
Our cybersecurity solutions for SAP cloud operations

Last updated : June 15, 2021

As we told you in this article, Novis has been certified for SAP on AWS operations. To achieve this we made major improvements to our public cloud security standards, which involved, among other measures, the adoption of a cybersecurity framework, the development of policies and procedures, skills accreditation, and the necessary technologies. Our current operation adheres to the following cybersecurity principles:

1. Identity and access management.

For identity management, in line with best practice in this area, our model uses a single identity repository with multifactor authentication that validates the identity of our staff through the biometric mechanisms of their mobile devices, which are registered in the domain. For access management we apply the principle of least privilege: our privileged users are assigned cloud account roles scoped to the specific permissions their job function requires. These users reach the public cloud management consoles through a single sign-on portal that grants access to the accounts with a token whose session expires after four hours, thus reducing the risk associated with credential theft. The rest of the Novis staff have no direct access to cloud resources; they interact with them through a services portal, authenticating with their domain user accounts. The portal exposes only the specific tasks their work requires, such as restarting a server or taking an on-demand backup.

2. Network protection.

In perimeter network security we aim to minimize the attack surface exposed to risks and cyberattacks, making use of the wide range of security capabilities available in public clouds. Among the main elements to protect are Internet-facing applications such as SAP Fiori apps or SAP Portal sites. In these cases the web servers are deployed on private networks and published to the Internet through load balancers protected by a Web Application Firewall (WAF) and Distributed Denial of Service (DDoS) mitigation. Another feature of our cloud network configuration is that all data flows are logged, and these logs are continuously analyzed by AI-based tools that identify unusual access patterns and raise timely alerts on any attack attempt.

3. Data protection.

This area is organized in three subdomains:

  • Data classification

The information assets we manage are categorized, and specific policies are defined for each type. We have established rules governing access to databases, backups, software and its configuration, customer contact data, contracts, etc.

For example, backup management policies consider the following:

  • The accounts where backups are stored are different from those of the originating systems.
  • Backups are encrypted.
  • Backup lifecycles are automated, without human intervention.
  • Novis’ operational staff do not have access to the backup repositories.
  • Backups may only be restored to servers in the same account and region as the protected systems.

  • Dataflow encryption.

Our policies do not permit unencrypted data flows out of the cloud environment, so an intercepted flow reveals no information to an unauthorized party. We also apply continuous compliance mechanisms that notify our security team whenever a resource is published to the Internet on an unauthorized port, such as 22 (SSH), 80 (HTTP) or 3389 (RDP).
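The port check described above can be expressed as a continuous-compliance rule over security group definitions. The following is an added example written for this article, not Novis' tooling or an AWS-provided rule: it walks a list of security groups in the shape the EC2 DescribeSecurityGroups API returns (the group IDs, names and rules are constructed for the example) and reports every rule that opens one of the unauthorized ports to 0.0.0.0/0 or ::/0, while a rule restricted to a private range, or one that opens only port 443, produces no finding.

```python
"""
Continuous-compliance check: which security groups publish an unauthorized
port to the Internet? Added example over constructed data; not Novis' tooling.
"""
import ipaddress

# Ports that must never be reachable from the Internet (as listed in the article).
UNAUTHORIZED_PORTS = {22: "SSH", 80: "HTTP", 3389: "RDP"}

# Constructed sample in the layout of boto3's ec2.describe_security_groups()
# response ("SecurityGroups"). Group IDs and names are made up.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web-alb", "GroupName": "fiori-alb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "GroupName": "linux-bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": []}]},
    {"GroupId": "sg-win-jump", "GroupName": "windows-jump",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,   # range covers 3389
          "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-wide-open", "GroupName": "legacy-all-traffic",
     "IpPermissions": [
         {"IpProtocol": "-1",                                      # all traffic
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]


def is_internet_cidr(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a source meaning 'the whole Internet'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def ports_hit(rule, unauthorized):
    """Unauthorized ports covered by one IpPermissions entry, in ascending order."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                        # all protocols: every port is open
        return sorted(unauthorized)
    if proto not in ("tcp", "udp"):          # e.g. icmp carries no TCP/UDP ports
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return sorted(p for p in unauthorized if lo <= p <= hi)


def find_exposed_ports(security_groups, unauthorized=UNAUTHORIZED_PORTS):
    """Return (group_id, port, service, cidr) for each Internet-open rule that
    covers an unauthorized port. Sources such as 10.0.0.0/8 are ignored."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_internet_cidr(cidr):
                    continue
                for port in ports_hit(rule, unauthorized):
                    findings.append((sg["GroupId"], port, unauthorized[port], cidr))
    return findings


if __name__ == "__main__":
    for group_id, port, service, cidr in find_exposed_ports(SAMPLE_SECURITY_GROUPS):
        print(f"ALERT {group_id}: port {port} ({service}) open to {cidr}")
```

In a real deployment the list would come from boto3's `describe_security_groups()` (or the same logic would be packaged as an AWS Config custom rule) and run on every change, with each finding forwarded to the security team. The check deliberately treats only /0 prefixes as "the Internet"; a rule open to 0.0.0.0/1, for instance, would slip past it, so a stricter variant should flag any source that is not a known private or corporate range. Note that `ipaddress`'s `is_private` is not a safe shortcut here, because it reports 0.0.0.0/0 as private.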

  • Data at rest encryption.

All server disks and backup volumes are encrypted. With encryption enabled, reading the data requires two separate authorizations: permission to access or manage the resource, and permission to use the encryption key. This segregation of roles allows for stricter data protection policies; for example, it can prevent an unauthorized person from transferring information to an account in another cloud region, because a readable copy cannot be produced without permission to use the key.

4. Detective controls.

Our policy in this area establishes mechanisms to protect and analyze logs in order to detect security issues, both actively with artificial intelligence (AI) tools and afterwards through audits.

  • Log uses: Since all AWS resources are managed through APIs, we record every call to those APIs together with its parameters (who made it, when, which operations were executed, etc.). Logging is enabled automatically whenever a new account is created, so security is guaranteed from the start, and the logs may be accessed only at the highest levels of responsibility.

In addition, we keep records of all configuration changes and of the relationships between cloud infrastructure elements. All these logs are protected so that nobody, not even the superuser, can erase or modify them, and they are proactively and automatically analyzed with AI-based services. This level of security is very difficult to achieve in the on-premises world.
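As an added illustration of what the log paragraphs above describe (example code written for this article, not Novis' or AWS's own analytics), the block below runs a few rule-based checks over CloudTrail records: attempts to weaken the audit trail (StopLogging, DeleteTrail, DeleteFlowLogs, stopping the Config recorder), console logins that succeed without the multifactor authentication required in section 1, and any use of the root account. The records are constructed for the example, with a documentation-range IP address and the example account ID 111122223333; the AI-based analysis the article refers to is not reproduced here.

```python
"""
Rule-based detections over CloudTrail records: log tampering, console logins
without MFA and root account use. Added example with constructed records;
not Novis' or AWS's own analytics.
"""
import json

# API calls that stop, delete or reconfigure the audit trail itself.
LOG_TAMPERING = {
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail",
                                 "PutEventSelectors"},
    "ec2.amazonaws.com": {"DeleteFlowLogs"},
    "config.amazonaws.com": {"StopConfigurationRecorder",
                             "DeleteConfigurationRecorder",
                             "DeleteDeliveryChannel"},
}


def _rec(event_id, name, source, ident_type, arn, **extra):
    """Build a minimal constructed CloudTrail record (IDs and ARNs made up)."""
    rec = {
        "eventVersion": "1.08", "eventID": event_id,
        "eventTime": "2021-06-15T10:00:00Z", "eventName": name,
        "eventSource": source, "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.10", "recipientAccountId": "111122223333",
        "userIdentity": {"type": ident_type, "arn": arn,
                         "accountId": "111122223333"},
    }
    rec.update(extra)
    return rec


# Constructed log file in CloudTrail's {"Records": [...]} layout.
SAMPLE_LOG = json.dumps({"Records": [
    # a denied attempt to stop the trail: still worth an alert
    _rec("ev-0001", "StopLogging", "cloudtrail.amazonaws.com", "IAMUser",
         "arn:aws:iam::111122223333:user/ops-admin", errorCode="AccessDenied"),
    _rec("ev-0002", "ConsoleLogin", "signin.amazonaws.com", "IAMUser",
         "arn:aws:iam::111122223333:user/alice",
         additionalEventData={"MFAUsed": "Yes"},
         responseElements={"ConsoleLogin": "Success"}),
    _rec("ev-0003", "ConsoleLogin", "signin.amazonaws.com", "IAMUser",
         "arn:aws:iam::111122223333:user/bob",
         additionalEventData={"MFAUsed": "No"},
         responseElements={"ConsoleLogin": "Success"}),
    _rec("ev-0004", "DescribeInstances", "ec2.amazonaws.com", "AssumedRole",
         "arn:aws:sts::111122223333:assumed-role/SapOpsRole/alice"),
    _rec("ev-0005", "ConsoleLogin", "signin.amazonaws.com", "Root",
         "arn:aws:iam::111122223333:root",
         additionalEventData={"MFAUsed": "Yes"},
         responseElements={"ConsoleLogin": "Success"}),
    _rec("ev-0006", "DeleteFlowLogs", "ec2.amazonaws.com", "AssumedRole",
         "arn:aws:sts::111122223333:assumed-role/SapOpsRole/bob"),
]})


def check_record(rec):
    """Return the (rule, detail) pairs that one record triggers."""
    hits = []
    source, name = rec.get("eventSource"), rec.get("eventName")
    if name in LOG_TAMPERING.get(source, ()):
        # report attempts too: errorCode is absent on success
        hits.append(("log_tampering", f"{name} ({rec.get('errorCode', 'Success')})"))
    if (name == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        hits.append(("console_login_without_mfa", rec.get("sourceIPAddress", "?")))
    if rec.get("userIdentity", {}).get("type") == "Root":
        hits.append(("root_account_used", name))
    return hits


def scan_cloudtrail(log_text):
    """Parse a CloudTrail log file and return one alert dict per rule hit."""
    alerts = []
    for rec in json.loads(log_text).get("Records", []):
        for rule, detail in check_record(rec):
            alerts.append({
                "eventID": rec.get("eventID"), "time": rec.get("eventTime"),
                "rule": rule, "detail": detail,
                "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            })
    return alerts


if __name__ == "__main__":
    for a in scan_cloudtrail(SAMPLE_LOG):
        print(f"{a['time']} {a['rule']:26} {a['actor']} {a['detail']}")
```

The StopLogging call is reported even though it was denied (errorCode AccessDenied): on an account where the trail is protected as described above, the attempt itself is the signal worth alerting on. A missing MFAUsed field is treated the same as "No", so a malformed record cannot silently pass the login check.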

  • Compliance monitors: We use a series of monitors that verify compliance with security standards through automated and continuous processes (continuous compliance monitoring). In the compliance console we define the international norms or standards we wish to apply and receive a diagnosis of what is already accomplished, what is missing, and recommendations for improvement. This also allows the entities that periodically audit us to check not only a snapshot of the status at the time of the audit, but to verify compliance with the different norms over time, with evidence that is generated continuously.

At Novis we have the expertise required to protect your SAP solutions to the highest standards against the growing cybersecurity risks to which they are exposed. Please feel free to contact us to discuss your needs.

Feedback/discussion with the author, Patricio Renner, CTO, at patricio.renner@noviscorp.com