Architecture decisions for security
The following tables summarize the security architecture decisions for SAP on IBM Cloud VMware Cloud Foundation (VCF) for Classic.
Security architecture decisions for data
| Architecture decision | Requirement | Decision | Rationale |
|---|---|---|---|
| Data: Encryption at Rest | |||
| Primary Storage | Ability to encrypt data at rest | Endurance Network File Storage (NFS) with VMware vSphere encryption | VMware vSphere encryption applies to all types of VMware storage, including NFS. |
| Backup storage and archive storage | Ability to encrypt backups | IBM Cloud Object Storage encryption | By default, all objects that are stored in IBM Cloud Object Storage are encrypted by using randomly generated keys and an all-or-nothing-transform (AONT). |
| SAP HANA data encryption | Ability to encrypt SAP HANA data at rest | SAP HANA Data Volume Encryption (DVE) | DVE encrypts SAP HANA data at the persistence layer, protecting the data that is stored on disk from unauthorized access at the operating system level. |
| Data: Encryption in transit | Ability to encrypt data in transit: from clients to servers, between servers, and to any attached storage | FTPS and HTTPS (client to server); VMware vSphere® encryption (management and production VMs) | Client requests are secured over HTTPS and FTPS. vSphere encryption secures management and production VMs both at rest and in transit. |
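For the DVE row in the table above, the following SQL is an added example written for this page, not a snippet from SAP or IBM documentation. It shows the SAP HANA 2.0 statements that switch persistence encryption on and the system views used to verify it; the only names it relies on are standard HANA system views. Verify the statements against the Security Guide for your HANA release before running them, and run them against each tenant database as an administrator who holds the required system privileges.

```sql
-- Added example (not from the page): enable SAP HANA persistence encryption
-- and verify it. SAP HANA 2.0 syntax; execute per tenant database as an
-- administrator with the relevant system privileges
-- (DATABASE ADMIN / ENCRYPTION ROOT KEY ADMIN, depending on the statement).

-- 1. Data Volume Encryption (DVE): encrypts the data volumes written to disk.
ALTER SYSTEM PERSISTENCE ENCRYPTION ON;

-- 2. DVE covers data volumes only. Redo log and backup encryption are
--    separate switches; leaving them off keeps log volumes and backup
--    files in clear text even though the data volumes are encrypted.
ALTER SYSTEM LOG ENCRYPTION ON;
ALTER SYSTEM BACKUP ENCRYPTION ON;

-- 3. Verify. M_ENCRYPTION_OVERVIEW returns one row per scope
--    (PERSISTENCE, LOG, BACKUP) with its active flag;
--    M_PERSISTENCE_ENCRYPTION_STATUS shows the per-service status of DVE.
SELECT * FROM M_ENCRYPTION_OVERVIEW;
SELECT * FROM M_PERSISTENCE_ENCRYPTION_STATUS;
```

Two caveats a practitioner should keep in mind: the encryption root keys live in the instance's secure store in the file system (SSFS), so the SSFS master key and any root key backup must be protected with the same care as the data; and DVE protects data on disk only, so the in-memory working set of the database is not covered and remains dependent on host and guest OS access controls.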
Security architecture decisions for Identity and Access
| Architecture decision | Requirement | Decision | Rationale |
|---|---|---|---|
| Identity and Access Management (IAM) | Securely authenticate users for platform services and control access to resources consistently across IBM Cloud | Cloud Identity and Access Management (IAM) | Use IAM access policies to assign users, service IDs, and trusted profiles access to resources within the IBM Cloud account. |
| Privileged Identity and Access Management | Privileged access management (PAM) for administrative purposes | Bring your own bastion host with PAM software, deployed on the underlay private VLAN; two-factor authentication (2FA) through IBM® Security Verify | Remote resources are accessed for management purposes only over the private network, through the bastion host over SSH. Session recording tracks all activities, successful or not, so that potential threats can be identified. |
Security architecture decisions for core network protection
| Architecture decision | Requirement | Decision | Rationale |
|---|---|---|---|
| Core Network Protection | Strict separation of duties; isolated security zones between environments; isolated, private cloud environment | NSX-T™ (overlay); IBM Cloud® Juniper vSRX with content security bundle (underlay) | A design that combines NSX-T™ and IBM Cloud® Juniper vSRX to isolate VLANs and network traffic: separate underlay VLANs, NSX-T™ VXLAN overlay segments, and the use of firewall capabilities. |
Security architecture decisions for threat detection
| Architecture decision | Requirement | Decision | Rationale |
|---|---|---|---|
| Threat detection | Boundary protection: the highest level of isolation from external network threats; intrusion prevention and detection at all ingress and egress points; Unified Threat Management (UTM) firewall | IBM Cloud® Juniper vSRX with content security bundle | Advanced firewall features: Intrusion Prevention System (IPS) and Intrusion Detection System (IDS), Unified Threat Management (UTM), policy routing, SSL proxy |