Sap Erp in The Cloud

An Oracle White Paper
April 2010
SAP ERP in the Cloud
Oracle White PaperSAP ERP in the Cloud

Introduction ........................................................................................ 1
Key Characteristics of the Cloud ........................................................ 2
Cloud Services ............................................................................... 2
The Cloud Provider View ............................................................... 5
Public Clouds ................................................................................. 5
Private Clouds ................................................................................ 6
Hybrid Clouds ................................................................................ 7
The Cloud Consumer View ............................................................ 8
Cloud Technology .......................................................................... 9
Security in the Cloud .................................................................... 19
Cloud Summary ........................................................................... 20
Enterprise Resource Planning in the Cloud .................................. 22
SAP Security in the Cloud ............................................................ 37
Oracles Infrastructure for the SAP Cloud ........................................ 38
SAP Virtualization from Oracle ..................................................... 39
SAP Server Virtualization ............................................................. 41
SAP Storage Virtualization ........................................................... 42
Securing Access to Virtualized SAP Application Components ..... 43
Summary ......................................................................................... 48
Oracles Global SAP Service Portfolio .......................................... 48
Oracles Sun Solution Center for SAP .......................................... 49
Sun Joint Support Center for SAP Applications ............................ 49
Oracle Virtualization Services ...................................................... 49
Oracle Storage Virtualization Services ......................................... 49
Global Oracle Support .................................................................. 50
For More Information ........................................................................ 50

1
Introduction
What is Cloud Computing? Cloud Computing is one of the hype topics in the high-tech industry
today. Almost every IT company offers some kind of cloud product or services and almost
every IT expert uses a different definition of the term Cloud Computing. For a typical private
end-user, Cloud Computing means to use a Web-based service, for instance online services
for data storage, email, word-processing, spreadsheets, collaboration, file conversation, social
media, etc. There is no magic behind these Web services, other than the fact that the end-user
does not need to deploy or install dedicated applications on their home PC system anymore.
The only prerequisite is the existence of a working internet connection. Most of the mentioned
services are free and for others, end-customers pay a monthly fee, usually on a per user basis.
The general concept of Cloud Computing from a private end-users point of view is:
To plug into the internet from anywhere access processing, applications, and data services
whenever needed
To only pay for what is used or needed
However, private cloud usage is only one aspect of the overall cloud story. Companies have
realized that Cloud Computing might be a good avenue to reduce internal IT costs by spending
less money on software licenses, hardware, storage, training, and the needed maintenance of
the mentioned areas. Small and medium sized enterprises might especially gain large
advantages by using a cloud-based IT approach instead of building internal datacenters. An
outsourcing model can help to extend IT services step by step depending on the growth of the
individual business.
This white paper provides a general overview of the term Cloud Computing from an enterprise
point of view. In addition, the topic of Enterprise Resource Planning (ERP) in the cloud is
covered with a dedicated focus on the SAP ERP stack deployed on cloud technology
components from Oracle.

2
Key Characteristics of the Cloud
1he general understanding o Cloud Computing is related to an on-demand serice model by which
arious dierent resources ,hardware, sotware, and serices, are combined on an on-the-ly basis
,ligure 1,. 1he serice,s, are deliered oer the network, which could be the intranet o a company or
the internet when the serice is ordered rom an external proider. Neertheless, the term network
always includes Internet-based technology such as the 1CP,IP protocol stack that is used to
communicate between the cloud proider and the cloud consumer.

Figure 1. Cloud Computing relates to on-demand service model
Cloud Services
1he serice aspect o the cloud includes three dierent components - applications, hardware, and
systems sotware - which can be combined to build a cloud-speciic serice package or oering
,ligure 2,. Depending on how a cloud proider combines these components within a cloud oering,
there are a number o dierent cloud serice layers.

3

Figure 2. Definition of Cloud Computing
Currently, there are our possible cloud serice layers that can be used in combination to build a ull
end-to-end cloud oering as described below and in ligures 3 and 4.
Sotware as a Serice ,SaaS, - oers an application, such as LRP, on demand oer the network or
internet
Platorm as a Serice ,PaaS, - proiders sell a complete deelopment platorm including the
necessary built-in serices, such as MySQL databsase, Glasslish application serer, LDAP,
NetBeans sotware, and Oracle Solaris Studio, on demand oer the network.
Inrastructure as a Serice ,IaaS, - a serice oering that supplies hardware and sotware
inrastructure components, such as compute, storage, systems, Oracle Lnterprise Manager Ops
Center, Sun Management Center and Sun Identity Manager rom Oracle, and more.
Desktop as a Serice ,DaaS, - moes the desktop enironment o a cloud consumer into the cloud
and proides secure remote access to the serer-based applications. It helps to reduce administration
costs and establishes higher security standards as I1 sta can proision applications rom a central
console to end users who hae assigned appropriate access rights based on indiidual or group
criteria.

4

Figure 3. Iaas and PaaS layers

Figure 4. SaaS and DaaS layers

5
1he layers are highly lexible, enabling arious proiders to work together but still ocus on an
indiidual area o expertise. lor example, one partner might proide the underlying inrastructure
serices ,IaaS, while another partner is responsible or the deeloper and application platorm ,PaaS or
SaaS,.
The Cloud Provider View
A cloud proider owns the arious cloud serices ,IaaS, PaaS, SaaS, and the related capital risks.
Currently there are three cloud models: public, priate, and hybrid. 1he dierences between priate
and public are described in ligure 5.

Figure 5. Definition of cloud provider view
Public Clouds
A public cloud proider oers serices to anyone in the general public that might be interested in using
the serice ,ligure 6,. In other words, anyone who has access to an internet connection, is able to pay,
and is aware o the speciic cloud serice oering can use it on demand. 1here are no consumer
restrictions or speciic user groups, communities, or certain company types. 1hereore, this type o
cloud oering is reerred to as public. Practically eeryone on the \eb can take adantage o public
cloud serices.

6

Figure 6. Cloud provider view of a public cloud
Private Clouds
Also called enterprise or in-house clouds, priate clouds do not hae a public character. Cloud
proiders and cloud consumers are part o the same company. 1he I1 department o a company acts
as the cloud proider and oers a cloud serice that can be used by internal units to deploy and run
business applications ,ligure ,. 1his diers rom traditional I1 support in that I1 utilizes the on-the-
ly lexibility o cloud technologies to proide compute resources as needed.

Figure 7. Cloud provider view of a private cloud

7
Hybrid Clouds
lybrid clouds represent a combination o both priate and public cloud models. lor example, a
company implements a priate cloud to support business-critical serices and utilizes the public cloud
in an on-demand ashion or non-critical serices, as illustrated in ligure 8. Lxternal and temporary
cloud serices can be less expensie rom a cost,beneit perspectie than proiding the same serice
internally. 1hereore, this type o cloud model might be o interest to large, global enterprises with a
periodic temporary demand or speciic cloud resources. It also proides much better data security or
the company itsel ,well-guarded internal network, in comparison to a public cloud approach where the
cloud consumer completely relies on the security mechanisms o the selected proider.

Figure 8. View of a public cloud
ligure 9 summarizes the key acts about the three cloud proider models.

Figure 9. Differences between cloud types

8
The Cloud Consumer View
A cloud consumer ,a company, must irst identiy which cloud serices ,IaaS, PaaS, SaaS, and DaaS,
best suit the existing business requirements ,ligure 10,. 1he decision o whether to use or to build an
in-house cloud serice depends strongly on the aailable internal resources, such as human resources,
and the necessary knowledge and experience in the arious I1 areas ,applications, security, systems, or
storage specialists,. Other actors that inluence the decision are existing I1 budget and competitie
market aspects. 1he lexibility to grow and shrink depending on existing market demand and business
orecasts, as well as the agility to react almost in real time in a highly competitie market space such as
\eb 2.0, makes Cloud Computing ery attractie to startups and small- and mid-sized companies.
Larger enterprises with a dierent business model might hae other reasons to use internal or external
cloud serices. Most o these companies need to reduce I1 budgets by replacing cost-intensie I1 tasks
with comparable cloud-based, on-demand serices.
Lspecially in diicult economic times it is in eery organization`s interest to ind the right balance
between operating expenses and related earnings. 1hereore, Cloud Computing has the potential to
play a major role or eery kind o business within the next seeral years.

Figure 10. Definition of the cloud consumer view
As a consumer o a public cloud it is important to keep in mind that the same enironment is shared
with many other unknown cloud users at the same point in time. 1he network, serer compute power,
storage deices, and depending on the serice contract the application instance,s, might be shared with
many other users. 1he ability to shared resources is why cloud proiders are able to oer standardized
serices or less than it would cost to implement and maintain the serices in house. 1his might not be

9
the right solution or eeryone as indiidual customization o the oered serices within the cloud can
be limited. Cloud serices hae a strong standardized character today and are built to meet the needs o
the majority o users, which also helps to keep the administration and maintenance o the enironment
at an acceptable leel. 1hus, it is ery important to closely analyze existing internal serices beore
moing a particular serice to an external cloud serice contract.
A cloud consumer could be interested in all o the oered serice layers or only in the layers where
there is a lack o dedicated internal knowledge, making it less expensie to buy this serice and the
related hardware and sotware support rom a cloud proider who is able to oer exactly the
standardized setup needed based on gien business requirements.
Consumers o a priate cloud model do not hae to care about sharing resources with other unknown
users. 1he arious business departments can access aailable hardware and sotware resources on an
on-demand basis similar to a public cloud enironment. 1he big dierence is that resources are shared
only with other internal colleagues and highly critical business data is stored on a secure storage deice
within the intranet o the company. In addition, it also makes sense to use a standardized cloud
architecture with standardized systems, inrastructure components, and management processes to
achiee the positie cost eects o using cloud technology. 1hus, a priate cloud oers similar
adantages as a public cloud enironment without the attendant security and priacy issues. In
addition, there is still enough lexibility to add or extend speciic eatures that are not aailable in a
public cloud stack, such as business logic or LRP unctions. 1he dierences between cloud types as
experienced by a cloud consumer are summarized in ligure 11.

Figure 11. Cloud consumer view across cloud types
Cloud Technology
1he key technologies used in a cloud-based landscape are irtualization, \eb serices, and NaaS.

10
Virtualization
Virtualization is not a new component in this technology mix. It is a proen and widely accepted way
to consolidate existing serer and application landscapes, and is deined in ligure 12. Virtualization
helps to realize greater eiciency and cost saings, and helps in maintaining or exceeding serice-leel
agreements ,SLAs, in all o the described cloud scenarios. 1here are currently three irtualization types:
desktop, serer, and storage.

Figure 12. Definition of virtualization
Desktop Virtualization
Desktop irtualization is the concept o separating a personal computer desktop enironment rom the
physical machine through a client-serer computing model. 1he resulting irtualized desktop is stored
on a remote serer in the cloud instead o on the local disk o the remote client machine. 1hus, when
users work rom their remote desktop clients-PCs, smart phones, laptops, or thin client systems-all
o the programs, applications, processes, and data are stored and run centrally in the cloud. A irtual
desktop inrastructure uses irtual machines to enable multiple network subscribers to maintain
indiidualized desktops on a single, centrally located serer enironment. Users might be
geographically scattered, but all can be connected to the central machine by a local area or a wide area
network or through public networks such as the internet. \hen desktop irtualization is implemented
within a cloud it is also called Desktop-as-a-Serice ,DaaS,.
Server Virtualization
Serer irtualization masks serer resources - including the number and identity o indiidual physical
serers, processors, and operating systems - rom the users and applications. 1he serer administrator
uses an application to diide one physical serer into multiple isolated irtual enironments. 1hese
enironments are called guests, irtual instances, containers, or emulations. 1oday there are our
dierent irtualization types:

11
Virtual machine model
Parairtual machine model
lardware emulation model
Virtualization at the OS layer
Storage Virtualization
Storage irtualization pools physical storage rom multiple network storage deices into what appears
to be a single storage deice that is managed rom a central console rom within the cloud ,ligure 13,.
Storage irtualization is commonly used in a storage area network ,SAN,. It helps storage
administrators to perorm backup, archie, and recoery tasks more easily and in less time. 1his all
helps to sole the data explosion problems-many applications generate more data than can be stored
physically on a single serer, and many applications hae multiple machines that need to access the
same data-and improes data management eiciency.

Figure 13. Storage virtualization
Goals of Cloud-Based Virtualization
1he main goals accomplished by using irtualization technology in a cloud-based enironment are:
Separate the hardware rom the serice, application, and OS ,an abstraction rom physical resources,
lost multiple guest systems on a single physical serer
Increase serer and storage utilization, increase agility, and reduce energy costs
Create copies o existing enironments quickly and easily
Moe irtual machines between physical serers

12
Combine aailable network resources by splitting aailable bandwidth into channels, each o which is
independent rom the others
Pool physical storage rom multiple network storage deices into what appears to be a single storage
deice that is managed rom a central console
Web Services
\eb serices are the cloud components with which cloud proiders are able to oer in-house created
and deeloped application unctionality in a standardized way to the outside world. \eb serices also
enable eatures rom one application to be integrated into another application which can be stored in a
\eb serices repository as a reusable component or other applications that might not yet be
deeloped.
\eb serices represent one possible implementation approach or a serice-oriented architecture
,SOA,. \eb serices are unctional serices that are based on internet protocols and are transported
oer the internet inrastructure. 1hey can hae a manual or automated character. As \eb-based
sotware components they rely on XML standards to exchange data.
\ithin a typical \eb serices SOA model there are three role types: serice proider, serice
repository, and client ,ligure 14,. 1he serice proider oers serices oer a programmable interace.
1he serice repository is used to store and to oer the exposed \eb serices to the serice users that
integrate and consume the oered \eb serices based on XML-based messages and internet protocol
standards.

Figure 14. Web services-SOA
1he key eatures o \eb serices are:
Reachable oer programmable interaces on an XML-based message exchange process, such as
SOAP and \SDL.

13
Based on the internet protocol suite. Operations and messages can support arious dierent
protocols, such l11P and SM1P.
Capsuled and loosely coupled character-a clearly deined task with the implementation details
hidden rom consumers.
Composition and reusable character-can be combined with other \eb serices to proide a new
more complex serice.
Location-independent and can be actiated rom eerywhere. 1he consumer must hae the needed
access rights and authorization.
Can hae an inormatie or a transactional character. lor example, the \eb serice can be part o a
business transaction.
One o today`s trends in the cloud arena is to use \eb serices based on the restul or
RLpresentational State 1ranser Architecture ,RLS1,. 1his type o \eb serice ully relies on the
methods o the l11P protocol stack. Under the terms o RLS1, eery \eb application consists o a
collection o resources or resource objects that are reachable oer l11P. In other words, \eb sites,
pictures ,gis, jpegs, etc.,, CGI scripts, serlets, and more are RLS1 resources that can be reached oer
a dedicated URL or URI. 1he l11P methods ,GL1, PU1, POS1 and DLLL1L, are the erbs
applied to the substanties ,the resources, and thereore represent the interaces to the RLS1 resource
objects. lunctions o the methods are listed in 1able 1 and a conceptual diagram o RLS1 is shown in
ligure 15.
TABLE 1. HTTP METHOD FUNCTIONS
GET Retrial the representation of the resource (display format: HTML, plain text, jpeg, etc.)
POST Start process on the server (e.g., modify or add database fields)
PUT Create new resource or replace an existing one
DELETE Erase an existing resource

1he key adantages o restul \eb serices are:
Lightweight \eb serice integration
A RLS1 back-end serer does not know the state o the client ,stateless session,
Reduces the load on the back-end serer
Allows load-balancing and serice interruptions
Clients manage their own status ,e.g, the sequence o the l11P methods,calls,
Simple deelopment model,approach ,no dedicated tools required,
Lery resource object can be reached by a URL,URI request

14
URL,URI includes all o the needed inormation,containing all o the inormation necessary to
understand that request
As the URL,URI is the trigger or a resource, it can easily be cached at a proxy, gateway, or load-
balancer site and thereore reduces the load on the back-end serer
Incoming client requests can be handled much aster because there is no need or SOAP enelope
extractions ,less payload,
Ideal solution or scenarios with a high number o parallel \eb serices requests - proides higher
scalability than SOAP-based \eb serices

Figure 15. Conceptual diagram of REST
Key Issues Today
\eb serices as they are deined today hae some disadantages. 1here are more than 100 \eb
serices speciications aailable, which sometimes contradict each other. 1he current situation -
where eery cloud proider relies on a dierent \eb serices speciication - presents a high risk
actor. 1here is a need or standardization in this technology area. 1he issue o standardization needs
to be addressed beore integration between dierent \eb serices-based cloud serices - oered and
hosted by arious cloud proiders - can be started by the growing cloud consumer community within
their hosted cloud-based system and application landscapes.
Relying on a market leading cloud proider such as Google or Amazon might reduce the risk because
the leaders always set and push their own standards. Since these proiders hae a large market share,
they are able to deine their own \eb serices speciications, which are more likely to be automatically
adopted by the other market players.
1he typical elements o today`s cloud \eb serices enironment is illustrated in ligure 16.

15

Figure 16. Typical elements of todays Web services environment
Network as a Service (NaaS)
NaaS is a airly new term in the cloud sphere and can be deined in the ollowing ways:
Proides a dynamic sotware-based and sotware-controlled re-coniguration o network resources
and new bandwidth management system or cloud-based applications
Uses an intelligent, automated, and serice-oriented network model or paradigm
Controls the aggregate network bandwidth used by a cloud-based serice
Includes network irtualization as the underlying technology
Is part o the next big cloud deelopment step
As cloud consumers relocate their home enironment into cloud proider datacenters and the internet,
network traic and network load and utilization increases. New solutions such as intelligent network
limiters need to be deeloped and deployed to mitigate challenges such as bandwidth limitations, 1CP
latency, and talkatieness o applications, as shown in ligure 1.

16

Figure 17. Relocating network traffic
1here are still a ew open questions to be answered beore cloud customers are able to moe a
complete LRP stack into a public cloud-based enironment:
Does the internet hae enough bandwidth and traic management to support this data moement
Can resources be eiciently and dynamically proisioned to support increases or intermittent
changes in demand
low will addressing stateully moe rom one autonomous system to another
low will the security policy bound to a particular object ,re: VM, stay consistent and coherent as a
VM moes across the network and rom one network to another
\hen will open standards be deined and accepted to codiy the solutions to these problems \ill
the current inrastructure run these open standards in a scalable manner
low will rate limiting be distributed to proide the critical ability or cloud proiders to control the
use o network bandwidth as i it were all sourced rom a single site
It seems that NaaS represents one o the cloud areas where cloud endors need to inest more
resources in the near uture to eliminate some o the most critical roadblocks. 1hus, the main driers
or new NaaS technologies are:
1ime-to-market - ast serice establishment, actiation, and allocation
Serice dierentiation - the ability to oer dierent SLAs depending on a customer`s requirement
proile
llexible and scalable network bandwidths - bandwidth on-demand ,BoD, capability to quickly and
lexibly react to unknown luctuations ,on-demand serices,

17
Lxchange o monitoring inormation to agree on what to monitor, where to monitor, and to whom
the data should be isible
Serice communications across monitoring domains should include dierent business partners to
deal with multiparty interactions to sole an issue
One solution that is a possible irst step in resoling the issues aboe is called 1hinPrint ,ligure 18,.
1hinPrint is a irtual deice drier or printers in a irtualized serer and storage landscape that
includes a connection-oriented bandwidth control mechanism to limit the bandwidth or a single
network connection, user group, or single workplaces. 1hinPrint`s eatures include:
Virtual deice drier or printers ,1hinPrint V-Layer,
Deploy on each VM ,DaaS,
Install endor-speciic deice driers on central print
serers only
Connection-oriented bandwidth control
Limit bandwidth or single network connections, user
groups, or single workplaces
Data compression rate up to 98
Optimized print data throughput on a network based on a
protocol extension

Figure 18. ThinPrint
Internet Traffic Control
One downside with public Cloud Computing is that users access applications through the internet,
which can be slower than using a priate cloud. 1hus, the question or many cloud consumers
interested in LRP is: are cloud proiders and their related internet partners able to oer guarantees in
regard to the aailability and the round-trip times o 1CP packets Or in other words, what is the
expected aerage network latency
1his might not be an important question or commonly used \eb applications based on Joomla or
Drupal. It is, howeer, an essential question or cloud consumers with an LRP ocus. Such consumers
need certain response time guarantees or their business-critical LRP transactions.
1oday, cloud proiders and their related partners ,internet proiders, are only able to gie this
guarantee or the internet connection itsel, but not or the 1CP latency ,response times, when the
internet is used as an additional transport layer between the proider and the cloud consumer`s
network. I guaranteed response times or speciic business transactions are a critical requirement, it is
probably better to build an in-house cloud ,priate cloud,. 1raic control dierences between cloud
proiders and consumers are listed in ligure 19.


18

Figure 19. Internet traffic control
NaaS Management Frameworks
NaaS management rameworks are also going to play a signiicant role in the next phase o Cloud
Computing. A NaaS management ramework ,ligure 20, is a central administration and interaction
utility or tool that can be used by cloud proiders and their customers - the consumers - to proide
the ollowing unctions:

Lnable coordinated policing o a cloud-based
serice`s network traic
Dynamic bandwidth control and bandwidth on
demand
Control network bandwidth use and associated
costs using rate limiters or proider and
consumer
Distributed rate limiting could proide a powerul
tool or managing access to client content
Distributed rate limiting could bring the
bandwidth crisis under control, e.g., peak times-
based bandwidth split
Figure 20. NaaS management framework

19
\eb serices -based traic control unctions,eatures ,switches, irewalls, etc.,
Direct integration into existing administration tools and utilities
Integrated ticket support and tracking system at the consumer and proider layers
1ransport protocol extension ,e.g., compression algorithms,
A cloud proider can centrally control all network-related actiities, as well as distribute administration
tasks to customers as a kind o sel-serice oering as shown in ligure 21.

Figure 21. NaaS management frameworks
Security in the Cloud
Security in the cloud is more o a trust issue between the players in the cloud than a real security issue.
1he necessary security inrastructure already is aailable and just needs to be adopted rom the
enterprise layer into the cloud arena. But there are additional risk actors introduced when irtual
machine images are moed within a cloud rom one physical system or network component to another
system or network component. 1hereore, it might make sense to enhance existing security protocols
so that they also can be used within in the irtualization layer. lor example, enable VMs to take their
dedicated security policies with them when they moe around within the cloud.
\eb serices are connected with each other ,customer - proider network, oer the internet or
between the speciic partner networks in a priate cloud setup. \eb serices are used to share
inormation or to customize the cloud setup through a \eb interace. 1hereore, cloud proiders must
establish the required security standards, because they oer the serices on an on-demand basis to their
customers. 1his also includes implementing well-known security practices such as data encryption,

20
authentication, authorization, and raud detection against all possible internal and external attacks. lor
example, an internal administrator should neer be able to make a copy o an installed customer VM.
It is also essential to proide all customers and interns with a method to securely establish a cross-
enterprise Single Sign-On ,SSO, connection to their irtualized datacenter OS images and the
applications running on top o these images. lederated identity management technologies such as
SAML- an XML-based standard or exchanging authentication and authorization inormation
between arious dierent business partners-oer a good solution and also allow the necessary trust
policies or the arious end-user types to be implemented.
Another important point that needs to be mentioned is multitenancy. 1he cloud proider is
responsible or isolating all tenants ,customers, companies, end users, that share the same physical
enironment ,computing, storage, network, and must proo this to customers by collecting and
oering related reports and log iles. Additional NaaS-related applications that are capable o
monitoring the data in transer in a irtual network should be used to complete the cloud serices in
that space.
Clear segregation o duty rules or all users, especially or those with administration rights, should be
established as well. 1his is a strong actor in saeguarding the cloud enironments rom unauthorized
access. In general it is important that all cloud participants and players enorce and comply with the
same security rules and policies - centralized identity management, authentication, authorization,
monitoring standards - to maintain an equal leel o trust, because a chain is only as strong as the
weakest link. In addition, the authentication process can be strengthened by using risk-based eatures
,risk-based authentication approach, to enhance the leel o security proided by an access
management solution stack. 1his strong orm o authentication can protect access to a cloud based on
!"#$%&'( *('+&,&-., an additional analysis o past user behaior. Any actiities that dier rom the normal
behaioral pattern lead to an adanced authentication process in which users must answer additional
security questions, such as: \hat is the name o your manager \hich department do you belong to
And so on. Another way to protect the cloud enironment rom attackers, hackers, and intruders is to
use transparent authentication methods that rely on a deice recognition process in which user deices
are identiied through their speciic deice parameters such as Lthernet-address, IP geographic
location, and so on.
Cloud Summary
In general, Cloud Computing oers the ollowing key beneits:
Reduce runtime
Batch jobs: Use 100 serers in parallel instead o a single one to accomplish a task in 1,100 the
time.
Optimize response times - true or priate cloud, uncertain or public cloud
Scale out on-demand to meet customer demands.
Minimize inrastructure risk

21
Public clouds: cloud proider owns the capital,inancial risk o the inrastructure.
Priate clouds: send oerlow work to a public cloud.
Lower cost o entry
Inrastructure is rented, not purchased, the cost is controlled, and the capital inrastructure
inestment can be zero.
Applications are deeloped more by assembly than programming.
lelps reduce time to market ,competitie actor,.
Increase the pace o innoation
Lnables start-up companies to deploy new products quickly and at low cost.
Lnables small companies to compete more eectiely than traditional organizations that deploy
serices in enterprise datacenters, which can take signiicantly longer.
1he key challenges o Cloud Computing are:
Data goernance and compliance
Lnterprises must comply with many o the regulations that require data goernance.
By moing data into the cloud, enterprises might lose some capabilities to goern their own data.
Serice proiders must oer guarantees.
Manageability ,e.g., NaaS,
Most raw inrastructures and platorms lack adanced management capabilities. lor example,
Amazon`s LC2 does not automatically scale an application as the serer becomes heaily loaded. It
is still up to the deeloper to manage scalability problems.
Monitoring
CPU and memory usage o irtual machine enironments can be misleading.
Lack o monitoring tools or \eb serices and underlying layers ,e.g., sotware, irtual machines,
hardware,.
Inability to measure transaction process time and latency.
Reliability and aailability
Lnterprises today cannot rely on the cloud inrastructures,platorms to run critical businesses in
public cloud enironments.
1here are almost no SLAs oered by the cloud proiders today.
Virtualization security

22
Need to apply standard enterprise security policies goerning access control, actiity monitoring,
patch management, etc., to irtual enironments. lor example, need the ability to control and
monitor the moement o irtual machines using lie migration or VMotion.
Enterprise Resource Planning in the Cloud
LRP in the cloud means to moe existing LRP enironments into cloud-based system and sotware
landscapes. It could simply mean to use cloud technology to optimize the 1CO o an in-house hosted
LRP enironment or to outsource the complete stack into a cloud,SaaS proider`s datacenter. It could
also mean to implement a hybrid cloud approach where LRP users are able to leerage the beneits o
both the priate and public cloud models.
LRP systems are critical to successul businesses because they integrate, automate, and create processes
that capture how the business works. It is thereore important to ensure the data is correct and that
there is adequate computing resources and bandwidth to proide timely results. An ideal enironment
would hae the company concentrating on the data and o-loading the inrastructure to a cloud
proider. 1his is called sotware as a serice ,SaaS,. Unlike application serice proiders ,ASPs,, SaaS
endors typically oer sotware that is designed rom the ground up to be hosted and deliered oer
the \eb. Based on this deliery mechanism, most SaaS proiders expect beneits o lowered 1CO,
eortless upgrades, minimized end-user training, and no in-house datacenter and administration tasks
or their customers. 1he cost saings alone are probably not reason enough to start migrating business
applications into a public cloud. 1here are other reasons that should be considered beore initiating
such a moe. lor example, typical SaaS cloud oerings today are highly standardized, and while this
standardization might sole the business issues o small and mid-sized companies, it lacks the
customization lexibility that might be required by larger enterprises.
Another topic is business diersiication. I a company is highly diersiied and is actie in arious
dierent industries it might turn out that a SaaS cloud solution that oers the needed LRP
unctionality on an on-demand basis oer the Internet is simply not aailable. 1his makes sense, as the
nature o Cloud Computing is to optimize, standardize, and reduce costs, rather than oer process
integration and diersiication that is typical in LRP enironments. 1his does preclude companies rom
implementing internal priate cloud enironments to reduce time-consuming administration tasks, or
to use irtualization to achiee higher system utilization. Public cloud,SaaS oerings also apply highly
standardized processes to the application layer ,business process layer, and are thereore limited in the
indiidual design steps o consumers` LRP setups.
SaaS and SOA seem to be prerequisites or most endors oering sustainable systems integration. I all
o a company`s I1-applications are serice-enabled - whether deeloped internally or by leeraging
SOA support rom a endor - the inrastructure can be upgraded without necessarily touching eery
single piece o integration work that has eer been done. \eb serices - as one part o the SOA
paradigm - are one o the key technologies to \eb-enable LRP cloud enironments or an internet-
based, on-demand model. loweer, not all existing LRP unctions - as they are known today - are
aailable out o the box as \eb serices or can easily be implemented as \eb serices oerings to end
consumers.

23
Moing business applications into a public cloud oers the beneit o always running on current
sotware as the cloud proider is responsible or keeping sotware leels and patches up to date. 1he
danger is that critical business transactions are completely under the control o the cloud proider,
which also includes any inancial data stored in the cloud. Another risk that should not be
underestimated is the possibility o the cloud proider going out o business or moing to another
serice model that makes it necessary to migrate back to an in-house-based LRP solution stack.
1he public cloud oerings aailable today, such as salesorce.com, are ideal solutions or small- and
mid-sized enterprises that lack I1 and application experience and are interested in a low-cost solution
that enable them to easily grow and shrink with their own businesses. 1he highly standardized business
applications o a public cloud SaaS oering can be a good starting point or these companies, enabling
them to experience LRP sotware at a low cost and to ind i the public cloud oering suits their
business requirements. I in the uture the business grows dramatically and the business diersiication
process starts it might eentually be necessary to migrate rom a public to a priate or hybrid cloud
model. 1he dierences between public and priate clouds or LRP enironments are listed in
ligure 22.

Figure 22. ERP in the cloud: SaaS
ERP in the Cloud: Main Concerns Today
ligure 23 shows the main concerns LRP users ace today when inestigating a moe o LRP
stack,business transactions into a public cloud.

24

Figure 23. Main concerns today of ERP in the cloud
1he security serices oered through a cloud proider that hosts LRP applications on an on-demand
basis oer the Internet is illustrated in ligure 24 and should include:
Centralized identity management unctions
User proisioning, user authentication, and authorization serices, delegated administration
serices, etc.
Reliable and strong encryption methods or data access and exchange processes.
OS hardening
System and application updates with the most recent security patches
Use o security domains to group irtual machines
Port iltering
Stateul package iltering
Use o network admission control ,NAC, to keep the cloud enironment clean and to automate
regulatory compliance processes o remote deices

25

Figure 24. Security
Compliance plays a major role when moing business processes into the cloud because dierent
countries enact dierent goernmental regulations and dierent industries hae arying compliance
requirements and standards. lor a consumer it is essential to ind out i the selected cloud proider has
the needed compliance experience and related certiications in the arious areas ,datacenter, hardware,
sotware, etc., oered.
lor example, today it is not allowed to moe auditable business critical data rom a company located in
Lurope, e.g., Germany, into a cloud enironment that is hosted in the USA ,ligure 25,. 1his kind o
data moement iolates local German laws due to a lack o international standards and goernmental
regulations in that space.

Figure 25. Data storage moving data from the EU to the USA might violate local laws

26
Moing business processes and related business data into the cloud does not negate a company`s
compliance responsibilities ,ligure 26,. 1hereore it is important to ensure that the cloud proider
oers the right set o tools to enable an external audit without any open regulatory compliance issues.
lor example, there should be a system aailable that allows users to see and monitor where their
business-critical data is stored and with which they can remotely handle the segregation o duty ,SoD,
issues by themseles.

Figure 26. Segregation of Duties
1he biggest compliance-related dierences between LRP stacks such as SAP or Oracle and standard
\eb-based application enironments inole managing authorization. In an LRP stack, there are
unlikely to be uncritical entitlements as all o the captured data has a business critical background in an
LRP system. Lery stored piece o inormation is collected based on a speciic business-related
unction and is used to execute, prepare, or document business transactions. 1hereore, losing such
important data - representing a business-critical unction - creates high risk or eery company. 1his
is why eery captured piece o inormation on an LRP system needs to be protected against data loss
and possible internal or external security intrusions.
It is important or eery public SaaS cloud proider to implement and oer an identity management
system that allows a 100 identiication and mapping o all business users and their related technical
user accounts ,system and application accounts,. 1his correlation between business user and technical
users needs to be proen eery time when an audit is going to take place. 1his is a diicult challenge
or eery I1 department, but een more diicult to ulill in an enironment like a public cloud where
seeral customers share the same application and database instances at the same point in time. 1hus, a
good identity management system is needed to sole this kind o issue and to separate user
management or each customer. In addition, another system,sotware component is required that

27
proides the dedicated unctions to certiy which person has done what with which technical user
account,s, at which point in time in regards to all audit-releant inancial business transactions.
A global-acting cloud LRP proider also needs to oer a centralized authorization system that allows
customers to indiidually customize security based on local or country-speciic laws. 1oday, this
capability might only be possible in a priate cloud enironment.
lrom a network point o iew, keep in mind that today, cloud endors do not oer bandwidth or
response time guarantees or Internet-enabled business transactions ,ligure 2,. 1his is critical issue
or companies that rely on speciic response times or some o their most critical business processes. In
this case it might be worth thinking about a priate or hybrid cloud implementation rather than a
public cloud stack.

Figure 27. Network
ERP Cloud Service Level Agreements
Gien the current state o oerings, good serice leel agreements rom LRP cloud implementations
should include the areas listed in ligure 28 and below:
Secure \eb access management
Acceptable authentication and authorization methods used to secure the cloud proiders network
Lncryption standards
Datacenter security
Redundant systems, storage, and networks

28
Security o the datacenter itsel, identity o cloud endor sta that has access to the irtual
enironment, documented procedures that state how the enironment is controlled and
monitored
Network security
Multiple internet connections
Multiple irewalls and intrusion detection systems
Protected segments
Reerse Proxies
1hird-party audits
Authentication,authorization
L.g., role-based access control
Compliance
SoD checks
Business monitoring
Change history or business critical transactions
Detailed documentation on how and where data is stored
Certiied according to standards appropriate or the oered applications

Figure 28. Service level agreements are key

29
Good serice leel agreements illustrate that the cloud proider o choice understands the dierences
between hosting a comprehensie LRP landscape and standard \eb applications.
1here are currently our dierent cloud oerings or SAP applications:
SAP Business ByDesign
SAP On-demand solutions or the SAP Business Suite
SAP Business Suite
SAP BusinessObjects OnDemand
All SAP cloud oerings are deliered through the SaaS model, as illustrated in ligure 29.

Figure 29. SAP ERP in the cloud
SAP Business ByDesign
SAP Business ByDesign is a typical SaaS package or small and mid-sized companies that proides a
single, integrated application to manage the entire business rom the cloud oer the internet. According
to SAP documentation about Business ByDesign, this solution ocuses on enterprises with a maximum
o 100 parallel users. It includes the ollowing key eatures:
lull unction business applications to adance isibility and control oer key business areas
On-demand applications - SaaS
Deliered in modules, such as BusinessObjects shown in ligure 30 ,start small and add modules as
the business grows,
Managed, monitored, and maintained by SAP AG

30
Requires only a standard \eb browser
Proider-based operational complexity, reliable security, priacy protection, and high aailability
Current coniguration: Linux with MaxDB as the database platorm

1he standard SLAs o this cloud solution include all o the mentioned
actors o a reliable and secure public LRP cloud oering:
Secure \eb-based access
Physical on-site link,VPN to a connectiity appliance that controls
access rom browsers to on-demand proprietary inormation
User IDs and passwords
Part o up-to-date client operating systems and browsers, i.e., client
operating systems and browsers are updated with latest security
patches
Datacenter
Multiple saeguards or physical data security and integrity
Figure 30. SAP BusinessObjects on-demand
ligh aailability o business data proided by redundant networks and power systems
Redundant hardware storage system perorms regular backups
Network security
Reerse proxy arms that hide the network topology rom the outside world
Multiple Internet connections to minimize the impact o distributed denial o serice ,DDoS,
attacks
Adanced intrusion detection system that continuously monitors solution traic or possible
attacks
Multiple irewalls that diide the network into protected segments and shield the internal network
rom unauthorized Internet traic
1hird-party audits perormed throughout the year to support early detection o any newly
introduced security issues
Role-based access and security
Accesses through SoD implemented through role-based access management
line-tuned access to relect the areas o responsibility o indiidual users
attacks

31
User types:
Key users - conigure the solution and grant and reoke access
Lnd users - standard day -to-day business
Support users - maintenance only
Remote logon to the customer`s solution in the datacenter is also monitored and recorded
Compliance
Journal entries that carry all inormation necessary to identiy the respectie business transaction
and trace it through reerences to the underlying source documents
By deault, accounting-releant data cannot be deleted, and all changes made to inancially releant
data are recorded in a change-history log
attacks
Documentation o the sotware solution
Procedure and task descriptions or end users
Detailed technical descriptions explaining how data is processed and stored
SAP On-Demand Solutions for the SAP Business Suite
1he second key cloud oering by SAP AG is based a hybrid cloud approach. 1his solution ocuses on
large enterprises and represents an add-on kind o eature or unction set that can be integrated and
used on an on-demand basis oer the Internet. Additional new unctions such as e-sourcing ,supplier
selection,, CRM, expense management, and CO2 emission management can be deliered as \eb
serices oer the internet and directly integrated into an existing SAP Business Suite landscape.
1he irst oering aailable is the SAP CRM on-demand solution. It allows a \eb-based subscription
on a pay-as-you-go basis and it can be ully integrated into an existing in-house SAP LRP sotware
stack. 1his hybrid cloud package relies on SAP CRM ersion 200 and the underlying SAP Net\eaer
application ramework. It includes all components o a typical CRM system: Sales ,sales reporting and
orecasting,, serice ,customer serice and help desk,, and marketing ,campaign management,.
Coniguration o this solution is perormed oer the Internet by using a standardized and user riendly
\eb-interace, which also needs to be used or all administration tasks.
SAP AG oers global enterprise-class support or this new cloud oering:
Lasy-to-use CRM unctionality on a pay-as-you-go basis
Clear and comprehensie serice leel agreements
99 system aailability
Compliance with data protection standards worldwide

32
Single endor iability and accountability
24, global production support
SAP BusinesObjects OnDemand
1his is another public cloud oering by SAP AG based on BusinessObjects Crystal Reports ,ligure
31, that includes the ollowing eatures:
A cloud-based business intelligence solution
Business intelligence on demand
O load business intelligence and data warehouse inrastructure onto a hosted platorm
Data analyzing on demand, oer the \eb
Inormation on demand
Lnhanced business intelligence with external inormation ,\eb serices integration,
BusinessObjects partner API
Data quality on demand
Cleanse and eriy addresses in existing operational systems
Insert crystalreports.com ,CRDC, unctions into third-party applications such as salesorce.com
Distribute iles and reports that proide intelligence or sales quoting, sales tracking, and support
tracking

Figure 31. BusinessObjects on-demand services

33
SAP Business Suite
SAP Business Suite is the basis or an LRP enterprise cloud enironment as it acts as a construction kit
to deelop an in-house SaaS-LRP cloud stack. It deliers all o the necessary business and technology
components - which can be used by a company`s internal I1 department - to build an indiidual
SaaS oering based on the needs o the arious business units within an enterprise ,ligure 32,. In
addition, with the unique capabilities o SAP Net\eaer, SAP Business Suite proides the openness to
automate business processes rom end-to-end, across company boundaries and heterogeneous system
landscapes. 1he adantages o hosting an in-house SAP LRP solution on a priate cloud model are:

Priate and secure application instances as opposed to sharing
an instance with other unknown customers
llexibility to customize the solution based on indiidual
business needs, including industry speciic solutions ersus
standard-based conigurations with limited customizable
capabilities
1he ability to use standardization where eer possible, while
staying lexible enough to support indiidual changes
,architecture, systems, high aailability, irtualization
technology, \eb serices, etc.,
Figure 32. SAP Business Suite
Store business and compliance-critical data in house
1he SAP Business Suite is a amily o business applications that oer a rich unction set or almost
eery business sector:
LRP core business components ,lI, lR, SD, MM, etc.,
Customer Relationship Management
Product Lie-cycle Management
Supply Chain Management
Supplier Relationship Management
SAP Business Suite is built on the standards-based deelopment and runtime enironment o SAP
Net\eaer, a technology stack that deliers the lexibility to start small and grow as needed. SAP
Net\eaer includes arious technologies, programs, and toolkits to:
Proide a reliable and scalable runtime enironment or SAPs business applications
Allow applications to work together
Build new applications on top o existing applications
Support common security standards, e.g., SAML, JAAS

34
Delier SAP Business Suite unctionality as a set o reusable \eb serices ,SAP composite
application,
Lower the 1CO o applications
SAP recognizes the need to extend the enterprise, and oers composite, \eb serices-based
applications to sole the speciic needs o priate enterprise cloud enironments. SAP Net\eaer
allows businesses to build and manage composite, collaboratie business serices that are aailable
wheneer and whereer they are needed by a community o users that extends beyond corporate
boundaries to suppliers, customers, and employees. 1hese serices can also be oered on an on-
demand basis as cloud serices to the internal and external business units o companies.
SAP Net\eaer enables access to a broader scope o applications and inormation by a wider range o
users, deliering game-changing beneits to the enterprise. Products ship aster, productiity climbs,
and customer satisaction increases. 1he challenge is to open up the enterprise to new ways o
conducting business as well as more users in a cost-eectie manner, while simultaneously ensuring
that inormation assets remain secure. SAP Net\eaer proides the basic technology and tools to
build indiidual enterprise SAP cloud enironments.
1he main integration components o the SAP Net\eaer stack are:
SAP Lnterprise Portal
SAP Mobile Inrastructure
SAP Business \arehouse
SAP Master Data Management
SAP Process Integration
SAP \eb Application Serer
1he related primary deelopment and management tools o SAP Net\eaer are:
SAP Net\eaer Deeloper Studio
SAP Visual Composer
SAP Composite Application lramework ,CAl,
SAP Solution Manager
1he main eatures o the SAP Composite Applications ,CAl, are below and in ligure 33:
Build new applications out o existing applications using \eb serices
Integrate one application with another based on an industry standard
Use an independent programming language approach
Based on the SOA approach or a coherent blueprint design o the \eb serices interaction and
integration process

35
SAP Net\eaer as the construction platorm or composite applications based on \eb serices
SAP Business Suite proides the business unctions to be accessible through \eb serices
Composite Application lramework proides the model-drien deelopment ramework or SAP
\eb serices-based applications

Figure 33. SAP CAF features
In addition, SAP oers an administration component to ully manage an SAP irtualized I1
enironment called Adaptie Computing Controller ,ACC,, which proides a single, centralized
console to operate, obsere, and manage irtualized ,adaptie, SAP computing landscapes without
haing deep technical knowledge o the underlying I1 inrastructure ,ligure 34,.

Figure 34. SAP Adaptive Computing Controller

36
Goernance, risk, and compliance ,GRC, is another area where SAP AG oers a comprehensie stack
o applications. 1wo o the most important components in this solution area are SAP BusinessObjects
Process and BusinessObjects Access Control.
SAP BusinessObject Process Control is a control management solution to automate monitoring,
testing, assessment, remediation, and certiication o enterprise-wide inancial compliance actiities.
SAP BusinessObjects Access Control is the oicial SAP risk analysis and remediation tool with which
any SAP related SoD issue can be identiied and addressed.
Oerall, SAP BusinessObjects Access Control consists o our components ,ligure 35, that interact
with each other on a \eb serices basis:
Risk analysis and remediation
Superuser priilege management
Lnterprise role management
Compliant user proisioning

Figure 35. SAP BusinessObjects Access Control
1he ability to build an in-house SAP LRP cloud enironment is adantageous, but the other cloud
layers should be considered. A cloud solution does not only rely on a comprehensie and lexible
sotware stack that includes all o the expected business unctionalities demanded by the arious
internal business units. It should also include the preiously mentioned inrastructure serices that
make out an LRP oering a real cloud-SaaS oering. Only by combining the business sotware with
the inrastructure parts, such as IaaS or DaaS, can I1 departments oer in-house consumers a
complete cloud stack with all o the releant eatures such as a pay-by-use model, on-demand serices,
irtualized SAP instances, centralized identity management, and compliance.

37
SAP Security in the Cloud
LRP systems are gaining in importance in the uture o cloud markets. SAP is one major player in this
ield and has already started its irst cloud initiaties. 1his section o the paper examines the existing
security model o the SAP LRP stack that is used to saeguard business data rom unauthorized access
or attacks during the transit phase within a cloud-based enironment.
A typical SAP landscape consists o seeral dierent SAP LRP components ,e.g., LCC, CRM, SRM,
etc.,. All o these components need to ollow the same architectural concept o a clear separation
between the production and the non-production application instances. 1his separation is the irst
important step in saeguarding an LRP enironment. In addition, it proides a secure change and
transport system that allows transer o system settings and business-related data rom one application
instance to another without running into security issues. Also the instance-to-instance communication
can be protected by the SAP speciic Secure Network Communication ,SNC, eature, which encrypts
all o the data that is transerred. 1he disadantage o this solution is that it represents a proprietary
technology that is speciically deeloped or and used in the SAP world only.
Another network-related security component is the SAP Gateway, which is an SAP dedicated irewall
product. On the authentication site, the SAP Net\eaer application ramework - which is the
runtime enironment or almost all SAP components - accepts seeral dierent authentication
methods. It starts with basic authentication ,UID - password, and can lead to the digital certiicate-
based authentication process. In addition, it is also possible to deelop custom or product-speciic
authentication modules that can then be used to extend SAP \eb application serer security unctions
to integrate an existing SAP landscape into a commonly used enterprise access management solution
such as Oracle OpenSSO.
But what about securing the program-to-program communication or \eb serices-based
communication processes that use the Internet or Internet technology as a transport medium Does
SAP support common standards to ulill authentication and authorization requirements that also allow
access o users rom other partner organizations or integration into an existing circle o trust o users
and \eb applications hosted within a cloud 1he good news it that SAP supports the standard
authentication and authorization protocol ,SAML, used or this kind o \eb-drien interaction
processes. Unortunately, SAP does not currently support the latest ersion o the SAML protocol
stack, which reduces the unctional options during the implementation phase o a SAML-based
authentication,authorization solution with other business partners in or outside o a cloud.
SAP LRP user management is another important component o the SAP security model. It oers the
highest granularity to customize user account proiles based on roles and their assigned
transactions,transaction objects. 1his allows lexibility during the role deinition phase and prohibits
the ability to gie users a higher authorization leel than needed in their day-to-day business. But an
extensie leel o lexibility also increases complexity, especially in an SAP LLC system that might
hae seeral hundred pre-conigured roles aailable in a single system.
1he SAP compliance or risk management-related issues that might come up in any kind o cloud-
drien SAP landscape can be soled by using the SAP Goernance, Risk, and Compliance ,GRC,
solution stack ,e.g., SAP BusinessObjects Access Control product, or all SoD-speciic issues in an

38
SAP enironment. Cloud proiders that oer SAP BusinessObjects Access Control as an on-demand
serice must support a single irtualized Access Control instance or each tenant because the product is
not yet able to proide SAP multiclient support.
Cloud-based user access can be oered rather than irtual desktop solutions, which can already be
integrated and combined with many aailable identity management stacks and encryption standards
that proide a secure data transit,user interaction process. 1hese solutions allow a complete
irtualization o the end-users` desktops, now hosted in the cloud and accessed oer a standard
Internet connection with a standard \eb browser such as Mozilla. 1hereore, it is also possible to
oer typical SAP power users almost the same secure work enironment - based on the SAP GUI
installed within the irtualized client OS on a hosted serer in the cloud - to the SAP LRP back-end
as they use it today. In addition, irtual desktops also allow the integration o other application
components such as Microsot Oice, which are then also aailable on a \eb basis rom any place
around the world.
Oracles Infrastructure for the SAP Cloud
1he main goal behind using an enterprise cloud approach in the SAP space is to establish an agile, end-
to-end platorm or running SAP applications eiciently, economically, and securely in a completely
irtualized application landscape. A cloud enironment enables SAP instances to moe rom one
physical serer to another to sole the issue o under-utilized system resources. A cloud enironment
also helps to establish a ital and lexible change management process that can be used to support a
company in adapting, growing, and responding to market changes in an almost real-time behaior to
gain adantages against other competitors. Another important aspect o enterprise Cloud Computing is
the need to enorce business goernance, compliance, and data security to protect the business against
errors, rauds, tax ines, and penalties. Oracle addresses these challenges with comprehensie hardware
and sotware stack, a community o internal specialists, and business partners that understand the
demands o implementing, deploying, and hardening enterprise cloud deployments ,ligure 36,.

Figure 36. One-stop shopping for Cloud Computing

39
1he main business adantages o Oracle`s strong combination o leading-edge cloud technology and
highly experienced people are:
Improing the way people work by easily and quickly changing and adapting the SAP inrastructure
to gain competitie adantages
Reducing carbon ootprint and administratie costs with an open, interoperable inrastructure that
eiciently uses computer resources
Improing security, compliance, and goernance with secure single-sign-on ,SSO, and automated
process to control access and reduce errors
Improing inrastructure lexibility by simpliying, standardizing, and automating computer resources
to achiee high serice leels to end-users, and to support growth and change
Supporting enterprises in implementing an enterprise cloud enironment that grows with business
needs and that has a strong ocus on the system, storage, and application enironment as a whole

SAP Virtualization from Oracle
Virtualization technologies rom Oracle dramatically reduce energy costs, simpliy
administration, and improe lexibility, rom the edge o the network to back-end
inormation management, to enable businesses to adapt and grow ,ligure 3,. 1o
make an enironment cloud-ready, irtualization works by pooling resources and
centralizing administration, and enables applications to run anywhere, regardless o the
underlying architecture. Users gain desktop access rom any browser in a
heterogeneous hardware and sotware enironment that adapts easily to business
needs and processes. Lco-responsible irtualized storage proides ast access to data
when it is needed, lowers costs across the board, and deliers huge energy saings.
Oracle technologies or irtualization include:
Dynamic Domains - hardware partitions on Sun SPARC Lnterprise M-Series
serers
Oracle Solaris Containers - Separate, priate Oracle Solaris enironments on a
single Oracle Solaris operating system instance, natie perormance irtualization
or Oracle Solaris on SPARC or x86

Figure 37. Oracle technologies


40
Oracle VM Serer or SPARC ,preiously called Sun Logical Domains, - Multiple Oracle Solaris
instances on the same Sun SPARC Lnterprise 1-Series serer
Sun Storage - Consolidate management o all heterogeneous storage through irtualization, greater
utilization through thin proisioning and irtual olumes
Sun Storage1ek Virtual 1ape Library Systems - Separate Sun Storage1ek 1ape Libraries on a single
irtual tape, better tape utilization and management ease
Oracle Lnterprise Manager Ops Center - Manage more than one physical or irtual serer
including patch management
Sun Q-Layer - Deine and build irtual datacenter inrastructures using drag and drop
Oracle VM VirtualBox - Programmer productiity or \indow, Linux, and Oracle Solaris guest on
x86
Oracle Virtual Desktop Inrastructure - Oracle`s Desktop as a Serice solution
Desktop Virtualization
It is possible to establish a complete Desktop as a Serice approach or SAP ,SAP GUI, SAP at client,
and non-SAP client applications. Desktop irtualization alone dramatically cuts energy consumption
and lowers maintenance costs. 1he core o Orcle`s desktop irtualization solution is the Oracle Virtual
Desktop Inrastructure running on irtualized serers in the datacenter, as illustrated in ligure 38.
lrom industry-standard PCs, Macs, or thin clients throughout the enterprise, users can access irtual
desktops running on industry-standard operating systems - \indows, Linux, and Oracle Solaris.
Since the desktop enironment is centrally managed, the cost o maintaining enironments on eery
desktop is nearly eliminated. Replacing desktop PCs with Oracle`s Sun Ray thin clients results in
signiicant energy saings. A typical PC uses about 150 to 350 watts while a Sun Ray thin client uses
only 4 watts. lor an aerage scenario, replacing PCs with thin clients, considering power, cooling, and
inrastructure needs, you can reduce power consumption by 24 and decrease CO2 emission by 23.
On aerage, thin clients use 55 less electronics and 36 less plastic, and outlast PCs by three years,
resulting in reduced eco waste. In a irtualized workplace, authorized users can gain secure access to
any Sun Ray client on the network.

41

Figure 38. Sun Secure Global Desktop
\ith a key card, users can instantly display their own enironment on any system. Because eerything
is maintained in the datacenter, I1 sta can quickly change, adapt, or upgrade resources as business
needs change. Sun Ray clients are also ideal or training, where a irtualized classroom is energy-
eicient and lexible. A teaching enironment is easy and ast to set up on the serer, so there`s no
need to maintain and replicate the enironment on separate desktop computers. Students can gain
secure access to their enironment instantly, anywhere.
SAP Server Virtualization
\ith tightening budgets, I1 departments are aced with eliminating serer sprawl through
consolidation and better utilization. Oracle`s serer irtualization technology - which diides one
serer into multiple enironments - simpliies administration, increases system uptime, dramatically
reduces energy costs, and improes resource utilization or SAP applications ,ligure 39,. Oracle`s
irtualization technologies are generally included with the hardware or OS, proiding signiicant cost
saings on licensing ees. 1he easiest way to irtualize serers is OS irtualization. Virtualization
technology enabled by Oracle Solaris Containers is highly lexible.

42

Figure 39. SAP virtualization example
Containers can be used or consolidation and to enable rapid response to business needs. \ith
containers, quick experimentation or testing o new SAP eatures is simple. SAP applications can be
easily deployed on-the-ly without adding hardware. Legacy SAP applications can be hosted in
containers on existing serers. Because the SAP Adaptie Computing Controller supports Oracle
Solaris Containers, applications can be monitored and proisioned within containers quickly and
automatically. Also, containers enable ast data backup and upgrades, resulting in zero downtime.
Oracle oers irtual machine technologies to maximize the choice o platorms and operating
systems - \indows, and Linux, and Oracle Solaris - so irtualization can it into any SAP
enironment easily:
Dynamic Domains on Oracle`s Sun SPARC Lnterprise M-series serers running Oracle Solaris
Oracle VM Serer on SPARC on systerms with UltraSPARC processors running Oracle Solaris or
Linux ,BrandZ zones,
VMware hyperisor on Oracle`s x64 systems
1hese irtuazliation technologies enable a lexible, secure, scalable, and reliable enironment to run
mission-critical applications while more ully utilizing resources and presering existing assets.
SAP Storage Virtualization
Oracle understands that data is the lieblood o eery SAP enironment. Companies must store and
access more data with ewer resources than eer beore, and oten cope with a heterogeneous storage
enironment with dierent types o storage in dierent geographic locations. Oracle`s energy-eicient
irtualization solutions reduce storage complexity, proide ast access to data, and enable I1
departments to manage a rich mixture o systems, solutions, processes, and interaces eiciently and
cost-eectiely. 1he tiered storage approach yields highly eicient utilization o resources and aster
access.

43
Storage irtualization, powered by the Oracle Solaris Zettabyte lile System ,ZlS,, centralizes and pools
storage into a single resource that can grow or shrink according to application demands, potentially
yielding cost and energy saings o 90. 1his approach simpliies and streamlines the entire storage
enironment and applies the most cost-eectie resources or each task. lor example, in Sun Storage
000 Uniied Storage Systems, Oracle Solaris ZlS transparently manages data placement, copying
requently used data to ast SSD cache or aster access, so data can be stored on slower, less expensie
mechanical disks and tape without sacriicing perormance.
lor long-term data storage, backup, and recoery, Oracle`s tape library solutions proide an
economical way to archie increasing olumes o data quickly, saely, and cost-eectiely. \ith
irtualized storage, access to archied data is orders o magnitude aster than with traditional tape
storage. Products like Oracle Solaris ZlS and Oracle`s Sun Storage1ek Virtual Storage pool resources
manage storage as a single resource, which decreases the burden o managing large tape libraries,
increases system usage and eiciency, and reduces the oerall cost o protecting SAP data through
improed tape utilization, shared tape resources, and reduced complexity. Oracle Solaris ZlS also
proides ast, easy recoery or low-cost business continuance. Used with Oracles Solaris Containers,
an administrator can store a snapshot o the enironment, then reert back to the snapshot rather than
restore data rom tape. 1his approach streamlines the disaster recoery ,DR, process and reduces
downtime to almost zero. Oracle`s irtualized storage solutions delier manageable, secure storage o
all types ,llash SSD, SA1A, iSCSI, SAS, NAS, libre Channel, tape,, dramatically lower energy costs,
and proide an inrastructure that quickly adapts to uture storage needs.
Securing Access to Virtualized SAP Application Components
\ith highly utilized, irtualized desktops, serers, and storage, enterprises can support more users.
Opening up the SAP enironment in a \eb-based world leerages the alue o a irtual enterprise,
with applications sering employees, customers, endors, suppliers, and business partners. 1o enable a
sae, collaboratie enironment, the open SAP Net\eaer application platorm helps companies build
and manage business serices that reach beyond the business boundary. Users can access SAP rom
any SAP browser on a mobile deice, PC, or thin client. 1he beneits o this open enironment are
immeasurable, but so are the risks - identity thet, corporate espionage, and raud.
Keeping track o user identities in a complex organization inoles manual, risky, costly tasks. \ith
Oracle`s identity management solutions or SAP, companies can create a secure and extended SAP
enterprise where users inside and outside the company hae secure, single sign-on access to SAP and
non SAP \eb applications anywhere, anytime ,ligure 40,. Automation eatures include the ability to
create sel-serice password systems or end users, reducing help desk calls and improing both user
and I1 productiity. Passwords are automatically synchronized eerywhere - across hardware
platorms, sotware applications, and databases. \ith Oracle`s identity management suite,
administrators can easily manage identity data stored in widely distributed systems throughout the user
lie cycle. Capabilities include automated proisioning o new users, reproisioning to relect changes
in user status, and deproisioning when a relationship within the organization ends. Authentication and
authorization serices are proided across internal and external computing domains. Lnterprises also
beneit rom automated auditing o segregation o duties ,SoD, or non SAP applications.

44

Figure 40. Secure identity and compliance
Managing Identities in a Private Cloud
1he general goals o identity management do not change in a priate cloud. Liciently and cost-
eectiely managing access and identities to proide secure access or the users in an SAP based
priate cloud requires a centralized approach. 1o maintain or increase productiity, users need a single
point o entry and sign-on capability, which implies a single point o administration or all users,
including operating systems, SAP solutions, databases, and other applications. I1 managers need the
ability to quickly and automatically add users to all o the applications and serices they require, as well
as the ability to modiy access and priileges and delete users rom all systems when they leae, in order
to deal with the diersity o users and their changing roles. In addition, businesses must also comply
with security-related regulations such as controlling access to sensitie inancial inormation. 1his
requires the ability to detect dormant accounts, enorce consistent corporate security policies, and
ensure that data is accurate and consistent across applications and data stores. Another critical issue or
I1 managers is 1CO. In a large enironment, supporting technology that increases costs by requiring
additional sta and training can oset the beneits o the solution itsel.
Identity Management as a Cloud Infrastructure Component
1he irst step in proiding identity management is to centralize identity data. Oracle Directory Serer
deliers a secure, highly aailable, scalable, and easy-to-manage directory inrastructure or storing and
using identity data. It centralizes and separates identity inormation and makes that data aailable to
multiple applications including Microsot Actie Directory, rather than requiring applications to store
and maintain data in multiple locations, thus proiding consistency and lowering costs. Password
synchronization with Microsot Actie Directory increases security by helping to ensure password
policies enorced on the network operating system are also enorced in key strategic directories in the
enterprise. Its extreme scalability helps reduce costs by decreasing the number o systems deployed. In

45
addition, proxy serices proide irewall-like protection against denial-o serices and unauthorized
access. Multimaster replication, load balancing, and automatic ailoer help proide directory serices
around the clock. \ith oer 1.5 billion entries, the Oracle Directory Serer is the most widely deployed
general-purpose, LDAP-based directory serer in the marketplace.
Oracle Waveset Identity Manager
Oracle \aeset Identity Manager proides the core user proisioning and identity synchronization
serices o Sun`s identity management solution, as well as password management and proile
management. It uses role-based access control mechanisms to centrally create and manage users, and
delegate user administration. Using a common identity inrastructure, administration that normally
occurs across many applications by multiple administrators, including OS, database, and SAP, can be
consolidated into a single management console. 1his makes it possible to consistently delegate
management tasks and sel-serice unctionality to partners, customers, and internal company
departments based on business requirements. It automatically synchronizes identity data across a wide
range o heterogeneous applications, databases, and other data stores such as Oracle Directory Serer,
Microsot Directory, and Lotus Domino. 1his helps ensure that identity data is accurate and consistent
both within and outside the boundaries o the SAP Net\eaer enironment.
Oracle OpenSSO for SAP
Oracle OpenSSO is a security oundation that helps organizations manage secure access to \eb
applications and \eb serices. It is designed to proide authentication and authorization serices
across internal and external computing domains and helps ensure that appropriate authentication
credentials are required o users depending on the alue o the protected resources. It also presents
streamlined naigation across \eb applications and \eb serices through single sign-on capabilities.
Oracle OpenSSO can be integrated with the SAP Net\eaer Lnterprise Portal through an Oracle
deeloped and supplied policy agent ,based on the Jaa Authentication and Authorization Serices
login module o the SAP Net\eaer Application Serer Jaa,. In addition it is possible to use the
SAML authentication module o the latest SAP Net\eaer Application Serer Jaa to smoothly
integrate a highly accepted authentication standard deined by the OASIS, which is a common
technology used to securely authenticate users or \eb serices within a \eb-drien cloud
enironment.
By using a central point o authentication, role-based access control, and single sign-on, Oracle
OpenSSO proides a scalable \eb access management model or SAP Net\eaer, other \eb-based
applications and \eb serices. In this way, it simpliies exchange o inormation and transactions while
protecting the priacy and security o ital identity inormation. It also allows administrators to audit
any intrusion or unauthorized access in real time.
End-to-End Governance and Compliance
Ler-increasing legislatie and global regulations mean compliance and identity management go hand
in hand. 1he integrated Oracle \aeset Identity Manager sotware and SAP BusinessObjects Access
Control ,GRC, solution - based on \eb serices and Jaa technology - proides automated, system

46
wide auditing and reporting capabilities that coer business compliance and inancial or LRP
requirements, plus I1 inrastructure compliance, like OS and user proisioning, networking, storage
and archiing, and data management. 1he solution, illustrated in ligure 41, enables companies to
streamline corporate policy and legislatie compliance or mission-critical SAP applications and other
enterprise I1 resources.

Figure 41. Cloud end-to-end IT compliance (SoD)
1he industry-leading Oracle \aeset Identity Manager sotware helps ensure that access to sensitie
inormation is subject to the most secure control possible by enorcing security policy and global
standards through repeatable and sustainable processes. SAP BusinessObjects Access Control ,GRC,
proides eatures such as risk analysis and remediation, compliant user proisioning, enterprise role
management, and superuser priilege management capabilities. 1he scalability o proisioning rom
Oracle \aeset Identity Manager sotware, combined with the risk analysis and remediation o SAP
GRC Access Control, is designed to preent cross-application proisioning conlicts. As priate SAP
cloud enironments grow, Oracle and SAP`s lexible, scalable security solutions can grow to take on
the toughest security challenges.
Oracle Identity Analytics
\ith the growing demand or cloud-based computing landscapes - whether these enironments are
public or in-house hosted solutions - the olume o network communications increase, use o
irtualization technology increase, and \eb-enabled application unctionality increases. 1o support
these enironments identity management components need to be implemented to standardize how
people access and are authorized to such enironments. 1his will lead to unprecedented challenges in
the area o access goernance and access control compliance.
\ith Oracle Identity Analytics, companies can eectiely manage access and consistently achiee
access control compliance when the number and nature o users is in constant lux by managing access
based on the users roles within an enterprise cloud rather than on an indiidual, user-by-user basis.

47
Creating roles based on usage and enterprise policies enables greater isibility into access and the ability
to manage access in a more eicient, secure, and compliant manner.
Role-based access control, particularly in combination with identity proisioning, enables enterprises to
improe eiciency and security by always:
Knowing who is accessing what data and which applications
Understanding who approed the access assigned to users
Laluating the assigned access against access-control policies
1he comprehensie role lie-cycle management and identity compliance capabilities o Oracle Identity
Analytics can streamline operations, enhance compliance, and reduce costs within a cloud-drien
application and system landscape.
Oracle Identity Analytics proides the ollowing unique eatures:
Integrated set o technologies and methodologies or role-based access control and identity-based
controls automation
Continuous monitoring to scan or role ersus actual assignments, segregation o duties, and other
access-related exceptions that might signal potential policy or regulatory iolations
Lxtensie analysis and reporting on role changes, policy iolations, and potential role reinements
Integration with market-leading proisioning solutions
Lxtract, transorm, and load ,L1L, capabilities to pull data rom any enterprise resource without the
time and cost o using connectors
Oracle Identity Analytics improes operational eiciency by simpliying and automating access-related
processes and bridging the gap between the I1 inrastructure and the business organization.
Oracle Identity Analytics brings the I1 inrastructure and the business organization closer together and
proides a common ocabulary. 1his is the result o mapping business roles ,business iew, to the
underlying entitlements ,technical iew, that are granted within enterprise applications such as SAP or
Oracle LRP systems. A common ocabulary helps ensure that the roles relect how responsibilities are
assigned within an organization, which makes it easier or employees to request the access necessary to
perorm their jobs.
Oracle Identity Analytics continuously monitors the users` actual access to resources rather than just
reporting on the access to which their roles entitle them. By reducing the risk o improper access,
organizations are less likely to iolate enterprise security policies or external regulatory requirements.
Speciically, Oracle Identity Analytics can alert management to issues with problem areas such as
segregation o duties iolations, which can occur when a user has conlicting roles or accounts that
iolate internal policies or external regulations. lor example, a user whose job includes setting up
endors should hae to gie up the access priileges associated with that role i that user assumes a
new position that inoles writing checks to those endors.

48
\ith this special eature set, Oracle Identity Analytics completes the cloud identity management stack
and proides the ability to implement a ully integrated end-to-end role management, user
administration, account proisioning, and compliance solution. 1his solution allows a combined SoD
risk analysis - starting on the OS layer up to the LRP layer - using Oracle Identity Analytics as the
interace component between Oracle Identity Analytics and SAP BusinessObjects Access Control.
Summary
Oracle solutions or SAP in a cloud span the enterprise - rom browser to datacenter to storage -
giing users access to SAP anywhere, keeping businesses competitie, reducing costs, saing energy,
and maximizing ROI. Based on market-tested, industry-leading cloud technology, Oracle`s end-to-end
solutions or SAP proide a high-perormance, robust, open, lexible SAP architecture that leerages
irtualization to reduce costs and increase agility ,ligure 42,. Nobody deliers irtualization throughout
the enterprise like Oracle does - with proen technologies that dramatically reduce energy costs. 1he
solutions open up the potential o global collaboratie computing or businesses o any size while
keeping data sae, complying with goernment policies, and proiding ast access to business
inormation.

Figure 42. Sun cloud technology for SAP
Oracles Global SAP Service Portfolio
Reducing power consumption, oering on-demand SaaS cloud serices, implementing irtualization,
increasing security and compliance, and managing it all is a huge endeaor. Oracle can help with
eerything rom designing clouds, to perorming upgrades, to operating and managing priate SAP
cloud enironments.

49
Oracles Sun Solution Center for SAP
Oracle`s Sun Solution Center or SAP has SAP application architects and Oracle and SAP solution
experts that proide world-class serice around the globe to address unique SAP requirements. Among
the many serices oered, the SAP Competency at the solution center proides the ollowing serices:
Architecture design and capacity planning
lardware sizing tools or business partners
SAP on Oracle solutions
Reerence architectures
SAP on Oracle workshops
1o ind solution centers, see ///012-03'451',26&'-3"-6"(15,'3$6&'-15&-7"8091*
Sun Joint Support Center for SAP Applications
Sun Joint Support Center or SAP Applications proides round-the-clock, worldwide support to
resole interoperability issues between Oracle serer platorms and SAP sotware running in irtualized
or non-irtualized enironments. SAP has expertise in resoling complex integration issues between
the Sun sotware stack and SAP application components such as Oracle Identity Analytics and SAP
back-end components. Support teams are located on-site nearby the SAP headquarters in \alldor,
Germany to streamline inormation transer and problem resolution. In addition, SAP trained support
teams are located in the United States and Asia to oer aster, more specialized worldwide problem
resolution.
Oracle Virtualization Services
Oracle oers a complete set o irtualization serices across computer, networking, and inrastructure
components to help sae power, space, and cooling costs, improe serice leels, increase utilization,
and acilitate proisioning to maximize ROI. Proessional serices sta can help run datacenters more
eiciently - recommending the appropriate mix o irtualization technology and I1 processes to
achiee speciic goals. Oracle estimates the 1CO and ROI beneits that an I1 project can achiee and
helps create business alue.
Oracle Storage Virtualization Services
Starting with an ealuation o a company`s current storage issues, Oracle`s storage irtualization
serices help determine and implement a irtualization strategy that enables companies to achiee
ongoing business and technological goals. Oracle consults on areas to help reduce costs and optimize
resources and recommends the appropriate mix o irtualization technology and I1 processes. Sun
Managed Serices or Storage can proide best practices to irtualize, monitor, and manage storage
utilization, sta resources, and system processes. Oracle helps irtualize across all SSD,llash, arious
disk, and tape-based storage and maximize the aailability o distributed, heterogeneous disk, backup,
and archie inrastructure.

50
Global Oracle Support
Oracle oers integrated packages o support serices that delier comprehensie Oracle hardware and
sotware support or SAP users with mission-critical and business-critical applications. 1hese serices
are designed to handle urgent business requirements. As part o the oerings, enterprises gain access to
Sun Vendor Integration Program Interop Support. 1hrough this program, Oracle and SAP collaborate
to identiy, isolate, and resole complex interoperability issues.
For More Information
lor more inormation about Oracle solutions or SAP enironments, please isit oracle.com,sun or
call -1.800.86.0404 to speak to an Oracle representatie. Additional inormation can be ound at:
http:,,www.sun.com,sap
http:,,www.sap.com,solutions,business-suite,crm,crmondemand,index.epx
http:,,www.sap.com,solutions,sapbusinessobjects,ondemand,index.epx

April 2010
Author: Timm Seitz

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright 2010, Oracle and/or its affiliates. All rights reserved.
This document is provided for information purposes only and the contents hereof are subject to change without notice.
This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed
orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose.
We specifically disclaim any liability with respect to this document and no contractual obligations are formed either
directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their
respective owners.

AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro
Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are
used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered
trademark licensed through X/Open Company, Ltd. 0310

Sap Erp in The Cloud

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Sap Erp in The Cloud

Uploaded by

Copyright:

Available Formats

An Oracle White Paper

You might also like