The future, with digital transformation clearly accelerating, is cloud computing. Before addressing the migration of any system to the cloud, especially mission critical ones such as SAP, it is necessary to know all the implications involved in order to achieve the efficiencies provided by this model. It is for this reason that we dedicate this article to our Consulting and Advisory Services, which we call Advisory Services, which are decisive in successfully tackling a cloud migration project.

Through them, our consultants ensure that the deployment of an application or system on a cloud infrastructure is carried out as quickly and efficiently as possible, so that our customers can quickly see the advantages of the model in terms of performance gains, scalability, agility and cost control.

Broadly speaking, we try to ensure that the roadmap to the cloud goes smoothly, assessing the scope of the project, detecting potential challenges and how to solve them. This is what we call Migration Discovery.

It is also essential to define the processes at each stage of the migration, which we do through Assessment and Planning services, which follow the discovery phase.

Our migration services for SAP environments to the AWS public cloud are a proven model, based on best practices, with which we define the appropriate hosting model, the most appropriate architecture for each company, and design the path to follow, through the planning of all phases of the migration. In short, the goal is to offer our clients a solid foundation and guarantees a smooth transition to the cloud.

What are the Advisory Services: step by step?

We have structured our advisory services around three elements, coordinated with each other.

Migration Discovery

In the discovery phase, our experts, through different sessions, analyze the initial situation or starting point of a company and its objectives in order to define the optimal strategy. At the end of this stage, specific recommendations on the future hosting and migration strategy are obtained.

Migration readiness assessment

The aim of these services is to obtain an x-ray of the current state and the target image of the systems to be migrated. Thus, the project is planned and the necessary resources, both technical and human, are provided. The migration plan and a detailed business case takes into account factors such as the transfer of workloads and interfaces, integration with other systems, accessibility and operation of the migrated environments. A ‘migration factory’ is designed, generating the automatisms that will allow us to be much more agile in the execution of the initiative, but it must also be thought of as an element for subsequent operations.

Planning the preparation for migration

The final migration plan defines the future cloud architecture and operating model, as well as the tools to be used. Last but not least, a specific roadmap for the system transfer is proposed, preparing the company to be able to maintain the systems and make the handover from Project to Operations.

If you found this article interesting, we recommend that you find out more about cloud migration services and learn about the methodologies we use, such as SAP MAP.

The post Reasons why consulting services are key to a cloud project appeared first on Syntax Europe.

In our last post, we summarized the main findings of a study by Syntax and the SAP Users Group in the United States. One of the findings of this year’s edition is that, as we explained, the need to innovate is one of the factors driving migrations.

However, any organization expects and wants that journey to be easy and, at the same time, to go in the right direction. They will be more likely to take advantage of the innovation that the cloud brings if they follow these three tips.

1. Keep costs in mind

One of the factors that drive a company to innovate is cost reduction, so it’s an issue that will always have to be in the spotlight, both when migrating and when trying to innovate, because small costs add up. So you need to be clear about the benefits of innovations, and how these correlate to cost savings and time value.

It will help to work with a reliable vendor who understands the SAP environment so that you can get the most out of your cloud investment, while helping to keep costs under management. And, in this, it is critical to have visibility into and understanding of all the variables that influence this. From our perspective, this is achieved with FinOps, a methodology that combines best practices, standardized processes and training applied to cost management.

2. Achieving a satisfactory experience with the cloud provider

According to the study conducted by Syntax and ASUG, SAP customers need clear pricing models and good support, as well as easy integration between SAP and non-SAP applications, which will be key when working with a cloud provider.

In our view, Amazon Web Services, which has more than 5,000 SAP customers in the cloud, has done a good job of meeting these needs and has developed native services to provide companies with tools that improve productivity and drive innovation.

In addition, it is important to highlight SAP MAP, the AWS Migration Acceleration Program for SAP, which brings together a set of methodologies and best practices, tools and resources that facilitate the execution of this type of project. In addition, it comes with financial incentives.

Not only the cloud platform chosen is essential, but also the partner, who must be a specialist in both environments to provide advice and project execution capabilities, as well as solutions that help optimize investments, such as our CxLink Document solution, an AWS SDK for ABAP language that allows connecting our customers’ on-premise SAP systems directly to AWS services.

3. Sharing the benefits of innovating with the cloud

Both cloud platforms and integrators specializing in the model should communicate more about the benefits of innovation in areas such as the ease of scaling workloads, improvements in aligning IT with the company’s strategic objectives, and the speed of deployment and delivery of services. This helps to generate more innovation.

Our company understands the challenges of the cloud journey and we emphasize the different options to leverage the benefits. To learn more, you can consult our cloud migration services and success stories.

The post Tips for making the most of cloud innovation appeared first on Syntax Europe.

Cloud adoption is becoming commonplace to meet corporate priorities that set the CIOs’ agenda, in areas such as customer experience, creating value through data, providing organizations with flexible and resilient infrastructures or incorporating technologies that accelerate digital transformation processes. This is what IDC stated in its forecasts for this year and the coming years, and also our experts in their predictions for 2021.

And this is a marked trend that is confirmed by this new study, conducted jointly by Syntax and ASUG, since cloud adoption among companies using SAP systems in the United States has increased by 15% since 2020, and 73% of those that have not yet taken the step, have plans to incorporate cloud services next year.

Cloud usage is high at 81% of all respondents and, of these, 74% are using Platform-as-a-Service (PaaS) and 71% are already working on an Infrastructure-as-a-Service (IaaS) model. In terms of the type of service chosen, the majority (46%) have opted for a hybrid environment, and 61% for using the services of various providers.

The report indicates that companies that are more advanced in cloud adoption are benefiting from greater innovation by incorporating analytics capabilities, automation and technologies such as IoT, machine learning and artificial intelligence. They also get greater ability to scale, more speed in deploying services, and their IT departments have less workload.

Need to innovate drives migrations

The report’s findings indicate that SAP customers need to innovate to achieve cost savings, increase productivity and performance, and improve their customer experience, and they are finding the answer in the cloud.

Currently, they are leaning toward leveraging analytics (54%) and automation (31%) capabilities, versus IoT, Machine Learning and AI solutions, but it will change soon, as by 2022, two out of three respondents plan to integrate these into their cloud innovation roadmap.

The study also delves into the challenges posed by cloud for these organizations. In this regard, many (34%) lack the knowledge to manage these environments or do not have a comprehensive cloud strategy (29%).

Our teams are specialized in solving the challenges involved in a migration project from on-premise SAP environments to the Amazon Web Services (AWS) public cloud, with tangible results for our clients. Companies such as MRG, FAIN, Cepsa, Simon or PortAventura World have already trusted us.

Find out more about our cloud migration services.

The post Why are SAP customers migrating to the cloud? appeared first on Syntax Europe.

The challenge for any company today is an increasing number of hacker attacks added to higher regulatory requirements for security and compliance controls.

Today, it’s clear for any SAP organization that Roles and Authorizations only does not protect an SAP S/4HANA environment, this must be added to a Perimeter and IT infrastructure security while at the same time analyzing the huge amount of events coming from the SAP S/4HANA Business Applications.

Processing all SAP log events in a non-SAP SIEM solution brings an additional challenge since costs can be high when SIEM solutions are licensed based on the log volume and the volume of logs provided out of the SAP applications is not only big but difficult to understand its semantic and integrate into these offers, for this SAP created Enterprise Threat Detection.

Enterprise Threat Detection

While traditional SIEM solutions like HP Arcsight, IBM Q-Radar or Splunk have focused on Database, OS and Network logs, ETD solely focuses on SAP application and HANA database. ETD can detect user data tables with weak password hashes downloaded on file system or brute force attack used to access SAP with superuser permissions, among many other security checks.

ETD can also help in combination with the SAP standard Security Audit Log (aka SAL) by receiving and archiving all logs created by SAP and providing a higher level of modelling.

GRC and Identity Management

GRC and IDM are not new SAP products, both have been around for many years and a lot of literature is available already, but it’s always good to remind what is the purpose of GRC and Identity Management, while GRC focuses on streamlining and automating risk management and compliance processes like FireFighter users and workflows, Identity Management focuses on ensuring and maintaining the identity of any enterprise user around the company, in the CMD (Create, Modify and Delete) process.

SAP Cloud Identity Access Governance

Not only SAP is evolving both GRC and IDM (both have a roadmap) but also new cloud products were launched like SAP Cloud Identity Access Governance (SAP IAG) which provides a good alternative for GRC Access Control.

SAP Cloud Identity Access Governance is a cloud-based tool for admins to use in simplifying governance processes. Functionality includes continuous access analysis, user assignment optimization, preconfigured audit reporting, among others.

SAP Code Vulnerability Analyzer

Also known as SAP NetWeaver AS Code Vulnerability Analysis (CVA), the SAP Code Vulnerability Analyzer is an ABAP add-on that analyzes source code and secures it from potential attacks before delivering applications to end users.

How AWS can help to solve SAP top Security concerns

We organized this year a webinar describing how a combination of SAP Enterprise Threat Detection with Amazon Guard Duty can be leveraged by Amazon Macie. 

Amazon Macie is a service that uses machine learning and pattern matching to discover and protect sensitive data. As organizations manage growing volumes of data, identifying and protecting their sensitive data at scale can become increasingly complex, expensive, and time-consuming. Amazon Macie automates the discovery of sensitive data at scale and lowers the cost of protecting data.

8 Golden rules for a safe SAP on AWS landscape:

1. Perform Log Analysis with Amazon GuardDuty.
2. Identify Root Cause and suspicious with Amazon Detective.
3. Classify and Protect Sensitive Data with Amazon Macie.
4. Stay Tested and Protected with Amazon Inspector.
5. Get a Single Unified View with AWS SecurityHub.
6. Follow Best Practices with AWS TrustedAdvisor.
7. Know Your Configurations with AWS Config.
8. Patch frequently with AWS Systems Manager.

Vincent Doux from SAP, Steve Quinn from AWS EMEA and Benoit Ohron from Syntax, discussed during that webinar how to secure SAP systems data on the AWS platform, the session can be accessed here.

Following the below links you can also access to the rest of those post series based on SAP on AWS security:

• AWS Security Solutions for SAP S/4HANA (I): Identity and Access Management
• AWS Security Solutions for SAP S/4HANA (II): Detective Controls and Incidents
• AWS Security Solutions for SAP S/4HANA (III): Infrastructure Protection
• AWS Security Solutions for SAP S/4HANA (IV): Data Protection

The post AWS Security Solutions for SAP S/4HANA (V): Application Protection appeared first on Syntax Europe.

In 2006, AWS began providing IT infrastructure services in the cloud, and since then the company has steadily evolved its services and introduced enhancements to its platform to increase the benefits, in terms of cost, scalability and flexibility, that can be gained from the model.

2021 has been a prolific year for new developments and we have asked our specialists to select the most relevant ones, based on the value contribution they can offer our customers and how they contribute to improving the operation of SAP systems, and this is their choice.

Four new high memory EC2 instances

One of the most relevant news for SAP users on AWS is the four new high-memory configurations for EC2 instances: u-6tb1.56xlarge, u-6tb1.112xlarge, u-9tb1.112xlarge and u-12tb1.112xlarge. Resources with 6TB, 9TB and 12TB of memory. In this case, he pointed out, they could be ordered both on demand and reserved.

Why is this important for SAP customers? For one thing, these instances are based on AWS Nytro System, a hypervisor that frees up additional memory for SAP HANA workloads, improving performance and lowering USD/GB costs. They are very useful for testing or bug-fixing systems because of the ability to choose an on-demand mode and switch to an extended period, if required, with AWS Saving Plans.

These high memory Amazon EC2 instances are certified by SAP to run Business Suite on HANA, SAP S/4HANA, Data Mart Solutions on HANA, Business Warehouse on HANA and SAP BW/4HANA.

EBS io2 Block Express volumes

During the ReInvent 2020 event, AWS gave the first details of a new generation of architecture for storage in EC2 instances, and in July of this year announced the general availability of Amazon EBS io2 Block Express volumes that are designed to host intensive workloads that require the deployment of large databases such as Microsoft SQL Server, SAP HANA and SAS Analytics, among others.

With this announcement, enterprises can scale to petabyte capacity in minutes at half the cost of a traditional SAN system, and the storage is managed by AWS, without having to procure, scale and maintain the on-premises system.

New One Zone storage classes

In March, the public cloud platform announced new One Zone storage classes for Amazon EFS (Elastic File Systems) that reduce costs by 47% compared to those already offered by the company. These store data redundantly within a single Availability Zone (AZ), and are used by enterprises when they need cost-optimized file storage options for their workloads and applications that do not require the level of availability and durability offered by AWS within its Amazon EFS service.

With One Zone, there are no minimum commitments or upfront fees, and customers pay only for the amount of file system storage used. Customers using Amazon EFS for their business-critical applications, such as SAP, can realize significant savings when it comes to managing these types of loads.

Upcoming opening of Israel and UAE regions

During May and June, AWS announced that in the first half of 2022, the United Arab Emirates will become the home of the AWS Middle East (UAE) region, and that the AWS Israel (Tel Aviv) region will launch in the first half of 2023, making it easier for businesses in these areas to run workloads and store their information in local data centers, with lower latency. Undoubtedly, these new data centers are good news for our customers in these geographies.

AWS currently has 80 availability zones in 25 geographies and, in addition to these two new regions, has plans for new openings in Australia, India, Indonesia, Switzerland and Spain.

These new developments in the public cloud platform are important for our experts to help organizations take advantage of all the benefits of moving SAP systems to the cloud.

Following this link we explain the five advantages of moving your SAP systems to AWS. Our consultants help customers around the world to take advantage of the benefits of this cloud platform through our migration services.

The post AWS announcements in 2021 that benefit SAP customers appeared first on Syntax Europe.

PortAventura World operates two theme parks and a water park, six hotels totaling more than 2,300 rooms, and a 12,000-square-meter convention center with capacity for up to 4,000 people, and manages the operations of each business with different systems.

All the data generated by each one are consolidated in SAP on a daily basis, and are essential for the different business units and the Management Control area if they have a dynamic and flexible system that allows them to analyze the information quickly and agilely. For this reason, the organization decided to evolve from a static model in which the data was aggregated and which made it difficult to process the data, to another, based on the cloud, with which to achieve more visibility, analytical capacity and agility.

To seize the full value of that information, it consolidated data from multiple sources using the AWS service, Amazon S3, as a centralized repository to extract the full value of the information for its business. With Syntax as a partner, the organization migrated its transactional systems data to the cloud. This was an essential step to improve its analytics and reporting system and provide the organization with the intelligence needed to optimize management and, at the same time, improve the customer experience.

The initiative consisted of implementing an ETL solution that collects various data sources in Amazon S3 and, through AWS serverless services, homogenizes the data that is consumed and analyzed in the Board advanced analytics platform.

Currently, data from many of the main transactional systems are already in the cloud and, as of today, the organization uploads around three million records from its various transactional systems to the AWS cloud every day, which gives an idea of the scale of the project.

The benefits

PortAventura World is already reaping tangible benefits from this technological project, which has enabled the company to make a qualitative leap in its analysis capacity. Some of the benefits are:

• The organization now has homogenized information, with data from different systems that it can analyze in detail, reaching levels of detail that were previously impossible. In addition, by having it in a single repository, it can cross-reference data from different sources and departments, which speeds up its decision-making process.
• It has gained immediacy both in terms of access to information and in the preparation of reports, which are now automated and dynamic. This has made it possible to avoid manual processes and reduce preparation time from hours to minutes.
• Increased visibility and analytical capabilities enable cost control, resulting in improved management and optimization of resources.
• With greater visibility and customer insight, they can offer more personalized services and redefine your product offerings based on the needs of the moment, resulting in a better customer experience and satisfaction, while facilitating revenue growth.

The technology initiative continues to evolve, as new data is moved to the cloud platform repository to gain more analytical capabilities and turn information into value.

Following the link, you will find this success story, a document in which Robert Magí, CIO of PortAventura World, and Albert Mellado, its Project Manager, offer all the keys to this strategic project that is allowing the company to obtain the competitive advantages of the data economy.

The post The road to smart business: this is how PortAventura World has achieved it appeared first on Syntax Europe.

Following the three previous blogpost, focused on Identity and Access Management, Detective Controls and Incident Response and Infrastructure Protection, this week’s review is about Data Protection.

In AWS, there are a number of different approaches to consider when addressing data protection. They are:

1. Data Classification.
2. Encryption/tokenization.
3. Protecting data at rest.
4. Protecting data in transit.
5. Data backup/replication/recovery.

Data Classification

Data classification provides a way to categorize organizational data based on levels of sensitivity. This includes understanding what data types are available, where the data is located, and access levels and protection of the data (for example, through encryption access control).

Understanding and using resource tags is often ignored by AWS users but they are a simple and powerful method of organizing our AWS assets.

Tagging is applied to cloud resources providing a bespoke metadata schema to logically organise and group resources. This is critical for automation, security, and financial reporting purposes.

All cloud resources, that can be tagged, must be configured with tags. There should be no exception to this standard and tags should be applied at build time. An example of Tagging requisites.

 Besides resource tags, the primary data classification tool offered by AWS is Macie:

Amazon Macie

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.

Encryption/Tokenization

Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disk in Amazon S3). AWS Key Management Service (KMS) gives a centralized control over the encryption keys used to protect your data.

We can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data. AWS Key Management Service is integrated with most other AWS services making it easy to encrypt the data you store in these services with encryption keys you control.

Encrypting Amazon resources such as, EBS volumes for data and databases, S3 for objects or backups is a must and also required to comply with regulations including the General Data Protection Regulation, or GDPR, with key management capabilities that include regional isolation.

Also, SAP provides Data Custodian Key Management Service, a Cloud-Ready Encryption and Key Management as a Service offering. SAP Data Custodian is described and presented by our experts on this article.

We don’t want to close this chapter without bringing one topic into account, it’s a good practice disabling IMDSv1 on our EC2 instances to prevent a Capital One-like data breach. IMDSv2, the  Amazon Instance Metadata Service is used by agents, such AWS Data Provider for SAP, to collect performance-related data from AWS services. It makes this data available to SAP applications to help monitor and improve the performance of business transactions.

Provide SSL inspection

Most HTTP traffic is SSL encrypted, and SAP has embraced HTTP as a modern protocol for users to access S/4 applications. Today more than 60% of malware is encrypted though. In SAP, Web Dispatchers are used by SAP to load balance SAP’s Fiori systems. The Web Dispatchers create a larger attack surface and vulnerabilities for common Open Web Application Security Project (OWASP) attacks.

An Application Load Balancer is normally placed as an external zone acting as the entry point for Web Dispatcher’s HTTP/HTTPS requests. AWS Shield can protect the Web Dispatcher and SAP NetWeaver Gateway from common web exploits, especially if it’s used in conjunction with AWS WAF in the load balancer. AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards web applications running on AWS.

Securing Data at Rest

Data at rest includes inactive data that is stored physically in any digital form (e.g. databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Multiple AWS services provide built-in integration with AWS KMS to allow easy encryption of your persistent storage.

Again with SAP Data Custodian, using Data Custodian, customers can leverage Customer-controlled encryption keys for SAP HANA and SAP applications at rest SAP Data Custodian key management service has native integration with the SAP HANA database , starting with HANA 2.0 SP05, aiming to lock our database for any unauthorized access.

Securing Data in Transit

Data in transit is any data that gets transmitted from one system to another. This includes communication between servers within your environment as well as communication between other services and your end users. By providing the appropriate level of protection for your data in transit, you protect the confidentiality of your application’s content. When protecting your data in transit, selecting protocols that implement the latest version of Transport Layer Security (TLS) is a common best practice.

AWS services provide many HTTPS endpoints for communication, thus providing encryption in transit when communicating with the AWS APIs. AWS Certificate Manager (ACM) service provides you the ability to manage and deploy certificates for your domains.

AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications for key SAP products like Web Dispatcher, SAP ICM or SAP Gateway, it’s one of the required steps to setup a Fiori environment

You can checkout this blogpost from AWS architects Ferry Mulyadi and Yoshihisa Nakatani to setup such an architecture.

Data Backup/Replication/Recovery

“If you store 10,000 objects with us, on average we may lose one of them every 10 million years or so” that’s Amazon describing S3 capabilities. Amazon S3 and Glacier are a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup.

SAP-certified backup and restore solutions include HANA DB running in the cloud or on-prem directly to S3. CxLink Backup, listed on AWS Marketplace and SAP Store include HANA, Oracle and Sybase full, incremental, and differential backup.

At additional cost compared to S3, EBS Snapshots also provide backup and recovery possibilities, Snapshots let you back up your volumes attached to EC2 instances.

As SAP experts on AWS, we are committed to helping organisations achieve high levels of security, bringing the benefits of the cloud to those SAP workloads. If you want to know more about innovative and cloud-native solutions in terms of security, you can watch this webinar on demand.

The post AWS Security Solutions for SAP S/4HANA (IV): Data Protection appeared first on Syntax Europe.

After the two previous blogposts, focused on Identity and Access Management and Detective Controls and Incident Response, it is time to delve into how to safeguard the cloud infrastructure. 

AWS breaks Infrastructure Protection down into three broad categories:

1. Protecting network and host-level boundaries
2. System security configuration and maintenance.
3. Enforcing service-level protection.

Protecting Network and Host-Level Boundaries 

Protecting Network ensures the first commandment for SAP architectures; Segment SAP workloads with low latency.

Segmenting SAP from other workloads ensures a minimum boundary of trust and inspection. The internal segmentation of application servers, front ends, and databases prevents lateral attacks through impersonation or privilege escalation. Network segmentation is deeply described in these AWS blogs for the VPC setup and configuration of a SAP landscape.

• VPC Subnet Zoning Patterns for SAP on AWS, Part 1: Internal-Only Access
• VPC Subnet Zoning Patterns for SAP on AWS, Part 2: Network Zoning
• VPC Subnet Zoning Patterns for SAP on AWS, Part 3: Internal and External Access

In this series of blog posts, Solution Architects Somckit Khemmanivanh, Harpreet Singh and Derek Ewell introduced Amazon Virtual Private Cloud (Amazon VPC) subnet zoning patterns for SAP applications, demonstrating their use through examples. They describe several architectural design patterns based on access routes, and then follow up with detailed diagrams based on potential customer scenarios, along with configuration details for security groups, route tables, and network access control lists (ACLs).

The extensive AWS documentation helps us understand how to apply the shared responsibility model when using Amazon VPC. The following topics show us how to configure Amazon VPC to meet our security and compliance objectives. We also learn how to use other AWS services that help us to monitor and secure our Amazon VPC resources.

The following recent AWS services will help improving the network setup of our SAP environments:

AWS Network Firewall 

Brand new, Released Nov 2020, AWS Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service for our virtual private cloud (VPC).

With Network Firewall, we can filter traffic at the perimeter of our VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect. 

Network Firewall is supported by AWS Firewall Manager. 

AWS WAF 

WAF is a web application firewall that lets us monitor the HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, an Amazon API Gateway REST API, or an Application Load Balancer AWS WAF also lets us control access to our content. Based on conditions that we specify, such as the IP addresses that requests originate from or the values of query strings or different Amazon responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). AWS WAF is a very important service for HTTP SAP services such as Web Dispatcher or SAP Fiori & SAPUI5 components

AWS Shield

We can use AWS WAF web access control lists (web ACLs) to help minimize the effects of a distributed denial of service (DDoS) attack. For additional protection against DDoS attacks, AWS also provides AWS Shield Standard and AWS Shield Advanced. AWS Shield Standard is automatically included at no extra cost beyond what we already pay for AWS WAF and our other AWS services. AWS Shield Advanced provides expanded DDoS attack protection for our Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, Route 53 hosted zones, and AWS Global Accelerator accelerators. AWS Shield Advanced incurs additional charges.

AWS Firewall Manager

AWS Firewall Manager simplifies our administration and maintenance tasks across multiple accounts and resources for AWS WAF rules, AWS Shield Advanced protections, and Amazon VPC security groups. The Firewall Manager service automatically applies our rules and other security protections across our accounts and resources, even as we add new accounts and resources.

We can use AWS WAF, AWS Firewall Manager, and AWS Shield together to create a comprehensive security solution for our SAP environment

System Security Configuration and Maintenance

Patching SAP environments, at both the Application, Database and OS level plays a critical role and the most important vulnerabilities have also been discovered and fixed with patches.

AWS Systems Manager

Systems Manager plays a critical role, it allows us to centralize operational data from multiple AWS services and automate tasks across our AWS resources. We can create logical groups of resources such as applications, different layers of an application stack, or production versus development environments. Systems Manager provides a central place to view and manage our AWS resources, so we can have complete visibility and control over our operations.

Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

A holistic understanding of SAP resources’ risk posture and compliance levels is critical as SAP is deployed, most important topics where we can use Inspector include locking down OS configuration, administrator with root credentials or HANA services disabling.

AWS Patch Manager

AWS Systems Manager Patch Manager automates the process of patching managed instances with security-related updates. For Linux-based instances, we can also install patches for non-security updates. We can patch fleets of Amazon EC2 instances or our on-premises servers and virtual machines (VMs) by operating system type. This includes supported versions of Windows, Ubuntu Server, Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), and Amazon Linux. We can scan instances to see only a report of missing patches, or we can scan and automatically install all missing patches.

SAP Security Updates are periodically released. Customers are recommended to implement patches promptly. However, SAP systems’ uptime requirements create a burden to the SAP basis team to upload, test, and validate every SAP patch. Security-driven networking can help mitigate many risks. Action; get up to date with released SAP security notes frequently, and use above services to automatically patch the SAP systems.

AWS Audit Manager

Introduced just a few months ago, AWS Audit Manager helps us continuously audit our AWS usage to simplify how we manage risk and compliance with regulations and industry standards. AWS Audit Manager automates evidence collection to make it easier to assess whether our policies, procedures, and activities—also known as controls—are operating effectively. When it is time for an audit, AWS Audit Manager helps us manage stakeholder reviews of our controls, which means we can build audit-ready reports like GDPR or GxP with much less manual effort.

AWS Security Hub 

Security Hub is designed to give us a comprehensive view of our security posture across our AWS accounts. With Security Hub, we have a single service that aggregates, organizes, and prioritizes our security alerts or findings from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS System Manager Patch Manager, and AWS IAM Access Analyzer. 

AWS Security Hub also integrated with AWS Audit Manager, which helps simplify how we assess risk and monitor our compliance with regulations and industry standards. 

Enforcing Service-Level Protection

We can protect AWS service endpoints by defining policies using IAM, described in part 1 of this blog series. IAM can help us define policies for access to services and operations. However, for some services, we can also define fine-grained controls to specific resources within those services. Additionally, some resources have their own resource-level policies.

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) is a managed service that makes it easy for us to create and control the encryption keys used to encrypt our data and uses FIPS 140-2 validated hardware security modules to protect the security of our keys. KMS will be more extensively be explained during the Data Protection series of this blog series.

As SAP experts on AWS, we are committed to helping organisations achieve high levels of security, bringing the benefits of the cloud to those SAP workloads. If you want to know more about innovative and cloud-native solutions in terms of security,  you can watch this webinar on demand.

The post AWS Security Solutions for SAP S/4HANA (III): Infrastructure Protection appeared first on Syntax Europe.

This new certification, the first achieved by a local AWS partner in Spain, certifies that the company has the knowledge, qualified personnel and experience to offer design, deployment and maintenance services for solutions based on Amazon Connect, the contact center solution in the AWS public cloud that allows companies to provide customers with a complete multichannel experience (voice, chat, telephone, etc.) at a lower cost than traditional systems.

Benefits of Amazon Connect for transforming contact center services

For those companies that want to transform the experience they offer to their customers, this is a very powerful omnichannel solution that can be operational in a matter of minutes, with unlimited scalability depending on the demand of each moment and that benefits from all the capabilities of a cloud solution: no specific hardware to implement (only microphone and headset are needed) and the only software needed is the browser (Google Chrome or Mozilla Firefox); it is only paid on a pay-per-use basis and, in addition, it is designed to integrate with the rest of the systems used by the organization.

In addition to these features, it allows you to automate customer interactions and improve response times for contact center agents.

Since its launch in 2017, AWS has provided Amazon Connect with new functionalities that, today, make it unbeatable as a contact center solution. As we discussed in a recent post, it now has advanced learning capabilities to detect customer needs and resolve incidents in real time; enables unified customer profiles to provide a more personalized service; analyze the customer experience in real time; automate agent management tasks; and authenticate the customer instantly through voice recognition, without having to ask questions.

Proven experience

Our experts have already implemented this solution in companies in the catering and utilities sectors. For example, we have been the technology partner that has accompanied Madrileña Red de Gas, the third largest gas distributor in Spain with almost 1,000,000 customers, to implement Amazon Connect as a contact center solution, a key initiative within its digital strategy with which it wanted to enhance the relationship with its customers through all its interaction channels.

“The project has allowed us to have continuous monitoring of our customer service, establish metrics and react with optimization measures that are very quick to implement. “With this project we have been able to make processes more flexible, gain speed and have control of customer service,” explains Héctor Morán, head of the company’s Customer Experience, Systems and Telecommunications department.

By joining the AWS Service Delivery Program for Amazon Connect, we now have eleven qualifications between competencies, programs and AWS services that we have achieved. We have different AWS certifications that validate our competencies in SAP consulting, Migrations and DevOps, in addition to being an AWS Well-Architected Partner, which guarantees that our consulting services are prepared to evaluate cloud architectures and help customers get the most out of their investments in this environment. We are also certified to execute projects for the public sector and Nonprofit Consulting, which certifies our expertise in supporting non-profit organizations in their cloud initiatives.

Whatever your contact center’s current situation, Amazon Connect can adapt to your needs. Follow the link if you want to learn more about this solution and how we can help you implement it and get your free proof of concept.

The post New specialization: AWS validates our expertise with Amazon Connect appeared first on Syntax Europe.

After a first article focused on Identity and Access Management, this new post is about Detective Controls and Incident Response, services that share the same objective. AWS refers to “Detective Controls” the actions we do to gain visibility to spot issues before they happen, improve our security posture and reduce the risk profile of our environment.

It’s much about monitoring. We can use logging features in AWS to determine the actions users have taken in our account and the resources that were used. The log files show the time and date of actions, the source IP for an action, which actions failed due to inadequate permissions, and more.

These are some of the keylogging features available in AWS:

• Amazon CloudWatch is the most important monitoring solution in AWS. It monitors our AWS Cloud resources and the SAP applications running AWS. We can set Amazon CloudWatch Monitoring for SAP NetWeaver ABAP-based environments and SAP HANA environments. Please see blog post SAP Monitoring: A serverless approach using Amazon CloudWatch by AWS Engineer Marcel Toerpe for more details.

• AWS CloudTrail logs every AWS API call and related events made by or on behalf of an AWS account. The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Also for every notification on access, we can use Amazon Simple Notification Service (Amazon SNS) to set up notifications on SSH login to our email address or mobile phone.
• AWS Config provides detailed historical information about the configuration of our AWS resources, including IAM users, groups, roles, and policies. For example, we can use AWS Config to determine the permissions that belonged to a user or group at a specific time. Brilliant post from AWS engineers Chris Grudzinski and Kaustubh Kulkarni, Audit your SAP systems with AWS Config, shows how customers validate that the SAP systems are configured according to best practices, meet the requirements for vendor support, and meet internal audit requirements using AWS Config. AWS Config provides over 160 managed rules, which are rules that have been authored by AWS. We provide a list of the most common rules for SAP workloads to ensure your SAP systems are well architected on AWS below.
• AWS Config Rules allow us to immediate take action after an event has happened, such as isolating resources, enriching the data with additional values or restoring environments to a known-state.
• AWS Trusted Advisor offers a one-view snapshot of our service and helps identify common security misconfigurations, suggestions for improving system performance, and underutilized resources.

 And below we have probably most important services for any AWS secure configuration.

• Amazon GuardDuty uses integrated threat intelligence such as lists of known malicious IP addresses, anomaly detection, and machine learning to identify activity associated with threats, such as compromised EC2 instances mining cryptos or an attacker scanning the web servers for known vulnerabilities. It also monitors AWS account access behavior for signs of compromise, such as detecting an atypical instance type deployed by a user from an unusual geo-location, or an attempt to disable CloudTrail logging or to snapshot a database from a suspicious IP address. Escalations of privileges, uses of exposed credentials, or communication with malicious IP addresses are some examples for the detected activities.
•  AWS Security Hub provides a single place that aggregates, organizes, and prioritizes our security alerts, or findings, from multiple AWS services and optional third-party products to give you a comprehensive view of security alerts and compliance status.

The combination of GuardDuty and Security Hub provide aggregation, deduplication, and analysis mechanisms for log records coming via other AWS services. GuardDuty ingests, aggregates and analyses information from the VPC DNS service and information.

Security Hub can ingest, aggregate and analyze output from GuardDuty, AWS Config, Amazon Inspector, Amazon Macie, AWS Firewall Manager, among others. Security Hub is often used in combination with world class SIEM solutions as an AWS-side log and alert preprocessor and aggregator.

As SAP experts on AWS, we are committed to helping organisations achieve high levels of security, bringing the benefits of the cloud to those SAP workloads. If you want to know more about innovative and cloud-native solutions in terms of security, you can watch this webinar on demand. 

The post AWS Security Solutions for SAP S/4HANA (II): Detective Controls and Incident Response appeared first on Syntax Europe.