Enforcing zero trust for enterprise security with Amazon GuardDuty for SAP

SAP is the world’s largest provider of enterprise applications and software. To accelerate innovation and time to market for its customers, SAP has released several critical software-as-a-service (SaaS) solutions that are powered by AWS.

When the company first started deploying its customers’ workloads in the cloud, SAP’s security operations team manually monitored, identified, and remediated all potential security events. “We were a team of five people creating all the organization’s AWS accounts by hand,” says Amos Wendorff, security data governance lead at SAP.

However, the company’s usage of AWS was rapidly growing. As SAP’s cloud footprint expanded, the challenges scaled. Responsible for monitoring 7,000 AWS accounts, SAP’s security operations engineers spent 20 percent of their time triaging security alerts with account owners across the company’s business units. “The focus in security shifted because our total number of AWS accounts was growing tremendously,” says Wendorff. “We realized we needed an automated approach to keep pace with the demands of our security requirements and the growing tool complexity across our environment.”

To help keep its cloud-based workloads secure, SAP followed the principles of never trust, always verify while building an enterprise security solution on AWS. Further, the company needed to scale to a fast-growing footprint of AWS accounts without creating additional software maintenance for its security operations team.

In alignment with zero-trust best practices, SAP implemented over 70 secure-by-default controls that automatically protect new and existing AWS accounts. “We trust AWS services because of their built-in—technical implementation—security controls,” says Wendorff. “The support that we’ve received from the AWS team is also top of the ladder.”

For automatic threat detection and response, SAP deployed GuardDuty, an agentless service that analyzes tens of billions of events across multiple sources. SAP’s engineers use GuardDuty to unlock critical insights about IP traffic patterns across its VPC flow logs, helping them develop effective security group rules that control inbound and outbound traffic.

SAP also activated GuardDuty Extended Threat Detection, which employs AI to identify both known and previously unknown attack sequences. Security findings and analytics are then fed into SAP’s observability solution, helping its engineers perform federated searches across its cloud resources.

The company also uses AWS Organizations to streamline account management, centralize governance, and enforce consistent management of its AWS resources across multiple accounts and AWS services. “We automated the life cycle of our accounts,” says Wendorff. “For example, if an account goes unused for a certain amount of time, it’s flagged to the account owner and deleted if it continues to be inactive.”

SAP continually adds additional layers of security to its solution. For example, SAP protects the data it stores in Amazon Simple Storage Service (Amazon S3)—an object storage service built to retrieve any amount of data from anywhere—by activating GuardDuty Amazon S3 Protection.

With this added layer of protection, SAP can quickly detect potential security risks for data, such as data exfiltration and destruction. “We’ve been steadily activating more protection plans in Amazon GuardDuty,” says Wendorff. “It’s low-hanging fruit for us. It doesn’t involve a lot of effort or overhead to strengthen the coverage of our protection.”

SAP has automated threat detection and response while gaining contextualized intelligence for security alerts. This helps SAP’s engineers prioritize alerts by level of risk and tackle urgent threats and vulnerabilities faster than before. In fact, SAP has significantly reduced its mean time to resolution, despite its cloud footprint continuing to grow from 7,000 to 10,000 AWS accounts.

Further, SAP’s security operations team saves time on investigating new finding types, helping reduce the company’s operational overhead. “With GuardDuty, we don’t need to spend our time staffing a detection team and developing new finding types based on the latest cybersecurity trends,” says Wendorff. “AWS takes care of that for us.”

Looking ahead, SAP will continue to extend its use of GuardDuty by implementing more protection plans, such as GuardDuty Malware Protection for Amazon S3. “Our SaaS customers have peace of mind that their workloads are protected with the latest findings and services,” says Wendorff. “And our security teams know that their AWS accounts are covered by Amazon GuardDuty.”