A Balancing Act: SAP in the Cloud
SAP customers know the cloud can help them innovate and find new opportunities but are also concerned with compliance and risk. Recently, we spoke with SAPinsider’s Chief Research Officer Riz Ahmed about how SAP customers can find a balance whereby they realize cloud’s innovation opportunities while managing cloud’s risks. Here’s a recap of our conversation.
Innovation and the art of the possible
Better than 85 percent of SAP customers surveyed are already running at least some of their SAP workloads in the cloud. Protiviti’s annual Finance Trends Survey results confirm that SAP organizations continue to push applications to the cloud, or are planning to migrate to the cloud shortly, and there is a reduction in on-premise systems. They may have chosen private, public or hybrid models of cloud infrastructure. (Because the public cloud offers maximum flexibility, new SAP cloud implementations are trending toward public cloud infrastructure.)
No matter which infrastructure model they’ve chosen, SAP customers are finding opportunities to innovate in the cloud, where it’s faster, easier and less expensive to test new ideas.
How does cloud infrastructure facilitate the art of the possible? The availability of information in the cloud and the ability to access that information has exploded, empowering organizations to take that data and use it to innovate at a fast and furious pace. In one example, an SAP customer wanted to resolve a ten-million-dollar accrual on their books. In the cloud, they could rapidly test a new approach: compare general ledger data to transaction detail rather than pulling data directly from SAP. In the cloud, capacity was immediately available and would have been easy to abandon if their experiment didn’t work out – but their innovation yielded immediate answers to their accrual problem. Without a way to experiment rapidly, they might have spent days uncovering the causes of that accrual by conventional means. From this more venturesome mindset, the business developed a repeatable process to resolve future accruals immediately. Instead of waiting days, this SAP customer’s leaders are getting answers nearly as quickly as questions come up.
Innovation is how businesses differentiate, and it’s as true of back-office operations as it is of new product offerings. Using the cloud to experiment and develop ground-breaking solutions is a shift via which leaders learn confidence that information they want is going to be available and quickly. Organizations that have made that mindset shift already are formidable competitors.
Embracing innovation while managing risk
In our conversation with SAPInsider, we emphasized the importance of keeping innovation in the forefront of organizational priorities. Innovation is the source of critical competitive differentiators. In the context of the cloud, however, innovation should – and can – be balanced with cloud’s very real risks. We drew from our experience to offer advice on striking the balance.
As a starting point, leaders will want to establish metrics for cloud-related risk. It’s essential for businesses to understand their unique security landscapes when establishing targets related to risks. Targets will differ from one company to the next based on factors like legal structure, industry and stage of organizational growth.
Our clients have experienced a variety of risks and threats related to cloud. While targets depend on a business’ characteristics, regulatory requirements figure prominently, as do contractual liabilities and financial and tax risk. Every business must remain concerned about factors beyond their control, like natural disasters, civil unrest and war. In this regard, the location of the cloud hosting environment is the source of vulnerability.
Businesses will also want to consider how cloud migrations are secured and how they could drive changes to their disaster recovery and business continuity planning.
When contemplating risk, businesses need to consider their technologies, products, intellectual property and acquisitions. These are dynamic factors that change over time. The answer to the question “What risks are we facing?” is not a static one. It’s typical to see SAP customers who operate in the cloud monitor 30 or 40 key performance indicators (KPIs) to govern cloud environment operations from a security perspective.
It’s also important to note that many of the risks experienced in the cloud appear similar to those experienced in an on-premise environment, yet may not be top of mind once you’ve migrated to a hosted cloud environment. A common misconception is that regulatory risk is being thrown over the wall to the vendor, when in fact full accountability resides.
Leaders will also want to understand the organization’s responsibilities in any cloud hosting relationship. Typically, cloud vendors assume responsibility for managing and monitoring the network and ensuring database security, but customers can check contract language to be sure. Cloud customers will want to institute well-defined controls for the system changes they’ll be responsible for managing as new technologies and solutions move into the cloud. Between vendor and customer, ensure all roles and responsibilities are clearly understood.
SAP cloud customers will want to have a clear picture of their security landscapes overall. For instance, what applications are being hosted on the cloud? Is theirs public (multitenant) cloud infrastructure, private or a hybrid of the two? Which users have access to these applications and environments? Is the access scheme as sensitive as it needs to be? Assembling this information establishes the baseline to help teams monitor where changes are occurring.
As SAP customers move to the cloud, they’ll also want to think about service level agreements (SLAs) related to operational controls and security. For instance, if they experience system unavailability, poor performance, natural disaster: what is their escalation process? What is their fallback plan?
Governance for the cloud
The discussion about effective management of cloud risk will already have suggested the desirability of a governance committee for cloud operations. For many organizations, this might be a mere expansion of the existing information technology governance committee’s role. For others, a cloud governance program might begin with coalescing cloud risk and data risk, then looking at controls around both risk types together.
Success in balancing cloud innovation opportunities with cloud risk management ultimately depends on a corporate culture and leadership team that are ready to embrace a more innovative mindset and a more agile way of working. It isn’t unusual for organizations to hire external experts to set a foundation for effective cloud governance. We often hear from leaders eager to embrace what the cloud can do – they’re well aware of its possibilities. Both mindset and skillset are essential to establishing structures and process to balance the cloud’s risk and opportunity.