Customer Stories / Software & Internet / Global

2024
SAP logo

SAP Protects Mission-Critical Backups Using Amazon EBS Snapshot Lock

Learn how SAP stores mission-critical data for its SaaS applications and protects against ransomware using Amazon EBS.

Thousands

of virtual machines protected

70%

faster backup time

100+ PB

of data protected

Overview

Ransomware poses significant risks to enterprises worldwide. This type of malware encrypts data, making it inaccessible, so that a ransom can be demanded for restoring access to the information. As such threats evolve, organizations must enhance their cybersecurity measures to protect critical assets. SAP, a global leader in enterprise software, consistently implements robust data protection strategies to help combat these security challenges.

To better protect its clients’ data, SAP adopted a new solution from Amazon Web Services (AWS): Amazon Elastic Block Store (Amazon EBS) Snapshot Lock, which locks new and existing Amazon EBS Snapshots using a lock duration that can range from 1 day to about 100 years. This feature protects stored data from being unintentionally deleted, empowering SAP to provide its enterprise customers with greater peace of mind.

internet security and data protection concept, blockchain and cybersecurity

Opportunity | Using Amazon EBS to Store and Protect Data for SAP

Founded in 1972, SAP is one of the world’s largest enterprise software companies and serves millions of cloud users around the globe. The SAP Enterprise Cloud Services business unit helps enterprise customers migrate their SAP applications to the cloud. To keep this mission-critical data safe, the organization implements robust security measures. For over 7 years, the company has used Amazon EBS to store data for its enterprise applications.

SAP attaches an Amazon EBS volume, a durable, block-level storage device, to every virtual machine that it migrates to AWS. The majority of these are Amazon EBS General Purpose volumes, which offer balanced cost and performance for the majority of workloads. To keep its clients’ data readily recoverable, SAP relies on Amazon EBS Snapshots, a point-in-time copy of data that can be used to facilitate disaster recovery, migrate data across regions and accounts, and improve backup compliance.

The snapshots are managed and stored on Amazon Simple Storage Service (Amazon S3), an object storage service built to retrieve any amount of data from anywhere, for long-term retention. Amazon S3 is designed for 11 nines of durability, facilitating higher availability of data in Amazon EBS Snapshots.

Although this method met SAP’s storage and security requirements, the company sought additional safeguards against accidental or malicious deletions, which can be critical during a ransomware event. SAP’s customers increasingly requested protection against unintentional deletions, so the company turned to AWS to develop a new feature.

“We had Amazon EBS Snapshots to protect our critical data, but we needed additional protection from unauthorized or unintentional deletions to defend against ransomware” says Jayaprakasan Velusamy, senior enterprise architect at SAP Enterprise Cloud Services. “So, we submitted a feature request. It became a high priority for the Amazon EBS team.”

kr_quotemark

With Amazon EBS Snapshot Lock, we can now say that our snapshots are ransomware protected.”

Jayaprakasan Velusamy
Senior Enterprise Architect, SAP Enterprise Cloud Services

Solution | Expanding Amazon EBS Snapshot Lock to All Enterprise Clients with Backups

In 2023, AWS announced the release of Amazon EBS Snapshot Lock. This feature takes data stored as Amazon EBS Snapshots and locks it down, preventing any modifications or deletions during the specified lock period. This rigid control mechanism helps SAP better protect cloud environments that it manages on behalf of its enterprise clients because it secures the data in snapshots against unauthorized deletions.

SAP takes snapshots of all its customers’ Amazon EBS volumes to back up data at the application and file levels. The company uses the Amazon Data Lifecycle Manager to automate the creation, retention, and deletion of snapshots based on predefined schedules and retention guidelines. This service simplifies the management of these volumes and helps SAP maintain compliance with data retention policies. Then, it uses Amazon EBS Snapshot Lock to secure these backups under stringent compliance controls. The feature’s compliance mode verifies that the snapshots cannot be deleted, even by authorized users. After an optional cooling-off period of up to 72 hours, neither the snapshot nor the lock can be deleted until the lock duration expires, and the mode cannot be changed. SAP’s customers also have the option of customizing how long they would like to lock their snapshots, which has ranged from a few weeks to up to 2 years.

SAP is also adopting Amazon EBS gp3 volumes, the latest generation general-purpose volume type that balances price performance for a wide variety of transactional workloads. With Amazon EBS gp3 volumes, SAP can provision performance independent of storage capacity while providing up to 20 percent lower price per GB than existing volumes. These volumes are also designed to offer single-digit millisecond latency while delivering the provisioned performance 99 percent of the time. This move will help SAP maintain consistently high performance without inflating costs.

SAP protects over 100 petabytes of data and thousands of virtual machines using Amazon EBS Snapshot Lock. Its customers not only enjoy 70 percent faster backup times with significantly quicker recovery but also benefit from additional security and protection with the new feature. All of SAP’s enterprise clients who store backups have adopted Amazon EBS Snapshot Lock.

Outcome | Fulfilling Service-Level Agreements with Fast Snapshot Restore

SAP’s adoption of Amazon EBS Snapshot Lock has bolstered its ransomware defense capabilities, and the proactive engagement of its team helped bring this feature to life. Recognizing the need for even faster recovery times, SAP has adopted Amazon EBS fast snapshot restore, which empowers it to create a volume from a snapshot that is fully initialized at creation. With this feature, SAP can restore data from snapshots even faster, helping fulfill its service-level agreements.

“With Amazon EBS Snapshot Lock, we can now say that our snapshots are ransomware protected,” says Velusamy. “We had many clients asking for these capabilities, which we can now achieve. This capability helps boost our clients’ confidence and decisiveness in choosing to host their data with SAP, helping us potentially seal the deal.”

About SAP

With offices in more than 130 countries, SAP is one of the largest enterprise software companies in the world. Its offerings include RISE with SAP, a solution that can be hosted on AWS to bring SAP applications to the cloud.

AWS Services Used

Amazon EBS

Amazon Elastic Block Store (Amazon EBS) is an easy-to-use, scalable, high-performance block-storage service designed for Amazon Elastic Compute Cloud (Amazon EC2).

Learn more »

Amazon EBS Snapshots

Amazon EBS Snapshots provide a simple and secure data protection solution that is designed to protect your block storage data such as EBS volumes, boot volumes, as well as on-premises block data.

Learn more »

Amazon Data Lifecycle Manager

Amazon Data Lifecycle Manager provides an automated, policy-based lifecycle management solution for Amazon Elastic Block Store (EBS) Snapshots and EBS-backed Amazon Machine Images (AMIs).

Learn more »

Amazon S3

Amazon Simple Storage Service (Amazon S3) is an object storage service offering industry-leading scalability, data availability, security, and performance.

Learn more »

More Software & Internet Customer Stories

no items found 

1

Get Started

Organizations of all sizes across all industries are transforming their businesses and delivering on their missions every day using AWS. Contact our experts and start your own AWS journey today.