SAP ERP in the Cloud - Oracle

An Oracle White Paper
April 2010
SAP ERP in the Cloud

Oracle White Paper—SAP ERP in the Cloud
Introduction ........................................................................................ 1
Key Characteristics of the Cloud ........................................................ 2
Cloud Services ............................................................................... 2
The Cloud Provider View ............................................................... 5
Public Clouds ................................................................................. 5
Private Clouds ................................................................................ 6
Hybrid Clouds ................................................................................ 7
The Cloud Consumer View ............................................................ 8
Cloud Technology .......................................................................... 9
Security in the Cloud .................................................................... 19
Cloud Summary ........................................................................... 20
Enterprise Resource Planning in the Cloud .................................. 22
SAP Security in the Cloud ............................................................ 37
Oracle’s Infrastructure for the SAP Cloud ........................................ 38
SAP Virtualization from Oracle ..................................................... 39
SAP Server Virtualization ............................................................. 41
SAP Storage Virtualization ........................................................... 42
Securing Access to Virtualized SAP Application Components ..... 43
Summary ......................................................................................... 48
Oracle’s Global SAP Service Portfolio .......................................... 48
Oracle’s Sun Solution Center for SAP .......................................... 49
Sun Joint Support Center for SAP Applications ............................ 49
Oracle Virtualization Services ...................................................... 49
Oracle Storage Virtualization Services ......................................... 49
Global Oracle Support .................................................................. 50
For More Information ........................................................................ 50

Introduction
Oracle White Paper—SAP ERP in the Cloud
What is Cloud Computing? Cloud Computing is one of the hype topics in the high-tech industry
today. Almost every IT company offers some kind of cloud product or services and almost
every IT expert uses a different definition of the term Cloud Computing. For a typical private
end-user, Cloud Computing means to use a Web-based service, for instance online services
for data storage, email, word-processing, spreadsheets, collaboration, file conversation, social
media, etc. There is no magic behind these Web services, other than the fact that the end-user
does not need to deploy or install dedicated applications on their home PC system anymore.
The only prerequisite is the existence of a working internet connection. Most of the mentioned
services are free and for others, end-customers pay a monthly fee, usually on a per user basis.
The general concept of Cloud Computing from a private end-user’s point of view is:
To plug into the internet from anywhere access processing, applications, and data services
whenever needed
To only pay for what is used or needed
However, private cloud usage is only one aspect of the overall cloud story. Companies have
realized that Cloud Computing might be a good avenue to reduce internal IT costs by spending
less money on software licenses, hardware, storage, training, and the needed maintenance of
the mentioned areas. Small and medium sized enterprises might especially gain large
advantages by using a cloud-based IT approach instead of building internal datacenters. An
outsourcing model can help to extend IT services step by step depending on the growth of the
individual business.
This white paper provides a general overview of the term Cloud Computing from an enterprise
point of view. In addition, the topic of Enterprise Resource Planning (ERP) in the cloud is
covered with a dedicated focus on the SAP ERP stack deployed on cloud technology
components from Oracle.
1

Key Characteristics of the Cloud
Oracle White Paper—SAP ERP in the Cloud
The general understanding of Cloud Computing is related to an on-demand service model by which
various different resources (hardware, software, and services) are combined on an on-the-fly basis
(Figure 1). The service(s) are delivered over the network, which could be the intranet of a company or
the internet when the service is ordered from an external provider. Nevertheless, the term network
always includes Internet-based technology such as the TCP/IP protocol stack that is used to
communicate between the cloud provider and the cloud consumer.
Figure 1. Cloud Computing relates to on-demand service model
Cloud Services
The service aspect of the cloud includes three different components — applications, hardware, and
systems software — which can be combined to build a cloud-specific service package or offering
(Figure 2). Depending on how a cloud provider combines these components within a cloud offering,
there are a number of different cloud service layers.
2

Figure 2. Definition of Cloud Computing
Oracle White Paper—SAP ERP in the Cloud
Currently, there are four possible cloud service layers that can be used in combination to build a full
end-to-end cloud offering as described below and in Figures 3 and 4.
Software as a Service (SaaS) — offers an application, such as ERP, on demand over the network or
internet
Platform as a Service (PaaS) — providers sell a complete development platform including the
necessary built-in services, such as MySQL databsase, GlassFish application server, LDAP,
NetBeans software, and Oracle Solaris Studio, on demand over the network.
Infrastructure as a Service (IaaS) — a service offering that supplies hardware and software
infrastructure components, such as compute, storage, systems, Oracle Enterprise Manager Ops
Center, Sun Management Center and Sun Identity Manager from Oracle, and more.
Desktop as a Service (DaaS) — moves the desktop environment of a cloud consumer into the cloud
and provides secure remote access to the server-based applications. It helps to reduce administration
costs and establishes higher security standards as IT staff can provision applications from a central
console to end users who have assigned appropriate access rights based on individual or group
criteria.
3

Figure 3. Iaas and PaaS layers
Figure 4. SaaS and DaaS layers
Oracle White Paper—SAP ERP in the Cloud
4

Oracle White Paper—SAP ERP in the Cloud
The layers are highly flexible, enabling various providers to work together but still focus on an
individual area of expertise. For example, one partner might provide the underlying infrastructure
services (IaaS) while another partner is responsible for the developer and application platform (PaaS or
SaaS).
The Cloud Provider View
A cloud provider owns the various cloud services (IaaS, PaaS, SaaS) and the related capital risks.
Currently there are three cloud models: public, private, and hybrid. The differences between private
and public are described in Figure 5.
Figure 5. Definition of cloud provider view
Public Clouds
A public cloud provider offers services to anyone in the general public that might be interested in using
the service (Figure 6). In other words, anyone who has access to an internet connection, is able to pay,
and is aware of the specific cloud service offering can use it on demand. There are no consumer
restrictions for specific user groups, communities, or certain company types. Therefore, this type of
cloud offering is referred to as public. Practically everyone on the Web can take advantage of public
cloud services.
5

Figure 6. Cloud provider view of a public cloud
Private Clouds
Oracle White Paper—SAP ERP in the Cloud
Also called enterprise or in-house clouds, private clouds do not have a public character. Cloud
providers and cloud consumers are part of the same company. The IT department of a company acts
as the cloud provider and offers a cloud service that can be used by internal units to deploy and run
business applications (Figure 7). This differs from traditional IT support in that IT utilizes the on-thefly
flexibility of cloud technologies to provide compute resources as needed.
Figure 7. Cloud provider view of a private cloud
6

Hybrid Clouds
Oracle White Paper—SAP ERP in the Cloud
Hybrid clouds represent a combination of both private and public cloud models. For example, a
company implements a private cloud to support business-critical services and utilizes the public cloud
in an on-demand fashion for non-critical services, as illustrated in Figure 8. External and temporary
cloud services can be less expensive from a cost/benefit perspective than providing the same service
internally. Therefore, this type of cloud model might be of interest to large, global enterprises with a
periodic temporary demand for specific cloud resources. It also provides much better data security for
the company itself (well-guarded internal network) in comparison to a public cloud approach where the
cloud consumer completely relies on the security mechanisms of the selected provider.
Figure 8. View of a public cloud
Figure 9 summarizes the key facts about the three cloud provider models.
Figure 9. Differences between cloud types
7

The Cloud Consumer View
Oracle White Paper—SAP ERP in the Cloud
A cloud consumer (a company) must first identify which cloud services (IaaS, PaaS, SaaS, and DaaS)
best suit the existing business requirements (Figure 10). The decision of whether to use or to build an
in-house cloud service depends strongly on the available internal resources, such as human resources,
and the necessary knowledge and experience in the various IT areas (applications, security, systems, or
storage specialists). Other factors that influence the decision are existing IT budget and competitive
market aspects. The flexibility to grow and shrink depending on existing market demand and business
forecasts, as well as the agility to react almost in real time in a highly competitive market space such as
Web 2.0, makes Cloud Computing very attractive to startups and small- and mid-sized companies.
Larger enterprises with a different business model might have other reasons to use internal or external
cloud services. Most of these companies need to reduce IT budgets by replacing cost-intensive IT tasks
with comparable cloud-based, on-demand services.
Especially in difficult economic times it is in every organization’s interest to find the right balance
between operating expenses and related earnings. Therefore, Cloud Computing has the potential to
play a major role for every kind of business within the next several years.
Figure 10. Definition of the cloud consumer view
As a consumer of a public cloud it is important to keep in mind that the same environment is shared
with many other unknown cloud users at the same point in time. The network, server compute power,
storage devices, and depending on the service contract the application instance(s) might be shared with
many other users. The ability to shared resources is why cloud providers are able to offer standardized
services for less than it would cost to implement and maintain the services in house. This might not be
8

Oracle White Paper—SAP ERP in the Cloud
the right solution for everyone as individual customization of the offered services within the cloud can
be limited. Cloud services have a strong standardized character today and are built to meet the needs of
the majority of users, which also helps to keep the administration and maintenance of the environment
at an acceptable level. Thus, it is very important to closely analyze existing internal services before
moving a particular service to an external cloud service contract.
A cloud consumer could be interested in all of the offered service layers or only in the layers where
there is a lack of dedicated internal knowledge, making it less expensive to buy this service and the
related hardware and software support from a cloud provider who is able to offer exactly the
standardized setup needed based on given business requirements.
Consumers of a private cloud model do not have to care about sharing resources with other unknown
users. The various business departments can access available hardware and software resources on an
on-demand basis similar to a public cloud environment. The big difference is that resources are shared
only with other internal colleagues and highly critical business data is stored on a secure storage device
within the intranet of the company. In addition, it also makes sense to use a standardized cloud
architecture with standardized systems, infrastructure components, and management processes to
achieve the positive cost effects of using cloud technology. Thus, a private cloud offers similar
advantages as a public cloud environment without the attendant security and privacy issues. In
addition, there is still enough flexibility to add or extend specific features that are not available in a
public cloud stack, such as business logic or ERP functions. The differences between cloud types as
experienced by a cloud consumer are summarized in Figure 11.
Figure 11. Cloud consumer view across cloud types
Cloud Technology
The key technologies used in a cloud-based landscape are virtualization, Web services, and NaaS.
9

Virtualization
Oracle White Paper—SAP ERP in the Cloud
Virtualization is not a new component in this technology mix. It is a proven and widely accepted way
to consolidate existing server and application landscapes, and is defined in Figure 12. Virtualization
helps to realize greater efficiency and cost savings, and helps in maintaining or exceeding service-level
agreements (SLAs) in all of the described cloud scenarios. There are currently three virtualization types:
desktop, server, and storage.
Figure 12. Definition of virtualization
Desktop Virtualization
Desktop virtualization is the concept of separating a personal computer desktop environment from the
physical machine through a client-server computing model. The resulting virtualized desktop is stored
on a remote server in the cloud instead of on the local disk of the remote client machine. Thus, when
users work from their remote desktop clients—PCs, smart phones, laptops, or thin client systems—all
of the programs, applications, processes, and data are stored and run centrally in the cloud. A virtual
desktop infrastructure uses virtual machines to enable multiple network subscribers to maintain
individualized desktops on a single, centrally located server environment. Users might be
geographically scattered, but all can be connected to the central machine by a local area or a wide area
network or through public networks such as the internet. When desktop virtualization is implemented
within a cloud it is also called Desktop-as-a-Service (DaaS).
Server Virtualization
Server virtualization masks server resources — including the number and identity of individual physical
servers, processors, and operating systems — from the users and applications. The server administrator
uses an application to divide one physical server into multiple isolated virtual environments. These
environments are called guests, virtual instances, containers, or emulations. Today there are four
different virtualization types:
10

Virtual machine model
Paravirtual machine model
Hardware emulation model
Virtualization at the OS layer
Storage Virtualization
Oracle White Paper—SAP ERP in the Cloud
Storage virtualization pools physical storage from multiple network storage devices into what appears
to be a single storage device that is managed from a central console from within the cloud (Figure 13).
Storage virtualization is commonly used in a storage area network (SAN). It helps storage
administrators to perform backup, archive, and recovery tasks more easily and in less time. This all
helps to solve the data explosion problems—many applications generate more data than can be stored
physically on a single server, and many applications have multiple machines that need to access the
same data—and improves data management efficiency.
Figure 13. Storage virtualization
Goals of Cloud-Based Virtualization
The main goals accomplished by using virtualization technology in a cloud-based environment are:
Separate the hardware from the service, application, and OS (an abstraction from physical resources)
Host multiple guest systems on a single physical server
Increase server and storage utilization, increase agility, and reduce energy costs
Create copies of existing environments quickly and easily
Move virtual machines between physical servers
11

Oracle White Paper—SAP ERP in the Cloud
Combine available network resources by splitting available bandwidth into channels, each of which is
independent from the others
Pool physical storage from multiple network storage devices into what appears to be a single storage
device that is managed from a central console
Web Services
Web services are the cloud components with which cloud providers are able to offer in-house created
and developed application functionality in a standardized way to the outside world. Web services also
enable features from one application to be integrated into another application which can be stored in a
Web services repository as a reusable component for other applications that might not yet be
developed.
Web services represent one possible implementation approach for a service-oriented architecture
(SOA). Web services are functional services that are based on internet protocols and are transported
over the internet infrastructure. They can have a manual or automated character. As Web-based
software components they rely on XML standards to exchange data.
Within a typical Web services SOA model there are three role types: service provider, service
repository, and client (Figure 14). The service provider offers services over a programmable interface.
The service repository is used to store and to offer the exposed Web services to the service users that
integrate and consume the offered Web services based on XML-based messages and internet protocol
standards.
Figure 14. Web services-SOA
The key features of Web services are:
Reachable over programmable interfaces on an XML-based message exchange process, such as
SOAP and WSDL.
12

Oracle White Paper—SAP ERP in the Cloud
Based on the internet protocol suite. Operations and messages can support various different
protocols, such HTTP and SMTP.
Capsuled and loosely coupled character—a clearly defined task with the implementation details
hidden from consumers.
Composition and reusable character—can be combined with other Web services to provide a new
more complex service.
Location-independent and can be activated from everywhere. The consumer must have the needed
access rights and authorization.
Can have an informative or a transactional character. For example, the Web service can be part of a
business transaction.
One of today’s trends in the cloud arena is to use Web services based on the restful or
REpresentational State Transfer Architecture (REST). This type of Web service fully relies on the
methods of the HTTP protocol stack. Under the terms of REST, every Web application consists of a
collection of resources or resource objects that are reachable over HTTP. In other words, Web sites,
pictures (gifs, jpegs, etc.), CGI scripts, servlets, and more are REST resources that can be reached over
a dedicated URL or URI. The HTTP methods (GET, PUT, POST and DELETE) are the verbs
applied to the substantives (the resources) and therefore represent the interfaces to the REST resource
objects. Functions of the methods are listed in Table 1 and a conceptual diagram of REST is shown in
Figure 15.
TABLE 1. HTTP METHOD FUNCTIONS
GET Retrial the representation of the resource (display format: HTML, plain text, jpeg, etc.)
POST Start process on the server (e.g., modify or add database fields)
PUT Create new resource or replace an existing one
DELETE Erase an existing resource
The key advantages of restful Web services are:
Lightweight Web service integration
A REST back-end server does not know the state of the client (stateless session)
Reduces the load on the back-end server
Allows load-balancing and service interruptions
Clients manage their own status (e.g, the sequence of the HTTP methods/calls)
Simple development model/approach (no dedicated tools required)
Every resource object can be reached by a URL/URI request
13

Oracle White Paper—SAP ERP in the Cloud
URL/URI includes all of the needed information/containing all of the information necessary to
understand that request
As the URL/URI is the trigger for a resource, it can easily be cached at a proxy, gateway, or loadbalancer
site and therefore reduces the load on the back-end server
Incoming client requests can be handled much faster because there is no need for SOAP envelope
extractions (less payload)
Ideal solution for scenarios with a high number of parallel Web services requests — provides higher
scalability than SOAP-based Web services
Figure 15. Conceptual diagram of REST
Key Issues Today
Web services as they are defined today have some disadvantages. There are more than 100 Web
services specifications available, which sometimes contradict each other. The current situation —
where every cloud provider relies on a different Web services specification — presents a high risk
factor. There is a need for standardization in this technology area. The issue of standardization needs
to be addressed before integration between different Web services-based cloud services — offered and
hosted by various cloud providers — can be started by the growing cloud consumer community within
their hosted cloud-based system and application landscapes.
Relying on a market leading cloud provider such as Google or Amazon might reduce the risk because
the leaders always set and push their own standards. Since these providers have a large market share,
they are able to define their own Web services specifications, which are more likely to be automatically
adopted by the other market players.
The typical elements of today’s cloud Web services environment is illustrated in Figure 16.
14

Figure 16. Typical elements of today’s Web services environment
Network as a Service (NaaS)
NaaS is a fairly new term in the cloud sphere and can be defined in the following ways:
Oracle White Paper—SAP ERP in the Cloud
Provides a dynamic software-based and software-controlled re-configuration of network resources
and new bandwidth management system for cloud-based applications
Uses an intelligent, automated, and service-oriented network model or paradigm
Controls the aggregate network bandwidth used by a cloud-based service
Includes network virtualization as the underlying technology
Is part of the next big cloud development step
As cloud consumers relocate their home environment into cloud provider datacenters and the internet,
network traffic and network load and utilization increases. New solutions such as intelligent network
limiters need to be developed and deployed to mitigate challenges such as bandwidth limitations, TCP
latency, and talkativeness of applications, as shown in Figure 17.
15

Figure 17. Relocating network traffic
Oracle White Paper—SAP ERP in the Cloud
There are still a few open questions to be answered before cloud customers are able to move a
complete ERP stack into a public cloud-based environment:
Does the internet have enough bandwidth and traffic management to support this data movement?
Can resources be efficiently and dynamically provisioned to support increases or intermittent
changes in demand?
How will addressing statefully move from one autonomous system to another?
How will the security policy bound to a particular object (re: VM) stay consistent and coherent as a
VM moves across the network and from one network to another?
When will open standards be defined and accepted to codify the solutions to these problems? Will
the current infrastructure run these open standards in a scalable manner?
How will rate limiting be distributed to provide the critical ability for cloud providers to control the
use of network bandwidth as if it were all sourced from a single site?
It seems that NaaS represents one of the cloud areas where cloud vendors need to invest more
resources in the near future to eliminate some of the most critical roadblocks. Thus, the main drivers
for new NaaS technologies are:
Time-to-market — fast service establishment, activation, and allocation
Service differentiation — the ability to offer different SLAs depending on a customer’s requirement
profile
Flexible and scalable network bandwidths — bandwidth on-demand (BoD) capability to quickly and
flexibly react to unknown fluctuations (on-demand services)
16

Oracle White Paper—SAP ERP in the Cloud
Exchange of monitoring information to agree on what to monitor, where to monitor, and to whom
the data should be visible
Service communications across monitoring domains should include different business partners to
deal with multiparty interactions to solve an issue
One solution that is a possible first step in resolving the issues above is called ThinPrint (Figure 18).
ThinPrint is a virtual device driver for printers in a virtualized server and storage landscape that
includes a connection-oriented bandwidth control mechanism to limit the bandwidth for a single
network connection, user group, or single workplaces. ThinPrint’s features include:
Figure 18. ThinPrint
Internet Traffic Control
Virtual device driver for printers (ThinPrint V-Layer)
Deploy on each VM (DaaS)
Install vendor-specific device drivers on central print
servers only
Connection-oriented bandwidth control
Limit bandwidth for single network connections, user
groups, or single workplaces
Data compression rate up to 98%
Optimized print data throughput on a network based on a
protocol extension
One downside with public Cloud Computing is that users access applications through the internet,
which can be slower than using a private cloud. Thus, the question for many cloud consumers
interested in ERP is: are cloud providers and their related internet partners able to offer guarantees in
regard to the availability and the round-trip times of TCP packets? Or in other words, what is the
expected average network latency?
This might not be an important question for commonly used Web applications based on Joomla or
Drupal. It is, however, an essential question for cloud consumers with an ERP focus. Such consumers
need certain response time guarantees for their business-critical ERP transactions.
Today, cloud providers and their related partners (internet providers) are only able to give this
guarantee for the internet connection itself, but not for the TCP latency (response times) when the
internet is used as an additional transport layer between the provider and the cloud consumer’s
network. If guaranteed response times for specific business transactions are a critical requirement, it is
probably better to build an in-house cloud (private cloud). Traffic control differences between cloud
providers and consumers are listed in Figure 19.
17

Figure 19. Internet traffic control
NaaS Management Frameworks
Oracle White Paper—SAP ERP in the Cloud
NaaS management frameworks are also going to play a significant role in the next phase of Cloud
Computing. A NaaS management framework (Figure 20) is a central administration and interaction
utility or tool that can be used by cloud providers and their customers — the consumers — to provide
the following functions:
Figure 20. NaaS management framework
Enable coordinated policing of a cloud-based
service’s network traffic
Dynamic bandwidth control and bandwidth on
demand
Control network bandwidth use and associated
costs using rate limiters for provider and
consumer
Distributed rate limiting could provide a powerful
tool for managing access to client content
Distributed rate limiting could bring the
bandwidth crisis under control, e.g., peak timesbased
bandwidth split
18

Web services -based traffic control functions/features (switches, firewalls, etc.)
Direct integration into existing administration tools and utilities
Integrated ticket support and tracking system at the consumer and provider layers
Transport protocol extension (e.g., compression algorithms)
Oracle White Paper—SAP ERP in the Cloud
A cloud provider can centrally control all network-related activities, as well as distribute administration
tasks to customers as a kind of self-service offering as shown in Figure 21.
Figure 21. NaaS management frameworks
Security in the Cloud
Security in the cloud is more of a trust issue between the players in the cloud than a real security issue.
The necessary security infrastructure already is available and just needs to be adopted from the
enterprise layer into the cloud arena. But there are additional risk factors introduced when virtual
machine images are moved within a cloud from one physical system or network component to another
system or network component. Therefore, it might make sense to enhance existing security protocols
so that they also can be used within in the virtualization layer. For example, enable VMs to take their
dedicated security policies with them when they move around within the cloud.
Web services are connected with each other (customer — provider network) over the internet or
between the specific partner networks in a private cloud setup. Web services are used to share
information or to customize the cloud setup through a Web interface. Therefore, cloud providers must
establish the required security standards, because they offer the services on an on-demand basis to their
customers. This also includes implementing well-known security practices such as data encryption,
19

Oracle White Paper—SAP ERP in the Cloud
authentication, authorization, and fraud detection against all possible internal and external attacks. For
example, an internal administrator should never be able to make a copy of an installed customer VM.
It is also essential to provide all customers and interns with a method to securely establish a crossenterprise
Single Sign-On (SSO) connection to their virtualized datacenter OS images and the
applications running on top of these images. Federated identity management technologies such as
SAML— an XML-based standard for exchanging authentication and authorization information
between various different business partners—offer a good solution and also allow the necessary trust
policies for the various end-user types to be implemented.
Another important point that needs to be mentioned is multitenancy. The cloud provider is
responsible for isolating all tenants (customers, companies, end users) that share the same physical
environment (computing, storage, network) and must proof this to customers by collecting and
offering related reports and log files. Additional NaaS-related applications that are capable of
monitoring the data in transfer in a virtual network should be used to complete the cloud services in
that space.
Clear segregation of duty rules for all users, especially for those with administration rights, should be
established as well. This is a strong factor in safeguarding the cloud environments from unauthorized
access. In general it is important that all cloud participants and players enforce and comply with the
same security rules and policies — centralized identity management, authentication, authorization,
monitoring standards — to maintain an equal level of trust, because a chain is only as strong as the
weakest link. In addition, the authentication process can be strengthened by using risk-based features
(risk-based authentication approach) to enhance the level of security provided by an access
management solution stack. This strong form of authentication can protect access to a cloud based on
behavior profiling, an additional analysis of past user behavior. Any activities that differ from the normal
behavioral pattern lead to an advanced authentication process in which users must answer additional
security questions, such as: What is the name of your manager? Which department do you belong to?
And so on. Another way to protect the cloud environment from attackers, hackers, and intruders is to
use transparent authentication methods that rely on a device recognition process in which user devices
are identified through their specific device parameters such as Ethernet-address, IP geographic
location, and so on.
Cloud Summary
In general, Cloud Computing offers the following key benefits:
Reduce runtime
Batch jobs: Use 100 servers in parallel instead of a single one to accomplish a task in 1/100 the
time.
Optimize response times — true for private cloud, uncertain for public cloud
Scale out on-demand to meet customer demands.
Minimize infrastructure risk
20

Public clouds: cloud provider owns the capital/financial risk of the infrastructure.
Private clouds: send overflow work to a public cloud.
Lower cost of entry
Oracle White Paper—SAP ERP in the Cloud
Infrastructure is rented, not purchased, the cost is controlled, and the capital infrastructure
investment can be zero.
Applications are developed more by assembly than programming.
Helps reduce time to market (competitive factor).
Increase the pace of innovation
Enables start-up companies to deploy new products quickly and at low cost.
Enables small companies to compete more effectively than traditional organizations that deploy
services in enterprise datacenters, which can take significantly longer.
The key challenges of Cloud Computing are:
Data governance and compliance
Enterprises must comply with many of the regulations that require data governance.
By moving data into the cloud, enterprises might lose some capabilities to govern their own data.
Service providers must offer guarantees.
Manageability (e.g., NaaS)
Most raw infrastructures and platforms lack advanced management capabilities. For example,
Amazon’s EC2 does not automatically scale an application as the server becomes heavily loaded. It
is still up to the developer to manage scalability problems.
Monitoring
CPU and memory usage of virtual machine environments can be misleading.
Lack of monitoring tools for Web services and underlying layers (e.g., software, virtual machines,
hardware).
Inability to measure transaction process time and latency.
Reliability and availability
Enterprises today cannot rely on the cloud infrastructures/platforms to run critical businesses in
public cloud environments.
There are almost no SLAs offered by the cloud providers today.
Virtualization security
21

Oracle White Paper—SAP ERP in the Cloud
Need to apply standard enterprise security policies governing access control, activity monitoring,
patch management, etc., to virtual environments. For example, need the ability to control and
monitor the movement of virtual machines using live migration or VMotion.
Enterprise Resource Planning in the Cloud
ERP in the cloud means to move existing ERP environments into cloud-based system and software
landscapes. It could simply mean to use cloud technology to optimize the TCO of an in-house hosted
ERP environment or to outsource the complete stack into a cloud/SaaS provider’s datacenter. It could
also mean to implement a hybrid cloud approach where ERP users are able to leverage the benefits of
both the private and public cloud models.
ERP systems are critical to successful businesses because they integrate, automate, and create processes
that capture how the business works. It is therefore important to ensure the data is correct and that
there is adequate computing resources and bandwidth to provide timely results. An ideal environment
would have the company concentrating on the data and off-loading the infrastructure to a cloud
provider. This is called software as a service (SaaS). Unlike application service providers (ASPs), SaaS
vendors typically offer software that is designed from the ground up to be hosted and delivered over
the Web. Based on this delivery mechanism, most SaaS providers expect benefits of lowered TCO,
effortless upgrades, minimized end-user training, and no in-house datacenter and administration tasks
for their customers. The cost savings alone are probably not reason enough to start migrating business
applications into a public cloud. There are other reasons that should be considered before initiating
such a move. For example, typical SaaS cloud offerings today are highly standardized, and while this
standardization might solve the business issues of small and mid-sized companies, it lacks the
customization flexibility that might be required by larger enterprises.
Another topic is business diversification. If a company is highly diversified and is active in various
different industries it might turn out that a SaaS cloud solution that offers the needed ERP
functionality on an on-demand basis over the Internet is simply not available. This makes sense, as the
nature of Cloud Computing is to optimize, standardize, and reduce costs, rather than offer process
integration and diversification that is typical in ERP environments. This does preclude companies from
implementing internal private cloud environments to reduce time-consuming administration tasks, or
to use virtualization to achieve higher system utilization. Public cloud/SaaS offerings also apply highly
standardized processes to the application layer (business process layer) and are therefore limited in the
individual design steps of consumers’ ERP setups.
SaaS and SOA seem to be prerequisites for most vendors offering sustainable systems integration. If all
of a company’s IT-applications are service-enabled — whether developed internally or by leveraging
SOA support from a vendor — the infrastructure can be upgraded without necessarily touching every
single piece of integration work that has ever been done. Web services — as one part of the SOA
paradigm — are one of the key technologies to Web-enable ERP cloud environments for an internetbased,
on-demand model. However, not all existing ERP functions — as they are known today — are
available out of the box as Web services or can easily be implemented as Web services offerings to end
consumers.
22

Oracle White Paper—SAP ERP in the Cloud
Moving business applications into a public cloud offers the benefit of always running on current
software as the cloud provider is responsible for keeping software levels and patches up to date. The
danger is that critical business transactions are completely under the control of the cloud provider,
which also includes any financial data stored in the cloud. Another risk that should not be
underestimated is the possibility of the cloud provider going out of business or moving to another
service model that makes it necessary to migrate back to an in-house-based ERP solution stack.
The public cloud offerings available today, such as salesforce.com, are ideal solutions for small- and
mid-sized enterprises that lack IT and application experience and are interested in a low-cost solution
that enable them to easily grow and shrink with their own businesses. The highly standardized business
applications of a public cloud SaaS offering can be a good starting point for these companies, enabling
them to experience ERP software at a low cost and to find if the public cloud offering suits their
business requirements. If in the future the business grows dramatically and the business diversification
process starts it might eventually be necessary to migrate from a public to a private or hybrid cloud
model. The differences between public and private clouds for ERP environments are listed in
Figure 22.
Figure 22. ERP in the cloud: SaaS
ERP in the Cloud: Main Concerns Today
Figure 23 shows the main concerns ERP users face today when investigating a move of ERP
stack/business transactions into a public cloud.
23

Figure 23. Main concerns today of ERP in the cloud
Oracle White Paper—SAP ERP in the Cloud
The security services offered through a cloud provider that hosts ERP applications on an on-demand
basis over the Internet is illustrated in Figure 24 and should include:
Centralized identity management functions
User provisioning, user authentication, and authorization services, delegated administration
services, etc.
Reliable and strong encryption methods for data access and exchange processes.
OS hardening
System and application updates with the most recent security patches
Use of security domains to group virtual machines
Port filtering
Stateful package filtering
Use of network admission control (NAC) to keep the cloud environment clean and to automate
regulatory compliance processes of remote devices
24

Figure 24. Security
Oracle White Paper—SAP ERP in the Cloud
Compliance plays a major role when moving business processes into the cloud because different
countries enact different governmental regulations and different industries have varying compliance
requirements and standards. For a consumer it is essential to find out if the selected cloud provider has
the needed compliance experience and related certifications in the various areas (datacenter, hardware,
software, etc.) offered.
For example, today it is not allowed to move auditable business critical data from a company located in
Europe, e.g., Germany, into a cloud environment that is hosted in the USA (Figure 25). This kind of
data movement violates local German laws due to a lack of international standards and governmental
regulations in that space.
Figure 25. Data storage — moving data from the EU to the USA might violate local laws
25

Oracle White Paper—SAP ERP in the Cloud
Moving business processes and related business data into the cloud does not negate a company’s
compliance responsibilities (Figure 26). Therefore it is important to ensure that the cloud provider
offers the right set of tools to enable an external audit without any open regulatory compliance issues.
For example, there should be a system available that allows users to see and monitor where their
business-critical data is stored and with which they can remotely handle the segregation of duty (SoD)
issues by themselves.
Figure 26. Segregation of Duties
The biggest compliance-related differences between ERP stacks such as SAP or Oracle and standard
Web-based application environments involve managing authorization. In an ERP stack, there are
unlikely to be uncritical entitlements as all of the captured data has a business critical background in an
ERP system. Every stored piece of information is collected based on a specific business-related
function and is used to execute, prepare, or document business transactions. Therefore, losing such
important data — representing a business-critical function — creates high risk for every company. This
is why every captured piece of information on an ERP system needs to be protected against data loss
and possible internal or external security intrusions.
It is important for every public SaaS cloud provider to implement and offer an identity management
system that allows a 100% identification and mapping of all business users and their related technical
user accounts (system and application accounts). This correlation between business user and technical
users needs to be proven every time when an audit is going to take place. This is a difficult challenge
for every IT department, but even more difficult to fulfill in an environment like a public cloud where
several customers share the same application and database instances at the same point in time. Thus, a
good identity management system is needed to solve this kind of issue and to separate user
management for each customer. In addition, another system/software component is required that
26

Oracle White Paper—SAP ERP in the Cloud
provides the dedicated functions to certify which person has done what with which technical user
account(s) at which point in time in regards to all audit-relevant financial business transactions.
A global-acting cloud ERP provider also needs to offer a centralized authorization system that allows
customers to individually customize security based on local or country-specific laws. Today, this
capability might only be possible in a private cloud environment.
From a network point of view, keep in mind that today, cloud vendors do not offer bandwidth or
response time guarantees for Internet-enabled business transactions (Figure 27). This is critical issue
for companies that rely on specific response times for some of their most critical business processes. In
this case it might be worth thinking about a private or hybrid cloud implementation rather than a
public cloud stack.
Figure 27. Network
ERP Cloud Service Level Agreements
Given the current state of offerings, good service level agreements from ERP cloud implementations
should include the areas listed in Figure 28 and below:
Secure Web access management
Acceptable authentication and authorization methods used to secure the cloud providers network
Encryption standards
Datacenter security
Redundant systems, storage, and networks
27

Oracle White Paper—SAP ERP in the Cloud
Security of the datacenter itself, identity of cloud vendor staff that has access to the virtual
environment, documented procedures that state how the environment is controlled and
monitored
Network security
Multiple internet connections
Multiple firewalls and intrusion detection systems
Protected segments
Reverse Proxies
Third-party audits
Authentication/authorization
E.g., role-based access control
Compliance
SoD checks
Business monitoring
Change history for business critical transactions
Detailed documentation on how and where data is stored
Certified according to standards appropriate for the offered applications
Figure 28. Service level agreements are key
28

Oracle White Paper—SAP ERP in the Cloud
Good service level agreements illustrate that the cloud provider of choice understands the differences
between hosting a comprehensive ERP landscape and standard Web applications.
SAP ERP in the Cloud
There are currently four different cloud offerings for SAP applications:
SAP Business ByDesign
SAP On-demand solutions for the SAP Business Suite
SAP Business Suite
SAP BusinessObjects OnDemand
All SAP cloud offerings are delivered through the SaaS model, as illustrated in Figure 29.
Figure 29. SAP ERP in the cloud
SAP Business ByDesign
SAP Business ByDesign is a typical SaaS package for small and mid-sized companies that provides a
single, integrated application to manage the entire business from the cloud over the internet. According
to SAP documentation about Business ByDesign, this solution focuses on enterprises with a maximum
of 100 parallel users. It includes the following key features:
Full function business applications to advance visibility and control over key business areas
On-demand applications — SaaS
Delivered in modules, such as BusinessObjects shown in Figure 30 (start small and add modules as
the business grows)
Managed, monitored, and maintained by SAP AG
29

Requires only a standard Web browser
Oracle White Paper—SAP ERP in the Cloud
Provider-based operational complexity, reliable security, privacy protection, and high availability
Current configuration: Linux with MaxDB as the database platform
Figure 30. SAP BusinessObjects on-demand
The standard SLAs of this cloud solution include all of the mentioned
factors of a reliable and secure public ERP cloud offering:
Secure Web-based access
Physical on-site link/VPN to a connectivity appliance that controls
access from browsers to on-demand proprietary information
User IDs and passwords
Part of up-to-date client operating systems and browsers, i.e., client
operating systems and browsers are updated with latest security
patches
Datacenter
Multiple safeguards for physical data security and integrity
High availability of business data provided by redundant networks and power systems
Redundant hardware storage system performs regular backups
Network security
Reverse proxy farms that hide the network topology from the outside world
Multiple Internet connections to minimize the impact of distributed denial of service (DDoS)
attacks
Advanced intrusion detection system that continuously monitors solution traffic for possible
attacks
Multiple firewalls that divide the network into protected segments and shield the internal network
from unauthorized Internet traffic
Third-party audits performed throughout the year to support early detection of any newly
introduced security issues
Role-based access and security
Accesses through SoD implemented through role-based access management
Fine-tuned access to reflect the areas of responsibility of individual users
Advanced intrusion detection system that continuously monitors solution traffic for possible
attacks
30

User types:
Key users — configure the solution and grant and revoke access
End users — standard day -to-day business
Support users — maintenance only
Oracle White Paper—SAP ERP in the Cloud
Remote logon to the customer’s solution in the datacenter is also monitored and recorded
Compliance
Journal entries that carry all information necessary to identify the respective business transaction
and trace it through references to the underlying source documents
By default, accounting-relevant data cannot be deleted, and all changes made to financially relevant
data are recorded in a change-history log
Advanced intrusion detection system that continuously monitors solution traffic for possible
attacks
Documentation of the software solution
Procedure and task descriptions for end users
Detailed technical descriptions explaining how data is processed and stored
SAP On-Demand Solutions for the SAP Business Suite
The second key cloud offering by SAP AG is based a hybrid cloud approach. This solution focuses on
large enterprises and represents an add-on kind of feature or function set that can be integrated and
used on an on-demand basis over the Internet. Additional new functions such as e-sourcing (supplier
selection), CRM, expense management, and CO2 emission management can be delivered as Web
services over the internet and directly integrated into an existing SAP Business Suite landscape.
The first offering available is the SAP CRM on-demand solution. It allows a Web-based subscription
on a pay-as-you-go basis and it can be fully integrated into an existing in-house SAP ERP software
stack. This hybrid cloud package relies on SAP CRM version 2007 and the underlying SAP NetWeaver
application framework. It includes all components of a typical CRM system: Sales (sales reporting and
forecasting), service (customer service and help desk), and marketing (campaign management).
Configuration of this solution is performed over the Internet by using a standardized and user friendly
Web-interface, which also needs to be used for all administration tasks.
SAP AG offers global enterprise-class support for this new cloud offering:
Easy-to-use CRM functionality on a pay-as-you-go basis
Clear and comprehensive service level agreements
99% system availability
Compliance with data protection standards worldwide
31

Single vendor viability and accountability
24/7 global production support
SAP BusinesObjects OnDemand
Oracle White Paper—SAP ERP in the Cloud
This is another public cloud offering by SAP AG based on BusinessObjects Crystal Reports (Figure
31) that includes the following features:
A cloud-based business intelligence solution
Business intelligence on demand
Off load business intelligence and data warehouse infrastructure onto a hosted platform
Data analyzing on demand, over the Web
Information on demand
Enhanced business intelligence with external information (Web services integration)
BusinessObjects partner API
Data quality on demand
Cleanse and verify addresses in existing operational systems
Insert crystalreports.com (CRDC) functions into third-party applications such as salesforce.com
Distribute files and reports that provide intelligence for sales quoting, sales tracking, and support
tracking
Figure 31. BusinessObjects on-demand services
32

SAP Business Suite
Oracle White Paper—SAP ERP in the Cloud
SAP Business Suite is the basis for an ERP enterprise cloud environment as it acts as a construction kit
to develop an in-house SaaS-ERP cloud stack. It delivers all of the necessary business and technology
components — which can be used by a company’s internal IT department — to build an individual
SaaS offering based on the needs of the various business units within an enterprise (Figure 32). In
addition, with the unique capabilities of SAP NetWeaver, SAP Business Suite provides the openness to
automate business processes from end-to-end, across company boundaries and heterogeneous system
landscapes. The advantages of hosting an in-house SAP ERP solution on a private cloud model are:
Figure 32. SAP Business Suite
Store business and compliance-critical data in house
Private and secure application instances as opposed to sharing
an instance with other unknown customers
Flexibility to customize the solution based on individual
business needs, including industry specific solutions versus
standard-based configurations with limited customizable
capabilities
The ability to use standardization where ever possible, while
staying flexible enough to support individual changes
(architecture, systems, high availability, virtualization
technology, Web services, etc.)
The SAP Business Suite is a family of business applications that offer a rich function set for almost
every business sector:
ERP core business components (FI, HR, SD, MM, etc.)
Customer Relationship Management
Product Life-cycle Management
Supply Chain Management
Supplier Relationship Management
SAP Business Suite is built on the standards-based development and runtime environment of SAP
NetWeaver, a technology stack that delivers the flexibility to start small and grow as needed. SAP
NetWeaver includes various technologies, programs, and toolkits to:
Provide a reliable and scalable runtime environment for SAP´s business applications
Allow applications to work together
Build new applications on top of existing applications
Support common security standards, e.g., SAML, JAAS
33

Oracle White Paper—SAP ERP in the Cloud
Deliver SAP Business Suite functionality as a set of reusable Web services (SAP composite
application)
Lower the TCO of applications
SAP recognizes the need to extend the enterprise, and offers composite, Web services-based
applications to solve the specific needs of private enterprise cloud environments. SAP NetWeaver
allows businesses to build and manage composite, collaborative business services that are available
whenever and wherever they are needed by a community of users that extends beyond corporate
boundaries to suppliers, customers, and employees. These services can also be offered on an ondemand
basis as cloud services to the internal and external business units of companies.
SAP NetWeaver enables access to a broader scope of applications and information by a wider range of
users, delivering game-changing benefits to the enterprise. Products ship faster, productivity climbs,
and customer satisfaction increases. The challenge is to open up the enterprise to new ways of
conducting business as well as more users in a cost-effective manner, while simultaneously ensuring
that information assets remain secure. SAP NetWeaver provides the basic technology and tools to
build individual enterprise SAP cloud environments.
The main integration components of the SAP NetWeaver stack are:
SAP Enterprise Portal
SAP Mobile Infrastructure
SAP Business Warehouse
SAP Master Data Management
SAP Process Integration
SAP Web Application Server
The related primary development and management tools of SAP NetWeaver are:
SAP NetWeaver Developer Studio
SAP Visual Composer
SAP Composite Application Framework (CAF)
SAP Solution Manager
The main features of the SAP Composite Applications (CAF) are below and in Figure 33:
Build new applications out of existing applications using Web services
Integrate one application with another based on an industry standard
Use an independent programming language approach
Based on the SOA approach for a coherent blueprint design of the Web services interaction and
integration process
34

Oracle White Paper—SAP ERP in the Cloud
SAP NetWeaver as the construction platform for composite applications based on Web services
SAP Business Suite provides the business functions to be accessible through Web services
Composite Application Framework provides the model-driven development framework for SAP
Web services-based applications
Figure 33. SAP CAF features
In addition, SAP offers an administration component to fully manage an SAP virtualized IT
environment called Adaptive Computing Controller (ACC), which provides a single, centralized
console to operate, observe, and manage virtualized (adaptive) SAP computing landscapes without
having deep technical knowledge of the underlying IT infrastructure (Figure 34).
Figure 34. SAP Adaptive Computing Controller
35

Oracle White Paper—SAP ERP in the Cloud
Governance, risk, and compliance (GRC) is another area where SAP AG offers a comprehensive stack
of applications. Two of the most important components in this solution area are SAP BusinessObjects
Process and BusinessObjects Access Control.
SAP BusinessObject Process Control is a control management solution to automate monitoring,
testing, assessment, remediation, and certification of enterprise-wide financial compliance activities.
SAP BusinessObjects Access Control is the official SAP risk analysis and remediation tool with which
any SAP related SoD issue can be identified and addressed.
Overall, SAP BusinessObjects Access Control consists of four components (Figure 35) that interact
with each other on a Web services basis:
Risk analysis and remediation
Superuser privilege management
Enterprise role management
Compliant user provisioning
Figure 35. SAP BusinessObjects Access Control
The ability to build an in-house SAP ERP cloud environment is advantageous, but the other cloud
layers should be considered. A cloud solution does not only rely on a comprehensive and flexible
software stack that includes all of the expected business functionalities demanded by the various
internal business units. It should also include the previously mentioned infrastructure services that
make out an ERP offering a real cloud-SaaS offering. Only by combining the business software with
the infrastructure parts, such as IaaS or DaaS, can IT departments offer in-house consumers a
complete cloud stack with all of the relevant features such as a pay-by-use model, on-demand services,
virtualized SAP instances, centralized identity management, and compliance.
36

SAP Security in the Cloud
Oracle White Paper—SAP ERP in the Cloud
ERP systems are gaining in importance in the future of cloud markets. SAP is one major player in this
field and has already started its first cloud initiatives. This section of the paper examines the existing
security model of the SAP ERP stack that is used to safeguard business data from unauthorized access
or attacks during the transit phase within a cloud-based environment.
A typical SAP landscape consists of several different SAP ERP components (e.g., ECC, CRM, SRM,
etc.). All of these components need to follow the same architectural concept of a clear separation
between the production and the non-production application instances. This separation is the first
important step in safeguarding an ERP environment. In addition, it provides a secure change and
transport system that allows transfer of system settings and business-related data from one application
instance to another without running into security issues. Also the instance-to-instance communication
can be protected by the SAP specific Secure Network Communication (SNC) feature, which encrypts
all of the data that is transferred. The disadvantage of this solution is that it represents a proprietary
technology that is specifically developed for and used in the SAP world only.
Another network-related security component is the SAP Gateway, which is an SAP dedicated firewall
product. On the authentication site, the SAP NetWeaver application framework — which is the
runtime environment for almost all SAP components — accepts several different authentication
methods. It starts with basic authentication (UID + password) and can lead to the digital certificatebased
authentication process. In addition, it is also possible to develop custom or product-specific
authentication modules that can then be used to extend SAP Web application server security functions
to integrate an existing SAP landscape into a commonly used enterprise access management solution
such as Oracle OpenSSO.
But what about securing the program-to-program communication or Web services-based
communication processes that use the Internet or Internet technology as a transport medium? Does
SAP support common standards to fulfill authentication and authorization requirements that also allow
access of users from other partner organizations or integration into an existing circle of trust of users
and Web applications hosted within a cloud? The good news it that SAP supports the standard
authentication and authorization protocol (SAML) used for this kind of Web-driven interaction
processes. Unfortunately, SAP does not currently support the latest version of the SAML protocol
stack, which reduces the functional options during the implementation phase of a SAML-based
authentication/authorization solution with other business partners in or outside of a cloud.
SAP ERP user management is another important component of the SAP security model. It offers the
highest granularity to customize user account profiles based on roles and their assigned
transactions/transaction objects. This allows flexibility during the role definition phase and prohibits
the ability to give users a higher authorization level than needed in their day-to-day business. But an
extensive level of flexibility also increases complexity, especially in an SAP EEC system that might
have several hundred pre-configured roles available in a single system.
The SAP compliance or risk management-related issues that might come up in any kind of clouddriven
SAP landscape can be solved by using the SAP Governance, Risk, and Compliance (GRC)
solution stack (e.g., SAP BusinessObjects Access Control product) for all SoD-specific issues in an
37

Oracle White Paper—SAP ERP in the Cloud
SAP environment. Cloud providers that offer SAP BusinessObjects Access Control as an on-demand
service must support a single virtualized Access Control instance for each tenant because the product is
not yet able to provide SAP multiclient support.
Cloud-based user access can be offered rather than virtual desktop solutions, which can already be
integrated and combined with many available identity management stacks and encryption standards
that provide a secure data transit/user interaction process. These solutions allow a complete
virtualization of the end-users’ desktops, now hosted in the cloud and accessed over a standard
Internet connection with a standard Web browser such as Mozilla. Therefore, it is also possible to
offer typical SAP power users almost the same secure work environment — based on the SAP GUI
installed within the virtualized client OS on a hosted server in the cloud — to the SAP ERP back-end
as they use it today. In addition, virtual desktops also allow the integration of other application
components such as Microsoft Office, which are then also available on a Web basis from any place
around the world.
Oracle’s Infrastructure for the SAP Cloud
The main goal behind using an enterprise cloud approach in the SAP space is to establish an agile, endto-end
platform for running SAP applications efficiently, economically, and securely in a completely
virtualized application landscape. A cloud environment enables SAP instances to move from one
physical server to another to solve the issue of under-utilized system resources. A cloud environment
also helps to establish a vital and flexible change management process that can be used to support a
company in adapting, growing, and responding to market changes in an almost real-time behavior to
gain advantages against other competitors. Another important aspect of enterprise Cloud Computing is
the need to enforce business governance, compliance, and data security to protect the business against
errors, frauds, tax fines, and penalties. Oracle addresses these challenges with comprehensive hardware
and software stack, a community of internal specialists, and business partners that understand the
demands of implementing, deploying, and hardening enterprise cloud deployments (Figure 36).
Figure 36. One-stop shopping for Cloud Computing
38

Oracle White Paper—SAP ERP in the Cloud
The main business advantages of Oracle’s strong combination of leading-edge cloud technology and
highly experienced people are:
Improving the way people work by easily and quickly changing and adapting the SAP infrastructure
to gain competitive advantages
Reducing carbon footprint and administrative costs with an open, interoperable infrastructure that
efficiently uses computer resources
Improving security, compliance, and governance with secure single-sign-on (SSO) and automated
process to control access and reduce errors
Improving infrastructure flexibility by simplifying, standardizing, and automating computer resources
to achieve high service levels to end-users, and to support growth and change
Supporting enterprises in implementing an enterprise cloud environment that grows with business
needs and that has a strong focus on the system, storage, and application environment as a whole
Figure 37. Oracle technologies
SAP Virtualization from Oracle
Virtualization technologies from Oracle dramatically reduce energy costs, simplify
administration, and improve flexibility, from the edge of the network to back-end
information management, to enable businesses to adapt and grow (Figure 37). To
make an environment cloud-ready, virtualization works by pooling resources and
centralizing administration, and enables applications to run anywhere, regardless of the
underlying architecture. Users gain desktop access from any browser in a
heterogeneous hardware and software environment that adapts easily to business
needs and processes. Eco-responsible virtualized storage provides fast access to data
when it is needed, lowers costs across the board, and delivers huge energy savings.
Oracle technologies for virtualization include:
Dynamic Domains — hardware partitions on Sun SPARC Enterprise® M-Series
servers
Oracle Solaris Containers — Separate, private Oracle Solaris environments on a
single Oracle Solaris operating system instance, native performance virtualization
for Oracle Solaris on SPARC or x86
39

Oracle White Paper—SAP ERP in the Cloud
Oracle VM Server for SPARC (previously called Sun Logical Domains) — Multiple Oracle Solaris
instances on the same Sun SPARC Enterprise T-Series server
Sun Storage — Consolidate management of all heterogeneous storage through virtualization, greater
utilization through thin provisioning and virtual volumes
Sun StorageTek Virtual Tape Library Systems — Separate Sun StorageTek Tape Libraries on a single
virtual tape, better tape utilization and management ease
Oracle Enterprise Manager Ops Center — Manage more than one physical or virtual server
including patch management
Sun Q-Layer — Define and build virtual datacenter infrastructures using drag and drop
Oracle VM VirtualBox — Programmer productivity for Window, Linux, and Oracle Solaris guest on
x86
Oracle Virtual Desktop Infrastructure — Oracle’s Desktop as a Service solution
Desktop Virtualization
It is possible to establish a complete Desktop as a Service approach for SAP (SAP GUI, SAP fat client)
and non-SAP client applications. Desktop virtualization alone dramatically cuts energy consumption
and lowers maintenance costs. The core of Orcle’s desktop virtualization solution is the Oracle Virtual
Desktop Infrastructure running on virtualized servers in the datacenter, as illustrated in Figure 38.
From industry-standard PCs, Macs, or thin clients throughout the enterprise, users can access virtual
desktops running on industry-standard operating systems — Windows, Linux, and Oracle Solaris.
Since the desktop environment is centrally managed, the cost of maintaining environments on every
desktop is nearly eliminated. Replacing desktop PCs with Oracle’s Sun Ray thin clients results in
significant energy savings. A typical PC uses about 150 to 350 watts while a Sun Ray thin client uses
only 4 watts. For an average scenario, replacing PCs with thin clients, considering power, cooling, and
infrastructure needs, you can reduce power consumption by 24% and decrease CO2 emission by 23%.
On average, thin clients use 55% less electronics and 36% less plastic, and outlast PCs by three years,
resulting in reduced eco waste. In a virtualized workplace, authorized users can gain secure access to
any Sun Ray client on the network.
40

Figure 38. Sun Secure Global Desktop
Oracle White Paper—SAP ERP in the Cloud
With a key card, users can instantly display their own environment on any system. Because everything
is maintained in the datacenter, IT staff can quickly change, adapt, or upgrade resources as business
needs change. Sun Ray clients are also ideal for training, where a virtualized classroom is energyefficient
and flexible. A teaching environment is easy and fast to set up on the server, so there’s no
need to maintain and replicate the environment on separate desktop computers. Students can gain
secure access to their environment instantly, anywhere.
SAP Server Virtualization
With tightening budgets, IT departments are faced with eliminating server sprawl through
consolidation and better utilization. Oracle’s server virtualization technology — which divides one
server into multiple environments — simplifies administration, increases system uptime, dramatically
reduces energy costs, and improves resource utilization for SAP applications (Figure 39). Oracle’s
virtualization technologies are generally included with the hardware or OS, providing significant cost
savings on licensing fees. The easiest way to virtualize servers is OS virtualization. Virtualization
technology enabled by Oracle Solaris Containers is highly flexible.
41

Figure 39. SAP virtualization example
Oracle White Paper—SAP ERP in the Cloud
Containers can be used for consolidation and to enable rapid response to business needs. With
containers, quick experimentation or testing of new SAP features is simple. SAP applications can be
easily deployed on-the-fly without adding hardware. Legacy SAP applications can be hosted in
containers on existing servers. Because the SAP Adaptive Computing Controller supports Oracle
Solaris Containers, applications can be monitored and provisioned within containers quickly and
automatically. Also, containers enable fast data backup and upgrades, resulting in zero downtime.
Oracle offers virtual machine technologies to maximize the choice of platforms and operating
systems — Windows, and Linux, and Oracle Solaris — so virtualization can fit into any SAP
environment easily:
Dynamic Domains on Oracle’s Sun SPARC Enterprise M-series servers running Oracle Solaris
Oracle VM Server on SPARC on systerms with UltraSPARC® processors running Oracle Solaris or
Linux (BrandZ zones)
VMware hypervisor on Oracle’s x64 systems
These virtuazliation technologies enable a flexible, secure, scalable, and reliable environment to run
mission-critical applications while more fully utilizing resources and preserving existing assets.
SAP Storage Virtualization
Oracle understands that data is the lifeblood of every SAP environment. Companies must store and
access more data with fewer resources than ever before, and often cope with a heterogeneous storage
environment with different types of storage in different geographic locations. Oracle’s energy-efficient
virtualization solutions reduce storage complexity, provide fast access to data, and enable IT
departments to manage a rich mixture of systems, solutions, processes, and interfaces efficiently and
cost-effectively. The tiered storage approach yields highly efficient utilization of resources and faster
access.
42

Oracle White Paper—SAP ERP in the Cloud
Storage virtualization, powered by the Oracle Solaris Zettabyte File System (ZFS), centralizes and pools
storage into a single resource that can grow or shrink according to application demands, potentially
yielding cost and energy savings of 90%. This approach simplifies and streamlines the entire storage
environment and applies the most cost-effective resources for each task. For example, in Sun Storage
7000 Unified Storage Systems, Oracle Solaris ZFS transparently manages data placement, copying
frequently used data to fast SSD cache for faster access, so data can be stored on slower, less expensive
mechanical disks and tape without sacrificing performance.
For long-term data storage, backup, and recovery, Oracle’s tape library solutions provide an
economical way to archive increasing volumes of data quickly, safely, and cost-effectively. With
virtualized storage, access to archived data is orders of magnitude faster than with traditional tape
storage. Products like Oracle Solaris ZFS and Oracle’s Sun StorageTek Virtual Storage pool resources
manage storage as a single resource, which decreases the burden of managing large tape libraries,
increases system usage and efficiency, and reduces the overall cost of protecting SAP data through
improved tape utilization, shared tape resources, and reduced complexity. Oracle Solaris ZFS also
provides fast, easy recovery for low-cost business continuance. Used with Oracles Solaris Containers,
an administrator can store a snapshot of the environment, then revert back to the snapshot rather than
restore data from tape. This approach streamlines the disaster recovery (DR) process and reduces
downtime to almost zero. Oracle’s virtualized storage solutions deliver manageable, secure storage of
all types (Flash SSD, SATA, iSCSI, SAS, NAS, Fibre Channel, tape), dramatically lower energy costs,
and provide an infrastructure that quickly adapts to future storage needs.
Securing Access to Virtualized SAP Application Components
With highly utilized, virtualized desktops, servers, and storage, enterprises can support more users.
Opening up the SAP environment in a Web-based world leverages the value of a virtual enterprise,
with applications serving employees, customers, vendors, suppliers, and business partners. To enable a
safe, collaborative environment, the open SAP NetWeaver application platform helps companies build
and manage business services that reach beyond the business boundary. Users can access SAP from
any SAP browser on a mobile device, PC, or thin client. The benefits of this open environment are
immeasurable, but so are the risks — identity theft, corporate espionage, and fraud.
Keeping track of user identities in a complex organization involves manual, risky, costly tasks. With
Oracle’s identity management solutions for SAP, companies can create a secure and extended SAP
enterprise where users inside and outside the company have secure, single sign-on access to SAP and
non SAP Web applications anywhere, anytime (Figure 40). Automation features include the ability to
create self-service password systems for end users, reducing help desk calls and improving both user
and IT productivity. Passwords are automatically synchronized everywhere — across hardware
platforms, software applications, and databases. With Oracle’s identity management suite,
administrators can easily manage identity data stored in widely distributed systems throughout the user
life cycle. Capabilities include automated provisioning of new users, reprovisioning to reflect changes
in user status, and deprovisioning when a relationship within the organization ends. Authentication and
authorization services are provided across internal and external computing domains. Enterprises also
benefit from automated auditing of segregation of duties (SoD) for non SAP applications.
43

Figure 40. Secure identity and compliance
Managing Identities in a Private Cloud
Oracle White Paper—SAP ERP in the Cloud
The general goals of identity management do not change in a private cloud. Efficiently and costeffectively
managing access and identities to provide secure access for the users in an SAP based
private cloud requires a centralized approach. To maintain or increase productivity, users need a single
point of entry and sign-on capability, which implies a single point of administration for all users,
including operating systems, SAP solutions, databases, and other applications. IT managers need the
ability to quickly and automatically add users to all of the applications and services they require, as well
as the ability to modify access and privileges and delete users from all systems when they leave, in order
to deal with the diversity of users and their changing roles. In addition, businesses must also comply
with security-related regulations such as controlling access to sensitive financial information. This
requires the ability to detect dormant accounts, enforce consistent corporate security policies, and
ensure that data is accurate and consistent across applications and data stores. Another critical issue for
IT managers is TCO. In a large environment, supporting technology that increases costs by requiring
additional staff and training can offset the benefits of the solution itself.
Identity Management as a Cloud Infrastructure Component
The first step in providing identity management is to centralize identity data. Oracle Directory Server
delivers a secure, highly available, scalable, and easy-to-manage directory infrastructure for storing and
using identity data. It centralizes and separates identity information and makes that data available to
multiple applications including Microsoft Active Directory, rather than requiring applications to store
and maintain data in multiple locations, thus providing consistency and lowering costs. Password
synchronization with Microsoft Active Directory increases security by helping to ensure password
policies enforced on the network operating system are also enforced in key strategic directories in the
enterprise. Its extreme scalability helps reduce costs by decreasing the number of systems deployed. In
44

Oracle White Paper—SAP ERP in the Cloud
addition, proxy services provide firewall-like protection against denial-of services and unauthorized
access. Multimaster replication, load balancing, and automatic failover help provide directory services
around the clock. With over 1.5 billion entries, the Oracle Directory Server is the most widely deployed
general-purpose, LDAP-based directory server in the marketplace.
Oracle Waveset Identity Manager
Oracle Waveset Identity Manager provides the core user provisioning and identity synchronization
services of Sun’s identity management solution, as well as password management and profile
management. It uses role-based access control mechanisms to centrally create and manage users, and
delegate user administration. Using a common identity infrastructure, administration that normally
occurs across many applications by multiple administrators, including OS, database, and SAP, can be
consolidated into a single management console. This makes it possible to consistently delegate
management tasks and self-service functionality to partners, customers, and internal company
departments based on business requirements. It automatically synchronizes identity data across a wide
range of heterogeneous applications, databases, and other data stores such as Oracle Directory Server,
Microsoft Directory, and Lotus Domino. This helps ensure that identity data is accurate and consistent
both within and outside the boundaries of the SAP NetWeaver environment.
Oracle OpenSSO for SAP
Oracle OpenSSO is a security foundation that helps organizations manage secure access to Web
applications and Web services. It is designed to provide authentication and authorization services
across internal and external computing domains and helps ensure that appropriate authentication
credentials are required of users depending on the value of the protected resources. It also presents
streamlined navigation across Web applications and Web services through single sign-on capabilities.
Oracle OpenSSO can be integrated with the SAP NetWeaver Enterprise Portal through an Oracle
developed and supplied policy agent (based on the Java Authentication and Authorization Services
login module of the SAP NetWeaver Application Server Java). In addition it is possible to use the
SAML authentication module of the latest SAP NetWeaver Application Server Java to smoothly
integrate a highly accepted authentication standard defined by the OASIS, which is a common
technology used to securely authenticate users or Web services within a Web-driven cloud
environment.
By using a central point of authentication, role-based access control, and single sign-on, Oracle
OpenSSO provides a scalable Web access management model for SAP NetWeaver, other Web-based
applications and Web services. In this way, it simplifies exchange of information and transactions while
protecting the privacy and security of vital identity information. It also allows administrators to audit
any intrusion or unauthorized access in real time.
End-to-End Governance and Compliance
Ever-increasing legislative and global regulations mean compliance and identity management go hand
in hand. The integrated Oracle Waveset Identity Manager software and SAP BusinessObjects Access
Control (GRC) solution — based on Web services and Java technology — provides automated, system
45

Oracle White Paper—SAP ERP in the Cloud
wide auditing and reporting capabilities that cover business compliance and financial or ERP
requirements, plus IT infrastructure compliance, like OS and user provisioning, networking, storage
and archiving, and data management. The solution, illustrated in Figure 41, enables companies to
streamline corporate policy and legislative compliance for mission-critical SAP applications and other
enterprise IT resources.
Figure 41. Cloud end-to-end IT compliance (SoD)
The industry-leading Oracle Waveset Identity Manager software helps ensure that access to sensitive
information is subject to the most secure control possible by enforcing security policy and global
standards through repeatable and sustainable processes. SAP BusinessObjects Access Control (GRC)
provides features such as risk analysis and remediation, compliant user provisioning, enterprise role
management, and superuser privilege management capabilities. The scalability of provisioning from
Oracle Waveset Identity Manager software, combined with the risk analysis and remediation of SAP
GRC Access Control, is designed to prevent cross-application provisioning conflicts. As private SAP
cloud environments grow, Oracle and SAP’s flexible, scalable security solutions can grow to take on
the toughest security challenges.
Oracle Identity Analytics
With the growing demand for cloud-based computing landscapes — whether these environments are
public or in-house hosted solutions — the volume of network communications increase, use of
virtualization technology increase, and Web-enabled application functionality increases. To support
these environments identity management components need to be implemented to standardize how
people access and are authorized to such environments. This will lead to unprecedented challenges in
the area of access governance and access control compliance.
With Oracle Identity Analytics, companies can effectively manage access and consistently achieve
access control compliance when the number and nature of users is in constant flux by managing access
based on the users roles within an enterprise cloud rather than on an individual, user-by-user basis.
46

Oracle White Paper—SAP ERP in the Cloud
Creating roles based on usage and enterprise policies enables greater visibility into access and the ability
to manage access in a more efficient, secure, and compliant manner.
Role-based access control, particularly in combination with identity provisioning, enables enterprises to
improve efficiency and security by always:
Knowing who is accessing what data and which applications
Understanding who approved the access assigned to users
Evaluating the assigned access against access-control policies
The comprehensive role life-cycle management and identity compliance capabilities of Oracle Identity
Analytics can streamline operations, enhance compliance, and reduce costs within a cloud-driven
application and system landscape.
Oracle Identity Analytics provides the following unique features:
Integrated set of technologies and methodologies for role-based access control and identity-based
controls automation
Continuous monitoring to scan for role versus actual assignments, segregation of duties, and other
access-related exceptions that might signal potential policy or regulatory violations
Extensive analysis and reporting on role changes, policy violations, and potential role refinements
Integration with market-leading provisioning solutions
Extract, transform, and load (ETL) capabilities to pull data from any enterprise resource without the
time and cost of using connectors
Oracle Identity Analytics improves operational efficiency by simplifying and automating access-related
processes and bridging the gap between the IT infrastructure and the business organization.
Oracle Identity Analytics brings the IT infrastructure and the business organization closer together and
provides a common vocabulary. This is the result of mapping business roles (business view) to the
underlying entitlements (technical view) that are granted within enterprise applications such as SAP or
Oracle ERP systems. A common vocabulary helps ensure that the roles reflect how responsibilities are
assigned within an organization, which makes it easier for employees to request the access necessary to
perform their jobs.
Oracle Identity Analytics continuously monitors the users’ actual access to resources rather than just
reporting on the access to which their roles entitle them. By reducing the risk of improper access,
organizations are less likely to violate enterprise security policies or external regulatory requirements.
Specifically, Oracle Identity Analytics can alert management to issues with problem areas such as
segregation of duties violations, which can occur when a user has conflicting roles or accounts that
violate internal policies or external regulations. For example, a user whose job includes setting up
vendors should have to give up the access privileges associated with that role if that user assumes a
new position that involves writing checks to those vendors.
47

Oracle White Paper—SAP ERP in the Cloud
With this special feature set, Oracle Identity Analytics completes the cloud identity management stack
and provides the ability to implement a fully integrated end-to-end role management, user
administration, account provisioning, and compliance solution. This solution allows a combined SoD
risk analysis — starting on the OS layer up to the ERP layer — using Oracle Identity Analytics as the
interface component between Oracle Identity Analytics and SAP BusinessObjects Access Control.
Summary
Oracle solutions for SAP in a cloud span the enterprise — from browser to datacenter to storage —
giving users access to SAP anywhere, keeping businesses competitive, reducing costs, saving energy,
and maximizing ROI. Based on market-tested, industry-leading cloud technology, Oracle’s end-to-end
solutions for SAP provide a high-performance, robust, open, flexible SAP architecture that leverages
virtualization to reduce costs and increase agility (Figure 42). Nobody delivers virtualization throughout
the enterprise like Oracle does — with proven technologies that dramatically reduce energy costs. The
solutions open up the potential of global collaborative computing for businesses of any size while
keeping data safe, complying with government policies, and providing fast access to business
information.
Figure 42. Sun cloud technology for SAP
Oracle’s Global SAP Service Portfolio
Reducing power consumption, offering on-demand SaaS cloud services, implementing virtualization,
increasing security and compliance, and managing it all is a huge endeavor. Oracle can help with
everything from designing clouds, to performing upgrades, to operating and managing private SAP
cloud environments.
48

Oracle’s Sun Solution Center for SAP
Oracle White Paper—SAP ERP in the Cloud
Oracle’s Sun Solution Center for SAP has SAP application architects and Oracle and SAP solution
experts that provide world-class service around the globe to address unique SAP requirements. Among
the many services offered, the SAP Competency at the solution center provides the following services:
Architecture design and capacity planning
Hardware sizing tools for business partners
SAP on Oracle solutions
Reference architectures
SAP on Oracle workshops
To find solution centers, see www.sun.com/solutioncenters/locations/index.jsp
Sun Joint Support Center for SAP Applications
Sun Joint Support Center for SAP Applications provides round-the-clock, worldwide support to
resolve interoperability issues between Oracle server platforms and SAP software running in virtualized
or non-virtualized environments. SAP has expertise in resolving complex integration issues between
the Sun software stack and SAP application components such as Oracle Identity Analytics and SAP
back-end components. Support teams are located on-site nearby the SAP headquarters in Walldorf,
Germany to streamline information transfer and problem resolution. In addition, SAP trained support
teams are located in the United States and Asia to offer faster, more specialized worldwide problem
resolution.
Oracle Virtualization Services
Oracle offers a complete set of virtualization services across computer, networking, and infrastructure
components to help save power, space, and cooling costs, improve service levels, increase utilization,
and facilitate provisioning to maximize ROI. Professional services staff can help run datacenters more
efficiently — recommending the appropriate mix of virtualization technology and IT processes to
achieve specific goals. Oracle estimates the TCO and ROI benefits that an IT project can achieve and
helps create business value.
Oracle Storage Virtualization Services
Starting with an evaluation of a company’s current storage issues, Oracle’s storage virtualization
services help determine and implement a virtualization strategy that enables companies to achieve
ongoing business and technological goals. Oracle consults on areas to help reduce costs and optimize
resources and recommends the appropriate mix of virtualization technology and IT processes. Sun
Managed Services for Storage can provide best practices to virtualize, monitor, and manage storage
utilization, staff resources, and system processes. Oracle helps virtualize across all SSD/Flash, various
disk, and tape-based storage and maximize the availability of distributed, heterogeneous disk, backup,
and archive infrastructure.
49

Global Oracle Support
Oracle White Paper—SAP ERP in the Cloud
Oracle offers integrated packages of support services that deliver comprehensive Oracle hardware and
software support for SAP users with mission-critical and business-critical applications. These services
are designed to handle urgent business requirements. As part of the offerings, enterprises gain access to
Sun Vendor Integration Program Interop Support. Through this program, Oracle and SAP collaborate
to identify, isolate, and resolve complex interoperability issues.
For More Information
For more information about Oracle solutions for SAP environments, please visit oracle.com/sun or
call +1.800.786.0404 to speak to an Oracle representative. Additional information can be found at:
http://www.sun.com/sap
http://www.sap.com/solutions/business-suite/crm/crmondemand/index.epx
http://www.sap.com/solutions/sapbusinessobjects/ondemand/index.epx
50

SAP ERP in the Cloud
April 2010
Author: Timm Seitz
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.
This document is provided for information purposes only and the contents hereof are subject to change without notice.
This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed
orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose.
We specifically disclaim any liability with respect to this document and no contractual obligations are formed either
directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their
respective owners.
AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro
Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are
used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered
trademark licensed through X/Open Company, Ltd. 0310