Product Management update SAP #S4HANA Cloud 1702: Security Overview
This blog is part of our S/4HANA Cloud 1702 update series and focusing on an topic that is top of mind: cloud security. Security is broadly classified under: application, operations, integration, and authentication, and i’ll use this classification to get into more details.
Application security: SAP follows a secure software development lifecycle framework, designing and building security into our products, in conformance with ISO/IEC 27034.
Product teams implement the following capabilities to enforce security inside the software:
- Authentication and authorization functions to enforce access control
- Data encryption during transfer and at rest
- Integrity protection and message authentication codes
- Secure session management and request forgery and click-jacking protection
- Logging of security events and data access
- Architecture and code reviews
- Static code analysis to identify paths in the code where non validated input finds a way to output, can be injected into code or database queries, or can cause memory corruptions
- Dynamic security testing that can reveal unprotected access paths, indirect object references, or unforeseen error situations leading to privilege escalations
- Penetration tests that can affirm expected security status or uncover additional attack paths
Product teams use a library of security requirements and security controls within SAP’s internal “Product Standard Security” to mitigate security risks, with inputs incorporated from valuable public sources such as OWASP, SANS, and CWE. See further details here.
Secure cloud operations: SAP S/4HANA Cloud meets high standards of trust to deliver an SaaS offering and is compliant with ISO 27001 for information security.
- SAP regularly prepares ISAE3402/SSAE16-SOC 1 Type I and SOC 2 Type I audit reports. SOC 1 Type II and SOC 2 Type II audit reports are in preparation. The ISAE 3000 SOC 2 engagement is based on Trust Services Principles (TSP 100) of security.
- Software is hosted in three data centers located in Sterling, Virginia, United States; Sydney, Australia; and St. Leon-Rot, Germany. They have at least SAP data center Level 3 rating, for physical security and backup infrastructure.
- All access to systems is done through encrypted communication channels using standard transport layer security protocol and strong encryption algorithms.
- Infrastructure (operating system or hypervisor for virtual machines), application, and database security patches are applied as standard process.
- Network security is reinforced with reverse proxy farms to hide network topology. Internet-facing parts are protected by a Web application firewall.
- Customer instances are isolated on a network layer, which limits the technical communication a system can initiate to systems of the same customer or to outside.
- Secure access is realized using role-based SAP Fiori apps for identity and access management. Read Access Logging can be activated to respect data protection and privacy guidelines.
Further details here.
Secure integration: In an on-premise integration scenario between two applications, APIs, IDocs, and Web services are available to be invoked. Rogue and deprecated APIs are blacklisted.
- Published APIs for SAP S/4HANA Cloud with sample code and details can be accessed here.
- In an integration scenario between two cloud applications, all APIs and Web services are blacklisted by default, to begin with. SAP Cloud Platform, as a secure communication tunnel, does not return values until the APIs and Web services are whitelisted, using protocols such as SOAP or REST.
Secure identity authentication: SAP Cloud Identity software is an SAML 2.0 compliant, central identity provider (IDP) for user authentication and SSO to gain access to SAP S/4HANA Cloud.
- In summary, security in the public cloud is of paramount importance to SAP. Customers need to know that they can trust the SAP brand, and SAP S/4HANA Cloud, when they are running mission-critical business operations.
- Further details on how this can be realized is documented here.
- The capability exists in SAP Cloud Identity to delegate to a customer chosen IDP for user authentication.
- SaaS = Software as a service
- SAML = Security Assertion Markup Language
- SSO = Single sign-on
- SOAP = Simple Object Access Protocol
- REST = REpresentational State Transfer
- IDoc = Intermediate Document
For more information on SAP S/4HANA Cloud, check out the following links:
- S/4HANA cloud release info: http://www.sap.com/s4-cloudrelease
- Product documentation and What’s new in 1702 available here
- Best practices for all the cloud editions here