SAP Business One In The Cloud: Beyond The Cloud Control Center


Internal SAP Employees and Partners Only
SMB Innovation Summit 2019
SAP Business One in the Cloud: Beyond the Cloud Control Center
Andre Silveira, SAP Brazil
Michael Cardi, SAP America
Special Thanks to: Cornee Boorsma, SAP Netherlands; Gustav Szenczi, SAP Labs Slovakia

Agenda
- Business One In The Cloud
  - Scope
  - Architecture
  - Partner Value-add
- Security
- Service Continuity
  - Disaster Recovery & High Availability
- Monitoring
- Partner Panel
- Wrap-up

2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ Confidential: Released for Partners

SAP Business One in the Cloud

SAP Business One Cloud Offering

The SAP Business One Cloud offering has two aspects:
1. Subscription-based licensing
   - Covers software, service and support
   - Separate SAP Business One Cloud pricelist
   - Migration of existing perpetual licenses is possible
2. Cloud Control Center for SAP Business One

[Diagram labels: SAP Business One Cloud solution; Cloud Control Center; SAP Business One]

The Cloud Control Center is a web application that enables cloud operators to manage the SAP Business One Cloud Landscape.

[Diagram: landscape overview. Labels:
- Customer Access: Mobile apps, SAP Business One User
- Service Unit A (Version X.1) and Service Unit B (Version Y.2), each with: SAP Business One, Sales App, Service App, Data Transfer Workbench, SAP Crystal Reports; SAP HANA Database, SAP Business One Services, Presentation Server, Integration
- Partner Management (per service unit): Customers, Tenants, User and Credentials, Licenses, Extensions
- User Portal, Reseller Operator, Cloud Operator
- Cloud Control Center: Landscape Management
- Shared Landscape Components]

Landscape Management

[Diagram labels:
- Dedicated to a Single Service Unit: SAP HANA, Mobile service, SAP Business One Client, SAP Business One Services
- Shared between Multiple Service Units: Integration Framework (B1if), Integration
- Central Components: License Server, Browser Access, Presentation Server, Storage, Extensions, SLD/Cloud Control Center, SLD Agent, Domain Controller]

How to join forces to build sustainable cloud

[Diagram labels: Partner Knowledge; Infrastructure management; 3rd; CCC]

What to expect from B1 Cloud Center
1. Customer & Tenant lifecycle management
2. User Management
3. Extension management
4. Reseller operations
5. Seamless integration with essential 3rd party tools

Security

Authorization control
Active Directory - Organization Units

Active Directory structure generated by Cloud Control Center is monolithic and outdated.

Preferred structure would include organizational unit to achieve:
- Better transparency and clean User Active Directory structure
- Ability to delegate administrative tasks to dedicated users
- Ability to deploy custom Group Policy Objects per organization units

[Diagram labels, Organization Units: Users; B1 Cloud; Cloud Operators; Resellers; Reseller Name; Reseller Operators; Customers; Customer Name; Customer Users]

Resource access control
Active Directory - Security Groups

All users should have access to only those resources that are needed for the user's role.
Security groups provide an efficient way to control and limit resource access.

[Diagram labels: Cloud Operators; Resellers; Customer; Tenant; Operators of all Resellers; Users of all Customers; Users of all Tenants; Operators of specific Reseller; Users of specific Customers; Users of specific Tenant; Users of Reseller Customers; Service Unit Users]

Network segregation
Security

Introducing security groups into a landscape has several benefits:
- Reducing congestion – As there are fewer hosts in the subnetwork, local traffic is minimized
- Improved security – Broadcasts are minimized, therefore limiting visibility outside the group. Attack surface is minimized as well, so if one group becomes compromised the other hosts still retain their security
- Containing network problems – Limits impact of failures in one network to propagate further into the landscape

Quick tips:
- Ensure that only those ports that are needed are opened. If a security group contains only web servers, then probably only ports 80 and 443 are needed
- If the ports do not need to be accessed by everybody, set the appropriate rules. (E.g. LB and WS)
- Specify outbound rules of a security group as well. This prevents using your hosts in all kinds of attacks

When setting up security groups, it is a good practice to place all hosts serving the same purpose into one security group. This means that all DB servers should be in one security group, all web servers in another, and all application servers in another.

2017 SAP SE or an SAP affiliate company. All rights reserved. ǀ INTERNAL

Restrict Unauthorized Code / control code execution

SAP Business One Client and extensions are running directly on operating system.
If the end users can run and/or install software, then attackers can do as well.

Therefore we need application whitelisting to:
- Restrict executing all files (and DLLs) except the specified list. Blacklist everything, whitelist needed files for specific users or user groups
- Log every attempt to execute restricted executable (or DLL) and regularly review logs

Typical executables to restrict from executing by an end user in Windows environment should include: regedit.exe, explorer.exe, cmd.exe, tasklist.exe, rundll32.exe, svchost.exe, ... The same applies to script interpreters including: python, csc, ... The goal is to limit the attack surface by denying visibility into the system as well as removing tools for controlling it.

Firewall

The first (inbound) and last (outbound) line of defense in the cloud environment is a firewall, which prevents unwanted traffic from reaching deeper parts of the landscape.

Quick tips:
- All changes to the firewall rules should be logged into the audit log
- Use automation to update firewall settings. The automation can serve as a documentation to firewall rules as well
- Firewall rules (or the automation rules) should be part of backup & restore procedures
- Review firewall rules regularly and remove unused, overlapping rules. Similarly, consider if rule is necessary if it hasn't been triggered for an extended period of time
- Regularly audit firewall logs for suspicious activity. Create monitoring and logging rules for those
- Keep firewall software and firmware up to date

About 99% of firewall breaches are caused by firewall misconfiguration. More in-depth firewall configuration checklist can be found here: llChecklist.pdf
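The rule review described in the firewall tips, together with the security-group tips under Network segregation (only needed ports, not open to everybody, outbound rules specified), can be scripted. The following is an added example, not part of the original slides; the rule names, subnets, port 30015 for the database group and the 90-day idle threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str             # "in" or "out"
    peer: str                  # CIDR of the remote side
    lo: int                    # first port
    hi: int                    # last port (inclusive)
    last_hit: Optional[date]   # None = never triggered

def covers(a, b):
    """True when rule a already allows everything rule b allows."""
    return (a.direction == b.direction
            and ip_network(b.peer).subnet_of(ip_network(a.peer))
            and a.lo <= b.lo and b.hi <= a.hi)

def audit(group, rules, needed_ports, public, today, max_idle_days=90):
    """Return (group, rule, finding) tuples for one security group."""
    findings = []
    if not any(r.direction == "out" for r in rules):
        findings.append((group, "-", "no outbound rules specified"))
    for r in rules:
        if r.direction == "in":
            if set(range(r.lo, r.hi + 1)) - needed_ports:
                findings.append((group, r.name, "opens ports the group does not need"))
            if not public and ip_network(r.peer).prefixlen == 0:
                findings.append((group, r.name, "reachable by everybody"))
        if r.last_hit is None or (today - r.last_hit).days > max_idle_days:
            findings.append((group, r.name, "not triggered for an extended period"))
        for other in rules:
            if other is not r and covers(other, r):
                findings.append((group, r.name, f"overlapped by {other.name}"))
    return findings

# Constructed sample landscape (all values are illustrative).
TODAY = date(2019, 6, 1)
WEB = [
    Rule("web-https", "in", "10.0.1.0/24", 443, 443, date(2019, 5, 30)),
    Rule("web-http", "in", "10.0.1.0/24", 80, 80, date(2019, 5, 30)),
    Rule("web-rdp-any", "in", "0.0.0.0/0", 3389, 3389, None),
    Rule("web-https-lb1", "in", "10.0.1.10/32", 443, 443, date(2019, 1, 2)),
    Rule("web-to-db", "out", "10.0.2.0/24", 30015, 30015, date(2019, 5, 30)),
]
DB = [Rule("db-from-web", "in", "10.0.3.0/24", 30015, 30015, date(2019, 5, 31))]

def run_sample():
    """Audit both constructed groups and return all findings."""
    return (audit("web", WEB, {80, 443}, public=False, today=TODAY)
            + audit("db", DB, {30015}, public=False, today=TODAY))

if __name__ == "__main__":
    for finding in run_sample():
        print(*finding, sep=" | ")
```

Findings are candidates for review, not automatic deletions: a rarely triggered rule may still be required for a restore or failover path.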

Limiting Data Access
Security

When hosting a non-native cloud application, often the only possibility for controlling and limiting the application functionality in terms of data access is to have rules for accessing only the parts of disk (or shared storage) as well as rules for accessing data. It is common for non-cloud applications to be built to be used by one user only, without built-in strategies for user isolation.

Quick tips:
- Data access should be synchronized with authentication & authorization source, so that all changes to it are propagated across the landscape
- All users should have access to only that data that is needed for the user's role. This is true for standard users, technical users, DevOps, ...
- Apply the same principle as in every lock-down. Lock everything, then apply permissions to needed locations and databases

In Windows environment, the C:\Windows directory and its subdirectories need to be accessible, as well as personal directory in C:\Users and C:\Program Files (for reading, including its x86 version). Other disk locations might include C:\Temp for example.

One Authentication & Authorization Source
Security

To be able to control the access to the landscape, it is necessary for an authentication and authorization source to exist. For maintainability, it is important that there is one and only one source. This provides confidence that changes to this source are propagated throughout the landscape and that all services check the authentication and authorization against this source.

Quick tips:
- The source should be extremely well protected against change. If possible, network segregation should be used to increase its protection
- All changes to the source should be logged into the audit log
- The content of the source should have a backup & restore strategy set, so that in case of disaster, it can restore its operations quickly
- The source should be run in high availability. If the service(s) providing the authorization source fail, it will be impossible to log into the landscape

Each user that has access to the system (customer, admin, DevOps, technical user) should have minimal privileges that allow for performing the task. This is true in every aspect of access, whether it is disk access, network access, services access, data access, ...

Restricting Unauthorized Code
Security

Even when limiting data access (to the disk), there are still directories (or executables) that need to be accessible to the end user. The problem with non-cloud applications is that they are running directly on the operating system. There are a lot of ways which cannot be prevented by disk access authorization, but when executed can cause significant damage to the host or even landscape. This is especially true in Windows operating environment.

Quick tips:
- By default, restrict executing all files (and DLLs) except the specified list. Blacklist everything, whitelist needed files for specific users or user groups
- Log every attempt to execute restricted executable (or DLL)
- Be aware of the fact that blacklisting all executable files may cause a lockout of the host (nobody will be able to log in, since critical executables are restricted from execution)

Typical executables to restrict from executing by an end user in Windows environment should include: regedit.exe, explorer.exe, cmd.exe, tasklist.exe, rundll32.exe, svchost.exe, ... The same applies to script interpreters including: python, csc, ... The goal is to limit the attack surface by denying visibility into the system as well as removing tools for controlling it.
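A dry run of a default-deny allow-list before enforcement covers both the logging tip and the lockout warning above. This is an added example, not part of the original slides; the group names, path patterns, the `LOGON_CRITICAL` list and the `timestamp|user|group|path` log format are all constructed assumptions.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed allow-list: group -> path patterns that may execute.
# Anything that matches no pattern is denied (default deny).
POLICY = {
    "B1-Users": [
        r"c:\program files (x86)\sap\sap business one\*.exe",
        r"c:\windows\system32\userinit.exe",
    ],
    "Cloud-Operators": [r"c:\windows\*", r"c:\program files*\*"],
}

# Assumption: executables a session needs before the user can log on.
# Build the real list from audit-mode logs of the actual host.
LOGON_CRITICAL = [
    r"c:\windows\system32\userinit.exe",
    r"c:\windows\system32\winlogon.exe",
]

# Constructed audit-mode log, one execution per line: timestamp|user|group|path
AUDIT_LOG = r"""
2019-06-01T08:00:02|alice|B1-Users|C:\Program Files (x86)\SAP\SAP Business One\SAP Business One.exe
2019-06-01T08:03:10|alice|B1-Users|C:\Windows\System32\cmd.exe
2019-06-01T08:04:44|bob|B1-Users|C:\Users\bob\Downloads\tool.exe
2019-06-01T08:05:00|bob|B1-Users|C:\Windows\System32\cmd.exe
2019-06-01T09:00:00|op1|Cloud-Operators|C:\Windows\regedit.exe
"""

def is_allowed(group, path, policy=POLICY):
    """Default deny: a path runs only if it matches a pattern for the group."""
    path = path.lower()
    return any(fnmatchcase(path, pat) for pat in policy.get(group, []))

def dry_run(log=AUDIT_LOG, policy=POLICY):
    """Return the executions the policy would block, plus counts per executable."""
    denied = []
    for line in log.strip().splitlines():
        ts, user, group, path = line.split("|", 3)
        if not is_allowed(group, path, policy):
            denied.append((ts, user, path))
    by_exe = Counter(p.rsplit("\\", 1)[-1].lower() for _, _, p in denied)
    return denied, by_exe

def lockout_risks(group, policy=POLICY, critical=LOGON_CRITICAL):
    """Logon-critical executables the group could no longer run."""
    return [p for p in critical if not is_allowed(group, p, policy)]

if __name__ == "__main__":
    denied, by_exe = dry_run()
    for ts, user, path in denied:
        print("would block:", ts, user, path)
    print("blocked per executable:", dict(by_exe))
    print("lockout risk for B1-Users:", lockout_risks("B1-Users"))
```

A non-empty `lockout_risks` result means the policy should not be switched from audit to enforcement for that group yet.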

Service Continuity

Disaster recovery

Data backup and recovery
SAP Business One defines backup and recovery procedures for software components. It does not have an ambition to provide a comprehensive backup solution.

High Availability
SAP Business One provides high availability for critical software components:
- System Landscape Directory
- License Server

It is important to use a high availability setup to remove single points of failure.

Backup and restore policy
IT service continuity

The Cloud Services include daily backup of all customer data in accordance with standard backup procedures. Backup service usually includes:
- Backup of customer databases and data folders
- Backup of internal and 3rd party systems (SLD database, License files and license assignment backups, Secrets, Landscape definition files ...)
- Backup retention
- Definition of maximum data loss
- Duration of data restore

SAP Business One Cloud does not provide comprehensive backup tool. Service provider is responsible for choosing appropriate tools and backup strategy.
- Make sure that the backup process is automated across all instances and monitored
- When backing up data, the best practice dictates to store the backups on different drives, offline media, different geographical locations, etc.
- Perform periodical trial restore to ensure that all processes can be executed correctly

Disaster recovery
IT service continuity

Set of policies to recover from natural or human induced disaster. Key aspects are:
- Recovery Point Objective – maximum targeted period in which data (transactions) might be lost from an IT service due to a major incident
- Recovery Target Objective – time duration within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity

Based on business expectations the disaster recovery strategy can include:
- Data backups and replication to remote locations
- High availability of software components
- Remote backup site. A fully functional alternate site with an in-place network, security, storage, and basic replacement server

Notes:
- Even just a one hour outage can result in significant costs to a small company
- Remote backup site significantly increases hardware costs. It is usually positioned as a premium service

High availability
IT service continuity

HA solutions keep your service as accessible as possible, even in the case of a partial server or software failure.

It is important to identify any single point of failure and reconfigure around it so that it is not a single point of failure anymore. Single point of failure can be software, server, storage, network, datacenter or ultimately earth.

SAP Business One is providing high availability for critical software components:
- System Landscape Directory
- License Server

For remaining software components (SAP HANA, MS Domain controller, MSSQL, MS Remote Desktop Services) standard high availability guides are to be followed.

Notes:
- According to reports, 67% of best-in-class organizations use fault-tolerant servers and software fault tolerant solutions to provide high availability
- SAP Business One high availability is designed to protect end-users from outage. Secondary systems might be affected when failure occurs

Monitoring

Monitoring
- Best practice is to log and monitor health status of the landscape components (CPU utilization status, disk utilization status, available memory, services status, critical entries in the log files and event logs, ...)
- If a recurrent error occurs, it is important to establish monitoring and define preventive, if required automated, actions.
- Monitoring system should be located on hosts outside the productive landscape. Make sure you open only the necessary ports that allow the monitoring system to function correctly.

Monitoring

Monitoring system allows trapping events from different hosts or tools, as well as provides automated actions.

Monitoring system should be located on hosts outside the productive landscape. Make sure you open only the necessary ports that allow the monitoring system to function correctly.

Best practice is to log health status of the landscape components (CPU utilization status, disk utilization status, available memory, services status, critical entries in the log files and event logs, ...)

If a recurrent error occurs, it is important to establish monitoring and define preventive, if possible automated, actions.

Automated actions can help in keeping the landscape running despite some of the services not working properly (e.g. consuming too much memory). While the developers of the component fix the problem, the monitoring tool can still be used to monitor the status of the component and restart it when needed to free up consumed memory. In combination with High Availability, the end user will not notice a service outage.

Health of the Service unit

It is important to monitor the whole SU as it offers complete B1 functionality to the customer.

Integrate infrastructure parameters such as
- RAM consumption
- CPU utilization
- Disk I/O
- Network speed

and component health status, e.g. service is
- Running
- Responding
- Configuration
- Serving its purpose

Monitoring tips
- Alerts should contain information about root cause and required response
- Do not ignore alerts that resolve without your involvement
- Do not mix monitoring data from machines in maintenance with data from productive system
- Keep your dashboard monitoring clean
- Scale your monitoring system with the landscape
- Monitor your backups and backup your monitoring
- Do you monitor Logs?
- Monitor your monitoring
- Combining business and technical data can help you to act proactively

Partner Panel

Partner Panel
- Gary Feldman, President, I-Business Network
- Richard Calvo, Consensus International

Gary Feldman, I-BN

A pioneer in the Cloud Services market, Gary formed I-Business Network in 1999 as an outsourced application hosting service focusing on mid market ERP systems, landing the first hosting agreements in 1999.

I-BN was one of the original “Business One On-Demand” partners in 2008 and became the first partner Certified by SAP in Hosting Services for Business One in 2012.

Landscape Management

[Diagram labels:
- I-BN Cloud: Firewall, SDN Router, Active Directory, Active Directory Print Services, ADC/Netscaler, Citrix Storefront Delivery Controller, File Sharing, Backup & Replication
- Dedicated to a Single Service Unit: SAP HANA Database, Analytics, Job service, Backup service, Mobile service, SAP Business One Client, SAP Business One Services
- Shared between Multiple Service Units: Integration Framework (B1if), Integration
- Central Components: Profiles, Storage, License Server, Extensions, SLD/Cloud Control Center, SLD Agent, Domain Controller
- Additional Service Units]

Cyber Security
- Firewall
- Virus Protection
- Intrusion Detection
- Proxy Server
- SQL injection protection
- Backup and Replication
- Identity Control
- Password Policies
- Micro-segmentation
- Federated services - Single Sign On
- Servers in Escrow

Easy to Use
- Device independence
- Desktop Experience
- Federated services – Single Sign On
- FileCloud
- RDC Manager

Easy to Manage
- SuSe Expertise
- Infrastructure Expertise

Richard Calvo, Consensus International

Richard emigrated from Cuba at a young age and took several IT related jobs as he pursued his Bachelor's Degree from Florida International University, in order to pay tuition.

Since joining Consensus in 2012 he has held many roles and is currently responsible for implementing and managing the infrastructure and software for their SAP Business One Cloud offering.

Operational Efficiency with the Cloud Control Center

Current Implementations*
[Figure residue: 63585 Service Units, Customers, Tenants; 90%NNN last 2 years]
* Start of 2019

Benefits

Improved Provisioning Auditing
Ability to audit actions related to customer, tenant, licensing operations including the operator responsible

Improve Customer Environment Ramp-Up time
Significantly reduce the amount of time necessary to deploy a Business One company and access on hosted environment

Improve Shared Resource Security
Cloud services segregate visibility into shared resources like available license files, access to mobile and browser services

Simplify Tenant Migration
Easily run tenant upgrade prechecks and duplications including user and license assignments

Questions

Thank you.

Gamification Challenge Code: JV7Y88
By entering this SAP Breakout Session code you will be granted 10 points
