As we told you in this article, Novis has been certified for SAP on AWS operations. To achieve this we introduced major improvements to our public cloud security standards, which entailed, among other measures, adopting a cybersecurity framework, developing policies and procedures, accrediting staff skills, and deploying the necessary technologies. Our current operation adheres to the following cybersecurity principles:
1. Identity and access management.
For identity management, in line with best practice, our model uses a single identity repository, with multi-factor authentication that validates the identity of our staff through the biometric authenticators on mobile devices enrolled in the domain. For access management we apply the principle of least privilege: our advanced users have cloud account access roles scoped to the specific permissions their job requires. These users connect to the public cloud management consoles through a single sign-on portal that grants access to the accounts with a token whose session expires after 4 hours, which limits the window in which stolen credentials can be used. The rest of the Novis staff have no direct access to cloud resources; they interact with them through a services portal, using their domain user accounts, that exposes only the specific tasks their work requires, such as restarting a server or taking an on-demand backup.
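The three access rules in the paragraph above (MFA on the identity, a session capped at 4 hours, roles scoped to the job) can be checked mechanically against role definitions. The script below is an added example written for this page, not Novis tooling; it assumes the 4-hour limit is enforced through the role's MaxSessionDuration, and the role names, account ID and policy documents are constructed in the shape of `aws iam get-role` output.

```python
"""Audit IAM role definitions against the access rules above: MFA required to
assume the role, sessions capped at 4 hours, no wildcard actions.  Added
example; role names, account ID and policies are constructed."""

MAX_SESSION_SECONDS = 4 * 3600          # 4-hour session lifetime from the text
MFA_KEY = "aws:multifactorauthpresent"  # IAM condition keys are case-insensitive


def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource
    return value if isinstance(value, list) else [value]


def trust_requires_mfa(trust_document):
    """True only if every Allow statement carries Bool aws:MultiFactorAuthPresent
    = true.  BoolIfExists is deliberately rejected: it passes when the key is
    absent from the request context, which is exactly the no-MFA case."""
    allows = [s for s in _as_list(trust_document.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if not allows:
        return False
    for stmt in allows:
        bool_cond = stmt.get("Condition", {}).get("Bool", {})
        if not any(k.lower() == MFA_KEY and str(v).lower() == "true"
                   for k, v in bool_cond.items()):
            return False
    return True


def wildcard_actions(policy_documents):
    """Allow actions that grant everything ("*") or a whole service ("ec2:*")."""
    broad = []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            broad += [a for a in _as_list(stmt.get("Action", []))
                      if a == "*" or a.endswith(":*")]
    return broad


def audit_role(role):
    """List of findings; empty means the role meets the standard."""
    findings = []
    if role["MaxSessionDuration"] > MAX_SESSION_SECONDS:
        findings.append(f"session lifetime {role['MaxSessionDuration']}s exceeds "
                        f"{MAX_SESSION_SECONDS}s")
    if not trust_requires_mfa(role["AssumeRolePolicyDocument"]):
        findings.append("trust policy does not require MFA")
    findings += [f"wildcard action {a!r} violates least privilege"
                 for a in wildcard_actions(role["Policies"])]
    return findings


def audit_all(roles):
    return {name: audit_role(role) for name, role in roles.items()}


# Constructed sample in the shape of `aws iam get-role` output plus the role's
# policy documents (hypothetical role names and account ID 111122223333).
_TRUST_MFA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
_TRUST_WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    # Weak: BoolIfExists passes when no MFA information is in the request
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}}]}

ROLES = {
    "SapOpsInstanceControl": {
        "MaxSessionDuration": 14400,
        "AssumeRolePolicyDocument": _TRUST_MFA,
        "Policies": [{"Statement": [{"Effect": "Allow", "Action": [
            "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
            "Resource": "arn:aws:ec2:*:111122223333:instance/*"}]}],
    },
    "LegacyAdmin": {
        "MaxSessionDuration": 43200,
        "AssumeRolePolicyDocument": _TRUST_WEAK,
        "Policies": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    },
}
```

Running `audit_all(ROLES)` reports nothing for the scoped role and three findings for `LegacyAdmin`. The `BoolIfExists` case is the one worth remembering: it looks like an MFA requirement but grants the role to any caller whose request carries no MFA context at all.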
2. Network protection.
In perimeter network security we seek to minimize the attack surface exposed to cyberattacks, making use of the wide range of security capabilities available in public clouds. Among the main elements to protect are Internet-exposed applications, such as SAP Fiori apps or SAP Portal sites. In these cases the web servers are deployed on private networks and published to the Internet through load balancers protected by a Web Application Firewall (WAF) and Distributed Denial of Service (DDoS) protection. Another feature of our cloud network configuration is that all network flows are logged (source, destination, ports and volumes), and these logs are continuously analyzed by AI-based tools to identify unusual access patterns, so that attack attempts are flagged promptly.
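As an added example of the kind of "unusual access pattern" flow logs reveal, the script below applies two plain rules to VPC Flow Log records: a source that is rejected on many different ports of one host (a port scan) and an accepted connection from outside the VPC to a port that is not meant to be published. This is illustrative code written for this page, not the AI-based analysis the post refers to; the log lines, account ID, interface ID and VPC range 10.0.0.0/16 are all constructed.

```python
"""Detect unusual access patterns in VPC Flow Log records.  Added example with
two simple rules; the log lines and addresses below are constructed."""
import ipaddress
from collections import defaultdict

# Default VPC Flow Log (version 2) field order
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status")
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC address range

# Constructed records: one scanner, one normal HTTPS client, one accepted RDP
# connection from outside, one internal SSH session and one NODATA record.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.20 41234 22 6 1 60 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.20 41235 23 6 1 60 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.20 41236 80 6 1 60 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.20 41237 443 6 1 60 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.20 41238 3389 6 1 60 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.7 10.0.1.20 41239 8080 6 1 60 1700000000 1700000030 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.4 10.0.1.20 52000 443 6 40 12000 1700000000 1700000030 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.9 10.0.1.20 50112 3389 6 12 2400 1700000000 1700000030 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.2.5 10.0.1.20 38800 22 6 30 4100 1700000000 1700000030 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(line):
    """Parse one record; None for NODATA/SKIPDATA records, which carry no addresses."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    if record["log_status"] != "OK":
        return None
    for field in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        record[field] = int(record[field])
    return record


def records(text):
    parsed = (parse_flow_log(line) for line in text.splitlines() if line.strip())
    return [r for r in parsed if r is not None]


def find_port_scanners(text, min_ports=5):
    """(src, dst) pairs where the source was rejected on at least min_ports ports."""
    rejected = defaultdict(set)
    for r in records(text):
        if r["action"] == "REJECT":
            rejected[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair: sorted(ports) for pair, ports in rejected.items()
            if len(ports) >= min_ports}


def find_unexpected_accepts(text, published_ports=frozenset({443})):
    """Accepted flows from outside the VPC to a port that is not published."""
    hits = []
    for r in records(text):
        if r["action"] != "ACCEPT":
            continue
        if ipaddress.ip_address(r["srcaddr"]) in VPC_CIDR:
            continue   # east-west traffic is judged by other rules
        if r["dstport"] not in published_ports:
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits
```

On the sample, `find_port_scanners` returns the scanner 203.0.113.7 with the six ports it probed and `find_unexpected_accepts` returns the accepted RDP connection from 203.0.113.9. Flow logs carry connection metadata only, not payloads, so the second rule is a check on exposure rather than on the content of the session.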
3. Data protection.
This area covers three subdomains:
The information assets we manage are classified, and a specific policy is defined for each class. We have established rules governing access to databases, backups, software and its configuration, customer contact data, contracts, and so on.
For example, backup management policies consider the following:
Our policies do not allow unencrypted data flows out of the cloud environment, so that an intercepted flow reveals nothing to an unauthorized party. Continuous compliance checks notify our security team whenever a resource is published to the Internet on an unauthorized port, for example 22 (SSH), 80 (HTTP) or 3389 (RDP).
All server disks and backup volumes are encrypted. With encryption enabled, two separate authorizations are required to read the data: permission on the resource itself (access or management), and permission to use the encryption key. This segregation of duties allows stricter data protection policies; for example, it prevents an unauthorized person who can reach a volume or snapshot from transferring its contents to an account in another cloud region, since the copy would also require use of the key.
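The continuous compliance check described above, which alerts when SSH, HTTP or RDP is published to the Internet, amounts to evaluating security group rules. The script below is an added example for this page, not Novis's own tooling; the security groups are constructed in the shape of `aws ec2 describe-security-groups` output with hypothetical group IDs, and a real deployment would run it from a configuration-change event rather than on a static list.

```python
"""Flag security group rules that publish SSH, HTTP or RDP to the whole
Internet.  Added example; the security groups below are constructed."""
import ipaddress

# Ports the post lists as unauthorized for Internet exposure
DISALLOWED_PORTS = {22: "SSH", 80: "HTTP", 3389: "RDP"}


def _internet_cidrs(permission):
    """CIDRs in the rule that cover every address (0.0.0.0/0 or ::/0)."""
    cidrs = [r["CidrIp"] for r in permission.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in permission.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def _disallowed_ports_covered(permission):
    """Disallowed ports that fall inside the rule's port range."""
    if permission["IpProtocol"] == "-1":          # all traffic; no ports given
        return set(DISALLOWED_PORTS)
    if permission["IpProtocol"] not in ("tcp", "udp", "6", "17"):
        return set()                              # e.g. icmp
    low, high = permission["FromPort"], permission["ToPort"]
    return {p for p in DISALLOWED_PORTS if low <= p <= high}


def exposed_disallowed_ports(security_groups):
    """(group id, port, service, cidr) for every offending rule."""
    findings = []
    for group in security_groups:
        for perm in group["IpPermissions"]:
            for cidr in _internet_cidrs(perm):
                for port in sorted(_disallowed_ports_covered(perm)):
                    findings.append((group["GroupId"], port, DISALLOWED_PORTS[port], cidr))
    return findings


def alert_lines(findings):
    """Lines for the notification sent to the security team."""
    return [f"{gid}: {service} (port {port}) open to {cidr}"
            for gid, port, service, cidr in findings]


# Constructed sample: a web tier behind the load balancer, a bastion, and a
# legacy group that allows everything (hypothetical group IDs).
SECURITY_GROUPS = [
    {"GroupId": "sg-0a11a11a11a11a111", "IpPermissions": [   # web tier
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0b22b22b22b22b222", "IpPermissions": [   # bastion
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0c33c33c33c33c333", "IpPermissions": [   # legacy
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]
```

On the sample, HTTPS from anywhere on the web tier passes, while HTTP on the same group, RDP over IPv6 on the bastion and all three ports on the legacy "allow everything" rule are reported. The check treats only a zero-length prefix as "the Internet"; a pair of /1 rules covering the whole address space would slip past it, so a production version should aggregate the group's CIDRs before deciding.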
4. Detective controls.
Our policy in this area establishes mechanisms to protect and analyze logs so that security issues are detected, both proactively with artificial intelligence (AI) tools and retrospectively through audits.
In addition, we keep records of all configuration changes and of the relationships between cloud infrastructure elements. All these logs are protected so that nobody, not even the superuser, can erase or modify them, and they are analyzed proactively and automatically with AI-based services. This level of protection is very difficult to achieve in the on-premises world.
At Novis we have the expertise required to protect your SAP solutions, to the highest standards, from the growing cybersecurity risks to which they are exposed. Please feel free to contact us to discuss your needs.
Feedback/discussion with the author, Patricio Renner, CTO, at patricio.renner@noviscorp.com