How SAP runs on AWS - A Field Report

Thorsten Herre, SAP Chief IT Security Architect
June, 2016


© 2016 SAP SE or an SAP affiliate company. All rights reserved.

About SAP

More than 77,000 international employees

Worldwide locations in more than 130 countries

More than 300,000 customers in 190 countries

74% of the world’s transaction revenue touches an SAP system.

SAP has been an AWS customer since 2008

AWS has been an SAP Global Partner since 2011


Ready to put your SAP Systems in the Cloud?


SAP’s Journey to AWS

Business Software Vendor

Certified by SAP

Various certified SAP Solutions for AWS:
• SAP HANA Infrastructure Services
• SAP HANA One service
• SAP BusinessObjects BI
• SAP Business Suite (incl. SAP ERP, SAP CRM, SAP SCM, SAP PLM, SAP SRM)
• SAP Business All-in-One
• SAP Business One
• SAP Afaria mobile device management
• Sybase Unwired Platform
• SAP MaxDB, SAP ASE, SAP IQ

http://aws.amazon.com/de/sap/

http://scn.sap.com/docs/DOC-47930

Please refer to SAP Note 1656099 for details


SAP’s Journey to AWS

Internal SAP IT & Business Cloud Service Provider

SAP runs Infrastructure on AWS for:
• SAP internal Development
• SAP Business One (B1)
• SAP Cloud Appliance Library (Demo/Trials)
• SAP Hybris [y]aaS
• SAP HANA Cloud Platform (HCP)
• SAP Anywhere
• SAP Concur

Many more Landscapes and Clouds planned for AWS

https://cal.sap.com/

https://hcp.sap.com/


SAP’s Business & Security Challenges with AWS

Business Software Vendor
• Build up AWS Know-How within SAP
• Getting SAP Products certified for AWS
• Existing SAP licenses can be used on AWS
• Full SAP Support for Production deployments
• Getting Extra Large EC2 VM Instances
  • r3.8xlarge (32 vCPU; 244 GB RAM) or
  • x1.32xlarge (128 vCPU; 1952 GB RAM)
• >100 SAP partners have AWS Partner Network (APN) status
• Agreeing on an AWS Partnership Model
• License Models (e.g. BYOL vs on-demand hourly/yearly vs free developer)
• Supporting Customer PoC

Internal SAP IT & Business Cloud Service Provider
• Manage the >100 AWS Accounts used at SAP
• Setting up a central Billing
• Signing a SAP – AWS DPA & Cloud Customer Contracts running on AWS
• Integrating AWS Compliance into SAP Cloud Certifications & Cloud Security Frameworks
• Defining an AWS Security Standard for:
  • Secure Account handling & IAM
  • Use of MFA for daily business
  • Secure configurations for AWS Services
• Defining SAP Cloud specific AWS Security Architectures


SAP on AWS: Central Billing & Account Management

• AWS Consumption within SAP tripled in the last 12 months
• We have >100 AWS Accounts
• Many Clouds/LoBs use more than one AWS account
• Central provisioning and management of all AWS Accounts by SAP IT
• Central billing workflow and reporting to all Cloud Units and LoBs cost centers
• Modular approach for IaaS Providers
• Planned: Additional security checks in the provisioning workflow


SAP on AWS: Data Protection Agreement & Cloud Contracts

• Establish the possibility to bring SAP Products and Services on AWS

• SAP negotiated with AWS a dedicated ESA and MDPA

• Solve Data Protection Officer and SAP Legal concerns

• Clarify sub-contractor or sub-processor status

• Integrate AWS Compliance & Certification Status in SAP offering

• Agree on operation models, support, …

[Diagram of the contract structure. Labels: Contract between SAP and Amazon; Enterprise Customer Agreement; Master DPA; Enterprise Support Agreement; SAP Cloud Customer Contract; Customer Contract; AWS DPA; Standard DPA; DPA / TOMs for cloud offerings using AWS; DPA / TOMs SAP use in general]


SAP on AWS: Security Governance for AWS usage

SAP Global Security has created dedicated Security Standards and Checklists for IaaS Partners:
• Checking IaaS Partner (e.g. AWS) against the SAP IaaS Cloud Security Architecture Framework (based on CSA CCM and SAP Best Practice; Integrated in SAP Purchasing RFPs)
• Review AWS Certification status and audit reports (e.g. SOC1/2, ISO27001, PCI/DSS, FISMA, ITAR, IRAP…)
• Define a SAP Cloud Security Directive and an AWS Security Standard
• Define a Network Integration Strategy and Guideline (AWS ↔ SAP Corporate Network)
• Assign dedicated Security Officers for IaaS Partners (e.g. AWS) for each SAP Cloud usage

Integrate IaaS (AWS) Deployments in SAP Security Monitoring & Security Incident Management:
• Checking AWS Account configuration security using AWS Trusted Advisor.
• Currently ongoing PoC: Usage of additional Security Monitoring Tools for AWS Account, Security Group / ACL and Instance usage (e.g. AWS Inspector; Evident.io; Dome9)
• Integration of AWS CloudTrail logs in the SAP SIEM and CyberSecurity Incident Handling


SAP on AWS: Example of a Hybrid Deployment

SAP production landscape runs in customer’s own datacenter

SAP development & quality assurance landscape runs on AWS

Use encrypted communication only:
• Allow only e.g. HTTPS, SSH, SNC, ODBC/SSL
• Use VPN or Direct Connect
• Use AWS VPC features

Use AWS Storage Encryption features


SAP on AWS: General Security Architecture

• Setup private/public subnets
• Setup security groups / ACLs
• Define IAM user & profiles
  • Lock down root account
  • Define users/profiles based on use
  • Use MFA
• Integrate AWS CloudTrail in SIEM
• Use AWS Trusted Advisor, Inspector, CloudWatch or ext. Tools
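
Added example (not part of the original slides): a minimal SIEM-side triage over CloudTrail records that ties the root-account, MFA and CloudTrail bullets together. The sample records are constructed; the account ID, ARNs and IP addresses are placeholders, and the function name `triage` is an assumption.

```python
# Constructed CloudTrail records (not real log data). Field names follow the
# CloudTrail record format; account ID, ARNs and IPs are placeholders.
RECORDS = [
    {"eventTime": "2016-06-01T08:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-06-01T08:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-admin"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-06-01T08:10:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/basis-ops"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-06-01T09:00:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]

def triage(records):
    """Return (rule, eventTime, principal ARN, eventName) alerts for a SIEM."""
    alerts = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        name = rec.get("eventName", "")
        key = (rec.get("eventTime"), ident.get("arn"), name)
        # Rule 1: a locked-down root account should produce no events at all.
        if ident.get("type") == "Root":
            alerts.append(("root-activity",) + key)
        # Rule 2: successful console sign-in that did not use MFA.
        login_ok = (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
        if name == "ConsoleLogin" and login_ok and mfa != "Yes":
            alerts.append(("console-login-without-mfa",) + key)
    return alerts

if __name__ == "__main__":
    for alert in triage(RECORDS):
        print(alert)
```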


SAP on AWS: Secure setup for SAP Support

• Deploy a new AWS instance only for SAProuter into the public subnet of the VPC

• Configure a separate security group for this instance (limit it to SAP’s SAProuter IP address and port 3299/tcp)

• Create a saprouttab file allowing access from SAP to your SAP systems on AWS

• For Internet connections use Secure Network Communication (SNC).

• Modify the existing security groups (e.g. SAP HANA) to trust the SAProuter security group

• (optional) Shut down the SAProuter instance when not in use.
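
Added example (not part of the original slides): an offline audit of the two security groups described above, checking that the SAProuter group admits only the SAP-side address on 3299/tcp and that the backend group trusts the SAProuter group rather than the Internet. The group data is constructed in the shape of `aws ec2 describe-security-groups` output; the group IDs, the placeholder address 198.51.100.10, the sample backend port and the function names are assumptions.

```python
# Constructed security groups in the shape of `aws ec2 describe-security-groups`
# output. Group IDs are made up; 198.51.100.10 is an RFC 5737 placeholder for
# the SAP-side SAProuter address, which the slide does not state.
SAP_SIDE_CIDR = "198.51.100.10/32"
SAPROUTER_PORT = 3299

ROUTER_SG = {"GroupId": "sg-router01", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3299, "ToPort": 3299,
     "IpRanges": [{"CidrIp": "198.51.100.10/32"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,   # extra rule to be flagged
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]}
HANA_SG = {"GroupId": "sg-hana01", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 30015, "ToPort": 30015,  # sample backend port
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-router01"}]},
]}

def _sources(perm):
    """All CIDR and security-group sources named by one ingress rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])

def audit_router_group(sg, allowed=SAP_SIDE_CIDR, port=SAPROUTER_PORT):
    """List every ingress source other than `allowed` on exactly `port`/tcp."""
    extra = []
    for perm in sg["IpPermissions"]:
        on_port = (perm.get("IpProtocol") == "tcp"
                   and perm.get("FromPort") == port == perm.get("ToPort"))
        for src in _sources(perm):
            if not (on_port and src == allowed):
                extra.append((src, perm.get("IpProtocol"),
                              perm.get("FromPort"), perm.get("ToPort")))
    return extra

def audit_backend_group(sg, router_group_id):
    """Return (trusts_router, world_open_sources) for a backend group."""
    trusted, world = False, []
    for perm in sg["IpPermissions"]:
        for src in _sources(perm):
            trusted = trusted or src == router_group_id
            if src in ("0.0.0.0/0", "::/0"):
                world.append(src)
    return trusted, world

if __name__ == "__main__":
    print(audit_router_group(ROUTER_SG))
    print(audit_backend_group(HANA_SG, ROUTER_SG["GroupId"]))
```

Anything the router audit returns is a rule beyond the slide's "SAP's SAProuter IP address and port 3299/tcp" limit and needs a documented reason or removal.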


SAP on AWS: High Availability and Disaster Recovery

• Use multiple Availability Zones
• Use dedicated AWS Accounts for Prod vs. Q/A vs. Dev Systems


Thank you

Contact information:
Thorsten Herre
Chief IT Security Architect
Global Security Team
SAP SE


© 2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
