At SAP, we take security seriously. Whether an organization needs to run applications securely through SAP data centers or needs to ensure that applications are securely developed for internal or external use, SAP customers can always be assured that the latest and greatest security measures are upheld. For this post let’s focus specifically on the comprehensive SAP Cloud Platform integrated security services that customers rely upon to securely run and develop applications.
Let’s start with the physical security involved with applications running on the SAP Cloud Platform. Data within these cloud applications no longer resides on-premises within your organization but is stored and processed in SAP data centers around the world. SAP data centers are held to high industry security standards, with ISO 27001 certification and SOC1 and SOC2 compliance.
Data backup is physically separated but co-located within the same region as the primary SAP Data Center whenever possible. Your organization’s data is always kept securely separate from other customer data and administrative access to the data is highly restricted. Any data at rest or in transit is securely encrypted to the highest possible standards.
SAP’s Cloud Platform Technical and Organization Measures (TOM) provides a high level of security and covers all bases: security patch and malware management, multi-tenancy, access restrictions, business continuity management, disaster recovery, subcontractor compliance, 24 x 7 security monitoring, network security, encryption, policies and standards, strong authentication and access management tools, video and sensor surveillance, intruder alarm systems and so much more.
SAP offers different security mechanisms for ensuring that only approved users have access to SAP Cloud Platform applications.
With the SAP Cloud Platform Identity Authentication service, you can provide your employees, customers, and partners with simple and secure cloud-based access to the business processes, applications, and data they need, including two-factor authentication and custom password policy. For authentication and single sign-on, you can choose SAP Cloud Platform Identity Authentication or use your own corporate IdP with identity federation. SAP Cloud Platform also supports social IdPs such as Facebook, Google or LinkedIn for authentication. The social IdP integration will make consumer on-boarding to your cloud applications easily achievable.
User Role Access using SAP Cloud Platform Identity Provisioning
What about the different user roles and departments accessing the SAP Cloud Platform?
SAP Cloud Platform Identity Provisioning offers a comprehensive, low-cost approach to identity lifecycle management in the cloud. Beyond provisioning on-premise or third-party cloud users to SAP Cloud applications, customers can also provision the relevant user authorizations to the respective SAP cloud applications during the provisioning process. This is done by defining the access policies before the provisioning process. The policies map your source user groups to your user roles in the cloud.
Furthermore, SAP Cloud Platform supports dynamic role assignment. When the user roles in on-premises or cloud systems change, the SAML user attributes will change immediately. When the user logs into the platform, the new role credentials will be automatically assigned. This ensures that users can access only the areas of the cloud application and the data that are relevant to their role. As a point of note, you can also program user role assignments using platform authorization APIs for a secure and private authorization process.
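The group-to-role mapping and login-time role assignment described above can be sketched as follows. This is an added example, not SAP code or an SAP API: the policy table, the `groups` attribute name, the role names and the sample assertion fragment are all hypothetical, and the assertion is assumed to have been signature-checked already.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical access policy defined before provisioning: source group -> cloud roles.
GROUP_TO_ROLES = {
    "HR-Managers": {"hr.viewer", "hr.approver"},
    "Finance": {"finance.viewer"},
}

# Constructed sample: attribute statement from an assertion whose signature,
# issuer, audience and validity window are assumed to be verified upstream.
SAMPLE_ATTRIBUTES = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="groups">
    <saml:AttributeValue>HR-Managers</saml:AttributeValue>
    <saml:AttributeValue>Contractors</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail">
    <saml:AttributeValue>jane@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def groups_from_assertion(xml_text, attribute_name="groups"):
    """Collect the values of the group attribute; other attributes are ignored."""
    # A production service would use a hardened XML parser for untrusted input.
    root = ET.fromstring(xml_text)
    groups = set()
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != attribute_name:
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            if value.text and value.text.strip():
                groups.add(value.text.strip())
    return groups

def roles_for_login(xml_text, policy=GROUP_TO_ROLES):
    """Recompute roles on every login: nothing is carried over from earlier
    sessions, and a group without a policy entry grants no role (default deny)."""
    roles, unmapped = set(), set()
    for group in groups_from_assertion(xml_text):
        if group in policy:
            roles |= policy[group]
        else:
            unmapped.add(group)  # surface for review instead of guessing a role
    return roles, unmapped
```

Because roles are derived only from the current assertion, a user moved from one source group to another loses the old roles at the next login without any separate revocation step.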
Authentication and Single Sign-on with OAuth and SAML
OAuth is a security measure that replaces an individual’s username and password with a token, so your access is always protected. OAuth provides clients with “secure delegated access” to server resources on behalf of a resource owner. SAP Cloud Platform supports the OAuth 2.0 protocol as a reliable way to protect application APIs and resources. The OAuth flow includes a Security Assertion Markup Language (SAML) 2.0-compliant IdP that authenticates the user and produces an authorization code. The client connects with the SAP Cloud Platform OAuth service, where the access token is generated. From there, authentication is evaluated and validated in line with the service scope.
Beyond the above security services, SAP Cloud Platform also provides a Cloud Identity Access Governance service to help you manage identities and optimize compliance across your enterprise, for example to achieve SOX compliance for your company.
The Importance of Security
The security architecture of SAP Cloud Platform aims to establish security measures that are among the highest in the industry. At SAP, your data, platform and application security is our top priority regardless of where you are located in the world. Our aim is to consistently safeguard your business.
To read more, please visit SAP Cloud Platform.