HCP - Globally Insecure

Just how certain can an established SAP customer be that IoT data on the Hana Cloud Platform is stored securely and remains where it belongs? Of course, SAP has no global, outage-proof data network with hundreds of datacenters linked up to it. Who is the provider of infrastructure-as-a-service?

The cloud business has two kinds of providers. There are those that offer ideas, concepts and visions, such as SAP. Then there are the less well-known technical service providers, responsible for data lines and datacenters. The first group works under glaring showbiz-style lights, the others operate backstage – it’s less glamorous but what they do is very efficient.

These two groups need each other and usually they harmonize outstandingly well.

From the viewpoint of this divided world of cloud computing providers, Deutsche Telekom takes on a hybrid role. They own the lines and global datacenters, yet also step out into the limelight. At the same time, they are an important infrastructure-service partner for Microsoft – for instance enabling customers to make sure that the data does indeed remain where it should.

Bernd Leukert, SAP Board Member for Technology, promised something similar two years ago, at the DSAG (the German-Speaking Countries' SAP Users' Group) annual congress in his opening presentation: EU Access from SAP.


SAP’s Big Data Plan for HCP

Not only from an emotional standpoint but also from a legal one, it is very important for many European SAP customers to have an assurance that their own data remains inside their own country per EU law.

IT experts agree that such a commitment can be implemented relatively simply and securely for simple cloud services, i.e. outsourcing. However, what happens in IoT scenarios, if a global supply chain consists of billions of 'connected things', using the SAP Hana Cloud Platform as the intended platform-as-a-service (PaaS)?

Gartner forecasts the following: 8.4 billion “connected things” will be in use in 2017 – amounting to a 31 per cent increase on 2016.

Big Data on HCP is now a reality, just as SAP wanted. As its infrastructure-as-a-service provider for HCP, SAP has selected the global company Cloudflare. They operate more than 100 datacenters worldwide and offer numerous services: these start with a free-of-charge content delivery network for the HTTP protocol, provided to minimize the upload time for websites, and go right through to outage-proof IT infrastructures for business-critical applications.

SAP, mindful of its responsibility toward its own customers, must of course put a robust global IT network in place.

Local Security Needs

That said, how do global aspirations, as represented by Cloudflare – SAP's partner – become compatible with the local security needs that the established SAP customer faces? The Diplomatic Council, a global thinktank providing consultancy to the United Nations, working jointly with the National Initiative for Information and Internet Security (NIFIS), has recently submitted a report on so-called 'Cloud Sync & Share Services' – internet services for data synchronization, covering a variety of devices.

In this context, the Diplomatic Council established that, with approximately the same scope of services rendered, there were “grave differences evident with regard to data security and data protection”. The global thinktank views it as “remarkable” that “the two services with their home base in Germany – MagentaCloud and Strato HiDrive – fail on practically all security-relevant measurement criteria”.

The report’s exact wording is: “Without end-to-end encryption, without a zero-knowledge concept, without hybrid data-storage, without an audit-trail space and without 2-factor authentication, neither service merits certification with regard to confidentiality and security”.

An audit-trail space makes it possible to check on demand who had access to the data and when, as well as – above all – who changed, relocated or deleted the data. This usually covers a period of several years.

Minimum Requirements for HCP

Of course, what applies to simple business data is also the minimum requirement for IoT data and for platforms such as SAP’s HCP, on which data is gathered, transported and processed worldwide. If those necessary functions – according to the Diplomatic Council – are absent, and if users find themselves in a globally redundant data network like Cloudflare, then the concerns of many SAP customers appear to be justified.

SAP’s answer to established customers' worries is called 'EU Access from SAP'. The German company is offering the opportunity to get personal data stored and processed exclusively in the European Union (in the European Economic Area) and in Switzerland. SAP’s EU Access Service is available for on-premise systems and a growing number of cloud solutions.

However, this service, offered by SAP Board Member for Technology, Bernd Leukert, at the 2015 DSAG Annual Congress, will not be enough.

Thomas Lapp, Chairman of the Global Information Security Forum in the Diplomatic Council and Chairman of the National Initiative for Information and Internet Security, explains: “Hope has to be that operators of all services immediately recognize security flaws in their services and introduce the needed improvements as soon as possible. A high level of security is in the interests of everyone involved.”

Rate of Use Rising

There is a need to act in HCP and at Cloudflare: by now 75 per cent of companies are obtaining services from their own cloud. For services using a provider’s cloud the figure is as high as 79.6 per cent, as Capgemini ascertained in Germany, Austria and Switzerland.

Yet the high rate of use should not blind us to the fact that, as before, the latter services only account for a small share of total economic output. This year they provide 10.2 per cent of all IT services (last year: 6.5 per cent), while companies' own clouds account for a 36.6 per cent share (last year: 27.1 per cent).

In particular it is major corporations and small-to-medium-sized enterprises that have strongly expanded their use of the cloud.

IT security and cloud computing are the most important topics facing the digital business sector in 2017. Next down in the rankings is the internet of things and Industry 4.0. This was the official result of the annual survey of trends made by the digital association Bitkom.

The survey states that two out of three companies (67 per cent) named IT security as one of the defining technology and market trends of this year. “IT security is becoming even more important because, as part of the digitalization process, more and more critical systems are being digitally connected, like vehicles, medical technology or machines”, Bitkom CEO Bernhard Rohleder notes.

The Security Conundrum

“At the same time, criminals and hackers are becoming more and more sophisticated. Companies are finding that the normal security tools, like virus scanners or firewalls, are often incapable of providing protection.” Furthermore, 60 per cent of firms responding cited cloud computing as an important topic.

“Cloud computing is the base for digitalization because it makes having more efficient business processes as well as wholly new, digital business models possible”, said Rohleder. At 55 per cent, the internet of things – i.e. connecting equipment and machines – leapt into the Top 3 this year (ranked fifth last year).

While in the consumer sector it is televisions, audio equipment or cameras that are at the heart of digitalization, for corporate customers it is machines, measurement devices or smart building-technology, among other products.

For the first time, the topic of 'digital platforms' claimed its place in the Bitkom selection of relevant high-tech topics, racing from a standing start to score a 32 per cent response rate, taking sixth place behind Big Data (on 41 per cent).

SAP have set out on the right path with HCP and Cloudflare as IaaS. Yet for many SAP customers the question of security and transparency seems to be unanswered. The result of a recent E-3 survey among the SAP community was that Cloudflare, as a base for the HCP, is a well-kept secret so far.

The question remains: where is the IoT-HCP data stored? For the time being, SAP does not want to give an answer.

E-3 Magazine

About the author

Peter M. Färbinger, Editor-in-Chief

Peter M. Färbinger is Editor-in-Chief and Publisher at E-3 Magazine, B4Bmedia.net AG, Munich, Germany. He can be reached at pmf@b4bmedia.net
