Best Practice 5.1 – Define security
roles and responsibilities
By defining the requirements to secure your SAP workloads, you can identify risks that must be addressed and ensure that security-related roles and responsibilities are appropriately assigned. In the suggestions, we discuss standards for AWS, SAP, and any service providers to form a baseline on which you can build your security strategy.
Suggestion 5.1.1 - Understand the AWS shared responsibility model
AWS is responsible for security of the cloud and you, as the customer, are responsible for security in the cloud. Be aware of and understand the following resources:
-
AWS Documentation: AWS Shared Responsibility Model
-
AWS Documentation:AWS Response to Abuse and Compromise
-
AWS Documentation: AWS Acceptable Use Policy
Understand the division of responsibilities between you and your partners in the context of the AWS shared responsibility model
Suggestion 5.1.2 - Understand the security foundations across SAP and AWS including compliance certificates, reports, and attestations
Understand the security standards and compliance certifications that SAP and AWS support. Determine which are relevant to your industry and country (for example, PCI-DSS, GDPR, HIPAA). These controls can help strengthen your own compliance and certification programs, and reduce the effort required to meet your security standards.
Refer to the SAP and AWS documentation for more details:
-
AWS Documentation: AWS Compliance
-
AWS Documentation: AWS Compliance Center
-
AWS Documentation: Compliance Programs
-
AWS Documentation: Compliance Services in Scope
-
SAP Documentation: Trust Center
Suggestion 5.1.3 - Assess the security foundation of the service providers that support your SAP workload
If you are dependent on third-party organizations to manage all or part of your SAP workload, assess the ability of the third party to meet the required security controls. This includes the legal and regulatory requirements mandated by your enterprise.
