In a world without borders, data needs a guardian
In the age of digital transformation, as data has become every organisation’s most valuable asset, protecting it has taken on strategic importance. Migration to the public cloud offers organisations unrivalled flexibility, scalability and cost efficiency, but it also raises serious questions about security and regulatory compliance. How can you ensure that sensitive business data remains under your control even when it physically resides in a cloud provider’s infrastructure? How do you meet regulatory requirements on data location and processing in a multi-cloud environment?
At SNOK we have spent years helping clients resolve these dilemmas by implementing advanced data-protection solutions in SAP systems. One of the most effective tools in our arsenal is SAP Data Custodian – a comprehensive SaaS solution that delivers unprecedented visibility and control over data in cloud environments.
What is SAP Data Custodian?
SAP Data Custodian is an advanced Software as a Service (SaaS) solution designed specifically to protect data held in cloud environments – public, private, hybrid and multi-cloud alike. It integrates with leading cloud service providers (hyperscalers), SAP applications and SAP-managed clouds, providing comprehensive data protection across the entire IT ecosystem.
“In today’s complex IT landscape, where data flows between different systems and clouds, the traditional approach to security – focused on securing individual infrastructure components – is no longer sufficient,” explains Jarosław Kamil Zdanowski, Head of SAP and Cybersecurity Consulting at SNOK. “We need solutions that protect data at every stage of its lifecycle, regardless of where it is stored or processed. SAP Data Custodian delivers exactly that kind of protection, enabling organisations to safely take advantage of the benefits of the public cloud.”
SAP Data Custodian consists of two main components:
- Transparency and Control Service (TCS) – provides extended capabilities for monitoring and controlling data and cloud resources, including policy definition, activity monitoring, contextual access control and compliance management.
- Key Management Service (KMS) – enables management of cryptographic keys, essential for protecting sensitive data.
Key features of SAP Data Custodian
Policy definition and enforcement
SAP Data Custodian allows you to configure geolocation policies for managing data storage, movement, processing and access. These policies can be readily adapted in response to changing global regulations, which is particularly relevant in the context of regulations such as GDPR, CCSL and CCRF.
At SNOK we regularly help clients define and implement such policies, tailoring them to specific industry and regulatory requirements. Our experience shows that properly configured policies significantly reduce the risk of data-security breaches and non-compliance.
Data transparency, alerts and reporting
The solution provides insight into where data has been shared, moved and stored in the public cloud, and by whom. The system notifies users of policy violations and data leaks, and delivers near-real-time compliance and risk reports.
Thanks to these capabilities, our clients gain full visibility of their data in the cloud, allowing them to respond quickly to potential threats and policy violations. At SNOK, we use these capabilities to build comprehensive monitoring solutions that provide continuous oversight of data security.
Independent key management
SAP Data Custodian offers full, independent control over encryption keys and data. The solution supports two main key-management scenarios:
- Hold Your Own Key (HYOK) – allows a key to be created in an external key store and registered for use in SAP Data Custodian. Supported key stores include AWS Key Management Service, Fortanix DSM and Microsoft Azure Key Vault.
- Bring Your Own Key (BYOK) – allows a key to be created in an external key store and its key material imported for use in SAP Data Custodian. Supported key stores include AWS Key Management Service, Fortanix DSM and Thales CipherTrust Cloud Key Manager.
At SNOK we have extensive experience implementing both of these scenarios, tailoring them to our clients’ specific security needs and requirements.
Data anonymisation
The data-anonymisation feature in SAP Data Custodian allows structured data to be analysed and replaced with anonymised data generated by machine-learning algorithms. This is particularly useful when creating test environments that require realistic data without exposing sensitive information.
The anonymisation process involves several steps:
- Defining the anonymisation configuration
- Scheduling the anonymisation analysis job
- Scheduling the anonymisation generation job
At SNOK we regularly use this feature in migration and testing projects, providing our clients with secure development and test environments.
Contextual access control
SAP Data Custodian offers advanced contextual access-control mechanisms that restrict access to cloud data based on data category, geolocation and user context (such as user location, citizenship, department or employment type).
These mechanisms allow our clients to precisely control who has access to sensitive data and under what circumstances, significantly reducing the risk of unauthorised access. At SNOK we help configure these mechanisms, tailoring them to each organisation’s specific security and compliance requirements.
Benefits of implementing SAP Data Custodian
Managing data on your own terms
SAP Data Custodian enables organisations to take control of their data in the public cloud. Organisations can define and enforce where their data is stored, who has access to it, where it is processed and where it may be moved. This is particularly relevant for global business operations, where different jurisdictions may have differing data-protection requirements.
At SNOK we help clients develop comprehensive data-management strategies that account for both business and regulatory requirements. Our approach is based on a thorough analysis of organisational needs and tailoring SAP Data Custodian’s features accordingly.
Public-cloud benefits with private-cloud-grade data protection
SAP Data Custodian combines the benefits of using the public cloud with the data security, transparency and control characteristic of on-premises or private-cloud deployments. This allows organisations to fully leverage the flexibility, scalability and cost efficiency of the public cloud while retaining full control over their data.
Our experience at SNOK shows that this hybrid approach to data security is particularly valuable for organisations that must meet stringent regulatory requirements while still wanting to benefit from modern cloud technologies.
Supporting compliance with GDPR and other regulations
SAP Data Custodian enables global compliance with data-protection regulations in public-cloud deployments by configuring and rapidly adapting policies in response to changing regulations. The solution supports compliance with regulations such as GDPR, CCSL, CCRF, India’s privacy law and China’s cybersecurity law.
At SNOK we specialise in adapting SAP Data Custodian to the specific regulatory requirements of different industries and regions. Our comprehensive approach to compliance covers not only the implementation of technical safeguards but also the development of appropriate processes and procedures.
SAP Data Custodian use cases
Data governance
SAP Data Custodian supports data governance through infrastructure transparency and control features. The solution provides governance capabilities addressing global regulations, data sovereignty and data location. It establishes consistent data guidelines through ready-made policy templates, automated policy-violation alerts, incident-management workflows and audit reporting.
At SNOK we have implemented such solutions for numerous clients, helping them meet regulatory requirements and ensure data sovereignty. Our approach is based on a thorough analysis of specific regulatory requirements and adapting SAP Data Custodian’s features accordingly.
Data protection
SAP Data Custodian provides data protection through application transparency and control features. The solution allows data-protection policies to be applied based on customer privacy frameworks, monitoring and securing data in SAP applications hosted in public clouds and on-premises environments.
Our projects at SNOK often involve implementing such policies. They enable continuous activity monitoring and data protection by monitoring critical operations, preventing exposure of sensitive data to unauthorised users, minimising exposure of personal data through contextual masking policies, and notifying users when privileged accounts access confidential data.
Anomaly detection
SAP Data Custodian offers anomaly-detection features that identify suspicious activity. The solution monitors system activity and generates alerts about suspicious behaviour without requiring policies to be set.
At SNOK we use these capabilities to build advanced threat-detection systems that allow early identification of potential security breaches. Our approach combines automated anomaly detection with the expertise of our security specialists, ensuring effective protection against advanced threats.
Integration with SAP services
SAP Data Custodian integrates with a broad range of SAP services, including SAP BTP, SAP Business Application Studio, SAP BTP Connectivity Destination Service, SAP Document Management Service, HTML5 Application Repository, SAP SuccessFactors HCM, SAP HANA Enterprise Cloud, SAP S/4HANA Cloud, SAP Analytics Cloud, SAP Integrated Business Planning for Supply Chain and SAP SuccessFactors Incentive Management.
At SNOK we have extensive experience integrating SAP Data Custodian with various SAP services, allowing us to deliver comprehensive security solutions for our clients’ entire SAP ecosystems. Our projects often involve complex integrations that ensure consistent data protection across the whole IT environment.
Implementing SAP Data Custodian – best practices
Planning and preparation
Before implementing SAP Data Custodian, it is essential to thoroughly understand the organisation’s business and regulatory requirements. A detailed analysis of the existing IT environment should be carried out, identifying sensitive data and determining where it is stored and processed.
At SNOK we always begin implementation projects with a detailed analysis of the client’s needs and an assessment of their IT environment. Our approach is based on understanding the specific business challenges and opportunities that the technology is intended to address.
Configuration and customisation
Configuring SAP Data Custodian involves several key steps:
- Configuring the S/4HANA technical user
- Configuring application control
- Configuring application transparency
- Configuring tokenisation
- Configuring resource facts
Integration with existing systems
SAP Data Custodian must be integrated with existing SAP systems and other business applications. This integration requires careful planning and testing to ensure smooth operation and avoid disruption to business processes.
SAP Data Custodian compared with the competition
Compared with Microsoft Azure Information Protection and AWS CloudTrail, SAP Data Custodian offers more granular controls tailored to the specific needs of SAP environments. While competing solutions focus mainly on securing cloud infrastructure, SAP Data Custodian provides comprehensive protection at both the infrastructure and application levels.
The future of data security in the cloud
The future of data security in the cloud will be shaped by several key trends:
- The growing importance of data sovereignty and compliance with local regulations
- Increased use of artificial intelligence and machine learning in threat detection
- Development of quantum technologies and their impact on encryption
- Evolution towards a zero-trust approach to cloud security
“At SNOK we believe the future belongs to organisations that can stay ahead of threats,” says Jarosław Kamil Zdanowski. “That is why we continuously invest in developing our expertise and tools. This allows us to provide our clients with the highest level of protection, tailored to current and future challenges.”
At SNOK we actively track these trends and adapt our solutions to ensure our clients enjoy the highest level of security in a rapidly changing cyberthreat landscape. Our approach combines deep technical knowledge with an understanding of the business aspects of data security, enabling us to deliver solutions that are both effective and practical.
Summary
SAP Data Custodian is a comprehensive solution for protecting data in cloud environments, offering unprecedented visibility and control over data across the entire IT ecosystem. With advanced features such as policy definition and enforcement, data transparency, independent key management, data anonymisation and contextual access control, the solution enables organisations to make full use of the benefits of the public cloud while retaining complete control over their data.
At SNOK we have extensive experience implementing SAP Data Custodian and other security solutions for SAP systems. Our approach is based on a deep understanding of both the technical and business aspects of data security, enabling us to deliver solutions that effectively address the specific challenges of every organisation.
If your organisation is considering migrating to the cloud, or is already using cloud services and looking for ways to enhance security and regulatory compliance, SAP Data Custodian could be the ideal solution. At SNOK we are ready to help you evaluate, implement and optimise this solution to ensure the highest level of protection for your data in the cloud.
Contact us to find out how SAP Data Custodian can help your organisation safely harness the potential of the cloud.