SAP ERP in the Cloud - Oracle
An Oracle White Paper
April 2010
SAP ERP in the Cloud
Oracle White Paper—SAP ERP in the Cloud
Introduction
Key Characteristics of the Cloud
Cloud Services
The Cloud Provider View
Public Clouds
Private Clouds
Hybrid Clouds
The Cloud Consumer View
Cloud Technology
Security in the Cloud
Cloud Summary
Enterprise Resource Planning in the Cloud
SAP Security in the Cloud
Oracle’s Infrastructure for the SAP Cloud
SAP Virtualization from Oracle
SAP Server Virtualization
SAP Storage Virtualization
Securing Access to Virtualized SAP Application Components
Summary
Oracle’s Global SAP Service Portfolio
Oracle’s Sun Solution Center for SAP
Sun Joint Support Center for SAP Applications
Oracle Virtualization Services
Oracle Storage Virtualization Services
Global Oracle Support
For More Information
Introduction
What is Cloud Computing? Cloud Computing is one of the hype topics in the high-tech industry today. Almost every IT company offers some kind of cloud product or services and almost every IT expert uses a different definition of the term Cloud Computing. For a typical private end-user, Cloud Computing means using a Web-based service, for instance online services for data storage, email, word-processing, spreadsheets, collaboration, file conversion, social media, etc. There is no magic behind these Web services, other than the fact that the end-user does not need to deploy or install dedicated applications on their home PC system anymore. The only prerequisite is the existence of a working internet connection. Most of the mentioned services are free and for others, end-customers pay a monthly fee, usually on a per user basis.
The general concept of Cloud Computing from a private end-user’s point of view is:
• To plug into the internet from anywhere and access processing, applications, and data services whenever needed
• To only pay for what is used or needed
However, private cloud usage is only one aspect of the overall cloud story. Companies have realized that Cloud Computing might be a good avenue to reduce internal IT costs by spending less money on software licenses, hardware, storage, training, and the needed maintenance of the mentioned areas. Small and medium sized enterprises might especially gain large advantages by using a cloud-based IT approach instead of building internal datacenters. An outsourcing model can help to extend IT services step by step depending on the growth of the individual business.
This white paper provides a general overview of the term Cloud Computing from an enterprise point of view. In addition, the topic of Enterprise Resource Planning (ERP) in the cloud is covered with a dedicated focus on the SAP ERP stack deployed on cloud technology components from Oracle.
Key Characteristics of the Cloud
The general understanding of Cloud Computing is related to an on-demand service model by which various different resources (hardware, software, and services) are combined on an on-the-fly basis (Figure 1). The service(s) are delivered over the network, which could be the intranet of a company or the internet when the service is ordered from an external provider. Nevertheless, the term network always includes Internet-based technology such as the TCP/IP protocol stack that is used to communicate between the cloud provider and the cloud consumer.
Figure 1. Cloud Computing relates to on-demand service model
Cloud Services
The service aspect of the cloud includes three different components — applications, hardware, and systems software — which can be combined to build a cloud-specific service package or offering (Figure 2). Depending on how a cloud provider combines these components within a cloud offering, there are a number of different cloud service layers.
Figure 2. Definition of Cloud Computing
Currently, there are four possible cloud service layers that can be used in combination to build a full end-to-end cloud offering as described below and in Figures 3 and 4.
• Software as a Service (SaaS) — offers an application, such as ERP, on demand over the network or internet.
• Platform as a Service (PaaS) — providers sell a complete development platform including the necessary built-in services, such as MySQL database, GlassFish application server, LDAP, NetBeans software, and Oracle Solaris Studio, on demand over the network.
• Infrastructure as a Service (IaaS) — a service offering that supplies hardware and software infrastructure components, such as compute, storage, systems, Oracle Enterprise Manager Ops Center, Sun Management Center and Sun Identity Manager from Oracle, and more.
• Desktop as a Service (DaaS) — moves the desktop environment of a cloud consumer into the cloud and provides secure remote access to the server-based applications. It helps to reduce administration costs and establishes higher security standards as IT staff can provision applications from a central console to end users who have been assigned appropriate access rights based on individual or group criteria.
Figure 3. IaaS and PaaS layers
Figure 4. SaaS and DaaS layers
The layers are highly flexible, enabling various providers to work together but still focus on an individual area of expertise. For example, one partner might provide the underlying infrastructure services (IaaS) while another partner is responsible for the developer and application platform (PaaS or SaaS).
The Cloud Provider View
A cloud provider owns the various cloud services (IaaS, PaaS, SaaS) and the related capital risks. Currently there are three cloud models: public, private, and hybrid. The differences between private and public are described in Figure 5.
Figure 5. Definition of cloud provider view
Public Clouds
A public cloud provider offers services to anyone in the general public that might be interested in using the service (Figure 6). In other words, anyone who has access to an internet connection, is able to pay, and is aware of the specific cloud service offering can use it on demand. There are no consumer restrictions for specific user groups, communities, or certain company types. Therefore, this type of cloud offering is referred to as public. Practically everyone on the Web can take advantage of public cloud services.
Figure 6. Cloud provider view of a public cloud
Private Clouds
Also called enterprise or in-house clouds, private clouds do not have a public character. Cloud providers and cloud consumers are part of the same company. The IT department of a company acts as the cloud provider and offers a cloud service that can be used by internal units to deploy and run business applications (Figure 7). This differs from traditional IT support in that IT utilizes the on-the-fly flexibility of cloud technologies to provide compute resources as needed.
Figure 7. Cloud provider view of a private cloud
Hybrid Clouds
Hybrid clouds represent a combination of both private and public cloud models. For example, a company implements a private cloud to support business-critical services and utilizes the public cloud in an on-demand fashion for non-critical services, as illustrated in Figure 8. External and temporary cloud services can be less expensive from a cost/benefit perspective than providing the same service internally. Therefore, this type of cloud model might be of interest to large, global enterprises with a periodic temporary demand for specific cloud resources. It also provides much better data security for the company itself (well-guarded internal network) in comparison to a public cloud approach where the cloud consumer completely relies on the security mechanisms of the selected provider.
Figure 8. View of a public cloud
Figure 9 summarizes the key facts about the three cloud provider models.
Figure 9. Differences between cloud types
The Cloud Consumer View
A cloud consumer (a company) must first identify which cloud services (IaaS, PaaS, SaaS, and DaaS) best suit the existing business requirements (Figure 10). The decision of whether to use or to build an in-house cloud service depends strongly on the available internal resources, such as human resources, and the necessary knowledge and experience in the various IT areas (applications, security, systems, or storage specialists). Other factors that influence the decision are existing IT budget and competitive market aspects. The flexibility to grow and shrink depending on existing market demand and business forecasts, as well as the agility to react almost in real time in a highly competitive market space such as Web 2.0, makes Cloud Computing very attractive to startups and small- and mid-sized companies.
Larger enterprises with a different business model might have other reasons to use internal or external cloud services. Most of these companies need to reduce IT budgets by replacing cost-intensive IT tasks with comparable cloud-based, on-demand services.
Especially in difficult economic times it is in every organization’s interest to find the right balance between operating expenses and related earnings. Therefore, Cloud Computing has the potential to play a major role for every kind of business within the next several years.
Figure 10. Definition of the cloud consumer view
As a consumer of a public cloud it is important to keep in mind that the same environment is shared with many other unknown cloud users at the same point in time. The network, server compute power, storage devices, and, depending on the service contract, the application instance(s) might be shared with many other users. The ability to share resources is why cloud providers are able to offer standardized services for less than it would cost to implement and maintain the services in house. This might not be the right solution for everyone as individual customization of the offered services within the cloud can be limited. Cloud services have a strong standardized character today and are built to meet the needs of the majority of users, which also helps to keep the administration and maintenance of the environment at an acceptable level. Thus, it is very important to closely analyze existing internal services before moving a particular service to an external cloud service contract.
A cloud consumer could be interested in all of the offered service layers or only in the layers where there is a lack of dedicated internal knowledge, making it less expensive to buy this service and the related hardware and software support from a cloud provider who is able to offer exactly the standardized setup needed based on given business requirements.
Consumers of a private cloud model do not have to care about sharing resources with other unknown users. The various business departments can access available hardware and software resources on an on-demand basis similar to a public cloud environment. The big difference is that resources are shared only with other internal colleagues and highly critical business data is stored on a secure storage device within the intranet of the company. In addition, it also makes sense to use a standardized cloud architecture with standardized systems, infrastructure components, and management processes to achieve the positive cost effects of using cloud technology. Thus, a private cloud offers similar advantages as a public cloud environment without the attendant security and privacy issues. In addition, there is still enough flexibility to add or extend specific features that are not available in a public cloud stack, such as business logic or ERP functions. The differences between cloud types as experienced by a cloud consumer are summarized in Figure 11.
Figure 11. Cloud consumer view across cloud types
Cloud Technology
The key technologies used in a cloud-based landscape are virtualization, Web services, and NaaS.
Virtualization
Virtualization is not a new component in this technology mix. It is a proven and widely accepted way to consolidate existing server and application landscapes, and is defined in Figure 12. Virtualization helps to realize greater efficiency and cost savings, and helps in maintaining or exceeding service-level agreements (SLAs) in all of the described cloud scenarios. There are currently three virtualization types: desktop, server, and storage.
Figure 12. Definition of virtualization
Desktop Virtualization
Desktop virtualization is the concept of separating a personal computer desktop environment from the physical machine through a client-server computing model. The resulting virtualized desktop is stored on a remote server in the cloud instead of on the local disk of the remote client machine. Thus, when users work from their remote desktop clients—PCs, smart phones, laptops, or thin client systems—all of the programs, applications, processes, and data are stored and run centrally in the cloud. A virtual desktop infrastructure uses virtual machines to enable multiple network subscribers to maintain individualized desktops on a single, centrally located server environment. Users might be geographically scattered, but all can be connected to the central machine by a local area or a wide area network or through public networks such as the internet. When desktop virtualization is implemented within a cloud it is also called Desktop-as-a-Service (DaaS).
Server Virtualization
Server virtualization masks server resources — including the number and identity of individual physical servers, processors, and operating systems — from the users and applications. The server administrator uses an application to divide one physical server into multiple isolated virtual environments. These environments are called guests, virtual instances, containers, or emulations. Today there are four different virtualization types:
• Virtual machine model
• Paravirtual machine model
• Hardware emulation model
• Virtualization at the OS layer
Storage Virtualization
Storage virtualization pools physical storage from multiple network storage devices into what appears to be a single storage device that is managed from a central console from within the cloud (Figure 13). Storage virtualization is commonly used in a storage area network (SAN). It helps storage administrators to perform backup, archive, and recovery tasks more easily and in less time. This all helps to solve the data explosion problems—many applications generate more data than can be stored physically on a single server, and many applications have multiple machines that need to access the same data—and improves data management efficiency.
Figure 13. Storage virtualization
Goals of Cloud-Based Virtualization
The main goals accomplished by using virtualization technology in a cloud-based environment are:
• Separate the hardware from the service, application, and OS (an abstraction from physical resources)
• Host multiple guest systems on a single physical server
• Increase server and storage utilization, increase agility, and reduce energy costs
• Create copies of existing environments quickly and easily
• Move virtual machines between physical servers
• Combine available network resources by splitting available bandwidth into channels, each of which is independent from the others
• Pool physical storage from multiple network storage devices into what appears to be a single storage device that is managed from a central console
Web Services
Web services are the cloud components with which cloud providers are able to offer in-house created and developed application functionality in a standardized way to the outside world. Web services also enable features from one application to be integrated into another application which can be stored in a Web services repository as a reusable component for other applications that might not yet be developed.
Web services represent one possible implementation approach for a service-oriented architecture (SOA). Web services are functional services that are based on internet protocols and are transported over the internet infrastructure. They can have a manual or automated character. As Web-based software components they rely on XML standards to exchange data.
Within a typical Web services SOA model there are three role types: service provider, service repository, and client (Figure 14). The service provider offers services over a programmable interface. The service repository is used to store and to offer the exposed Web services to the service users that integrate and consume the offered Web services based on XML-based messages and internet protocol standards.
Figure 14. Web services-SOA
The key features of Web services are:
• Reachable over programmable interfaces on an XML-based message exchange process, such as SOAP and WSDL.
• Based on the internet protocol suite. Operations and messages can support various different protocols, such as HTTP and SMTP.
• Encapsulated and loosely coupled character—a clearly defined task with the implementation details hidden from consumers.
• Composition and reusable character—can be combined with other Web services to provide a new more complex service.
• Location-independent and can be activated from everywhere. The consumer must have the needed access rights and authorization.
• Can have an informative or a transactional character. For example, the Web service can be part of a business transaction.
One of today’s trends in the cloud arena is to use Web services based on the RESTful or REpresentational State Transfer Architecture (REST). This type of Web service fully relies on the methods of the HTTP protocol stack. Under the terms of REST, every Web application consists of a collection of resources or resource objects that are reachable over HTTP. In other words, Web sites, pictures (gifs, jpegs, etc.), CGI scripts, servlets, and more are REST resources that can be reached over a dedicated URL or URI. The HTTP methods (GET, PUT, POST and DELETE) are the verbs applied to the substantives (the resources) and therefore represent the interfaces to the REST resource objects. Functions of the methods are listed in Table 1 and a conceptual diagram of REST is shown in Figure 15.
TABLE 1. HTTP METHOD FUNCTIONS
Method   Function
GET      Retrieve the representation of the resource (display format: HTML, plain text, jpeg, etc.)
POST     Start process on the server (e.g., modify or add database fields)
PUT      Create new resource or replace an existing one
DELETE   Erase an existing resource
The key advantages of restful Web services are:<br />
Lightweight Web service <strong>in</strong>tegration<br />
A REST back-end server does not know <strong>the</strong> state of <strong>the</strong> client (stateless session)<br />
Reduces <strong>the</strong> load on <strong>the</strong> back-end server<br />
Allows load-balanc<strong>in</strong>g and service <strong>in</strong>terruptions<br />
Clients manage <strong>the</strong>ir own status (e.g, <strong>the</strong> sequence of <strong>the</strong> HTTP methods/calls)<br />
Simple development model/approach (no dedicated tools required)<br />
Every resource object can be reached by a URL/URI request<br />
The URL/URI contains all of the information necessary to understand the request<br />
As the URL/URI is the trigger for a resource, it can easily be cached at a proxy, gateway, or load-balancer<br />
site and therefore reduces the load on the back-end server<br />
Incoming client requests can be handled much faster because there is no need for SOAP envelope<br />
extractions (less payload)<br />
Ideal solution for scenarios with a high number of parallel Web services requests — provides higher<br />
scalability than SOAP-based Web services<br />
Figure 15. Conceptual diagram of REST<br />
Key Issues Today<br />
Web services as they are defined today have some disadvantages. There are more than 100 Web<br />
services specifications available, which sometimes contradict each other. The current situation —<br />
where every cloud provider relies on a different Web services specification — presents a high risk<br />
factor. There is a need for standardization in this technology area. The issue of standardization needs<br />
to be addressed before integration between different Web services-based cloud services — offered and<br />
hosted by various cloud providers — can be started by the growing cloud consumer community within<br />
their hosted cloud-based system and application landscapes.<br />
Relying on a market-leading cloud provider such as Google or Amazon might reduce the risk because<br />
the leaders always set and push their own standards. Since these providers have a large market share,<br />
they are able to define their own Web services specifications, which are more likely to be automatically<br />
adopted by the other market players.<br />
The typical elements of today’s cloud Web services environment are illustrated in Figure 16.<br />
Figure 16. Typical elements of today’s Web services environment<br />
Network as a Service (NaaS)<br />
NaaS is a fairly new term in the cloud sphere and can be defined in the following ways:<br />
Provides a dynamic software-based and software-controlled re-configuration of network resources<br />
and a new bandwidth management system for cloud-based applications<br />
Uses an intelligent, automated, and service-oriented network model or paradigm<br />
Controls the aggregate network bandwidth used by a cloud-based service<br />
Includes network virtualization as the underlying technology<br />
Is part of the next big cloud development step<br />
As cloud consumers relocate their home environment into cloud provider datacenters and the internet,<br />
network traffic, network load, and utilization increase. New solutions such as intelligent network<br />
limiters need to be developed and deployed to mitigate challenges such as bandwidth limitations, TCP<br />
latency, and talkativeness of applications, as shown in Figure 17.<br />
Figure 17. Relocating network traffic<br />
There are still a few open questions to be answered before cloud customers are able to move a<br />
complete ERP stack into a public cloud-based environment:<br />
Does the internet have enough bandwidth and traffic management to support this data movement?<br />
Can resources be efficiently and dynamically provisioned to support increases or intermittent<br />
changes in demand?<br />
How will addressing statefully move from one autonomous system to another?<br />
How will the security policy bound to a particular object (re: VM) stay consistent and coherent as a<br />
VM moves across the network and from one network to another?<br />
When will open standards be defined and accepted to codify the solutions to these problems? Will<br />
the current infrastructure run these open standards in a scalable manner?<br />
How will rate limiting be distributed to provide the critical ability for cloud providers to control the<br />
use of network bandwidth as if it were all sourced from a single site?<br />
It seems that NaaS represents one of the cloud areas where cloud vendors need to invest more<br />
resources in the near future to eliminate some of the most critical roadblocks. Thus, the main drivers<br />
for new NaaS technologies are:<br />
Time-to-market — fast service establishment, activation, and allocation<br />
Service differentiation — the ability to offer different SLAs depending on a customer’s requirement<br />
profile<br />
Flexible and scalable network bandwidths — bandwidth on-demand (BoD) capability to quickly and<br />
flexibly react to unknown fluctuations (on-demand services)<br />
Exchange of monitoring information to agree on what to monitor, where to monitor, and to whom<br />
the data should be visible<br />
Service communications across monitoring domains should include different business partners to<br />
deal with multiparty interactions to solve an issue<br />
One solution that is a possible first step in resolving the issues above is called ThinPrint (Figure 18).<br />
ThinPrint is a virtual device driver for printers in a virtualized server and storage landscape that<br />
includes a connection-oriented bandwidth control mechanism to limit the bandwidth for a single<br />
network connection, user group, or single workplaces. ThinPrint’s features include:<br />
Figure 18. ThinPrint<br />
Internet Traffic Control<br />
Virtual device driver for printers (ThinPrint V-Layer)<br />
Deploy on each VM (DaaS)<br />
Install vendor-specific device drivers on central print<br />
servers only<br />
Connection-oriented bandwidth control<br />
Limit bandwidth for single network connections, user<br />
groups, or single workplaces<br />
Data compression rate up to 98%<br />
Optimized print data throughput on a network based on a<br />
protocol extension<br />
One downside with public Cloud Computing is that users access applications through the internet,<br />
which can be slower than using a private cloud. Thus, the question for many cloud consumers<br />
interested in ERP is: are cloud providers and their related internet partners able to offer guarantees in<br />
regard to the availability and the round-trip times of TCP packets? Or in other words, what is the<br />
expected average network latency?<br />
This might not be an important question for commonly used Web applications based on Joomla or<br />
Drupal. It is, however, an essential question for cloud consumers with an ERP focus. Such consumers<br />
need certain response time guarantees for their business-critical ERP transactions.<br />
Today, cloud providers and their related partners (internet providers) are only able to give this<br />
guarantee for the internet connection itself, but not for the TCP latency (response times) when the<br />
internet is used as an additional transport layer between the provider and the cloud consumer’s<br />
network. If guaranteed response times for specific business transactions are a critical requirement, it is<br />
probably better to build an in-house cloud (private cloud). Traffic control differences between cloud<br />
providers and consumers are listed in Figure 19.<br />
Figure 19. Internet traffic control<br />
NaaS Management Frameworks<br />
NaaS management frameworks are also going to play a significant role in the next phase of Cloud<br />
Computing. A NaaS management framework (Figure 20) is a central administration and interaction<br />
utility or tool that can be used by cloud providers and their customers — the consumers — to provide<br />
the following functions:<br />
Figure 20. NaaS management framework<br />
Enable coordinated policing of a cloud-based<br />
service’s network traffic<br />
Dynamic bandwidth control and bandwidth on<br />
demand<br />
Control network bandwidth use and associated<br />
costs using rate limiters for provider and<br />
consumer<br />
Distributed rate limiting could provide a powerful<br />
tool for managing access to client content<br />
Distributed rate limiting could bring the<br />
bandwidth crisis under control, e.g., peak times-based<br />
bandwidth split<br />
Web services-based traffic control functions/features (switches, firewalls, etc.)<br />
Direct integration into existing administration tools and utilities<br />
Integrated ticket support and tracking system at the consumer and provider layers<br />
Transport protocol extension (e.g., compression algorithms)<br />
A cloud provider can centrally control all network-related activities, as well as distribute administration<br />
tasks to customers as a kind of self-service offering as shown in Figure 21.<br />
Figure 21. NaaS management frameworks<br />
Security in the Cloud<br />
Security in the cloud is more of a trust issue between the players in the cloud than a real security issue.<br />
The necessary security infrastructure already is available and just needs to be adopted from the<br />
enterprise layer into the cloud arena. But there are additional risk factors introduced when virtual<br />
machine images are moved within a cloud from one physical system or network component to another<br />
system or network component. Therefore, it might make sense to enhance existing security protocols<br />
so that they also can be used within the virtualization layer. For example, enable VMs to take their<br />
dedicated security policies with them when they move around within the cloud.<br />
Web services are connected with each other (customer — provider network) over the internet or<br />
between the specific partner networks in a private cloud setup. Web services are used to share<br />
information or to customize the cloud setup through a Web interface. Therefore, cloud providers must<br />
establish the required security standards, because they offer the services on an on-demand basis to their<br />
customers. This also includes implementing well-known security practices such as data encryption,<br />
authentication, authorization, and fraud detection against all possible internal and external attacks. For<br />
example, an internal administrator should never be able to make a copy of an installed customer VM.<br />
It is also essential to provide all customers and interns with a method to securely establish a cross-enterprise<br />
Single Sign-On (SSO) connection to their virtualized datacenter OS images and the<br />
applications running on top of these images. Federated identity management technologies such as<br />
SAML — an XML-based standard for exchanging authentication and authorization information<br />
between various different business partners — offer a good solution and also allow the necessary trust<br />
policies for the various end-user types to be implemented.<br />
Another important point that needs to be mentioned is multitenancy. The cloud provider is<br />
responsible for isolating all tenants (customers, companies, end users) that share the same physical<br />
environment (computing, storage, network) and must prove this to customers by collecting and<br />
offering related reports and log files. Additional NaaS-related applications that are capable of<br />
monitoring the data in transfer in a virtual network should be used to complete the cloud services in<br />
that space.<br />
Clear segregation of duty rules for all users, especially for those with administration rights, should be<br />
established as well. This is a strong factor in safeguarding the cloud environments from unauthorized<br />
access. In general it is important that all cloud participants and players enforce and comply with the<br />
same security rules and policies — centralized identity management, authentication, authorization,<br />
monitoring standards — to maintain an equal level of trust, because a chain is only as strong as the<br />
weakest link. In addition, the authentication process can be strengthened by using risk-based features<br />
(risk-based authentication approach) to enhance the level of security provided by an access<br />
management solution stack. This strong form of authentication can protect access to a cloud based on<br />
behavior profiling, an additional analysis of past user behavior. Any activities that differ from the normal<br />
behavioral pattern lead to an advanced authentication process in which users must answer additional<br />
security questions, such as: What is the name of your manager? Which department do you belong to?<br />
And so on. Another way to protect the cloud environment from attackers, hackers, and intruders is to<br />
use transparent authentication methods that rely on a device recognition process in which user devices<br />
are identified through their specific device parameters such as Ethernet address, IP geographic<br />
location, and so on.<br />
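The risk-based authentication and device recognition flow described above, as an added example that is not part of the white paper: a login attempt is scored against the user's behavior profile, and a deviation triggers the additional security questions before the new device is remembered. All class and function names, the weights, the thresholds and the sample profile are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical weights and thresholds (assumptions, not values from the paper).
WEIGHTS = {"unknown_device": 40, "unusual_country": 35, "unusual_hour": 15}
STEP_UP_AT = 30  # score >= 30: ask the additional security questions
DENY_AT = 80     # score >= 80: reject without offering step-up


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash of a case- and whitespace-normalized answer."""
    normalized = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, 100_000)


@dataclass
class Profile:
    """Behavior profile derived from a user's past successful logins."""
    known_devices: set = field(default_factory=set)    # Ethernet addresses
    usual_countries: set = field(default_factory=set)  # from IP geolocation
    usual_hours: range = range(7, 20)                  # typical login hours
    answers: dict = field(default_factory=dict)        # question -> (salt, hash)

    def enroll_answer(self, question: str, answer: str) -> None:
        salt = os.urandom(16)
        self.answers[question] = (salt, _hash_answer(answer, salt))


@dataclass
class Attempt:
    device: str   # Ethernet address reported by the client (spoofable signal)
    country: str  # country resolved from the source IP address
    hour: int     # local hour of day, 0-23


def risk_score(profile: Profile, attempt: Attempt):
    """Return (score, reasons): how far the attempt departs from the profile."""
    reasons = []
    if attempt.device.lower() not in profile.known_devices:
        reasons.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual_country")
    if attempt.hour not in profile.usual_hours:
        reasons.append("unusual_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile: Profile, attempt: Attempt) -> str:
    """Map the risk score to 'allow', 'step_up' or 'deny'."""
    score, _ = risk_score(profile, attempt)
    if score >= DENY_AT:
        return "deny"
    return "step_up" if score >= STEP_UP_AT else "allow"


def verify_step_up(profile: Profile, attempt: Attempt, given: dict) -> bool:
    """Check all enrolled answers; remember the device only if every one matches."""
    if not profile.answers:
        return False  # nothing enrolled: step-up cannot succeed
    ok = True
    for question, (salt, expected) in profile.answers.items():
        candidate = _hash_answer(given.get(question, ""), salt)
        # Constant-time compare, and no early exit, so timing does not reveal
        # which answer was wrong.
        ok &= hmac.compare_digest(candidate, expected)
    if ok:
        profile.known_devices.add(attempt.device.lower())
    return ok


def demo_profile() -> Profile:
    """Constructed sample profile; the names and addresses are made up."""
    profile = Profile(known_devices={"00:1a:2b:3c:4d:5e"}, usual_countries={"DE"})
    profile.enroll_answer("manager", "Erika Mustermann")
    profile.enroll_answer("department", "Finance")
    return profile


if __name__ == "__main__":
    p = demo_profile()
    new_laptop = Attempt("66:77:88:99:AA:BB", "DE", 10)
    print(decide(p, Attempt("00:1A:2B:3C:4D:5E", "DE", 10)))
    print(decide(p, new_laptop))
    print(verify_step_up(p, new_laptop, {"manager": "erika mustermann",
                                         "department": "Finance"}))
    print(decide(p, new_laptop))
```

Because an Ethernet address is reported by the client, the example treats it as one signal among several rather than as proof of identity.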
Cloud Summary<br />
In general, Cloud Computing offers the following key benefits:<br />
Reduce runtime<br />
Batch jobs: Use 100 servers in parallel instead of a single one to accomplish a task in 1/100 the<br />
time.<br />
Optimize response times — true for private cloud, uncertain for public cloud<br />
Scale out on-demand to meet customer demands.<br />
Minimize infrastructure risk<br />
Public clouds: cloud provider owns the capital/financial risk of the infrastructure.<br />
Private clouds: send overflow work to a public cloud.<br />
Lower cost of entry<br />
Infrastructure is rented, not purchased, the cost is controlled, and the capital infrastructure<br />
investment can be zero.<br />
Applications are developed more by assembly than programming.<br />
Helps reduce time to market (competitive factor).<br />
Increase the pace of innovation<br />
Enables start-up companies to deploy new products quickly and at low cost.<br />
Enables small companies to compete more effectively than traditional organizations that deploy<br />
services in enterprise datacenters, which can take significantly longer.<br />
The key challenges of Cloud Computing are:<br />
Data governance and compliance<br />
Enterprises must comply with many of the regulations that require data governance.<br />
By moving data into the cloud, enterprises might lose some capabilities to govern their own data.<br />
Service providers must offer guarantees.<br />
Manageability (e.g., NaaS)<br />
Most raw infrastructures and platforms lack advanced management capabilities. For example,<br />
Amazon’s EC2 does not automatically scale an application as the server becomes heavily loaded. It<br />
is still up to the developer to manage scalability problems.<br />
Monitoring<br />
CPU and memory usage of virtual machine environments can be misleading.<br />
Lack of monitoring tools for Web services and underlying layers (e.g., software, virtual machines,<br />
hardware).<br />
Inability to measure transaction process time and latency.<br />
Reliability and availability<br />
Enterprises today cannot rely on the cloud infrastructures/platforms to run critical businesses in<br />
public cloud environments.<br />
There are almost no SLAs offered by the cloud providers today.<br />
Virtualization security<br />
Need to apply standard enterprise security policies governing access control, activity monitoring,<br />
patch management, etc., to virtual environments. For example, need the ability to control and<br />
monitor the movement of virtual machines using live migration or VMotion.<br />
Enterprise Resource Planning in the Cloud<br />
ERP in the cloud means to move existing ERP environments into cloud-based system and software<br />
landscapes. It could simply mean to use cloud technology to optimize the TCO of an in-house hosted<br />
ERP environment or to outsource the complete stack into a cloud/SaaS provider’s datacenter. It could<br />
also mean to implement a hybrid cloud approach where ERP users are able to leverage the benefits of<br />
both the private and public cloud models.<br />
ERP systems are critical to successful businesses because they integrate, automate, and create processes<br />
that capture how the business works. It is therefore important to ensure the data is correct and that<br />
there are adequate computing resources and bandwidth to provide timely results. An ideal environment<br />
would have the company concentrating on the data and off-loading the infrastructure to a cloud<br />
provider. This is called software as a service (SaaS). Unlike application service providers (ASPs), SaaS<br />
vendors typically offer software that is designed from the ground up to be hosted and delivered over<br />
the Web. Based on this delivery mechanism, most SaaS providers expect benefits of lowered TCO,<br />
effortless upgrades, minimized end-user training, and no in-house datacenter and administration tasks<br />
for their customers. The cost savings alone are probably not reason enough to start migrating business<br />
applications into a public cloud. There are other reasons that should be considered before initiating<br />
such a move. For example, typical SaaS cloud offerings today are highly standardized, and while this<br />
standardization might solve the business issues of small and mid-sized companies, it lacks the<br />
customization flexibility that might be required by larger enterprises.<br />
Another topic is business diversification. If a company is highly diversified and is active in various<br />
different industries it might turn out that a SaaS cloud solution that offers the needed ERP<br />
functionality on an on-demand basis over the Internet is simply not available. This makes sense, as the<br />
nature of Cloud Computing is to optimize, standardize, and reduce costs, rather than offer process<br />
integration and diversification that is typical in ERP environments. This does preclude companies from<br />
implementing internal private cloud environments to reduce time-consuming administration tasks, or<br />
to use virtualization to achieve higher system utilization. Public cloud/SaaS offerings also apply highly<br />
standardized processes to the application layer (business process layer) and are therefore limited in the<br />
individual design steps of consumers’ ERP setups.<br />
SaaS and SOA seem to be prerequisites for most vendors offering sustainable systems integration. If all<br />
of a company’s IT-applications are service-enabled — whether developed internally or by leveraging<br />
SOA support from a vendor — the infrastructure can be upgraded without necessarily touching every<br />
single piece of integration work that has ever been done. Web services — as one part of the SOA<br />
paradigm — are one of the key technologies to Web-enable ERP cloud environments for an internet-based,<br />
on-demand model. However, not all existing ERP functions — as they are known today — are<br />
available out of the box as Web services or can easily be implemented as Web services offerings to end<br />
consumers.<br />
Moving business applications into a public cloud offers the benefit of always running on current<br />
software as the cloud provider is responsible for keeping software levels and patches up to date. The<br />
danger is that critical business transactions are completely under the control of the cloud provider,<br />
which also includes any financial data stored in the cloud. Another risk that should not be<br />
underestimated is the possibility of the cloud provider going out of business or moving to another<br />
service model that makes it necessary to migrate back to an in-house-based ERP solution stack.<br />
The public cloud offerings available today, such as salesforce.com, are ideal solutions for small- and<br />
mid-sized enterprises that lack IT and application experience and are interested in a low-cost solution<br />
that enables them to easily grow and shrink with their own businesses. The highly standardized business<br />
applications of a public cloud SaaS offering can be a good starting point for these companies, enabling<br />
them to experience ERP software at a low cost and to find out if the public cloud offering suits their<br />
business requirements. If in the future the business grows dramatically and the business diversification<br />
process starts it might eventually be necessary to migrate from a public to a private or hybrid cloud<br />
model. The differences between public and private clouds for ERP environments are listed in<br />
Figure 22.<br />
Figure 22. ERP in the cloud: SaaS<br />
ERP in the Cloud: Main Concerns Today<br />
Figure 23 shows the main concerns ERP users face today when investigating a move of ERP<br />
stack/business transactions into a public cloud.<br />
Figure 23. Main concerns today of ERP in the cloud<br />
The security services offered through a cloud provider that hosts ERP applications on an on-demand<br />
basis over the Internet are illustrated in Figure 24 and should include:<br />
Centralized identity management functions<br />
User provisioning, user authentication, and authorization services, delegated administration<br />
services, etc.<br />
Reliable and strong encryption methods for data access and exchange processes.<br />
OS hardening<br />
System and application updates with the most recent security patches<br />
Use of security domains to group virtual machines<br />
Port filtering<br />
Stateful packet filtering<br />
Use of network admission control (NAC) to keep the cloud environment clean and to automate<br />
regulatory compliance processes of remote devices<br />
Figure 24. Security<br />
Compliance plays a major role when moving business processes into the cloud because different<br />
countries enact different governmental regulations and different industries have varying compliance<br />
requirements and standards. For a consumer it is essential to find out if the selected cloud provider has<br />
the needed compliance experience and related certifications in the various areas (datacenter, hardware,<br />
software, etc.) offered.<br />
For example, today it is not allowed to move auditable business critical data from a company located in<br />
Europe, e.g., Germany, into a cloud environment that is hosted in the USA (Figure 25). This kind of<br />
data movement violates local German laws due to a lack of international standards and governmental<br />
regulations in that space.<br />
Figure 25. Data storage — moving data from the EU to the USA might violate local laws<br />
Moving business processes and related business data into the cloud does not negate a company’s<br />
compliance responsibilities (Figure 26). Therefore it is important to ensure that the cloud provider<br />
offers the right set of tools to enable an external audit without any open regulatory compliance issues.<br />
For example, there should be a system available that allows users to see and monitor where their<br />
business-critical data is stored and with which they can remotely handle the segregation of duty (SoD)<br />
issues by themselves.<br />
Figure 26. Segregation of Duties<br />
The biggest compliance-related differences between ERP stacks such as SAP or Oracle and standard<br />
Web-based application environments involve managing authorization. In an ERP stack, there are<br />
unlikely to be uncritical entitlements as all of the captured data has a business critical background in an<br />
ERP system. Every stored piece of information is collected based on a specific business-related<br />
function and is used to execute, prepare, or document business transactions. Therefore, losing such<br />
important data — representing a business-critical function — creates high risk for every company. This<br />
is why every captured piece of information on an ERP system needs to be protected against data loss<br />
and possible internal or external security intrusions.<br />
It is important for every public SaaS cloud provider to implement and offer an identity management<br />
system that allows a 100% identification and mapping of all business users and their related technical<br />
user accounts (system and application accounts). This correlation between business users and technical<br />
users needs to be proven every time an audit is going to take place. This is a difficult challenge<br />
for every IT department, but even more difficult to fulfill in an environment like a public cloud where<br />
several customers share the same application and database instances at the same point in time. Thus, a<br />
good identity management system is needed to solve this kind of issue and to separate user<br />
management for each customer. In addition, another system/software component is required that<br />
provides the dedicated functions to certify which person has done what with which technical user<br />
account(s) at which point in time with regard to all audit-relevant financial business transactions.<br />
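
The correlation described above can be sketched as follows. This is an added example, not part of the original white paper or of any SAP or Oracle product; the tenant names, account names, actions, and the SoD rule are constructed sample data. It attributes each audit event to one business user per tenant and point in time, reports events that cannot be attributed, and then checks SoD across all technical accounts a person used.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (tenant, technical account, business user, valid_from, valid_to)
ACCOUNT_MAP = [
    ("acme",   "FI_USER01", "a.meyer",  "2010-01-01", "2010-03-31"),
    ("acme",   "FI_USER01", "b.schulz", "2010-04-01", "2010-12-31"),
    ("acme",   "MM_USER07", "b.schulz", "2010-01-01", "2010-12-31"),
    ("globex", "FI_USER01", "c.jones",  "2010-01-01", "2010-12-31"),
    ("globex", "BATCH_PAY", "c.jones",  "2010-01-01", "2010-12-31"),
    ("globex", "BATCH_PAY", "d.patel",  "2010-01-01", "2010-12-31"),
]

# Constructed audit trail: (timestamp, tenant, technical account, action)
AUDIT_LOG = [
    ("2010-02-10T09:15:00", "acme",   "FI_USER01", "approve_payment"),
    ("2010-04-12T11:00:00", "acme",   "MM_USER07", "create_vendor"),
    ("2010-04-12T11:30:00", "acme",   "FI_USER01", "approve_payment"),
    ("2010-04-13T08:00:00", "globex", "FI_USER01", "approve_payment"),
    ("2010-04-13T08:05:00", "globex", "BATCH_PAY", "approve_payment"),
    ("2010-04-14T10:00:00", "acme",   "SUPPORT99", "change_bank_details"),
]

# Hypothetical SoD rule: one person must not perform both actions of a pair.
SOD_CONFLICTS = [("create_vendor", "approve_payment")]


def build_index(account_map):
    """Index assignments by (tenant, account) so tenants never share a namespace."""
    index = defaultdict(list)
    for tenant, account, user, start, end in account_map:
        index[(tenant, account)].append((
            datetime.fromisoformat(start),
            datetime.fromisoformat(end + "T23:59:59"),  # end date is inclusive
            user,
        ))
    return index


def attribute(audit_log, index):
    """Resolve each event to exactly one business user, or report why not."""
    attributed, findings = [], []
    for ts, tenant, account, action in audit_log:
        when = datetime.fromisoformat(ts)
        holders = sorted({user
                          for start, end, user in index.get((tenant, account), ())
                          if start <= when <= end})
        if len(holders) == 1:
            attributed.append((ts, tenant, holders[0], account, action))
        else:
            reason = "shared account" if holders else "unmapped account"
            findings.append((ts, tenant, account, action, reason))
    return attributed, findings


def sod_violations(attributed, conflicts):
    """Check SoD per person and tenant, across all technical accounts used."""
    done = defaultdict(lambda: defaultdict(set))  # (tenant, user) -> action -> accounts
    for _ts, tenant, user, account, action in attributed:
        done[(tenant, user)][action].add(account)
    hits = []
    for (tenant, user), actions in sorted(done.items()):
        for first, second in conflicts:
            if first in actions and second in actions:
                accounts = sorted(actions[first] | actions[second])
                hits.append((tenant, user, first, second, accounts))
    return hits


if __name__ == "__main__":
    events, gaps = attribute(AUDIT_LOG, build_index(ACCOUNT_MAP))
    for gap in gaps:
        print("cannot attribute:", gap)
    for hit in sod_violations(events, SOD_CONFLICTS):
        print("SoD conflict:", hit)
```

In the sample data the conflict only becomes visible after correlation: no single technical account performs both actions, but one person holds both accounts. The shared and unmapped accounts are exactly the gaps in the 100% mapping that an auditor would ask about.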
A globally acting cloud ERP provider also needs to offer a centralized authorization system that allows<br />
customers to individually customize security based on local or country-specific laws. Today, this<br />
capability might only be possible in a private cloud environment.<br />
From a network point of view, keep in mind that today, cloud vendors do not offer bandwidth or<br />
response time guarantees for Internet-enabled business transactions (Figure 27). This is a critical issue<br />
for companies that rely on specific response times for some of their most critical business processes. In<br />
this case it might be worth thinking about a private or hybrid cloud implementation rather than a<br />
public cloud stack.<br />
Figure 27. Network<br />
ERP Cloud Service Level Agreements<br />
Given the current state of offerings, good service level agreements from ERP cloud implementations<br />
should include the areas listed in Figure 28 and below:<br />
Secure Web access management<br />
Acceptable authentication and authorization methods used to secure the cloud provider's network<br />
Encryption standards<br />
Datacenter security<br />
Redundant systems, storage, and networks<br />
Security of the datacenter itself, identity of cloud vendor staff that has access to the virtual<br />
environment, documented procedures that state how the environment is controlled and<br />
monitored<br />
Network security<br />
Multiple internet connections<br />
Multiple firewalls and intrusion detection systems<br />
Protected segments<br />
Reverse Proxies<br />
Third-party audits<br />
Authentication/authorization<br />
E.g., role-based access control<br />
Compliance<br />
SoD checks<br />
Business monitoring<br />
Change history for business critical transactions<br />
Detailed documentation on how and where data is stored<br />
Certified according to standards appropriate for the offered applications<br />
Figure 28. Service level agreements are key<br />
Good service level agreements illustrate that the cloud provider of choice understands the differences<br />
between hosting a comprehensive ERP landscape and standard Web applications.<br />
SAP ERP in the Cloud<br />
There are currently four different cloud offerings for SAP applications:<br />
SAP Business ByDesign<br />
SAP On-demand solutions for the SAP Business Suite<br />
SAP Business Suite<br />
SAP BusinessObjects OnDemand<br />
All SAP cloud offerings are delivered through the SaaS model, as illustrated in Figure 29.<br />
Figure 29. SAP ERP in the cloud<br />
SAP Business ByDesign<br />
SAP Business ByDesign is a typical SaaS package for small and mid-sized companies that provides a<br />
single, integrated application to manage the entire business from the cloud over the internet. According<br />
to SAP documentation about Business ByDesign, this solution focuses on enterprises with a maximum<br />
of 100 parallel users. It includes the following key features:<br />
Full function business applications to advance visibility and control over key business areas<br />
On-demand applications — SaaS<br />
Delivered in modules, such as BusinessObjects shown in Figure 30 (start small and add modules as<br />
the business grows)<br />
Managed, monitored, and maintained by SAP AG<br />
Requires only a standard Web browser<br />
Provider-based operational complexity, reliable security, privacy protection, and high availability<br />
Current configuration: Linux with MaxDB as the database platform<br />
Figure 30. SAP BusinessObjects on-demand<br />
The standard SLAs of this cloud solution include all of the mentioned<br />
factors of a reliable and secure public ERP cloud offering:<br />
Secure Web-based access<br />
Physical on-site link/VPN to a connectivity appliance that controls<br />
access from browsers to on-demand proprietary information<br />
User IDs and passwords<br />
Part of up-to-date client operating systems and browsers, i.e., client<br />
operating systems and browsers are updated with latest security<br />
patches<br />
Datacenter<br />
Multiple safeguards for physical data security and integrity<br />
High availability of business data provided by redundant networks and power systems<br />
Redundant hardware storage system performs regular backups<br />
Network security<br />
Reverse proxy farms that hide the network topology from the outside world<br />
Multiple Internet connections to minimize the impact of distributed denial of service (DDoS)<br />
attacks<br />
Advanced intrusion detection system that continuously monitors solution traffic for possible<br />
attacks<br />
Multiple firewalls that divide the network into protected segments and shield the internal network<br />
from unauthorized Internet traffic<br />
Third-party audits performed throughout the year to support early detection of any newly<br />
introduced security issues<br />
Role-based access and security<br />
Accesses through SoD implemented through role-based access management<br />
Fine-tuned access to reflect the areas of responsibility of individual users<br />
Advanced intrusion detection system that continuously monitors solution traffic for possible<br />
attacks<br />
User types:<br />
Key users — configure the solution and grant and revoke access<br />
End users — standard day-to-day business<br />
Support users — maintenance only<br />
Remote logon to the customer’s solution in the datacenter is also monitored and recorded<br />
Compliance<br />
Journal entries that carry all information necessary to identify the respective business transaction<br />
and trace it through references to the underlying source documents<br />
By default, accounting-relevant data cannot be deleted, and all changes made to financially relevant<br />
data are recorded in a change-history log<br />
Advanced intrusion detection system that continuously monitors solution traffic for possible<br />
attacks<br />
Documentation of the software solution<br />
Procedure and task descriptions for end users<br />
Detailed technical descriptions explaining how data is processed and stored<br />
SAP On-Demand Solutions for the SAP Business Suite<br />
The second key cloud offering by SAP AG is based on a hybrid cloud approach. This solution focuses on<br />
large enterprises and represents an add-on kind of feature or function set that can be integrated and<br />
used on an on-demand basis over the Internet. Additional new functions such as e-sourcing (supplier<br />
selection), CRM, expense management, and CO2 emission management can be delivered as Web<br />
services over the internet and directly integrated into an existing SAP Business Suite landscape.<br />
The first offering available is the SAP CRM on-demand solution. It allows a Web-based subscription<br />
on a pay-as-you-go basis and it can be fully integrated into an existing in-house SAP ERP software<br />
stack. This hybrid cloud package relies on SAP CRM version 2007 and the underlying SAP NetWeaver<br />
application framework. It includes all components of a typical CRM system: sales (sales reporting and<br />
forecasting), service (customer service and help desk), and marketing (campaign management).<br />
Configuration of this solution is performed over the Internet by using a standardized and user-friendly<br />
Web-interface, which also needs to be used for all administration tasks.<br />
SAP AG offers global enterprise-class support for this new cloud offering:<br />
Easy-to-use CRM functionality on a pay-as-you-go basis<br />
Clear and comprehensive service level agreements<br />
99% system availability<br />
Compliance with data protection standards worldwide<br />
Single vendor viability and accountability<br />
24/7 global production support<br />
SAP BusinessObjects OnDemand<br />
This is another public cloud offering by SAP AG based on BusinessObjects Crystal Reports (Figure<br />
31) that includes the following features:<br />
A cloud-based business intelligence solution<br />
Business intelligence on demand<br />
Offload business intelligence and data warehouse infrastructure onto a hosted platform<br />
Data analyzing on demand, over the Web<br />
Information on demand<br />
Enhanced business intelligence with external information (Web services integration)<br />
BusinessObjects partner API<br />
Data quality on demand<br />
Cleanse and verify addresses in existing operational systems<br />
Insert crystalreports.com (CRDC) functions into third-party applications such as salesforce.com<br />
Distribute files and reports that provide intelligence for sales quoting, sales tracking, and support<br />
tracking<br />
Figure 31. BusinessObjects on-demand services<br />
SAP Business Suite<br />
SAP Business Suite is the basis for an ERP enterprise cloud environment as it acts as a construction kit<br />
to develop an in-house SaaS-ERP cloud stack. It delivers all of the necessary business and technology<br />
components — which can be used by a company’s internal IT department — to build an individual<br />
SaaS offering based on the needs of the various business units within an enterprise (Figure 32). In<br />
addition, with the unique capabilities of SAP NetWeaver, SAP Business Suite provides the openness to<br />
automate business processes from end-to-end, across company boundaries and heterogeneous system<br />
landscapes. The advantages of hosting an in-house SAP ERP solution on a private cloud model are:<br />
Figure 32. SAP Business Suite<br />
Store business and compliance-critical data in house<br />
Private and secure application instances as opposed to sharing<br />
an instance with other unknown customers<br />
Flexibility to customize the solution based on individual<br />
business needs, including industry specific solutions versus<br />
standard-based configurations with limited customizable<br />
capabilities<br />
The ability to use standardization wherever possible, while<br />
staying flexible enough to support individual changes<br />
(architecture, systems, high availability, virtualization<br />
technology, Web services, etc.)<br />
The SAP Business Suite is a family of business applications that offer a rich function set for almost<br />
every business sector:<br />
ERP core business components (FI, HR, SD, MM, etc.)<br />
Customer Relationship Management<br />
Product Life-cycle Management<br />
Supply Chain Management<br />
Supplier Relationship Management<br />
SAP Business Suite is built on the standards-based development and runtime environment of SAP<br />
NetWeaver, a technology stack that delivers the flexibility to start small and grow as needed. SAP<br />
NetWeaver includes various technologies, programs, and toolkits to:<br />
Provide a reliable and scalable runtime environment for SAP's business applications<br />
Allow applications to work together<br />
Build new applications on top of existing applications<br />
Support common security standards, e.g., SAML, JAAS<br />
Deliver SAP Business Suite functionality as a set of reusable Web services (SAP composite<br />
application)<br />
Lower the TCO of applications<br />
SAP recognizes the need to extend the enterprise, and offers composite, Web services-based<br />
applications to solve the specific needs of private enterprise cloud environments. SAP NetWeaver<br />
allows businesses to build and manage composite, collaborative business services that are available<br />
whenever and wherever they are needed by a community of users that extends beyond corporate<br />
boundaries to suppliers, customers, and employees. These services can also be offered on an on-demand<br />
basis as cloud services to the internal and external business units of companies.<br />
SAP NetWeaver enables access to a broader scope of applications and information by a wider range of<br />
users, delivering game-changing benefits to the enterprise. Products ship faster, productivity climbs,<br />
and customer satisfaction increases. The challenge is to open up the enterprise to new ways of<br />
conducting business as well as more users in a cost-effective manner, while simultaneously ensuring<br />
that information assets remain secure. SAP NetWeaver provides the basic technology and tools to<br />
build individual enterprise SAP cloud environments.<br />
The main integration components of the SAP NetWeaver stack are:<br />
SAP Enterprise Portal<br />
SAP Mobile Infrastructure<br />
SAP Business Warehouse<br />
SAP Master Data Management<br />
SAP Process Integration<br />
SAP Web Application Server<br />
The related primary development and management tools of SAP NetWeaver are:<br />
SAP NetWeaver Developer Studio<br />
SAP Visual Composer<br />
SAP Composite Application Framework (CAF)<br />
SAP Solution Manager<br />
The main features of the SAP Composite Applications (CAF) are below and in Figure 33:<br />
Build new applications out of existing applications using Web services<br />
Integrate one application with another based on an industry standard<br />
Use an independent programming language approach<br />
Based on the SOA approach for a coherent blueprint design of the Web services interaction and<br />
integration process<br />
SAP NetWeaver as the construction platform for composite applications based on Web services<br />
SAP Business Suite provides the business functions to be accessible through Web services<br />
Composite Application Framework provides the model-driven development framework for SAP<br />
Web services-based applications<br />
Figure 33. SAP CAF features<br />
In addition, SAP offers an administration component to fully manage an SAP virtualized IT<br />
environment called Adaptive Computing Controller (ACC), which provides a single, centralized<br />
console to operate, observe, and manage virtualized (adaptive) SAP computing landscapes without<br />
having deep technical knowledge of the underlying IT infrastructure (Figure 34).<br />
Figure 34. SAP Adaptive Computing Controller<br />
Governance, risk, and compliance (GRC) is another area where SAP AG offers a comprehensive stack<br />
of applications. Two of the most important components in this solution area are SAP BusinessObjects<br />
Process Control and BusinessObjects Access Control.<br />
SAP BusinessObjects Process Control is a control management solution to automate monitoring,<br />
testing, assessment, remediation, and certification of enterprise-wide financial compliance activities.<br />
SAP BusinessObjects Access Control is the official SAP risk analysis and remediation tool with which<br />
any SAP-related SoD issue can be identified and addressed.<br />
Overall, SAP BusinessObjects Access Control consists of four components (Figure 35) that interact<br />
with each other on a Web services basis:<br />
Risk analysis and remediation<br />
Superuser privilege management<br />
Enterprise role management<br />
Compliant user provisioning<br />
Figure 35. SAP BusinessObjects Access Control<br />
The ability to build an in-house SAP ERP cloud environment is advantageous, but the other cloud<br />
layers should be considered. A cloud solution does not only rely on a comprehensive and flexible<br />
software stack that includes all of the expected business functionalities demanded by the various<br />
internal business units. It should also include the previously mentioned infrastructure services that<br />
turn an ERP offering into a real cloud-SaaS offering. Only by combining the business software with<br />
the infrastructure parts, such as IaaS or DaaS, can IT departments offer in-house consumers a<br />
complete cloud stack with all of the relevant features such as a pay-by-use model, on-demand services,<br />
virtualized SAP instances, centralized identity management, and compliance.<br />
SAP Security in the Cloud<br />
<strong>ERP</strong> systems are ga<strong>in</strong><strong>in</strong>g <strong>in</strong> importance <strong>in</strong> <strong>the</strong> future of cloud markets. <strong>SAP</strong> is one major player <strong>in</strong> this<br />
field and has already started its first cloud <strong>in</strong>itiatives. This section of <strong>the</strong> paper exam<strong>in</strong>es <strong>the</strong> exist<strong>in</strong>g<br />
security model of <strong>the</strong> <strong>SAP</strong> <strong>ERP</strong> stack that is used to safeguard bus<strong>in</strong>ess data from unauthorized access<br />
or attacks dur<strong>in</strong>g <strong>the</strong> transit phase with<strong>in</strong> a cloud-based environment.<br />
A typical SAP landscape consists of several different SAP ERP components (e.g., ECC, CRM, SRM, etc.). All of these components need to follow the same architectural concept of a clear separation between the production and the non-production application instances. This separation is the first important step in safeguarding an ERP environment. In addition, it provides a secure change and transport system that allows transfer of system settings and business-related data from one application instance to another without running into security issues. Also, the instance-to-instance communication can be protected by the SAP-specific Secure Network Communication (SNC) feature, which encrypts all of the data that is transferred. The disadvantage of this solution is that it represents a proprietary technology that is specifically developed for and used in the SAP world only.<br />
Another network-related security component is the SAP Gateway, which is an SAP dedicated firewall product. On the authentication side, the SAP NetWeaver application framework — which is the runtime environment for almost all SAP components — accepts several different authentication methods. It starts with basic authentication (UID + password) and can lead to the digital certificate-based authentication process. In addition, it is also possible to develop custom or product-specific authentication modules that can then be used to extend SAP Web application server security functions to integrate an existing SAP landscape into a commonly used enterprise access management solution such as Oracle OpenSSO.<br />
But what about securing the program-to-program communication or Web services-based communication processes that use the Internet or Internet technology as a transport medium? Does SAP support common standards to fulfill authentication and authorization requirements that also allow access of users from other partner organizations or integration into an existing circle of trust of users and Web applications hosted within a cloud? The good news is that SAP supports the standard authentication and authorization protocol (SAML) used for this kind of Web-driven interaction process. Unfortunately, SAP does not currently support the latest version of the SAML protocol stack, which reduces the functional options during the implementation phase of a SAML-based authentication/authorization solution with other business partners in or outside of a cloud.<br />
SAP ERP user management is another important component of the SAP security model. It offers the highest granularity to customize user account profiles based on roles and their assigned transactions/transaction objects. This allows flexibility during the role definition phase and prohibits the ability to give users a higher authorization level than needed in their day-to-day business. But an extensive level of flexibility also increases complexity, especially in an SAP ECC system that might have several hundred pre-configured roles available in a single system.<br />
The SAP compliance or risk management-related issues that might come up in any kind of cloud-driven SAP landscape can be solved by using the SAP Governance, Risk, and Compliance (GRC) solution stack (e.g., SAP BusinessObjects Access Control product) for all SoD-specific issues in an SAP environment. Cloud providers that offer SAP BusinessObjects Access Control as an on-demand service must support a single virtualized Access Control instance for each tenant because the product is not yet able to provide SAP multiclient support.<br />
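The role-based authorization and SoD model described above can be checked mechanically. The following Python code is an added example, not SAP or Oracle code and not the interface of any GRC product: it expands each user's roles into transaction codes, reports segregation-of-duties conflicts, and names roles that already violate a rule on their own. The role names, users, and the two SoD rules are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over role-to-transaction assignments."""

# Constructed sample data: role name -> transaction codes the role grants.
ROLES = {
    "Z_AP_CLERK": {"FB60", "FK03"},        # post vendor invoice, display vendor
    "Z_VENDOR_MAINT": {"FK01", "FK02"},    # create / change vendor master
    "Z_PAYMENT_RUN": {"F110"},             # automatic payment run
    "Z_AP_SUPER": {"FK01", "FB60", "F110"},
}

# Constructed sample data: user -> assigned roles.
USERS = {
    "alice": ["Z_AP_CLERK"],
    "bob": ["Z_VENDOR_MAINT", "Z_PAYMENT_RUN"],
    "carol": ["Z_AP_SUPER"],
    "dave": ["Z_AP_CLERK", "Z_NOT_DEFINED"],
}

# Illustrative rule set: (label, side A, side B). Holding any transaction
# from side A together with any transaction from side B is a conflict.
SOD_RULES = [
    ("vendor maintenance + payment run", {"FK01", "FK02"}, {"F110"}),
    ("vendor maintenance + invoice posting", {"FK01", "FK02"}, {"FB60"}),
]


def effective_access(role_names, roles):
    """Return ({transaction: roles granting it}, [assigned but undefined roles])."""
    granted, unknown = {}, []
    for name in role_names:
        if name not in roles:
            unknown.append(name)
            continue
        for tcode in roles[name]:
            granted.setdefault(tcode, set()).add(name)
    return granted, unknown


def sod_findings(users, roles, rules):
    """List undefined-role and SoD-conflict findings, ordered by user name."""
    findings = []
    for user in sorted(users):
        granted, unknown = effective_access(users[user], roles)
        for name in unknown:
            findings.append({"type": "undefined_role", "user": user, "role": name})
        for label, side_a, side_b in rules:
            held_a = side_a & set(granted)
            held_b = side_b & set(granted)
            if not (held_a and held_b):
                continue  # user holds at most one side of the rule
            involved = set()
            for tcode in held_a | held_b:
                involved |= granted[tcode]
            findings.append({
                "type": "sod_conflict",
                "user": user,
                "rule": label,
                "transactions": sorted(held_a | held_b),
                "roles": sorted(involved),
                # Roles that cover both sides alone: fix the role, not the user.
                "self_conflicting_roles": sorted(
                    r for r in involved if roles[r] & side_a and roles[r] & side_b
                ),
            })
    return findings


if __name__ == "__main__":
    for finding in sod_findings(USERS, ROLES, SOD_RULES):
        print(finding)
```

A conflict with an empty `self_conflicting_roles` list comes from the combination of roles assigned to one user; a non-empty list points at a role definition that needs to be split.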
Cloud-based user access can be offered rather than virtual desktop solutions, which can already be integrated and combined with many available identity management stacks and encryption standards that provide a secure data transit/user interaction process. These solutions allow a complete virtualization of the end-users’ desktops, now hosted in the cloud and accessed over a standard Internet connection with a standard Web browser such as Mozilla. Therefore, it is also possible to offer typical SAP power users almost the same secure work environment — based on the SAP GUI installed within the virtualized client OS on a hosted server in the cloud — to the SAP ERP back-end as they use it today. In addition, virtual desktops also allow the integration of other application components such as Microsoft Office, which are then also available on a Web basis from any place around the world.<br />
Oracle’s Infrastructure for the SAP Cloud<br />
The main goal behind using an enterprise cloud approach in the SAP space is to establish an agile, end-to-end platform for running SAP applications efficiently, economically, and securely in a completely virtualized application landscape. A cloud environment enables SAP instances to move from one physical server to another to solve the issue of under-utilized system resources. A cloud environment also helps to establish a vital and flexible change management process that can be used to support a company in adapting, growing, and responding to market changes in an almost real-time behavior to gain advantages against other competitors. Another important aspect of enterprise Cloud Computing is the need to enforce business governance, compliance, and data security to protect the business against errors, frauds, tax fines, and penalties. Oracle addresses these challenges with a comprehensive hardware and software stack, a community of internal specialists, and business partners that understand the demands of implementing, deploying, and hardening enterprise cloud deployments (Figure 36).<br />
Figure 36. One-stop shopping for Cloud Computing<br />
The main business advantages of Oracle’s strong combination of leading-edge cloud technology and highly experienced people are:<br />
• Improving the way people work by easily and quickly changing and adapting the SAP infrastructure to gain competitive advantages<br />
• Reducing carbon footprint and administrative costs with an open, interoperable infrastructure that efficiently uses computer resources<br />
• Improving security, compliance, and governance with secure single-sign-on (SSO) and automated process to control access and reduce errors<br />
• Improving infrastructure flexibility by simplifying, standardizing, and automating computer resources to achieve high service levels to end-users, and to support growth and change<br />
• Supporting enterprises in implementing an enterprise cloud environment that grows with business needs and that has a strong focus on the system, storage, and application environment as a whole<br />
Figure 37. Oracle technologies<br />
SAP Virtualization from Oracle<br />
Virtualization technologies from Oracle dramatically reduce energy costs, simplify administration, and improve flexibility, from the edge of the network to back-end information management, to enable businesses to adapt and grow (Figure 37). To make an environment cloud-ready, virtualization works by pooling resources and centralizing administration, and enables applications to run anywhere, regardless of the underlying architecture. Users gain desktop access from any browser in a heterogeneous hardware and software environment that adapts easily to business needs and processes. Eco-responsible virtualized storage provides fast access to data when it is needed, lowers costs across the board, and delivers huge energy savings.<br />
Oracle technologies for virtualization include:<br />
• Dynamic Domains — hardware partitions on Sun SPARC Enterprise® M-Series servers<br />
• Oracle Solaris Containers — Separate, private Oracle Solaris environments on a single Oracle Solaris operating system instance, native performance virtualization for Oracle Solaris on SPARC or x86<br />
• Oracle VM Server for SPARC (previously called Sun Logical Domains) — Multiple Oracle Solaris instances on the same Sun SPARC Enterprise T-Series server<br />
• Sun Storage — Consolidate management of all heterogeneous storage through virtualization, greater utilization through thin provisioning and virtual volumes<br />
• Sun StorageTek Virtual Tape Library Systems — Separate Sun StorageTek Tape Libraries on a single virtual tape, better tape utilization and management ease<br />
• Oracle Enterprise Manager Ops Center — Manage more than one physical or virtual server including patch management<br />
• Sun Q-Layer — Define and build virtual datacenter infrastructures using drag and drop<br />
• Oracle VM VirtualBox — Programmer productivity for Windows, Linux, and Oracle Solaris guest on x86<br />
• Oracle Virtual Desktop Infrastructure — Oracle’s Desktop as a Service solution<br />
Desktop Virtualization<br />
It is possible to establish a complete Desktop as a Service approach for SAP (SAP GUI, SAP fat client) and non-SAP client applications. Desktop virtualization alone dramatically cuts energy consumption and lowers maintenance costs. The core of Oracle’s desktop virtualization solution is the Oracle Virtual Desktop Infrastructure running on virtualized servers in the datacenter, as illustrated in Figure 38. From industry-standard PCs, Macs, or thin clients throughout the enterprise, users can access virtual desktops running on industry-standard operating systems — Windows, Linux, and Oracle Solaris. Since the desktop environment is centrally managed, the cost of maintaining environments on every desktop is nearly eliminated. Replacing desktop PCs with Oracle’s Sun Ray thin clients results in significant energy savings. A typical PC uses about 150 to 350 watts while a Sun Ray thin client uses only 4 watts. For an average scenario, replacing PCs with thin clients, considering power, cooling, and infrastructure needs, you can reduce power consumption by 24% and decrease CO2 emission by 23%. On average, thin clients use 55% less electronics and 36% less plastic, and outlast PCs by three years, resulting in reduced eco waste. In a virtualized workplace, authorized users can gain secure access to any Sun Ray client on the network.<br />
Figure 38. Sun Secure Global Desktop<br />
With a key card, users can instantly display their own environment on any system. Because everything is maintained in the datacenter, IT staff can quickly change, adapt, or upgrade resources as business needs change. Sun Ray clients are also ideal for training, where a virtualized classroom is energy-efficient and flexible. A teaching environment is easy and fast to set up on the server, so there’s no need to maintain and replicate the environment on separate desktop computers. Students can gain secure access to their environment instantly, anywhere.<br />
SAP Server Virtualization<br />
With tightening budgets, IT departments are faced with eliminating server sprawl through consolidation and better utilization. Oracle’s server virtualization technology — which divides one server into multiple environments — simplifies administration, increases system uptime, dramatically reduces energy costs, and improves resource utilization for SAP applications (Figure 39). Oracle’s virtualization technologies are generally included with the hardware or OS, providing significant cost savings on licensing fees. The easiest way to virtualize servers is OS virtualization. Virtualization technology enabled by Oracle Solaris Containers is highly flexible.<br />
Figure 39. SAP virtualization example
Containers can be used for consolidation and to enable rapid response to business needs. With containers, quick experimentation or testing of new SAP features is simple. SAP applications can be easily deployed on-the-fly without adding hardware. Legacy SAP applications can be hosted in containers on existing servers. Because the SAP Adaptive Computing Controller supports Oracle Solaris Containers, applications can be monitored and provisioned within containers quickly and automatically. Also, containers enable fast data backup and upgrades, resulting in zero downtime.<br />
Oracle offers virtual machine technologies to maximize the choice of platforms and operating systems — Windows, Linux, and Oracle Solaris — so virtualization can fit into any SAP environment easily:<br />
• Dynamic Domains on Oracle’s Sun SPARC Enterprise M-series servers running Oracle Solaris<br />
• Oracle VM Server on SPARC on systems with UltraSPARC® processors running Oracle Solaris or Linux (BrandZ zones)<br />
• VMware hypervisor on Oracle’s x64 systems<br />
These virtualization technologies enable a flexible, secure, scalable, and reliable environment to run mission-critical applications while more fully utilizing resources and preserving existing assets.<br />
SAP Storage Virtualization<br />
Oracle understands that data is the lifeblood of every SAP environment. Companies must store and access more data with fewer resources than ever before, and often cope with a heterogeneous storage environment with different types of storage in different geographic locations. Oracle’s energy-efficient virtualization solutions reduce storage complexity, provide fast access to data, and enable IT departments to manage a rich mixture of systems, solutions, processes, and interfaces efficiently and cost-effectively. The tiered storage approach yields highly efficient utilization of resources and faster access.<br />
Storage virtualization, powered by the Oracle Solaris Zettabyte File System (ZFS), centralizes and pools storage into a single resource that can grow or shrink according to application demands, potentially yielding cost and energy savings of 90%. This approach simplifies and streamlines the entire storage environment and applies the most cost-effective resources for each task. For example, in Sun Storage 7000 Unified Storage Systems, Oracle Solaris ZFS transparently manages data placement, copying frequently used data to fast SSD cache for faster access, so data can be stored on slower, less expensive mechanical disks and tape without sacrificing performance.<br />
For long-term data storage, backup, and recovery, Oracle’s tape library solutions provide an economical way to archive increasing volumes of data quickly, safely, and cost-effectively. With virtualized storage, access to archived data is orders of magnitude faster than with traditional tape storage. Products like Oracle Solaris ZFS and Oracle’s Sun StorageTek Virtual Storage pool resources and manage storage as a single resource, which decreases the burden of managing large tape libraries, increases system usage and efficiency, and reduces the overall cost of protecting SAP data through improved tape utilization, shared tape resources, and reduced complexity. Oracle Solaris ZFS also provides fast, easy recovery for low-cost business continuance. Used with Oracle Solaris Containers, an administrator can store a snapshot of the environment, then revert back to the snapshot rather than restore data from tape. This approach streamlines the disaster recovery (DR) process and reduces downtime to almost zero. Oracle’s virtualized storage solutions deliver manageable, secure storage of all types (Flash SSD, SATA, iSCSI, SAS, NAS, Fibre Channel, tape), dramatically lower energy costs, and provide an infrastructure that quickly adapts to future storage needs.<br />
Securing Access to Virtualized SAP Application Components<br />
With highly utilized, virtualized desktops, servers, and storage, enterprises can support more users. Opening up the SAP environment in a Web-based world leverages the value of a virtual enterprise, with applications serving employees, customers, vendors, suppliers, and business partners. To enable a safe, collaborative environment, the open SAP NetWeaver application platform helps companies build and manage business services that reach beyond the business boundary. Users can access SAP from any SAP browser on a mobile device, PC, or thin client. The benefits of this open environment are immeasurable, but so are the risks — identity theft, corporate espionage, and fraud.<br />
Keeping track of user identities in a complex organization involves manual, risky, costly tasks. With Oracle’s identity management solutions for SAP, companies can create a secure and extended SAP enterprise where users inside and outside the company have secure, single sign-on access to SAP and non-SAP Web applications anywhere, anytime (Figure 40). Automation features include the ability to create self-service password systems for end users, reducing help desk calls and improving both user and IT productivity. Passwords are automatically synchronized everywhere — across hardware platforms, software applications, and databases. With Oracle’s identity management suite, administrators can easily manage identity data stored in widely distributed systems throughout the user life cycle. Capabilities include automated provisioning of new users, reprovisioning to reflect changes in user status, and deprovisioning when a relationship within the organization ends. Authentication and authorization services are provided across internal and external computing domains. Enterprises also benefit from automated auditing of segregation of duties (SoD) for non-SAP applications.<br />
Figure 40. Secure identity and compliance<br />
Managing Identities in a Private Cloud<br />
The general goals of identity management do not change in a private cloud. Efficiently and cost-effectively managing access and identities to provide secure access for the users in an SAP-based private cloud requires a centralized approach. To maintain or increase productivity, users need a single point of entry and sign-on capability, which implies a single point of administration for all users, including operating systems, SAP solutions, databases, and other applications. IT managers need the ability to quickly and automatically add users to all of the applications and services they require, as well as the ability to modify access and privileges and delete users from all systems when they leave, in order to deal with the diversity of users and their changing roles. In addition, businesses must also comply with security-related regulations such as controlling access to sensitive financial information. This requires the ability to detect dormant accounts, enforce consistent corporate security policies, and ensure that data is accurate and consistent across applications and data stores. Another critical issue for IT managers is TCO. In a large environment, supporting technology that increases costs by requiring additional staff and training can offset the benefits of the solution itself.<br />
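The requirements above (detect dormant accounts, delete users from all systems when they leave, keep data consistent across stores) amount to reconciling per-system accounts against one authoritative identity source. The following Python code is an added example, not Oracle or SAP product code; the directory records, account list, audit date, and the 90-day dormancy threshold are constructed assumptions.

```python
"""Reconcile per-system accounts against a central identity directory."""
from datetime import date, timedelta

# Constructed sample data: authoritative identity store, keyed by identity id.
DIRECTORY = {
    "u1001": {"name": "A. Meyer", "status": "active"},
    "u1002": {"name": "B. Chen", "status": "terminated"},
    "u1003": {"name": "C. Okafor", "status": "active"},
}

# Constructed sample data: (system, account name, owning identity, last login).
ACCOUNTS = [
    ("sap_ecc", "AMEYER", "u1001", date(2010, 3, 30)),
    ("sap_ecc", "BCHEN", "u1002", date(2010, 1, 12)),
    ("database", "bchen", "u1002", date(2010, 2, 20)),
    ("database", "cokafor", "u1003", date(2009, 11, 2)),
    ("os", "cokafor", "u1003", None),             # never logged in
    ("sap_ecc", "TESTUSER", None, date(2010, 4, 1)),  # no owner recorded
]

AS_OF = date(2010, 4, 15)  # constructed audit date, fixed for repeatable results


def audit_accounts(directory, accounts, as_of, dormant_days=90):
    """Return {(system, account): [reasons]} for every account needing review."""
    cutoff = as_of - timedelta(days=dormant_days)
    report = {}
    for system, account, owner, last_login in accounts:
        reasons = []
        identity = directory.get(owner)
        if identity is None:
            # No matching identity in the central store.
            reasons.append("orphaned")
        elif identity["status"] != "active":
            # The person has left but the account still exists.
            reasons.append("not_deprovisioned")
        if last_login is None or last_login < cutoff:
            reasons.append("dormant")
        if reasons:
            report[(system, account)] = reasons
    return report


def deprovisioning_gaps(directory, accounts):
    """Per non-active identity, list the systems that still hold an account."""
    gaps = {}
    for system, account, owner, _last_login in accounts:
        identity = directory.get(owner)
        if identity is not None and identity["status"] != "active":
            gaps.setdefault(owner, []).append(f"{system}:{account}")
    return {owner: sorted(entries) for owner, entries in gaps.items()}


if __name__ == "__main__":
    for key, reasons in sorted(audit_accounts(DIRECTORY, ACCOUNTS, AS_OF).items()):
        print(key, reasons)
    print(deprovisioning_gaps(DIRECTORY, ACCOUNTS))
```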
Identity Management as a Cloud Infrastructure Component<br />
The first step in providing identity management is to centralize identity data. Oracle Directory Server delivers a secure, highly available, scalable, and easy-to-manage directory infrastructure for storing and using identity data. It centralizes and separates identity information and makes that data available to multiple applications including Microsoft Active Directory, rather than requiring applications to store and maintain data in multiple locations, thus providing consistency and lowering costs. Password synchronization with Microsoft Active Directory increases security by helping to ensure password policies enforced on the network operating system are also enforced in key strategic directories in the enterprise. Its extreme scalability helps reduce costs by decreasing the number of systems deployed. In addition, proxy services provide firewall-like protection against denial of service and unauthorized access. Multimaster replication, load balancing, and automatic failover help provide directory services around the clock. With over 1.5 billion entries, the Oracle Directory Server is the most widely deployed general-purpose, LDAP-based directory server in the marketplace.<br />
Oracle Waveset Identity Manager<br />
Oracle Waveset Identity Manager provides the core user provisioning and identity synchronization services of Sun’s identity management solution, as well as password management and profile management. It uses role-based access control mechanisms to centrally create and manage users, and delegate user administration. Using a common identity infrastructure, administration that normally occurs across many applications by multiple administrators, including OS, database, and SAP, can be consolidated into a single management console. This makes it possible to consistently delegate management tasks and self-service functionality to partners, customers, and internal company departments based on business requirements. It automatically synchronizes identity data across a wide range of heterogeneous applications, databases, and other data stores such as Oracle Directory Server, Microsoft Directory, and Lotus Domino. This helps ensure that identity data is accurate and consistent both within and outside the boundaries of the SAP NetWeaver environment.<br />
Oracle OpenSSO for SAP<br />
Oracle OpenSSO is a security foundation that helps organizations manage secure access to Web applications and Web services. It is designed to provide authentication and authorization services across internal and external computing domains and helps ensure that appropriate authentication credentials are required of users depending on the value of the protected resources. It also presents streamlined navigation across Web applications and Web services through single sign-on capabilities.<br />
Oracle OpenSSO can be integrated with the SAP NetWeaver Enterprise Portal through an Oracle developed and supplied policy agent (based on the Java Authentication and Authorization Services login module of the SAP NetWeaver Application Server Java). In addition, it is possible to use the SAML authentication module of the latest SAP NetWeaver Application Server Java to smoothly integrate a highly accepted authentication standard defined by OASIS, which is a common technology used to securely authenticate users or Web services within a Web-driven cloud environment.<br />
By us<strong>in</strong>g a central po<strong>in</strong>t of au<strong>the</strong>ntication, role-based access control, and s<strong>in</strong>gle sign-on, <strong>Oracle</strong><br />
OpenSSO provides a scalable Web access management model for <strong>SAP</strong> NetWeaver, o<strong>the</strong>r Web-based<br />
applications and Web services. In this way, it simplifies exchange of <strong>in</strong>formation and transactions while<br />
protect<strong>in</strong>g <strong>the</strong> privacy and security of vital identity <strong>in</strong>formation. It also allows adm<strong>in</strong>istrators to audit<br />
any <strong>in</strong>trusion or unauthorized access <strong>in</strong> real time.<br />
End-to-End Governance and Compliance<br />
Ever-increasing legislative and global regulations mean compliance and identity management go hand<br />
in hand. The integrated Oracle Waveset Identity Manager software and SAP BusinessObjects Access<br />
Control (GRC) solution — based on Web services and Java technology — provides automated, system-wide<br />
auditing and reporting capabilities that cover business compliance and financial or ERP<br />
requirements, plus IT infrastructure compliance, like OS and user provisioning, networking, storage<br />
and archiving, and data management. The solution, illustrated in Figure 41, enables companies to<br />
streamline corporate policy and legislative compliance for mission-critical SAP applications and other<br />
enterprise IT resources.<br />
Figure 41. Cloud end-to-end IT compliance (SoD)<br />
The industry-leading Oracle Waveset Identity Manager software helps ensure that access to sensitive<br />
information is subject to the most secure control possible by enforcing security policy and global<br />
standards through repeatable and sustainable processes. SAP BusinessObjects Access Control (GRC)<br />
provides features such as risk analysis and remediation, compliant user provisioning, enterprise role<br />
management, and superuser privilege management capabilities. The scalability of provisioning from<br />
Oracle Waveset Identity Manager software, combined with the risk analysis and remediation of SAP<br />
GRC Access Control, is designed to prevent cross-application provisioning conflicts. As private SAP<br />
cloud environments grow, Oracle and SAP’s flexible, scalable security solutions can grow to take on<br />
the toughest security challenges.<br />
Oracle Identity Analytics<br />
With the growing demand for cloud-based computing landscapes — whether these environments are<br />
public or in-house hosted solutions — the volume of network communications increases, use of<br />
virtualization technology increases, and Web-enabled application functionality increases. To support<br />
these environments, identity management components need to be implemented to standardize how<br />
people access and are authorized for such environments. This will lead to unprecedented challenges in<br />
the area of access governance and access control compliance.<br />
With Oracle Identity Analytics, companies can effectively manage access and consistently achieve<br />
access control compliance when the number and nature of users is in constant flux by managing access<br />
based on the users’ roles within an enterprise cloud rather than on an individual, user-by-user basis.<br />
Creating roles based on usage and enterprise policies enables greater visibility into access and the ability<br />
to manage access in a more efficient, secure, and compliant manner.<br />
Role-based access control, particularly in combination with identity provisioning, enables enterprises to<br />
improve efficiency and security by always:<br />
Knowing who is accessing what data and which applications<br />
Understanding who approved the access assigned to users<br />
Evaluating the assigned access against access-control policies<br />
The comprehensive role life-cycle management and identity compliance capabilities of Oracle Identity<br />
Analytics can streamline operations, enhance compliance, and reduce costs within a cloud-driven<br />
application and system landscape.<br />
Oracle Identity Analytics provides the following unique features:<br />
Integrated set of technologies and methodologies for role-based access control and identity-based controls automation<br />
Continuous monitoring to scan for role versus actual assignments, segregation of duties, and other access-related exceptions that might signal potential policy or regulatory violations<br />
Extensive analysis and reporting on role changes, policy violations, and potential role refinements<br />
Integration with market-leading provisioning solutions<br />
Extract, transform, and load (ETL) capabilities to pull data from any enterprise resource without the time and cost of using connectors<br />
Oracle Identity Analytics improves operational efficiency by simplifying and automating access-related<br />
processes and bridging the gap between the IT infrastructure and the business organization.<br />
Oracle Identity Analytics brings the IT infrastructure and the business organization closer together and<br />
provides a common vocabulary. This is the result of mapping business roles (business view) to the<br />
underlying entitlements (technical view) that are granted within enterprise applications such as SAP or<br />
Oracle ERP systems. A common vocabulary helps ensure that the roles reflect how responsibilities are<br />
assigned within an organization, which makes it easier for employees to request the access necessary to<br />
perform their jobs.<br />
Oracle Identity Analytics continuously monitors the users’ actual access to resources rather than just<br />
reporting on the access to which their roles entitle them. By reducing the risk of improper access,<br />
organizations are less likely to violate enterprise security policies or external regulatory requirements.<br />
Specifically, Oracle Identity Analytics can alert management to issues with problem areas such as<br />
segregation of duties violations, which can occur when a user has conflicting roles or accounts that<br />
violate internal policies or external regulations. For example, a user whose job includes setting up<br />
vendors should have to give up the access privileges associated with that role if that user assumes a<br />
new position that involves writing checks to those vendors.<br />
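The role-versus-actual and segregation-of-duties checks described above, sketched as an added example (not Oracle Identity Analytics code or its API). The role names, entitlement names, and sample accounts are constructed for illustration and follow the vendor setup and check writing case from the text.<br />

```python
from dataclasses import dataclass

# Business roles (business view) -> entitlements (technical view).
# All role and entitlement names are hypothetical.
ROLE_ENTITLEMENTS = {
    "vendor_maintenance": {"vendor.create", "vendor.change"},
    "accounts_payable": {"payment.run", "check.print"},
}

# SoD policy: entitlement pairs that one person must not hold together.
SOD_RULES = [
    ("vendor.create", "check.print", "can set up a vendor and write checks to it"),
    ("vendor.change", "payment.run", "can change vendor data and release payment"),
]


@dataclass(frozen=True)
class Account:
    user: str
    roles: frozenset    # roles currently assigned in the role model
    actual: frozenset   # entitlements actually present in the target system


def entitled(account):
    """Entitlements justified by the account's assigned roles."""
    granted = set()
    for role in account.roles:
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    return granted


def sod_violations(entitlements):
    """Return every SoD rule whose two sides are both in the given set."""
    return [rule for rule in SOD_RULES
            if rule[0] in entitlements and rule[1] in entitlements]


def audit(accounts):
    """Report role-vs-actual exceptions and SoD conflicts per user."""
    report = {}
    for acct in accounts:
        expected = entitled(acct)
        finding = {
            "excess": sorted(acct.actual - expected),    # held without a role
            "missing": sorted(expected - acct.actual),   # role not provisioned
            "sod_by_role": sod_violations(expected),     # role model only
            "sod_actual": sod_violations(acct.actual),   # real access
        }
        if finding["excess"] or finding["missing"] or finding["sod_actual"]:
            report[acct.user] = finding
    return report


# Constructed sample data. bob moved from vendor maintenance to accounts
# payable, but his old entitlements were never removed from the system.
ALICE = Account("alice", frozenset({"vendor_maintenance"}),
                frozenset({"vendor.create", "vendor.change"}))
BOB = Account("bob", frozenset({"accounts_payable"}),
              frozenset({"vendor.create", "vendor.change",
                         "payment.run", "check.print"}))

if __name__ == "__main__":
    for user, finding in audit([ALICE, BOB]).items():
        print(user, finding)
```

For bob, the role model alone shows no conflict, while the comparison against actual entitlements surfaces both the leftover vendor access and the resulting SoD violations.<br />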
With this special feature set, Oracle Identity Analytics completes the cloud identity management stack<br />
and provides the ability to implement a fully integrated end-to-end role management, user<br />
administration, account provisioning, and compliance solution. This solution allows a combined SoD<br />
risk analysis — starting on the OS layer up to the ERP layer — using Oracle Identity Analytics as the<br />
interface component between Oracle Identity Analytics and SAP BusinessObjects Access Control.<br />
Summary<br />
Oracle solutions for SAP in a cloud span the enterprise — from browser to datacenter to storage —<br />
giving users access to SAP anywhere, keeping businesses competitive, reducing costs, saving energy,<br />
and maximizing ROI. Based on market-tested, industry-leading cloud technology, Oracle’s end-to-end<br />
solutions for SAP provide a high-performance, robust, open, flexible SAP architecture that leverages<br />
virtualization to reduce costs and increase agility (Figure 42). Nobody delivers virtualization throughout<br />
the enterprise like Oracle does — with proven technologies that dramatically reduce energy costs. The<br />
solutions open up the potential of global collaborative computing for businesses of any size while<br />
keeping data safe, complying with government policies, and providing fast access to business<br />
information.<br />
Figure 42. Sun cloud technology for SAP<br />
Oracle’s Global SAP Service Portfolio<br />
Reducing power consumption, offering on-demand SaaS cloud services, implementing virtualization,<br />
increasing security and compliance, and managing it all is a huge endeavor. Oracle can help with<br />
everything from designing clouds, to performing upgrades, to operating and managing private SAP<br />
cloud environments.<br />
Oracle’s Sun Solution Center for SAP<br />
Oracle’s Sun Solution Center for SAP has SAP application architects and Oracle and SAP solution<br />
experts that provide world-class service around the globe to address unique SAP requirements. Among<br />
the many services offered, the SAP Competency at the solution center provides the following services:<br />
Architecture design and capacity planning<br />
Hardware sizing tools for business partners<br />
SAP on Oracle solutions<br />
Reference architectures<br />
SAP on Oracle workshops<br />
To find solution centers, see www.sun.com/solutioncenters/locations/index.jsp
Sun Joint Support Center for SAP Applications<br />
Sun Joint Support Center for SAP Applications provides round-the-clock, worldwide support to<br />
resolve interoperability issues between Oracle server platforms and SAP software running in virtualized<br />
or non-virtualized environments. SAP has expertise in resolving complex integration issues between<br />
the Sun software stack and SAP application components such as Oracle Identity Analytics and SAP<br />
back-end components. Support teams are located on-site near the SAP headquarters in Walldorf,<br />
Germany to streamline information transfer and problem resolution. In addition, SAP-trained support<br />
teams are located in the United States and Asia to offer faster, more specialized worldwide problem<br />
resolution.<br />
Oracle Virtualization Services<br />
Oracle offers a complete set of virtualization services across computer, networking, and infrastructure<br />
components to help save power, space, and cooling costs, improve service levels, increase utilization,<br />
and facilitate provisioning to maximize ROI. Professional services staff can help run datacenters more<br />
efficiently — recommending the appropriate mix of virtualization technology and IT processes to<br />
achieve specific goals. Oracle estimates the TCO and ROI benefits that an IT project can achieve and<br />
helps create business value.<br />
Oracle Storage Virtualization Services<br />
Starting with an evaluation of a company’s current storage issues, Oracle’s storage virtualization<br />
services help determine and implement a virtualization strategy that enables companies to achieve<br />
ongoing business and technological goals. Oracle consults on areas to help reduce costs and optimize<br />
resources and recommends the appropriate mix of virtualization technology and IT processes. Sun<br />
Managed Services for Storage can provide best practices to virtualize, monitor, and manage storage<br />
utilization, staff resources, and system processes. Oracle helps virtualize across all SSD/Flash, various<br />
disk, and tape-based storage and maximize the availability of distributed, heterogeneous disk, backup,<br />
and archive infrastructure.<br />
Global Oracle Support<br />
Oracle offers integrated packages of support services that deliver comprehensive Oracle hardware and<br />
software support for SAP users with mission-critical and business-critical applications. These services<br />
are designed to handle urgent business requirements. As part of the offerings, enterprises gain access to<br />
Sun Vendor Integration Program Interop Support. Through this program, Oracle and SAP collaborate<br />
to identify, isolate, and resolve complex interoperability issues.<br />
For More Information<br />
For more information about Oracle solutions for SAP environments, please visit oracle.com/sun or<br />
call +1.800.786.0404 to speak to an Oracle representative. Additional information can be found at:<br />
http://www.sun.com/sap
http://www.sap.com/solutions/business-suite/crm/crmondemand/index.epx<br />
http://www.sap.com/solutions/sapbusinessobjects/ondemand/index.epx<br />
SAP ERP in the Cloud<br />
April 2010<br />
Author: Timm Seitz<br />
Oracle Corporation<br />
World Headquarters<br />
500 Oracle Parkway<br />
Redwood Shores, CA 94065<br />
U.S.A.<br />
Worldwide Inquiries:<br />
Phone: +1.650.506.7000<br />
Fax: +1.650.506.7200<br />
oracle.com<br />
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.<br />
This document is provided for information purposes only and the contents hereof are subject to change without notice.<br />
This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed<br />
orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose.<br />
We specifically disclaim any liability with respect to this document and no contractual obligations are formed either<br />
directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any<br />
means, electronic or mechanical, for any purpose, without our prior written permission.<br />
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their<br />
respective owners.<br />
AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro<br />
Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are<br />
used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered<br />
trademark licensed through X/Open Company, Ltd. 0310