Research Challenge

Over the past few years, the IT landscape transformed rapidly taking advantage of the consolidation of virtualization technologies and service oriented architectures as well as of the emergence of new data consumption devices.

Today, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) may be valid alternatives to traditional IT systems for both the public and the business world. A multitude of vendors propose to host traditional systems (e.g., Amazon cloud), to develop generic software with advanced Software Development Kit (e.g., Microsoft Azure) and to customize dedicated software with mash-ups integrating social network ideas (e.g., the Facebook SDK). The development and execution of this generation of software raise new challenges since the ownership of servers, software, and data is blurred and can span across organizations and countries.

SAP is embracing this (r)evolution by extending the availability of its software and by bringing businesses together with solutions that integrate on-premise and on-demand software with a complete and complementary set of tools to access enterprise data (e.g., fat, web and mobile clients). These solutions are delivered to enterprises as a service ecosystem, where a full suite of enterprise software (including Human Resources, Supply Chain, Finance and Customer Relationship modules) are hosted in the cloud enabling partners and customers toadapt the system's capabilities or build cloud-based extensions. Ultimately, the SAP offer will provide end-to-end business processes across organisational boundaries able to support the emergence of a business market place for add-ons provided by Independent Software Vendors. The infrastructure is based on the following layered architecture that comprises a DBMS Layer, a PaaS Layer, and a SaaS Layer.


Security is of course critical for the new SAP Application Infrastructure, but it is also very difficult to attain because of the multi-faceted nature of the problem: sensitive data must be dealt with in accordance to regulations and internal policies; third-parties applications must be certified before deployment; even applications developed internally by a company must be closely inspected to detect and eliminate vulnerabilities that could enable misuse by unauthorized users; mechanisms should be put in place to prevent and/or detect frauds by authorized users involved in the execution of business processes.