Three questions to ask your cloud provider about security for your SAP environment

By: Madhuri Chawla

As enterprises grow increasingly interconnected and sensitive information is shared around the world, protecting critical data has become more complex than ever before. Several years ago, most IT attacks targeted the operating system. Today, new types of threats use malware that targets your most precious data by attacking everything from the infrastructure all the way up to the application layer.

When it comes to protecting critical data, SAP has taken extensive measures to help its software run securely. But because modern attacks may threaten the entire technology stack, a truly robust security strategy might require a cloud provider to take a more holistic approach, one that takes into account not only the SAP layer and the operating system but also the entire IT environment. If you’re considering the benefits of deploying this critical information in the cloud, here are three questions to ask potential cloud providers about protecting your SAP data:

1. What’s your security strategy?

It’s clear that you want a cloud provider that offers integrated security products and highly trained personnel who use security-rich coding practices. The provider should also help you identify what information your security event and information management (SIM) solution requires to provide the best insight into your IT landscape.

Ensure you understand which elements are critical within your environment. This may include network boundary devices such as routers and firewalls as well as multifunction devices for intrusion prevention, servers and virtual machines. Information from these systems should be effectively aggregated and analyzed for insight into your security weaknesses and used to help prevent breaches.

2. If a breach happens, how will you respond?

The right provider should have a clear strategy for responding to security incidents. The provider should work closely with you to establish an incident response plan or direct you to services that can fulfill this need. The plan should include elements such as key emergency contacts, clear roles and responsibilities, regular mock exercises to test the plan, procedures for collecting forensic data, retainers for incident and forensic services and instructions for engaging these services.

Be sure you know how your cloud provider responds to security incidents. While some cloud providers might not provide incident response services, you may be able to acquire these services from a third party, including a different cloud provider.

3. What are your security certifications?

Ongoing analysis of the threat landscape can detect security deviations early and enable you and your provider to prepare countermeasures to potential breaches.

To help assess the service provider’s ability to detect and prevent breaches, ask if they hold key certifications such as ISO 27001. Insist on annual audits in the form of SSAE-18 SOC 1 and SOC 2 assessments. You may also look for a provider that supports key regulatory standards such as PCI-DSS, HIPAA and FFIEC.

To learn more about how IBM Cloud integrates security products to detect, address and prevent breaches, schedule a consultation with an IBM Cloud Services expert.



About The Author

Madhuri Chawla

Director of Enterprise Applications Solutions, IBM Cloud Services

Madhuri Chawla is currently the Director for Enterprise Applications Cloud Solutions and manages a worldwide team of architects responsible for the architecture and solution development of Enterprise Applications cloud solutions. Her responsibilities include understanding the market and customer needs, shaping the cloud offering requirements and aligning with the IBM portfolio and market initiatives to create...