sap business one in the cloud: beyond the cloud control center...3rd party software 1. customer...

SAP Business One in the Cloud:

Beyond the Cloud Control Center

Internal | SAP Employees and Partners OnlySMB Innovation Summit 2019

Special Thanks to:

Cornee Boorsma | SAP Netherlands

Gustav Szenczi | SAP Labs Slovakia

Andre Silveira | SAP Brazil

Michael Cardi | SAP America

2Confidential: Released for Partners© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Agenda

➢ Business One In The Cloud

➢ Scope

➢ Architecture

➢ Partner Value-add

➢ Security

➢ Service Continuity

➢ Disaster Recovery & High Availability

➢ Monitoring

➢ Partner Panel

➢ Wrap-up

SAP Business One in the Cloud


SAP Business One Cloud Offering

The SAP Business One Cloud offering has two aspects:

1. Subscription-based licensing

• Covers software, service and support

• Separate SAP Business One Cloud pricelist

• Migration of existing perpetual licenses is possible

2. Cloud Control Center for SAP Business One

• SAP Business One Cloud solution = Cloud Control Center + SAP Business One

• The Cloud Control Center is a web application that enables cloud operators to manage the SAP

Business One Cloud Landscape.

SAP Business One User

Mobile apps

User Portal

Customer

Access

Partner

Management

Lanscape

Management

• SAP Business One

• Sales App

• Service App

• Data Transfer Workbench

• SAP Crystal Reports

Service Unit A (Version X.1)

• SAP Business One

• Sales App

• Service App

• Data Transfer Workbench

• SAP Crystal Reports

Service Unit B (Version Y.2)

Shared Landscape Components

• Customers

• Tenants

• User and Credentials

• Licenses

• Extensions

• Customers

• Tenants

• User and Credentials

• Licenses

• Extensions

• SAP HANA Database

• SAP Business One Services

• Presentation Server

• Integration

• SAP HANA Database

• SAP Business One Services

• Presentation Server

• Integration

Reseller Operator

Cloud Operator

Cloud Control Center

Landscape Management

Dedicated to a Single Service Unit

SAP HANA Database SAP Business One Services Presentation Server Integration

Company

Databases

Common

Database

Service

Layer

Analytics

service

Job

service

S S

Suse Linux

Windows

Backup

service

Mobile

service

S S S

SAP Business

One Client

Browser

Access

W

Integration

Framework (B1if)

W

Shared between Multiple Service Units Central Components

Storage License Server Extensions SLD/Cloud

Control Center

SLD Agent Domain

Controller

W

SWSW

W


Infrastructure

management

Disaster

recoverySecurity

3rd party

software

1. Customer & Tenant lifecycle management

Go!

2. User Management

3. Extension management

5. Seamless integration with essential 3rd party tools

Monitoring

4. Reseller operations

CC

CP

art

ner

Kn

ow

led

ge

How to join forces to build sustainable cloudWhat to expect from B1 Cloud Center

Security


Authorization controlActive Directory - Organization Units

Preferred structure would include organizational unit to achieve:

• Better transparency and clean User Active Directory structure

• Ability to delegate administrative tasks to dedicated users

• Ability to deploy custom Group Policy Objects per organization

units

B1_Cloud

++Reseller_Name

+++Customers

++++Customer_Name

+Resellers

Organization Units Users

Cloud Operators

Reseller

Operators

Customer Users

Active Directory structure generated by Cloud Control Center is

monolithic and outdated.


Resource access controlActive Directory - Security Groups

Customer

Users of specific Customers

Users of all Customers

Cloud Operators

Cloud Operators

Resellers

Operators of specific Reseller

Operators of all Resellers

Users of Reseller Customers

Users of specific Tenant

Tenant

Users of all Tenants

Service Unit Users

All users should have access to only those resources, that are needed for the users’ role.

Security groups can provide efficient way to access to control and limit the resource access.

11INTERNAL© 2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Network segregation

Security

Introducing security groups into a landscape has several benefits:

• Reducing congestion – As there are fewer hosts in the subnetwork, local traffic is minimized

• Improved security – Broadcasts are minimized, therefore limiting visibility outside the group. Attack

surface is minimized as well, so if one group becomes compromised the other hosts still retain their

security

• Containing network problems – Limits impact of failures in one network to propagate further into the

landscape

Quick tips:

• Ensure that only those ports that are needed are opened. If a security group contains only web servers,

then probably only ports 80 and 443 are needed

• If the ports do not need to be accessed by everybody, set the appropriate rules. (E.g. LB and WS)

• Specify outbound rules of a security group as well. This prevents using your hosts in all kinds of attacks

When setting up security groups, it is a good practice to place all hosts serving the same purpose into one

security group. This means, that all DB servers should be in one security group, all web servers in another,

and all application servers in another.


SAP Business One Client and extensions are running directly on operating system.

If the end users can run and/or install software, then attackers can do as well.

Restrict Unauthorized Code / control code execution

Typical executables to restrict from executing by an end user in Windows environment should include:

regedit.exe, explorer.exe, cmd.exe, tasklist.exe, rundll32.exe, svchost.exe, … The same applies to script

interpreters including: python, csc, … The goal is to limit the attack surface by denying visibility into the

system as well as removing tools for controlling it.

Therefore we need application whitelisting to:

• Restrict executing all files (and DLLs) except the specified list. Blacklist

everything, whitelist needed files for specific users or user groups

• Log every attempt to execute restricted executable (or DLL) and regularly

review logs


Firewall

The first (inbound) and last (outbound) line of defense in the cloud environment is a firewall, which prevents

unwanted traffic from reaching deeper parts of the landscape.

Quick tips:

• All changes to the firewall rules should be logged into the audit log

• Use automation to update firewall settings. The automation can serve as a documentation to firewall rules

as well

• Firewall rules (or the automation rules) should be part of backup & restore procedures

• Review firewall rules regularly and remove unused, overlapping rules. Similarly, consider if rule is

necessary if it hasn’t been triggered for an extended period of time

• Regularly audit firewall logs for suspicious activity. Create monitoring and logging rules for those

• Keep firewall software and firmware up to date

About 99% of firewall breaches are caused by firewall misconfiguration. More in-depth firewall configuration

checklist can be found here: https://www.sans.org/media/score/checklists/FirewallChecklist.pdf

https://www.sans.org/media/score/checklists/FirewallChecklist.pdf


Limiting Data Access

Security

When hosting a non-native cloud application, often times the only possibility for

controlling and limiting the application functionality in terms of data access is to

have rules for accessing only the parts of disk (or shared storage) as well as

rules for accessing data. It is common for non-cloud applications to be built to

be used by one user only and don’t have built-in strategies for user isolation.

Quick tips:

• Data access should be synchronized with authentication & authorization

source, so that all changes to it are propagated across the landscape

• All users should have access to only that data that is needed for the users’

role. This is true for standard users, technical users, DevOps, …

• Apply the same principle as in every lock-down. Lock everything, then apply

permissions to needed locations and databases

In Windows environment, the C:\Windows directory and its’ subdirectories need to be accessible, as well as

personal directory in C:\Users and C:\Program Files (for reading, including it’s x86 vesion). Other disk

locations might include C:\Temp for example.


Each user, that has access to the system (customer, admin, DevOps, technical user) should have minimal

privileges, that allow for performing the task. This is true in every aspect of access, whether it is disk

access, network access, services access, data access, …

One Authentication & Authorization Source

Security

To be able to control the access to the landscape, it is necessary for authentication and authorization source

to exist. For maintainability, it is important, that there is one and only one source. This provides confidence

that changes to this source are propagated throughout the landscape and that all services check the

authentication and authorization against this source.

Quick tips:

• The source should be extremely well protected against change. If possible, network segregation should

be used to increase its’ protection

• All changes to the source should be logged into the audit log

• The content of the source should have a backup & restore strategy set, so that in case of disaster, it can

restore its’ operations quickly

• The source should be run in high availability. If the service(s) providing the authorization source fail, it will

be impossible to log into the landscape


Restricting Unauthorized Code

Security

Even when limiting data access (to the disk), there are still directories (or executables) that need to be

accessible to end user. The problem with non-cloud applications is, that they are running directly on

operating system. There are a lots of ways, which cannot be prevented by disk access authorization, but

when executed can cause significant damage to the host or even landscape. This is especially true in

Windows operating environment.

Quick tips:

• By default, restrict executing all files (and DLLs) except the specified list. Blacklist everything, whitelist

needed files for specific users or user groups

• Log every attempt to execute restricted executable (or DLL)

• Be aware of the fact, that blacklisting all executable files may cause a lockout of the host (nobody will be

able to log in, since critical executables are restricted from execution)

Typical executables to restrict from executing by an end user in Windows environment should include:

regedit.exe, explorer.exe, cmd.exe, tasklist.exe, rundll32.exe, svchost.exe, … The same applies to script

interpreters including: python, csc, … The goal is to limit the attack surface by denying visibility into the

system as well as removing tools for controlling it.

Service Continuity


Disaster recovery

High Availability

SAP Business One provides high availability for critical software components:

• System Landscape Directory

• License Server

It is to use high availability setup important to remove single point of

failure.

Data backup and recovery

SAP Business One defines backup and recovery procedures for software components. It does not have an

ambition to provide comprehensive backup solution.


The Cloud Services include daily backup of all customer data in accordance with standard backup

procedures. Backup service usually includes:

• Backup of customer databases and data folders

• Backup of internal and 3rd party systems (SLD database, License files and license assignment backups,

Secrets, Landscape definition files…)

• Backup retention

• Definition of maximum data loss

• Duration of data restore

SAP Business One Cloud does not provide comprehensive backup tool. Service provider is responsible for

choosing appropriate tools and backup strategy.

Backup and restore policyIT service continuity

• Make sure that the backup process is automated across all instances and monitored

• When backing up data, the best practice dictates to store the backups on different drives, offline media,

different geographical locations, etc.

• Perform periodical trial restore to ensure that all processes can be executed correctly


Set of policies to recover from natural or human induced disaster. Key aspects are:

• Recovery Point Objective – maximum targeted period in which data (transactions) might be lost from

an IT service due to a major incident

• Recovery Target Objective – time duration within which a business process must be restored after a

disaster (or disruption) in order to avoid unacceptable consequences associated with a break

in business continuity

Based on business expectations the disaster recovery strategy can include

• Data backups and replication to remote locations

• High availability of software components

• Remote backup site. A fully functional alternate site with an in-place network, security, storage, and

basic replacement server

Disaster recoveryIT service continuity

• Even just a one hour outage can result in significant costs to a small company

• Remote backup site significantly increases hardware costs. It is usually positioned as a premium

service


HA solutions keep your service as accessible as possible, even in the case of a partial server or software

failure.

It is important to identify any single point of failure and reconfigure around it so that it is not a single point

of failure anymore. Single point of failure can be software, server, storage, network, datacenter or ultimately

earth.

SAP Business One is providing high availability for critical software components:

• System Landscape Directory

• License Server

For remaining software components (SAP HANA, MS Domain controller, MSSQL, MS Remote Desktop

Services) standard high availability guides to be followed.

High availabilityIT service continuity

• According to reports, 67% of best-in-class organizations use fault-tolerant servers and software fault-

tolerant solutions to provide high availability

• SAP Business One high availability is design to protect end-users from outage. Secondary systems

might be affected when failure occurs

Monitoring


• Best practice is to log and monitor health status of the landscape

components (CPU utilization status, disk utilization status,

available memory, services status, critical entries in the log files

and event logs, ...)

• If an recurrent error occurs, it is important to establish monitoring

and define preventive, if required automated, actions.

• Monitoring system should located on hosts outside the productive

landscape. Make sure, you open only the necessary ports allowing

to monitoring system function correctly.

Monitoring


Monitoring

Monitoring system allows trapping events from different hosts or tools, as well as provides automated actions.

Monitoring system should be located on hosts outside the productive landscape. Make sure, you open only the

necessary ports allowing to monitoring system function correctly.

Best practice is to log health status of the landscape components (CPU utilization status, disk utilization status,

available memory, services status, critical entries in the log files and event logs, ...)

If a recurrent error occurs, it is important to establish monitoring and define preventive, if possible automated,

actions.

Automated actions can help in keeping the landscape running despite some of the services not working

properly (e.g. consuming too much memory). While the developers of the component fix the problem,

monitoring tool can still be used to monitor the status of the component and restarting it when needed to

free up consumed memory. In a combination with High Availability, end user will not notice service outage.


Health of the Service unit

It is important to monitor whole SU as it offers

complete B1 functionality to customer.

Integrate infrastructure parameters such as

• RAM consumption

• CPU utilization

• Disk I/O

• Network speed

and component health status e.g. service is

• Running

• Responding

• Configuration

• Serving it’s purpose


• Alerts should contain information about root cause and required response

• Do not ignore alerts that resolves without your involvement

• Do not mix monitoring data from machines in maintenance with data from productive system

• Keep your dashboard monitoring clean

• Scale your monitoring system with the landscape

• Monitor your backups and backup your monitoring

• Do you monitor Logs?

• Monitor your monitoring

• Combining business and technical data can help you to act proactively

Monitoring tips

Partner Panel


Partner Panel

Gary Feldman, President

I-Business Network

Richard Calvo

Consensus International


A pioneer in the Cloud Services

market, Gary formed I-Business

Network in 1999 as an outsourced

application hosting service focusing

on mid market ERP systems, landing

the first hosting agreements in 1999.

I-BN was one of the original

“Business One On-Demand” partners

in 2008 and became the first partner

Certified by SAP in Hosting Services

for Business One in 2012.

Gary Feldman, I-Bn

Additional Service UnitsAdditional Service Units

Landscape Management

Suse Linux

Windows

Dedicated to a Single Service

Unit

SAP HANA Database SAP Business One Services Presentation

Server

Integration

Company

Databases

Common

Database

Service

Layer

Analytics

service

Job

service

S S

Backup

service

Mobile

service

S S S

SAP

Business

One Client

Browser

Access

W

Integration

Framework

(B1if)

W

Shared between Multiple Service

Units

Central Components

Storage License Server Extensions SLD/Cloud

Control

Center

SLD Agent Domain

Controller

W

SWSW

W

FirewallSDN Router

ADC/Netscal

er

I-BN CloudCitrix Storefront Delivery ControllerActive Directory Print Services File Sharing

Backup & Replication

Administration

Active Directory MonitoringFile Server Anti-Virus/Malware Provisioning

Profiles


Cyber SecurityFirewall

Virus Protection

Intrusion Detection

Proxy Server

SQL injection protection

Backup and Replication

Identity Control

Password Policies

Micro-segmentation

Federated services - Single Sign On

Servers in Escrow

….


Easy to Use

Easy to Manage

SuSe Expertise

Infrastructure Expertise

Device independence

Desktop Experience

Federated services – Single Sign On

FileCloud

RDC Manager

….


Richard emigrated from Cuba at a

young age and took several IT

related jobs as he pursued his

Bachelor's Degree from Florida

International University, in order to

pay tuition.

Since joining Consensus in 2012 he

has held many roles and is currently

responsible for implementing and

managing the infrastructure and

software for their SAP Business One

Cloud offering.

Richard Calvo, Consensus

International


6Service Units

35Customers

85Tenants

Operational Efficiency with the Cloud Control CenterCurrent Implementations*

* Start of 2019

90%NNN last 2 years


Improved Provisioning AuditingAbility to audit actions related to customer, tenant, licensing operations including the operator responsible

Improve Customer Environment Ramp-Up timeSignificantly reduce the amount of time necessary to deploy a Business One company and access on hosted environment

Improve Shared Resource SecurityCloud services segregate visibility into shared resources like available license files, access to mobile and browser services

Simplify Tenant MigrationEasily run tenant upgrade prechecks and duplications including user and license assignments

Benefits

Questions

Thank you.

Gamification Challenge Code

JV7Y88By entering this SAP Breakout Session

code you will be granted 10 points

5 5

sap business one in the cloud: beyond the cloud control center...3rd party software 1. customer...

Documents