud options: 1) What type of cloud is appropriate based on data sensitivity, 2) How will privacy be ensured, and 3) What security tools will be used to monitor and protect cloud resources and data. It concludes by discussing multi-tenant architecture and the need for privacy controls like data encryption.

Uploaded by Sagar Mopagar
Copyright: © Attribution Non-Commercial (BY-NC)

Security Strategies Column

This article appeared in the Oct/Nov/Dec 2010 issue of SAPinsider (http://sapinsider.wispubs.com) and appears here with permission from the publisher, WIS Publishing.

Will Your Move to the Cloud Open Up Your Company to Security Threats?
Tips and Tools to Secure Your Cloud Solutions

by Gerlinde Zibulski and Regine Schimmer, SAP

Gerlinde Zibulski (gerlinde.[email protected]) has been with SAP for over 11 years. Gerlinde is the Head of the Product Management Team for Security and Identity Management. Gerlinde holds a master’s degree in economics from the Private University Witten/Herdecke.

Regine Schimmer (regine.[email protected]) is a Solution Manager for SAP NetWeaver Identity Management. She has several years of experience with SAP security solutions and has worked on SAP Security Product Management teams at SAP AG and SAP Labs.

When companies consider cloud computing, they often think of its numerous benefits: no more costly infrastructures and administration tasks, and instant gratification in terms of availability. Small and midsize businesses in particular can benefit from this easy-to-use software that comes without the burden of ongoing administration and system maintenance (see the sidebar “What Is Cloud Computing, Really?” for a cloud computing refresher).

But what about the potential risks? Unfortunately, too few companies make security a priority when it comes to their cloud explorations. While solutions outsourced to the cloud are convenient (because your staff will not have to deal with the applications and the data that passes through them), it’s important to remember that someone else will. Cloud computing means letting external administrators access, manage, and, to a certain extent, control your business data. It also means moving your information out of the relatively secure perimeter of your own company, into the cloudy environs of the Internet. It’s a jungle out there, and you need to ensure that appropriate security measures are in place to protect your vital assets and interests — from both a business perspective and a legal one.

But note: Securing the cloud isn’t rocket science. With proper planning and the right tools, companies can take advantage of the benefits of a cloud environment and mitigate potential risks.

Exploring the Cloud? 3 Key Questions You Should Get Answered First

There are many considerations for companies looking into cloud computing. Here are three questions your company should ask itself at the outset of any cloud project.

1. What Kind of Cloud Offering Should We Use?

Depending on the degree of privacy they offer, clouds can be categorized into four subtypes, each of which offers a different level of security:

- A private cloud offering is a hosted offering for just one business and a selection of its suppliers — here, a company can “privately” access its applications and data. You would choose a private cloud for data that you consider highly security-critical, such as business or financial data that would give someone insider knowledge.
- A public cloud offering is a hosted solution available for multiple tenants and open to anyone who would like to participate in the offering. This is a cloud you would choose for sharing open information geared toward your own customers, such as help portals and product descriptions.
- A hybrid cloud offering consists of multiple internal and external providers and is geared toward specific business-to-business applications with a focus on commercial usage. Less critical applications can be run in a public cloud, whereas the more sensitive, business-critical applications can be run in a private cloud. This offering is for those looking to set up restricted marketplaces or with public invitations to tender.
- A community cloud offering consists of hosted offerings for Internet communities (usually organized around a specific topic), thus easing

Subscribe today. Visit sapinsider.wispubs.com.

the information exchange. This is an offering for information sharing and decision making that enables all participants to comment on information and share additional data — by uploading files or inserting links, for instance.

Sidebar: What Is Cloud Computing, Really?

The term “cloud” describes the complex system of connected devices and services that make up the Internet. Cloud computing, then, is based on the concept of shared resources. It’s a large pool of easily usable and accessible virtualized resources (such as hardware, development platforms, or services) that can be dynamically reconfigured to adjust to a variable load, enabling optimal resource use.*

Instead of relying solely on in-house computing power, companies outsource their solutions, having them hosted in the cloud. It’s a convenient, cost-saving way of extending computing power without having to buy technology to do so. Companies rent software and pay as they go so they can vary their resources in accordance with their requirements.

There are three key characteristics of cloud computing:

1. The software is hosted. Cloud software runs on servers that are hosted by an external outsourcer or by the company’s IT department as a separate corporate entity. In a hosting scenario, companies might run their own systems and applications on hosted servers and transfer formerly on-premise software onto servers hosted by a provider. Or they might leverage applications on top of hosted servers.
2. The software can be accessed on-demand. Companies access cloud solutions via the Internet (browser-based) or via web services (SOA-based). On-demand access requires high availability of the software, since users expect to be able to execute cloud offerings anytime and anywhere and have a very limited tolerance for system downtime. Internet-based access allows providers to leverage various standards for web services, interoperability, and security developed by entities such as the World Wide Web Consortium (W3C) or the Liberty Alliance, in which businesses, academia, and software vendors cooperate to ensure ease of implementation and interoperability.
3. The IT administration is outsourced. To reduce costs, businesses will usually choose a cloud offering where the IT administration is outsourced, which means that someone external to the business’s workforce has administrative rights on the servers and access to the application data — this outsourced administration is what makes security so pressing.

* See “Cloud Computing and SAP: Where We Are and Where We’re Going” by Kaj van de Loo and Roland Wartenberg in the July-September 2010 issue of SAPinsider (sapinsider.wispubs.com).

2. How Will the Provider Ensure Privacy?

Cloud providers are responsible for ensuring that companies and users see only their own portion of the data hosted in the cloud. To do so, these providers use a concept called multi-tenancy — meaning that a single instance of a hosted application is provided for multiple clients (tenants). An additional benefit of this multi-tenant architecture is that it allows tenants to configure the user interface according to their corporate branding and configure their own business processes and rules without changing the code, which is shared by all tenants.

Of course, there’s still an element of risk in this scenario. Administrators can still access the servers and data — and potentially abuse their access privileges for industrial espionage. Data privacy issues could also arise due to the aggregation of data. Consider, for example, that your controlling application and its data were hosted on a server alongside your fiercest competitor’s data. This might give someone the opportunity to compare the internal costs and profit margins of the two. This is why a company might require that its solutions never get deployed along with those of its competitors. A good workaround for this situation is to deploy your solution in a private cloud, or to encrypt data at rest (that is, data in computer storage that is never changed or is changed at regular intervals) and data in transit (that is, data that is being transferred over a network or that is temporarily stored in memory to be used or updated) to ensure confidentiality. And, of course, strong authentication mechanisms are a must.

It is also crucial to understand the outsourcer’s key management policy. Ask the outsourcer where the encryption keys will be stored and who has access to them. Ideally, only the businesses themselves or the end users should be able to see the keys.

3. What Should I Look for in a Provider’s SLA?

Service-level agreements (SLAs) regulate the conditions and define the contract for a cloud offering. As a business or an end user, you should carefully read and make sure you understand these terms. With regard to security, pay special attention to security management and secure configuration. For example, ask:

- What are the provider’s encryption offerings for credit card payments? Are they compliant with the Payment Card Industry Data Security Standard (PCI-DSS)?
- How often do servers receive security patches? What are the guarantees for high availability? When are the scheduled downtimes?
- Where are the servers located? How is the staff at that location trained?
- What are the provider’s back-up and recovery offerings, and which access rights are mandatory? What happens when a back-up does not run smoothly or if data gets lost?
- How do you transfer security policies when moving data from an on-premise installation to a cloud application?
- What are the procedures if there is a data breach or if data is lost or accessed by an unauthorized entity? Who will investigate such a breach, and what are the mitigation measures?
- Who owns the data? How is retention handled?

When considering a cloud offering, you also want to ensure that the outsourcer can enforce what it states in its SLA. That’s why it’s also a good idea to pay the provider of your choice a site visit and ask for a demonstration.

Adapt Existing Identity Management Tools and Strategies for the Cloud

Identity management is another important part of cloud computing, and it will only become more so as the cloud evolves. Consider this: In the future, customers, regardless of size, will have to open their on-premise applications to make them accessible from cloud applications. Why? To attract younger customers, businesses need to expand access to their software via community cloud applications, such as Twitter or Second Life. Business applications will then be run as connections in the form of networked applications or networked solutions. Of course, the business won’t want to outsource all of its critical data to a cloud solution, but will instead complement its on-premise software with on-demand extensions.

To bridge the gap between these on-premise and on-demand solutions, software vendors will have to ensure that their solutions are both interoperable and secure. Of course, on-premise solutions generally call for stronger authentication procedures, while on-demand solutions often thrive on their users’ anonymity. To meet both of these needs, companies need a solid identity management strategy and tools.

Luckily, many companies already have some kind of identity management functionality and strategy for the cloud. For example, many businesses have offered Internet-based access to their systems for a long time, and they also have the appropriate security measures to ensure authentication, encryption of communication paths, and the security of web services. The evolving security tools that enable all this will also help authenticate user credentials at registration, while still ensuring privacy — thus allowing a secure connection between on-premise and on-demand solutions.

The key here is identity federation, a new industry standard that allows a business to establish cross-domain single sign-on within heterogeneous landscapes.[1] The standard was developed to enable the new kind of trust relationships that cloud computing requires. Identity federation can be combined with an identity and access management (IAM) infrastructure to create strong authentication and to link access management with the administration of the repositories where the identities reside. And with the latest release of SAP NetWeaver Identity Management, the standards needed to enable this identity federation are now available to SAP customers. Let’s take a look at the identity federation concept in practice.

[1] See “Taking SSO to the Next Level: SAP Supports Identity Federation with SAML 2.0” by Yonko Yonchev and Dimitar Mihaylov in the July-September 2010 issue of SAPinsider (sapinsider.wispubs.com).

Identity Federation in Action: Securing a Business Process in the Cloud

Consider an airline that wants to offer special services for its members. For example, the airline wants to work with a hotel agency to offer its Platinum members a free room upgrade, and with a car rental company to offer Regular members a discount. This cooperation between different companies requires a cloud-based business process to exchange information about the customer. And the key to securing that information exchange is identity federation (see Figure 1).

In this case, the airline company acts as the identity provider (IdP) in the process — this means that the airline is responsible for handling the authentication and identification of a user. The IdP stores the central ID of all users — here, the airline members — and all the federation information for the participating target systems — here, the car rental company and the hotel agency’s systems. These target systems act as the
service providers (SPs) in this scenario. To establish identity federation, the airline and the administrators from each SP company need to set up agreements about how to exchange the user ID information. In this example, the companies go about this requirement in different ways:

- Attribute-based identity federation: The only information the hotel agency requires is the airline’s name and the member’s status. It does not need a named user, but instead uses the attribute “member status” to process the user. The required information about the airline company is included in the authentication information from that company. With attribute-based identity federation, companies can use virtually any information to identify the user: cost center and company code combinations or a social security number, for example.
- Named user-based identity federation: The car rental company requires named users in its systems, but does not want to share the user names over the Internet because of security and data privacy reasons. It uses the customer’s email address as federation data and maps it to the car rental user account.

Figure 1: Using SAP NetWeaver Identity Management’s identity federation standards to securely send information between different companies

Airline (identity provider)
- Offers its members discounts for booking hotel rooms and car rentals (member status depends on flight miles)

Hotel Agency (service provider; attribute-based federation)
- Airline members get an automatic room upgrade
- Required federation information: member status + company name

Car Rental (service provider; named-user federation)
- Airline members get a 10% discount
- Required federation information: email address

For both authentication mechanisms, the IdP issues a standardized Security Assertion Markup Language (SAML) token. With its 2.0 version, SAML can be leveraged to establish trusted single sign-on between businesses and a variety of SP back-end systems. The SP does not need to sanitize or cleanse the user IDs. And the users can keep their various back-end IDs to ensure their privacy, but still be properly and strongly authenticated.

Summary and Outlook

As more and more companies explore the possibilities of cloud computing, the issue of security should be top-of-mind. Hosting solutions in the cloud and linking on-premise solutions and on-demand cloud offerings provide a bevy of benefits, but also involve making your business’s information accessible to more outside forces. To mitigate the potential risks that come with this, there are many considerations to keep in mind and several tools you’ll want at your fingertips. For more information, visit www.sdn.sap.com/irj/sdn/virtualization and www.sdn.sap.com/irj/sdn/security.

Additional Resources

- Special Report on Cloud Computing (SAPinsider, July-September 2010, sapinsider.wispubs.com)
- “Get Started with Cloud Computing and SAP Today” by Scott Wall (SAP Professional Journal, Volume 12, Update 5, www.SAPpro.com)
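The multi-tenancy discussion in question 2 (one shared instance and one shared code base serving several tenants, with the risk that a competitor's controlling data sits in the same store) is easiest to see in code. The following is an added example, not code from the article or from any SAP product: a shared SQLite table holds cost figures for two constructed tenants, and the weak query that filters only on the business key is shown beside the hardened one that binds every read and write to the tenant established at authentication time. Tenant ids, cost centers and amounts are all constructed.

```python
"""Tenant-scoped data access for a multi-tenant application.

Added example for the multi-tenancy section of the article; it is not code
from the article or from SAP NetWeaver. All tenant ids, cost centers and
amounts below are constructed.
"""
import sqlite3

# Constructed sample rows: two competing tenants share one instance and one
# table, distinguished only by tenant_id.
SAMPLE_ROWS = [
    ("airline-a", "cost_center_100", 1_250_000),
    ("airline-a", "cost_center_200", 830_000),
    ("airline-b", "cost_center_100", 990_000),
]


def build_store():
    """Create the shared in-memory store and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cost_report ("
        "tenant_id TEXT NOT NULL, cost_center TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO cost_report VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class TenantContext:
    """The caller's tenant, fixed when the session was authenticated.

    It is deliberately not taken from request parameters, so a user cannot
    choose which tenant's rows a query is bound to.
    """

    def __init__(self, tenant_id):
        self.tenant_id = tenant_id


def unscoped_report(conn, cost_center):
    """Weak form: filters on the business key only. Because code and table
    are shared by all tenants, this returns every tenant's figures for that
    cost center, which is exactly the cross-tenant comparison the article
    warns about."""
    return conn.execute(
        "SELECT tenant_id, amount FROM cost_report "
        "WHERE cost_center = ? ORDER BY tenant_id",
        (cost_center,),
    ).fetchall()


def scoped_report(conn, ctx, cost_center):
    """Hardened form: every read carries the authenticated tenant id."""
    return conn.execute(
        "SELECT tenant_id, amount FROM cost_report "
        "WHERE tenant_id = ? AND cost_center = ? ORDER BY tenant_id",
        (ctx.tenant_id, cost_center),
    ).fetchall()


def scoped_update(conn, ctx, cost_center, amount):
    """Writes get the same binding; returns the number of rows changed,
    which is 0 when the cost center belongs to another tenant."""
    cur = conn.execute(
        "UPDATE cost_report SET amount = ? WHERE tenant_id = ? AND cost_center = ?",
        (amount, ctx.tenant_id, cost_center),
    )
    conn.commit()
    return cur.rowcount


def leaked_tenants(rows, ctx):
    """Audit check: tenant ids in a result set that differ from the caller's.
    Run it over query results in tests to catch a missing tenant filter."""
    return sorted({tenant for tenant, _ in rows if tenant != ctx.tenant_id})


if __name__ == "__main__":
    store = build_store()
    caller = TenantContext("airline-a")
    print("unscoped:", unscoped_report(store, "cost_center_100"))
    print("scoped:  ", scoped_report(store, caller, "cost_center_100"))
```

The design point is that the tenant filter lives in the data-access layer and is fed from the authenticated session, never from user-supplied input; `leaked_tenants` is the kind of check a tenant-isolation test suite runs over every query path. Note that this isolates tenants from each other but, as the article says, not from the provider's own administrators, which is what encryption at rest with customer-held keys is for.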

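The airline scenario (attribute-based federation with the hotel agency, named-user federation with the car rental company, one SAML token per SP) can be walked through end to end. The following is an added example, not code from the article or from SAP NetWeaver Identity Management: it keeps the shape of a SAML 2.0 assertion (issuer, audience, validity window, attributes, signature) but encodes it as signed JSON with an HMAC per trust relationship rather than an XML signature with asymmetric keys, which is what real SAML deployments use. The issuer name, trust keys, federation profiles, members and car rental accounts are all constructed.

```python
"""Identity federation between an IdP and two SPs, attribute-based and
named-user based. Added example for the article's airline scenario; not
code from the article or from SAP NetWeaver Identity Management. All
parties, keys, members and accounts are constructed."""
import base64
import hashlib
import hmac
import json
import time

AIRLINE_ISSUER = "airline-idp"
ASSERTION_TTL = 300  # seconds an assertion stays valid

# Constructed: one secret per IdP<->SP trust relationship, agreed by the
# administrators when the federation agreement is set up.
TRUST_KEYS = {
    "hotel-agency": b"constructed-trust-key-hotel-agency",
    "car-rental": b"constructed-trust-key-car-rental",
}

# What each SP is allowed to receive under its agreement.
FEDERATION_PROFILES = {
    "hotel-agency": ("member_status", "company"),  # attribute-based: no named user
    "car-rental": ("email",),                       # named-user based: email is the link
}

# Constructed airline member directory; it never leaves the IdP.
AIRLINE_MEMBERS = {
    "member-0001": {"email": "[email protected]", "member_status": "Platinum"},
    "member-0002": {"email": "[email protected]", "member_status": "Regular"},
}

# Constructed local accounts at the car rental company, keyed by email.
CAR_RENTAL_ACCOUNTS = {"[email protected]": "CR-7781", "[email protected]": "CR-2093"}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(member_id, audience, now=None):
    """IdP side: after authenticating the member, release only the
    attributes agreed with this SP, signed under that SP's trust key."""
    now = time.time() if now is None else now
    source = dict(AIRLINE_MEMBERS[member_id], company="airline")
    attributes = {name: source[name] for name in FEDERATION_PROFILES[audience]}
    body = {"issuer": AIRLINE_ISSUER, "audience": audience,
            "iat": now, "exp": now + ASSERTION_TTL, "attributes": attributes}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(TRUST_KEYS[audience], payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_assertion(token, audience, now=None):
    """SP side: accept only if signed under this SP's trust key, addressed
    to this SP, issued by the airline IdP, and inside its validity window."""
    now = time.time() if now is None else now
    payload_b64, signature_b64 = token.split(".")
    payload = _unb64(payload_b64)
    expected = hmac.new(TRUST_KEYS[audience], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(signature_b64)):
        raise ValueError("signature does not verify under this trust relationship")
    body = json.loads(payload)
    if body["issuer"] != AIRLINE_ISSUER or body["audience"] != audience:
        raise ValueError("assertion not from the IdP or not meant for this SP")
    if not body["iat"] <= now < body["exp"]:
        raise ValueError("assertion outside its validity window")
    return body["attributes"]


def is_accepted(token, audience, now=None):
    """True if the SP named by `audience` would accept the token."""
    try:
        verify_assertion(token, audience, now)
        return True
    except ValueError:
        return False


def hotel_checkin(token, now=None):
    """Hotel agency: decides on attributes alone and never sees a user id."""
    attributes = verify_assertion(token, "hotel-agency", now)
    if attributes.get("company") == "airline" and attributes.get("member_status") == "Platinum":
        return "free room upgrade"
    return "no offer"


def car_rental_login(token, now=None):
    """Car rental: maps the federated email to its own named user and grants
    the airline member discount; the airline's member id is never shared."""
    attributes = verify_assertion(token, "car-rental", now)
    local_user = CAR_RENTAL_ACCOUNTS.get(attributes["email"])
    if local_user is None:
        raise LookupError("no local account mapped to the federated email")
    return local_user, 10  # (named user, discount in percent)
```

Two things to check when reading the output: the hotel agency's assertion carries no email and no member id, only the status and company it needs, while the car rental assertion carries the email and nothing about status; and an assertion issued for one SP is rejected by the other, because each trust relationship has its own key and audience. Expiry and signature checks are the minimum an SP should enforce on any SAML assertion it consumes.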