Our cyber security solutions in the SAP cloud operation

Last updated: July 25, 2023

Novis obtained SAP competency certification on AWS in October 2020, and we subsequently certified our operation to ISO 27001. To achieve this, we made a very profound improvement to our public cloud security standards, which involved, among other things, the following measures: the adoption of a cybersecurity framework, the development of policies and procedures, the accreditation of competencies, and the necessary technologies. Our current operation adheres to the following five cybersecurity principles:

  1. Identity and access management

In identity management, in accordance with best practices in this area, our model has a single identity management repository, with multifactor authentication mechanisms that validate the identity of our personnel using the biometric mechanisms of their mobile devices registered in the domain. In permissions management, we are governed by the principle of least privilege. Based on this, our power users have access roles to their cloud accounts tailored to the specific permissions required for their role. These users connect to the public cloud administration consoles via a single sign-on portal associated with our IDM, which grants them access to the accounts via a token whose session expires within four hours, reducing the risk of credential theft. Other Novis staff do not have direct access to cloud resources and interact with them through a service portal that they log into with their domain users. This portal gives them access to the specific tasks they need to perform their functions, such as restarting a server, taking a backup on demand, or stopping a process.

  2. Network protection

In network perimeter security, we seek to minimize the surface of exposure to risks and cyber-attacks, taking advantage of the wide range of cybersecurity functionalities in the public cloud. One of the main areas to protect is applications exposed to the internet, such as SAP Fiori apps or SAP Portal sites. In these cases, the web servers are deployed in private networks and published to the internet via load balancers protected by a Web Application Firewall (WAF) and Distributed Denial of Service (DDoS) attack prevention systems. Another feature of our cloud network configurations is that all flows are logged, and the logs generated are continuously analyzed using AI-based tools, which seek to identify unusual access patterns that can provide early warning of an attack attempt.

  3. Zero Trust Access Network

For regulated clients, or those who are concerned about exposing their critical systems to the Internet, we offer a multi-layered security technology through a “Zero Trust” network, which makes your SAP system available to all your remote users without the need to expose the system to the Internet. This type of access can be seen as the evolution of the VPN, since, in comparison, it adds multiple layers of security, allows a higher level of customization, and reduces the costs and complexities of securely publishing a critical service to the Internet.

  4. Data protection

In this category we focus on three subdomains:

1) Data classification: We categorized the information assets we manage and established specific policies for each type. We have defined rules that regulate access to databases, backups, computer programs and their configuration, customer contact data, contracts, etc.

For example, backup management policies consider the following:

    • The accounts where backups are stored are different from the accounts of the source systems.
    • Backups are stored encrypted.
    • The backup lifecycle is managed programmatically without human intervention.
    • Novis operational staff do not have access to backup repositories.
    • Backups can only be retrieved from servers in the same account and region as the protected systems.

2) Data flow encryption (encryption in transit):
Our policies do not allow data to flow outside the cloud environment without encryption, so that, if it is intercepted by someone unauthorized, no information is disclosed. We have continuous compliance mechanisms that notify our security team when a service is published to the Internet through an unauthorized port, such as ports 22 (SSH), 80 (HTTP) and 3389 (RDP). Finally, traffic between secure networks (isolated networks or client networks) is also encrypted using VPN tunnels.

3) Encryption of data at rest (encryption at rest):
We keep server disks and backup volumes encrypted. When encryption is enabled, two types of permissions are required to read the data: the access or administration permission on the resource itself, and the permission to use the encryption key associated with it. This segregation of roles allows finer-grained data protection policies to be established, which can prevent, for example, unauthorized personnel from taking information out of the account in which it was created and into another region of the cloud.
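The continuous compliance check described under data flow encryption, written here as an added example (not Novis's own tooling): it walks security-group rules in the shape returned by the EC2 DescribeSecurityGroups API and flags any rule that publishes port 22, 80 or 3389 to the whole Internet. The group names and rules are constructed sample data.

```python
from typing import Dict, List

# Ports the policy never allows to be published directly: 22, 80 and 3389.
UNAUTHORIZED_PORTS = {22: "SSH", 80: "HTTP", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "whole Internet" ranges


def _rule_is_public(rule: Dict) -> bool:
    """True if any IPv4 or IPv6 range on the rule is the whole Internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def _ports_covered(rule: Dict) -> List[int]:
    """Unauthorized ports inside the rule's port range ('-1' means all protocols and ports)."""
    if rule.get("IpProtocol") == "-1":
        return sorted(UNAUTHORIZED_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return []
    return sorted(p for p in UNAUTHORIZED_PORTS if lo <= p <= hi)


def find_exposed_ports(security_groups: List[Dict]) -> List[Dict]:
    """One finding per (group, port) where an unauthorized port is open to the Internet."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if _rule_is_public(rule):
                for port in _ports_covered(rule):
                    findings.append({"group": sg["GroupId"], "port": port,
                                     "service": UNAUTHORIZED_PORTS[port]})
    return findings


# Constructed sample (not a real account): a compliant web group (443 public, SSH only
# from a private range) and a non-compliant one (RDP public, 0-1024 public over IPv6).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ]},
    {"GroupId": "sg-admin-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for f in find_exposed_ports(SAMPLE_GROUPS):
        print(f"ALERT {f['group']}: port {f['port']} ({f['service']}) is open to the Internet")
```

Note that the 0-1024 IPv6 rule is caught even though it does not name port 22 or 80 explicitly; a check that compares only exact port numbers would miss it.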

  5. Detective controls

Our policy on this topic establishes mechanisms to protect and analyze log data to detect security events, both actively with artificial intelligence (AI) tools and in subsequent audits.

1) Use of logs:
Since all public cloud resources are consumed through APIs, we keep records of all calls to those APIs, with their associated parameters (who called it, at what time, what operations it executed, etc.). This way we guarantee security from the outset, since from the moment an account is created, security logs are activated, to which only the highest levels of responsibility have access.
Similarly, we keep a record of all configuration changes and of the relationships between infrastructure elements in the cloud. All these logs are protected in such a way that no one, not even the super administrator, can delete or modify them. In addition, they are analyzed proactively and automatically with AI-based services. This level of security is very difficult to ensure in the on-premises world.

2) Compliance monitors:
We have a series of monitors to verify compliance with security standards automatically and continuously (continuous compliance monitoring). In the compliance console that we have implemented, we can indicate the different international norms or standards that we wish to comply with, and we receive a diagnosis of what is being achieved, what is missing, and what is recommended to correct it. It also allows the entities that periodically certify us to review not only snapshots of the status at the time of the audit, but also to verify compliance with the different standards over time, through the evidence of compliance that is generated on an ongoing basis.
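One detective control that follows from the "Use of logs" and "Compliance monitors" points above, as an added example rather than Novis's own implementation: a rule run over API audit records (in the CloudTrail record shape) that alerts on any call that would stop, delete or reconfigure audit logging, including calls that were denied. The action names are the CloudTrail and Config API operations; the records themselves are constructed sample data.

```python
import json
from typing import Dict, List

# API actions that would blind the detective controls if they succeeded.
LOG_TAMPERING_ACTIONS = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "config.amazonaws.com": {"StopConfigurationRecorder", "DeleteConfigurationRecorder"},
}


def detect_log_tampering(records: List[Dict]) -> List[Dict]:
    """Return one alert per record whose (eventSource, eventName) is a tampering action."""
    alerts = []
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName")
        if name not in LOG_TAMPERING_ACTIONS.get(source, set()):
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "action": name,
            # A denied attempt is still a signal: an identity with console access tried it.
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
            "source_ip": rec.get("sourceIPAddress"),
        })
    return alerts


# Constructed sample records (documentation account id and IP ranges, not a real account).
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2023-07-01T08:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "StopInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"},
  "sourceIPAddress": "10.1.2.3"},
 {"eventTime": "2023-07-01T08:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
  "eventName": "StopLogging", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/admin"}, "sourceIPAddress": "203.0.113.7"},
 {"eventTime": "2023-07-01T08:06:00Z", "eventSource": "config.amazonaws.com",
  "eventName": "DeleteConfigurationRecorder",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/admin"}, "sourceIPAddress": "203.0.113.7"}
]""")

if __name__ == "__main__":
    for a in detect_log_tampering(SAMPLE_RECORDS):
        print(f"ALERT {a['time']} {a['actor']} {a['action']} ({a['outcome']}) from {a['source_ip']}")
```

The routine server operation (StopInstances) produces no alert, while both the denied StopLogging call and the successful DeleteConfigurationRecorder call do, so the security team sees the attempt regardless of whether the protection on the logs held.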

At Novis we have the specialized knowledge required to protect your SAP solutions with the highest standards against the growing cybersecurity risks to which they are exposed.

We invite you to contact us for a discussion.

Feedback/discussion with author Flavio Fernandes, CISO at Novis, flavio.fernandes@noviscorp.com