In my previous post, I highlighted several challenges that make Cloud-based security a matter of constant vigilance. In this post, I’d like to offer some solutions that can help your organization meet these challenges and stay secure in the Cloud.

These security solutions make good business sense, because they help you function more effectively in today’s world. For example, they can help you:

  • Protect internal data: You want to give employees easy access to company information that makes them more productive. But you also need to protect any data that is accessible via the cloud. Virtual private networks, or VPNs, allow you to place your internal applications behind a firewall that is accessible only by authorized users. They can be very effective in protecting your organization’s data. But that protection is only as good as the sign-on procedures. Simple password-based systems do not provide adequate protection. More sophisticated systems that support a variety of authentication methods – such as two-factor authentication or biometrics – are more effective.
  • Protect customer and partner data: You’ve read about the famous and highly embarrassing cases of hackers capturing sensitive information such as customer-related data. These episodes can seriously damage your credibility with customers and business partners, and violate data privacy laws. But data loss prevention software can help ward off attacks by detecting any breaches of your Cloud-based system and preventing hackers from accessing critical data.
  • Deliver faster insights: More and more organizations are discovering the value of delivering real-time analytical insights via mobile devices. But a mobile business intelligence strategy requires a high level of security. Mobile Device Management (MDM) software helps ensure that all devices used by your team – including BYOD devices – are protected by data encryption and other configuration settings. In addition, it can ensure that any device may be immediately wiped clean in the event of loss or theft.
  • Provide role-based access: Different employees require different data access clearance. But how do you enforce role-based policies so that each employee gets the data he or she needs – while preventing unauthorized access to critical applications? Among the challenges to consider are:
  • Role changes: When an employee changes roles due to a promotion or other reason, they may need new permissions. In addition, they may need to have their previous permissions revoked
  • Temporary duties: When an employee fills in for a colleague or takes part in a special assignment such as year-end closing, they may acquire new access privileges that need to be revoked when that temporary assignment is finished. For example, a purchasing manager may need to step in for a colleague who is authorized to create new vendors within the system. That PA could now potentially create fictitious vendors and direct purchase orders to them, resulting in a security risk. To minimize such risks, your systems need to enable frequent compliance checks for all roles – especially those that involve access to critical business applications such as ERP.
  • Outgoing employees: When an employee leaves, he or she could retain access to the organization’s systems for months or even years to come. Your systems need to provide for immediate termination of privileges
  • Protect against malware: Malware can damage workflows and compromise productivity. So every Cloud-based environment should be equipped with software that continually detects and prevents malware attacks. Because malware continues to grow more sophisticated, prevention systems should be updated on a daily basis.

While these solutions may seem a bit technical, even non-tech executives should be aware of their existence – and their advantages. And if your Cloud provider does not offer most or all of them, you should ask them why.

Have You Read this Report?
If you haven’t yet read “Protecting the Cloud” by Oxford Economics, I highly recommend it as an excellent introduction to the most critical issues of Cloud security. To download a complimentary copy,

Ralph Salomon, Head of IT Security, SAP

As IT security professionals, we work hard to develop new and more effective ways to protect our customers’ data. But even the most advanced, state-of-the-art security technology can be quickly undermined by the human factor.

That is, security technologies are only as effective as the people who use them. And if people on your team don’t understand how, why, and when to use security properly, they can compromise your critical information assets. Therefore, make sure your security practices include:

  • Built-in controls: Software engineers should make security controls an essential part of every day-to-day business process – without decreasing efficiency. In addition, they should include preventive controls that help identify errors. Or, better yet, include automatic alerts to potential errors.
  • Simple design: The more difficult or cumbersome a security measure is, the more likely it is to be ignored or disregarded. So design yours to be easy to understand and use.
  • Testing on users: The best way to know if your systems are easy to use is to test them on actual users. This important step helps avoid the tunnel vision that sometimes afflicts engineers who can’t relate to how “real” people think and work.
  • Training for everyone: Make sure that everyone on your team, from the CEO on down, understands why security is so important – and the consequences of any lapses. Conduct mandatory training on the full scope of your security methods. Then, provide refresher training every six months – or any time you modify your security regimen. And to be certain that these lessons are understood, require that everyone pass a written exam that includes simulations of real-world situations.

Mobile Devices
Mobile devices – including BYOD – are the perhaps the best example of the human factor at work.

Smartphones and tablets can be left on an airplane seat. They can be stolen from a handbag. They can be lent to a teenage child and never seen again. Things happen!

The impact can be catastrophic. Or, it can be no big deal. The difference lies in how the device is set up.

The best form of mobile device security is mobile device management (MDM) backed by encryption.

If a device is lost or stolen, MDM solutions wipe it clean by overwriting the encryption key, and the physical data remains encrypted. (In theory, data could be extracted and the thief may try to decrypt it. But AES 256 or even AES 128 will provide a high level of encryption security.)

There are also non-MDM methods and tools that allow you to overwrite the device’s memory with zeros. However these methods are not available remotely. They can only be used if the device is handed back to the IT pool.

For a closer look at how you can manage all aspects of Cloud security, including the human factor, check out “Protecting the Cloud,” a new report by Oxford Economics. To download a

Axel Buelow, Interim CIO, SAP AG

With all its economic, technological, and strategic advantages, the Cloud is clearly here to stay. But that doesn’t mean it is fully formed. In the years ahead, the Cloud and its related technologies will continue to evolve. Among the developments I envision for the future are:

  • Increasing reliance: Over the next three to five years, a growing number of mobile workers will rely on Cloud services for all aspects of their daily lives. At the same time, enterprises will move more and more of their core business processes to the Cloud.
  • Hybrid model: The model for Cloud services will be a hybrid approach. That is, organizations will use public Cloud and other shared services in combination with “private” clouds that are isolated, restricted, and encrypted. This model will help ensure full access and proper security.
  • Data flows: To ensure that data is not exposed to the wrong people or devices, data flows will be controlled by data labeling and very granular permission models.

Staying Ahead of the Bad Guys
One of the most important prerequisites for the Cloud’s evolution will be security.

In our imperfect world, there will always be bad actors – from amateurs, to government-sponsored hackers, to cyberterrorist groups. And as long as there are, they will work tirelessly to defeat any security measures that are created by our best and brightest engineering minds. The temptation of so much Cloud-based data – which grows every day – is simply too great.

For the software industry, the only answer is to vigilantly protect our customers – one transaction at a time. Technologies such as in-memory computing, which allows real-time monitoring of transactions, help us stay one step ahead of the bad guys.

For example, let’s say someone’s credit card is stolen. An in-memory database can process both structured and unstructured data at unprecedented speeds. So in less than a second, a credit card company can comb through a cardholder’s entire history and identify that a transaction doesn’t fit the customer’s normal spending patterns. Then, they can place an immediate lock on the card.

What’s the Safest Place?
People sometimes ask me where I would store information that I considered to be very private – on a desktop, on a laptop, or in the Cloud. My answer is that I would choose any of these places as long as they had strong encryption.

In the future, the location of data will become less and less relevant, because data will be replicated between all your desktops, laptops, and mobile devices using Cloud storage as connection hub.

Data anywhere at any time will be a fundamental requirement. Therefore, we will need to continually isolate the data flows, and personalize them through encryption, tracking, and labeling.

Learn More
Data security should be everyone’s concern. So if you’d like to learn more, I recommend a new report by

Ralph Salomon, Head of IT Security, SAP

According to a new report from Oxford Economics entitled the #1 concern of Cloud customers is consistent security.

Clearly, the market is looking for proof that it’s safe to operate in the Cloud. And yet, so far there is no holistic, “golden” cloud security standard that can be used for certification.

If such a standard were available, a software provider could reach out to certification bodies and ask for confirmation that its implemented control system and security measures were compliant. And customers could feel more confident that their all-important data was secure in the Cloud.

Any certification standard should include all necessary security requirements across the different layers that need to be implemented to offer a secured cloud solution. In addition, it will most likely begin at the national level, and then move to the regional and international levels.

The Industry Responds
Recognizing the importance of Cloud security, SAP and other software companies are working to develop industry standards and best practices. For example, my company’s current efforts include but is are not limited to:

  • Cloud Scout: As a project partner in “Deutschland sicher im Netz” (Germany Safe on the Net), SAP is helping to develop “Cloud Scout” for small and mid-size business. The goal of this initiative is to increase the level of acceptance for Cloud by providing transparency on legal and security aspects.
  • ENISA: Together with the European Network and Information Security Agency (ENISA) we are currently working to expand “Cloud Scout” into Europe
  • SafeCODE: As a member of the board of directors in, we are working with other leading software providers to drive security development best practices.
  • BSI/BMI: We are a member of the BSI/BMI steering committee work group that supports the development of national security standards.
  • ISO: Along with other leading software providers, we are working to help the International Organization for Standardization (ISO) define the new industry standard for cloud security.
  • Information Security Forum: As a member of the Information Security Forum, we are working to understand concerns, exchange good practices, and find best practices.

Through organizations such as these, there is a good chance for the development of at least one certification standard for Cloud security. If so, it will benefit customers and the software industry alike. And it can’t come soon enough.

I like to compare the Cloud to banking. Before banks existed, everyone kept their valuables at home. But today, with constantly improving security technologies and a modern and highly regulated financial services industry, the safest place for valuables is in the bank.

As the public Cloud industry matures, I believe we will see more and more of our valuable data – including the most sensitive data – being kept outside the four walls of our organizations.

But like any emerging technology, the Cloud is not without its challenges. For example, before signing on to a public cloud service (also known as “Infrastructure as a Service,” or IaaS) you should first address the following issues:

  • Service Level Agreements: With many providers, you can’t negotiate the price or conditions of SLAs, and terms may change frequently. What’s more, providers may ensure availability of the platform – but not the content running on the platform. Try to find a provider who offers flexible, predictable terms and a solid track record of uptime performance.
  • Hidden costs: When your first invoice arrives, you may be surprised to find charges and fees for items such as network transfer, input/output consumption, and support. Make sure to ask your provider for a complete listing of any fees before you sign on.
  • Incompatibility / Lock-in: Currently, it’s not that easy to migrate from one provider to another, because most providers use different cloud technologies such as different “hypervisors” – the software, hardware, or firmware that governs their virtual machine environments. One way to mitigate this issue is through the use of platform services and automated application deployment to ease workload mobility.
  • Distribution: To properly protect your enterprise and its customers, you need to know where your critical data actually resides. For example, should your information for the EMEA region reside only in EMEA data centers? If some of it resides in U.S. data centers, is it subject to compliance with the PATRIOT Act? Make sure your provider offers detailed monitoring of data placement.
  • Software licensing: You may have enterprise license agreements for your company’s software applications, but chances are they are not valid for use in public cloud deployments. Therefore, you must negotiate new licenses. This can be difficult, because it’s hard to measure license usage for cloud-based applications that may be used infrequently.

Meeting the Challenges
How can you ensure a smooth transition to the Cloud? Here are some suggestions I would like to share with you:

  • Plan ahead: Even as you enter a public cloud deployment, have a clear exit strategy at the ready so that you’re prepared for unforeseen circumstances.
  • Choose carefully: Be sure to have a use case for every block of data that is placed in the cloud. Would it provide greater value if maintained on your own servers? Do the cost savings outweigh any risks?
  • Oversee: Create a clear governance plan, and assign your internal IT professionals to serve as cloud services “brokers” who represent your organization’s best interests.
  • Audit: Conduct regular audits of the security and quality certifications of your provider – including their SSAE16 and ISO 27001 compliance.

Worth It
The challenges presented by the Cloud are all manageable. And for most companies, they are outweighed by the tremendous benefits, which include flexibility, cost-effectiveness, and rapid adoption of new business processes.

In a new report series from Oxford Economics, sponsored by SAP, you can learn more about the many ways in which organizations around the world are meeting the challenges and opportunities of the Cloud. To download the first report, Unlocking the Cloud, .

As I travel the world, I see great excitement regarding the Cloud. It seems that virtually every organization, large or small, recognizes the need for a platform-as-a-service strategy. And many already have a well-established presence in the Cloud.

But there’s something larger at work here. Cloud is not merely the key to a faster, easier, cheaper IT infrastructure for today. It is also a gateway to many of the most exciting technologies of tomorrow.

From Mobile to Quantum

Cloud platforms offer the fastest way to adopt new technologies and new applications – such as mobile analytics and advanced collaboration platforms. The path to implementation can be measured in weeks, days, or even seconds.

For example, Nebraska Book Company recently used a Cloud platform to implement a highly collaborative sales application that helps the company compete with far larger competitors like Amazon and eBay.

Other innovative uses of the Cloud include:

  • An ideal testing environment: For developers, Cloud is becoming a preferred way to save time and resources when testing mobile devices and mobile apps.
  • The ultimate in connectedness: Cloud is an ideal platform for “ubiquitous intelligence,” the future state in which everyone and every device is connected. Examples include the Internet of Things, which is revolutionizing machine-to-machine communication.
  • The path to new frontiers: Scientists have recently made great strides in “quantum” computing. Harnessing “superposition” and other principles of quantum physics, an emerging breed of atomic-level computers promises to tackle problems that cannot be solved by conventional linear processors.

As these and other technologies develop, many of them will simply work better through the Cloud. In fact, in their earliest stages they may be accessible and affordable only through a shared services model. Therefore, those organizations who are experienced in the Cloud could be among the first to adopt the latest advances.

In the meantime, platform-as-a-service (PaaS) is a model that makes sense for virtually any organization that wants to implement innovative applications – while reducing operating costs.

CIO to CIO Advice

As a CIO, here are three key characteristics I would look for in a Cloud platform provider:

  • Security: Does the provider offer the latest in security, such as deterrent controls, corrective controls, and business continuity?
  • Stability: Is the provider an established, well-run company that will be there for the long run?
  • Flexibility: Does the provider offer a wide range of plans that fit your business requirements?

A New Report Series

I’m excited to be following a new series of reports from Oxford Economics, sponsored by SAP, that offers important insights into how organizations around the world are harnessing the cloud to improve business outcomes. I think you’ll find it interesting too.

In my role on SAP’s Global IT Strategy 2.0 team, I helped develop our company’s internal Cloud strategy. And I have been gratified to see how quickly it has been adopted throughout the organization.

From development, to sales, to education, people love the way the Cloud enables them to deploy new applications and system landscapes in minutes and hours – rather than weeks and months. They also love how the Cloud allows them to deploy applications that enable completely new business models, thanks to a wide range of self-service and automation tools we provide.

Great Time-Savers

The key ingredients for successful cloud adoption are our self-service and automation capabilities, combined with direct access to all Cloud features via APIs (application programming interfaces).

Through our automation engine, we help people eliminate manual tasks and significantly increase quality and speed. In addition, we provide an online community where users can share and collaborate on the development of additional automation scripts.

The Value of APIs

In a Cloud environment, APIs become even more critical than ever. APIs can help your organization leverage infrastructure services without having to manage the many technical and configuration issues that pose barriers in the non-Cloud world.

Through APIs, infrastructure becomes code, which can be directly embedded into Cloud-ready applications – providing tremendous elasticity and high availability.

APIs also provide far greater flexibility for integrating Cloud services with any existing solution. However, it is important to follow industry standards created by the leading Cloud providers – such as Amazon EC2, and VMWare vSphere.

The New Standard

Clearly, the Cloud is a great place for users. But it’s also a great place for IT professionals, who now have more time to focus on more strategic tasks that add value to the business.

That’s why Cloud and PaaS (platform-as-a-service) will soon become the preferred delivery model for most applications. What’s more, Cloud will increasingly be used as a convenient way to manage test, sandbox and training systems since it is so easy to get what you need within minutes.

I encourage all IT professionals to become conversant in the language of the Cloud, and to look for opportunities to leverage pure Cloud or “hybrid” environments.

The good news is, a recent study by Oxford Economics indicates that this is quickly becoming a reality. In the next few posts, my colleagues and I will take a closer look at the study, and explore the many reasons why Cloud is the new standard in IT.