Blog Post

Security/Network Design to enable Connectivity from Cloud to SAP

August 4, 2023



Many customers are now onboarding their business processes onto cloud applications such as Concur, AWS, Salesforce, SuccessFactors, Ariba, etc. There is no doubt that cloud applications give customers standardized business processes, a pleasant user experience (UX), omni-channel capabilities and, of course, a reduced cost of ownership over the long term.

As I perceive it, leveraging full-blown cloud application capabilities is more of a journey than a destination. Businesses do see value in investing in cloud applications; however, the key enabler of a business process running on a cloud application is mostly "data". The data we are talking about here is of great value to businesses, which have collected, tabulated, mined and secured it since before the term became a buzzword for the next revolution in technology: "data science", or business analytics and decisions driven by data. It is easy to guess by now that for some industry verticals data is the key, and they must enable seamless, secure data exchange between their existing on-premise/data-center-hosted applications and newly scoped cloud applications.

This opens up an interesting and imperative subject of discussion: "System Integration". For customers taking on this journey to leverage cloud application capabilities, the very first step of the planned migration is usually achieving "hybrid business processes", where the end-user-facing applications are scoped for the cloud but the secured applications that supply the data remain in their as-is setup as on-premise/data-center-hosted applications.

Businesses need to integrate on-premise applications with cloud applications. With that inevitable requirement in place, the next phase is to iron out the deliverable. Often, in my experience, I have seen that the Security/Networks team is not that confident in exposing their most secured back-end system-of-record applications directly over the internet. The general direction from most cloud providers is to white-list the cloud application domain's IP address range at the firewall/network level. Though it seems logical, many customers' security offices are reluctant to go with this design approach.

Reasons –


  • The cloud application's domain IP addresses are too many to ignore, sometimes in the hundreds of thousands of IP address pools.
  • IT security departments do not encourage exposing application servers to the internet or via DMZs. Directly opening the front door of the house doesn't seem to be the right idea, especially when the number of visitors is too high (jokes). Building a separate door (firewall IP white-listing) for each separate visitor (cloud application) also does not make sense from a governance perspective.
  • Customers ask "what if" the cloud service provider's network is compromised. Customers look for security policies and disaster recovery or risk mitigation practices in place at the cloud provider's infrastructure end. Cloud providers can earn customers' confidence by securing compliance certifications like FedRAMP, ISO 27001, DIACAP, etc.

Some customers go ahead with straightforward IP white-listing as the quickest and most logical way of addressing the integration requirements; however, a few resist.

For those few customers that resist and want to go ahead with their reasoning, below is a diagrammatic synopsis of one of the many possible designs to handle the Security/Network piece of “Systems Integrations”.



Originally shared at:

https://blogs.sap.com/2016/09/02/securitynetwork-design-to-enable-connectivity-from-cloud-to-sap/


LinkedIn 
Forbes Technology Council, Official Member (2022)

About the Author

Jaspreet is an Executive Consultant with expertise in SAP, SaaS/Cloud Integrations, Cyber Security and Data Science. Jaspreet is a hands-on architect who does pre-sales, solution architecture and development, leads delivery of complex integration programs, manages dispersed teams and ensures successful project go-lives and goals. He has made a lasting impact on global businesses' IT projects, including Aflac, Advanced Energy, Donnelley Financial Solutions (DFIN), Dell EMC and many more.
