At SAP NS2, we frequently say FedRAMP® authorization is not a static state, a one-time certification, or a standard. It’s a process. Once our customers have authority to operate a cloud-based solution that handles government data, the journey has only just begun. They must also consider who will handle their data to maintain and support their cloud operations. This concept refers to the data access controls applied and the operational autonomy of a cloud solution. It works hand in glove with concepts like data sovereignty (the laws which govern the data) and data residency (where the data is stored).
SAP NS2 restricts data access to local, credentialed cloud specialists
Today, I want to focus on the significance of data access controls. For regulated organizations in particular, the resources who support and access their cloud solution are just as important as the solution itself. Often times, regulated organizations can’t adopt commercial cloud solutions, because support tickets and system responses are handled by global resources. While many operations in the cloud are automated, such as firewalls, encryption, and security tooling, there are instances in which cloud solutions must be managed by human beings.
Human influence and error are large exposure points for organizations, and it’s increasingly important that regulated organizations place higher security measures around those who are responsible for cloud operations. When the personnel who manage data are not geographically located in the customer’s country of residence, there can be limited insight into their location or background.
Our customers should never have to question who is managing their cloud solutions. At SAP NS2, we ensure cloud solutions are supported by resources located within our customer’s region. This local support model ensures resources adhere to the regulations put in place by a customer’s local jurisdiction and helps them adopt a sovereign cloud solution.
Data security for regulated industries
Highly regulated industries, such as aerospace & defense, need to implement additional security requirements that restrict their cloud operations from global support models. For heightened protection, they must follow strict data access requirements to ensure all data is maintained and handled by in-country resources.
At SAP NS2, we recognize the importance of data access by providing our customers with local, credentialed cloud resources. From the support provided at SAP NS2 to the resources who manage solutions, we securely vet each individual to verify they meet the standards our regulated customers deserve and demand. Through security attestations, such as International Traffic in Arms Regulations (ITAR), we restrict our cloud solutions to only be managed by US persons located on US soil. Whether a customer’s data is at rest or in transit, we ensure the resources who manage the cloud solution are fully credentialed, certified in high-level cybersecurity, and have been approved through our stringent security controls – such as extensive background and reference checks. We incorporate enhanced controls into our cloud offerings by utilizing tools that enforce role-based access control (RBAC), both on the customer and within our SAP NS2 operations. Our use of RBAC guarantee only individuals located and managed within the Network Operation and Support Center (NOSC) can access a customer’s solution. These practices mitigate the amount of data access points within a customer’s solution, and in turn, this reduces the risk of exposure from bad actors.
SAP NS2 meets the highest security standards of cloud-based technology and the strictest requirements of data access
Data in the 21st century is a proven commodity—it is one of our customers’ most valuable and vulnerable assets. SAP NS2’s local talent model represents a breakthrough approach for SAP’s cloud-based innovation. We provide support that not only meets the highest security standards of cloud-based technology, but also meets the strictest requirements of data access.
