AI-generated image of a highway with guardrails running through the clouds

One of the most powerful security controls we have in place at SAP are our cloud guardrails, or preventative controls applied to our public cloud landscape (see this blog, April 2021). These are controls such as AWS’s service control policies and their equivalents that apply to all cloud accounts, subscriptions and projects collected in an organization in each public cloud provider. Implementing such guardrails is a powerful approach that makes your cloud accounts more secure-by-default and prevents common misconfigurations that regularly prove to be the source of security breaches and data leaks. This is especially important because in the cloud developer teams, the actual users of cloud accounts, have much more autonomy than more traditional data centers with its variety of gatekeepers such as Change Control Boards or network security teams.

SAP structured its cloud accounts into cloud provider organizations in 2018-2019. That was the precondition for our preventive controls to be feasible and practical. Speaking to peers and customers, we know that for many, such consolidation is not necessarily the case. Cloud guardrails can be implemented in multiple organizations, but the more organizations you have, the harder it becomes to manage these policies across all of them and leave gaps.

SAP’s first cloud guardrails went into effect in 2020 before most of the current landscape even existed. We have expanded on them ever since while the landscape continued to grow from ~4,000 cloud accounts to over four times that today. These guardrails are baseline security controls that prevent or auto-remediate common security misconfigurations that can occur in our cloud infrastructure. The automatic enforcement of these baseline security controls allows teams in the organization to focus on more complex and ambiguous security challenges higher up the stack, such as VMs, containers, IAM and application logic.

Our guardrails have formed the core of our cloud security compliance success. Moreover, by taking care of “the basics” they have cascading effects elsewhere. When we deployed a Cloud Native Application Protection Platform (CNAPP) in July 2022, we could see the effect on our vulnerability management program as well. 99.6% of our open vulnerabilities were classified as “Informational” (instead of High, Medium or Low), indicating that they didn’t pose an immediate risk to be addressed. This percentage lined up directly with the compliance rates of our cloud network security controls enforced by these guardrails, ensuring that these vulnerabilities were not exposed to the internet.

Endless “state of cloud security” reports from any of the vendors in the market say the same thing: that organizations struggle to keep cloud misconfigurations under control. Cloud guardrails such as these are among the most effective measures to improve your cloud security and compliance posture.

The cloud guardrails are part of a larger SAP security policy framework for public cloud. The vast majority of these policies break down in high and medium severity which we scan for using a Cloud Security Posture Management (CSPM) solution to verify compliance with these policies. A subset of the high severity policies are implemented as organizational service control policies that apply as preventive controls to all cloud accounts in each cloud provider.

To prevent disruption, in some cases controls only apply to new or updated resource configurations, which can leave you a legacy problem to work through. To reduce the scale of that – to stop the bleeding, if you will – the sooner you can implement such guardrails in your landscape, the better. Other controls, such as enforced logging, are non-disruptive and can be safely rolled out across the landscape.

List of Guardrails in Place

Below is the list of cloud guardrails in place in SAP’s global landscape (AWS, Azure and GCP). Due to the capabilities of cloud service providers there, the situation is more nuanced in China where a subset is implemented.

• Enforce SAP password policy
• Setup SAP AD integration for all accounts
• Prevent the use of non-SAP domain users for all IAM admin users
• Enforce MFA for all accounts
• API logging cannot be deactivated
• API logging centrally collected and stored
• API logging must be stored for at least 6 months
• API logging central storage location must not be publicly accessible
• Storage access logging centrally collected and stored
• Ensure logging on Kubernetes master node is activated
• Ensure container registries are private
• Ensure only the latest 3 major Kubernetes versions can be started/deployed
• Security groups cannot have blocklisted ports (22, 23, 135, 111, 5500, 5900, 3389, 1433, 1434, 4333, 3306, 1521, 5432, 27017) exposed to the internet (0.0.0.0/0)
• Enforce SSL policies of TLS1.2+ for storage
• Enforce SSL policies of TLS1.2+ for load balancers
• Enforce SSL policies of TLS1.2+ for CDN services
• Enforce SSL policies of TLS1.2+ for fully managed database services
• Enforce encryption on disk volumes for new volumes and ensure encryption cannot be removed
• Enforce disk volumes and snapshots are not publicly accessible for everyone
• Enforce encryption on storage buckets
• Enforce storage buckets private by default
• Enforce secure storage transfer is enabled
• Enforce encryption of managed database services snapshots
• Ensure secure KMS/Key Vault configuration (key rotation active, access control and key policies, strong keys)

All of these we can agree on are things you should be doing in cloud landscapes. All of these have associated NIST 800-53 controls or a Cloud Information Security (CIS) benchmark. These are not controversial. Unfortunately, these earlier mentioned vendor reports show that in many cases, cloud users struggle to meet these baseline controls.

By implementing such baseline controls as cloud guardrails, we prevent our teams from getting it wrong. At the same time, they prevent malicious users from accessing what they shouldn’t, or turn off logs we rely on to detect them. Ask your cloud service provider how you can deploy such guardrails in your landscape, too, to improve your security and compliance posture.