How SAP runs on AWS - An Experience Report

How SAP runs on AWS: An Experience Report
Thorsten Herre, SAP Chief IT Security Architect, June 2016


About SAP
• 77,000 international employees
• Worldwide locations in more than 130 countries
• More than 300,000 customers in 190 countries
• 74% of the world’s transaction revenue touches an SAP system
• SAP has been an AWS customer since 2008
• AWS has been an SAP Global Partner since 2011
• More than

© 2016 SAP SE or an SAP affiliate company. All rights reserved.


Ready to put your SAP Systems in the Cloud?

SAP’s Journey to AWS

Business Software Vendor

Certified by SAP. Various certified SAP solutions for AWS:
• SAP HANA Infrastructure Services
• SAP HANA One service
• SAP BusinessObjects BI
• SAP Business Suite (incl. SAP ERP, SAP CRM, SAP SCM, SAP PLM, SAP SRM)
• SAP Business All-in-One
• SAP Business One
• SAP Afaria mobile device management
• Sybase Unwired Platform
• SAP MaxDB, SAP ASE, SAP IQ

References: http://aws.amazon.com/de/sap/ and http://scn.sap.com/docs/DOC-47930; please refer to SAP Note 1656099 for details.

SAP’s Journey to AWS

Internal SAP IT & Business Cloud Service Provider

SAP runs infrastructure on AWS for:
• SAP internal Development
• SAP Business One (B1)
• SAP Cloud Appliance Library (Demo/Trials)
• SAP Hybris [y]aaS
• SAP HANA Cloud Platform (HCP)
• SAP Anywhere
• SAP Concur
• Many more landscapes and clouds planned for AWS

https://cal.sap.com/ https://hcp.sap.com/

SAP’s Business & Security Challenges with AWS

Internal SAP IT & Business Cloud Service Provider:
• Build up AWS know-how within SAP
• Manage the >100 AWS accounts used at SAP
• Setting up a central billing
• Signing a SAP – AWS DPA & cloud customer contracts running on AWS
• Integrating AWS compliance into SAP cloud certifications & cloud security frameworks
• Defining an AWS Security Standard for:
  • Secure account handling & IAM
  • Use of MFA for daily business
  • Secure configurations for AWS services
• Defining SAP Cloud specific AWS security architectures

Business Software Vendor:
• Getting SAP products certified for AWS
• Existing SAP licenses can be used on AWS
• Full SAP support for production deployments
• Getting extra large EC2 VM instances: r3.8xlarge (32 vCPU; 244 GB RAM) or x1.32xlarge (128 vCPU; 1952 GB RAM)
• >100 SAP partners have AWS Partner Network (APN) status
• Agreeing on an AWS partnership model
• License models (e.g. BYOL vs on-demand hourly/yearly vs free developer)
• Supporting customer PoCs

SAP on AWS: Central Billing & Account Management
• AWS consumption within SAP tripled in the last 12 months
• We have >100 AWS accounts
• Many Clouds/LoBs use more than one AWS account
• Central provisioning and management of all AWS accounts by SAP IT
• Central billing workflow and reporting to all Cloud Units and LoB cost centers
• Modular approach for IaaS providers
• Planned: additional security checks in the provisioning workflow

SAP on AWS: Data Protection Agreement & Cloud Contracts
• Establish the possibility to bring SAP products and services onto AWS
• SAP negotiated a dedicated ESA (Enterprise Support Agreement) and MDPA (Master DPA) with AWS
• Solve Data Protection Officer and SAP Legal concerns
• Clarify sub-contractor or sub-processor status
• Integrate AWS compliance & certification status in the SAP offering
• Agree on operation models, support, …

Diagram: contract structure. Contract between SAP and Amazon: Enterprise Customer Agreement, Master DPA, Enterprise Support Agreement. SAP Cloud customer contract: Customer Contract, AWS DPA / Standard DPA. DPA / TOMs for cloud offerings using AWS; DPA / TOMs for SAP use in general.

SAP on AWS: Security Governance for AWS usage

SAP Global Security has created dedicated Security Standards and Checklists for IaaS partners:
• Checking the IaaS partner (e.g. AWS) against the SAP IaaS Cloud Security Architecture Framework (based on CSA CCM and SAP best practice; integrated in SAP Purchasing RFPs)
• Review AWS certification status and audit reports (e.g. SOC 1/2, ISO 27001, PCI DSS, FISMA, ITAR, IRAP, …)
• Define a SAP Cloud Security Directive and an AWS Security Standard
• Define a Network Integration Strategy and Guideline (AWS ↔ SAP Corporate Network)
• Assign dedicated Security Officers for IaaS partners (e.g. AWS) for each SAP Cloud usage

Integrate IaaS (AWS) deployments in SAP Security Monitoring & Security Incident Management:
• Checking AWS account configuration security using AWS Trusted Advisor
• Currently ongoing PoC: usage of additional security monitoring tools for AWS account, Security Group / ACL and instance usage (e.g. Amazon Inspector, Evident.io, Dome9)
• Integration of AWS CloudTrail logs in the SAP SIEM and CyberSecurity Incident Handling

SAP on AWS: Example of a Hybrid Deployment

Diagram: the SAP production landscape runs in the customer’s own datacenter; the SAP development & quality assurance landscape runs on AWS, connected over VPN or Direct Connect.

Use encrypted communication only:
• Allow only e.g. HTTPS, SSH, SNC, ODBC/SSL
• Use VPN or Direct Connect
• Use AWS VPC features
• Use AWS storage encryption features

SAP on AWS: General Security Architecture
• Set up private/public subnets
• Set up security groups / ACLs
• Define IAM users & profiles:
  • Lock down the root account
  • Define users/profiles based on use
  • Use MFA
• Integrate AWS CloudTrail in the SIEM
• Use AWS Trusted Advisor, Inspector, CloudWatch or external tools
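The slides call for feeding CloudTrail into the SIEM, locking down the root account and using MFA, but do not say what the SIEM should alert on. The following is an added example, not code from the deck or from SAP: four detection rules a practitioner would run over CloudTrail records, exercised on constructed sample records. The account ID, ARNs, user names, security-group ID, trail name and IP addresses are made up; the field names follow the CloudTrail record format.

```python
"""Detection rules over AWS CloudTrail records, as a SIEM would run them.

Added example (not from the SAP deck). SAMPLE_LOG is a constructed
CloudTrail delivery file; the account, ARNs, names and IPs are made up.
"""
import json
from typing import Any, Callable, Dict, Iterable, List

Record = Dict[str, Any]

# Constructed CloudTrail-style records (not real logs).
SAMPLE_LOG = json.dumps({"Records": [
    {   # root user signs in to the console without MFA -> two findings
        "eventTime": "2016-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # IAM user opens the SAP DIAG/RFC/SAProuter port range to the whole internet
        "eventTime": "2016-06-01T08:05:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "userName": "basis-admin",
                         "arn": "arn:aws:iam::111122223333:user/basis-admin"},
        "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
            {"ipProtocol": "tcp", "fromPort": 3200, "toPort": 3299,
             "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}},
    },
    {   # the same user switches the trail off -> audit log tampering
        "eventTime": "2016-06-01T08:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "sourceIPAddress": "203.0.113.11",
        "userIdentity": {"type": "IAMUser", "userName": "basis-admin",
                         "arn": "arn:aws:iam::111122223333:user/basis-admin"},
        "requestParameters": {"name": "sap-central-trail"},
    },
    {   # benign read-only call, should produce no finding
        "eventTime": "2016-06-01T08:10:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.12",
        "userIdentity": {"type": "IAMUser", "userName": "hana-ops",
                         "arn": "arn:aws:iam::111122223333:user/hana-ops"},
    },
]})

WORLD = {"0.0.0.0/0", "::/0"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def parse_cloudtrail(text: str) -> List[Record]:
    """Accept a delivered CloudTrail file ({"Records": [...]}) or newline-delimited JSON."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict) and "Records" in doc:
        return list(doc["Records"])
    return [doc] if isinstance(doc, dict) else list(doc)


def actor(rec: Record) -> str:
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def _ingress_cidrs(rec: Record) -> List[str]:
    """CIDRs named in an EC2 AuthorizeSecurityGroupIngress request (v4 and v6)."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    out: List[str] = []
    for perm in perms:
        out += [r.get("cidrIp", "") for r in perm.get("ipRanges", {}).get("items", [])]
        out += [r.get("cidrIpv6", "") for r in perm.get("ipv6Ranges", {}).get("items", [])]
    return out


def rule_root_activity(rec: Record) -> bool:
    return rec.get("userIdentity", {}).get("type") == "Root"


def rule_console_login_without_mfa(rec: Record) -> bool:
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def rule_world_open_ingress(rec: Record) -> bool:
    return (rec.get("eventName") == "AuthorizeSecurityGroupIngress"
            and any(c in WORLD for c in _ingress_cidrs(rec)))


def rule_trail_tampering(rec: Record) -> bool:
    return (rec.get("eventSource") == "cloudtrail.amazonaws.com"
            and rec.get("eventName") in TRAIL_TAMPERING)


RULES: Dict[str, Callable[[Record], bool]] = {
    "root_activity": rule_root_activity,
    "console_login_without_mfa": rule_console_login_without_mfa,
    "world_open_ingress": rule_world_open_ingress,
    "trail_tampering": rule_trail_tampering,
}


def evaluate(records: Iterable[Record]) -> List[Dict[str, str]]:
    """Run every rule over every record; one finding per (record, matching rule)."""
    findings = []
    for rec in records:
        for name, check in RULES.items():
            if check(rec):
                findings.append({"rule": name, "time": rec.get("eventTime", ""),
                                 "event": rec.get("eventName", ""), "actor": actor(rec),
                                 "source_ip": rec.get("sourceIPAddress", "")})
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_cloudtrail(SAMPLE_LOG)):
        print(f"{f['time']} {f['rule']:<26} {f['event']:<30} {f['actor']} from {f['source_ip']}")
```

On the sample the rules raise four findings: two for the root login (root activity and a console login without MFA), one for the world-open ingress rule, and one for StopLogging. Any finding in the last two categories is worth paging on in an account that hosts SAP systems; root activity should be near zero once the root account is locked down.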

SAP on AWS: Secure setup for SAP Support
• Deploy a new AWS instance only for SAProuter into the public subnet of the VPC
• A separate security group should be configured for this instance (limit it to SAP’s SAProuter IP address and port 3299/tcp)
• Create a saprouttab file allowing access from SAP to your SAP systems on AWS
• For Internet connections use Secure Network Communication (SNC)
• Modify the existing security groups (e.g. for SAP HANA) to trust the SAProuter security group
• (optional) Shut down the SAProuter instance when not in use
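The hybrid-deployment rule (encrypted communication only) and the SAProuter setup above describe a security-group design without showing it. The following added example is not code from the deck or from SAP: it builds the two groups in the JSON shape boto3’s describe_security_groups returns, audits any group list against the policy (no world-open rules, no ports outside the encrypted-only allowlist, the SAProuter group pinned to SAP’s /32 on 3299/tcp), and emits the matching saprouttab. The SAP support router address (192.0.2.10/32) and its SNC name, the group IDs, host names, CIDRs and the HANA instance number are illustrative assumptions; take the real router address and SNC name from SAP’s remote-connection documentation.

```python
"""Security groups and saprouttab for a hybrid SAP landscape on AWS.

Added example; not code from the SAP deck. Groups are built in the shape
boto3's describe_security_groups returns and audited against the
"encrypted communication only" policy. All addresses, names and IDs below
are illustrative assumptions.
"""
from typing import Dict, List, Optional

# ---- assumptions: replace with the values from SAP's remote-connection docs and your landscape
SAP_SUPPORT_IP = "192.0.2.10/32"                     # SAP's sapserv SAProuter, a single /32
SAP_SUPPORT_SNC = "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE"   # SNC name of that router (assumed)
CORP_NET = "10.10.0.0/16"                            # corporate network reached via VPN/Direct Connect
SAPROUTER_SG, HANA_SG = "sg-0a1b2c3d4e5f60001", "sg-0a1b2c3d4e5f60002"
HANA_INSTANCE = "00"
HANA_SQL_PORT = int(f"3{HANA_INSTANCE}15")           # 30015: ODBC/JDBC; TLS must be enforced on HANA
HANA_HOSTS = ["hana-dev.internal.example", "hana-qa.internal.example"]

# Ports the policy allows. A security group only sees ports, so TLS/SNC has
# to be enforced server-side (HANA SQL, HTTPS endpoints, sshd); the audit
# catches ports that cannot carry an encrypted protocol at all, e.g. DIAG 3200.
ENCRYPTED_PORTS = {22: "SSH", 443: "HTTPS", 3299: "SAProuter (SNC)", HANA_SQL_PORT: "HANA SQL/TLS"}
WORLD = {"0.0.0.0/0", "::/0"}


def ingress(port: int, cidr: Optional[str] = None, source_sg: Optional[str] = None,
            desc: str = "") -> Dict:
    """One TCP ingress rule, either CIDR-based or referencing another security group."""
    rule = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": []}
    if cidr:
        rule["IpRanges"].append({"CidrIp": cidr, "Description": desc})
    if source_sg:
        rule["UserIdGroupPairs"].append({"GroupId": source_sg, "Description": desc})
    return rule


def saprouter_sg() -> Dict:
    """Public-subnet SAProuter instance: only SAP's router may reach 3299/tcp."""
    return {"GroupId": SAPROUTER_SG, "GroupName": "sap-support-saprouter",
            "IpPermissions": [ingress(3299, cidr=SAP_SUPPORT_IP, desc="SAP support via SAProuter/SNC")]}


def hana_sg() -> Dict:
    """Private-subnet HANA: trusts the SAProuter *group* (not an IP) plus the corporate net."""
    return {"GroupId": HANA_SG, "GroupName": "hana-dev-qa", "IpPermissions": [
        ingress(HANA_SQL_PORT, source_sg=SAPROUTER_SG, desc="SAP support through SAProuter"),
        ingress(HANA_SQL_PORT, cidr=CORP_NET, desc="corporate clients over VPN/Direct Connect"),
        ingress(443, cidr=CORP_NET, desc="HANA XS over HTTPS"),
        ingress(22, cidr=CORP_NET, desc="admin SSH over VPN")]}


def audit(groups: List[Dict]) -> List[str]:
    """Findings for rules that break the policy: any-protocol or port-range rules,
    non-allowlisted ports, world-open sources, SAProuter group not pinned to SAP's /32."""
    findings: List[str] = []
    for g in groups:
        for r in g["IpPermissions"]:
            lo, hi = r.get("FromPort"), r.get("ToPort")
            sources = [x["CidrIp"] for x in r.get("IpRanges", [])] + \
                      [x["GroupId"] for x in r.get("UserIdGroupPairs", [])]
            if r["IpProtocol"] == "-1" or lo != hi:
                findings.append(f"{g['GroupId']}: broad rule {r['IpProtocol']} {lo}-{hi}")
            elif lo not in ENCRYPTED_PORTS:
                findings.append(f"{g['GroupId']}: port {lo} is not an encrypted-only port")
            for s in sources:
                if s in WORLD:
                    findings.append(f"{g['GroupId']}: port {lo} open to the world ({s})")
                elif g["GroupId"] == SAPROUTER_SG and (s != SAP_SUPPORT_IP or lo != 3299):
                    findings.append(f"{g['GroupId']}: SAProuter source {s}:{lo} is not SAP's /32 on 3299")
    return findings


def saprouttab(hosts: List[str]) -> str:
    """Route table for the SAProuter: SNC-protected (KT) connections from SAP's router
    to the HANA SQL port of each listed host, then an explicit deny-all."""
    lines = ["# saprouttab: SAP support only, SNC required, deny everything else"]
    lines += [f'KT "{SAP_SUPPORT_SNC}" {h} {HANA_SQL_PORT}' for h in hosts]
    lines.append("D * * *")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(saprouttab(HANA_HOSTS))
    print("compliant groups:", audit([saprouter_sg(), hana_sg()]))
    # The tempting shortcut the audit exists for: plain DIAG (3200) open to everyone.
    bad = hana_sg()
    bad["IpPermissions"].append(ingress(3200, cidr="0.0.0.0/0", desc="SAP GUI without SNC"))
    print("after shortcut:", audit([bad]))
```

The HANA group references the SAProuter group by ID rather than by address, so the SAProuter instance can be stopped and restarted (or replaced) without editing the HANA rules, which is what makes the "shut down when not in use" step cheap. The audit is the check to run from the provisioning workflow the deck says SAP planned to extend with security checks.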

SAP on AWS: High Availability and Disaster Recovery
• Use multiple Availability Zones
• Use dedicated AWS accounts for Prod vs. Q/A vs. Dev systems

Thank you

Contact information: Thorsten Herre Chief IT Security Architect Global Security Team SAP SE [email protected]

© 2016 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company. SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. 
All forwardlooking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
