SAP Security Operations On Azure
In this article, I will address the topic of SAP Security Operations on Azure. I will discuss Azure platform components like disk storage all the way to application layer and audit/compliance topics.
[Author’s Note: 1 April 2020]: Microsoft has published a single page here for all Technical Security Documentation. It is very useful to just go there and be redirected. I like the taxonomy structure, which includes everything from conceptual framework and reference architectures to training links.
First, we need to understand the security responsibilities on Azure. Between the customer and Microsoft, there is a shared responsibility model. This is dependent on the deployment stack (IaaS, PaaS, SaaS). For a typical SAP NetWeaver based S/4HANA solution on Azure, it will be IaaS (Infrastructure as a Service). See below diagram:
Microsoft Azure will take care of security ranging from the physical datacenter, network, hosts and up to hypervisor layer.
Let’s start by looking at a SAP whitepaper Security Recommendations: A Practical Guide for Securing SAP® Solutions which is a good framework for our discussion here.
There is a lot to cover from a security perspective, so I will only expand further on the specific topics (red highlighted) for which Microsoft Azure services have capabilities/tools/artifacts to support a typical customer responsibility for SAP security operations. Before that, from the Azure cloud platform perspective, please download the Center for Internet Security (CIS) Microsoft Azure Foundations Benchmark. That document covers recommendations for:
- Identity Access Management
- Security Center
- Storage Account
- SQL Services (Database and Server)
- Logging and Monitoring
- Virtual Machines
[Author’s Note: 15 Jan 2020]: New developments since publication
- New Azure blueprint for CIS Benchmark
- Overview of the CIS Microsoft Azure Foundations Benchmark blueprint sample
At the heart of the base infrastructure security, we are looking at the following, and I expand further on the above:
From a network perspective, let’s have a look at the standard SAP on Azure Reference Architecture. This depicts how to administer an Azure virtual network topology, isolation, restriction of network services and protocols through the concept of Azure Network Security Groups. This network security would need to comply with security policy requirements that your organization dictates.
Through a hub-and-spoke network topology, the SAP application and database servers are isolated from the internet and even from the on-premises network. Instead, all traffic to and from on-premises has to traverse the hub, which is VNet-peered to the spoke. This guarantees the network isolation of the SAP solution on Azure from the public internet.
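As an added example (not from Microsoft's reference architecture or the original article), the following Python check reads an NSG in the JSON shape printed by `az network nsg show` and lists inbound Allow rules whose source lies outside the hub and on-premises ranges. The NSG name, rule names, ports and address ranges are constructed assumptions, and whether an earlier Deny rule shadows a finding is left to the reviewer.

```python
import ipaddress
import json

# Constructed sample in the shape of `az network nsg show -o json` output,
# reduced to the fields this check reads; names and prefixes are made up.
SAMPLE_NSG = json.loads("""
{"name": "nsg-sap-app-spoke", "securityRules": [
  {"name": "allow-hub-to-dispatcher", "priority": 100, "direction": "Inbound",
   "access": "Allow", "sourceAddressPrefix": "10.0.0.0/24", "sourceAddressPrefixes": []},
  {"name": "temp-admin-ssh", "priority": 200, "direction": "Inbound",
   "access": "Allow", "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": []},
  {"name": "partner-rfc", "priority": 300, "direction": "Inbound",
   "access": "Allow", "sourceAddressPrefix": null,
   "sourceAddressPrefixes": ["192.168.10.0/24", "203.0.113.0/24"]},
  {"name": "deny-all-inbound", "priority": 4000, "direction": "Inbound",
   "access": "Deny", "sourceAddressPrefix": "*", "sourceAddressPrefixes": []}
]}
""")

# Assumed approved sources: the hub VNet and the on-premises range behind it.
APPROVED_SOURCES = ["10.0.0.0/16", "192.168.0.0/16"]
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}


def outside_approved(prefix, approved):
    """True when a source is open to the internet or not inside an approved range."""
    if prefix.lower() in OPEN_SOURCES:
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # other service tags (e.g. VirtualNetwork) are not judged here
    return not any(net.version == a.version and net.subnet_of(a) for a in approved)


def audit_inbound(nsg, approved_cidrs):
    """Return (rule name, priority, offending sources) for inbound Allow rules."""
    approved = [ipaddress.ip_network(c) for c in approved_cidrs]
    findings = []
    for rule in sorted(nsg.get("securityRules", []), key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        sources = list(rule.get("sourceAddressPrefixes") or [])
        if rule.get("sourceAddressPrefix"):
            sources.append(rule["sourceAddressPrefix"])
        offending = [s for s in sources if outside_approved(s, approved)]
        if offending:
            findings.append((rule["name"], rule["priority"], offending))
    return findings


if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_NSG, APPROVED_SOURCES):
        print(finding)
```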
For more advanced network security measures, such as a network DMZ (“Implement a DMZ between Azure and your on-premises datacenter”), you can use a network virtual appliance (NVA) like F5, which is available in Azure Marketplace. NVAs are layer 7 devices which come with WAF (Web Application Firewall) and other capabilities.
For the first scenario, it could be that you intend to connect back to your corporate network (private) only. A sample diagram is below.
Source: Microsoft (modified)
In the second scenario, you might require direct access to the internet and a private DMZ to your corporate network at the same time. See below for a sample diagram of the external-facing “Implement a DMZ between Azure and the Internet”.
Source: Microsoft (modified)
However, please note that NVAs are not supported in the communication path between the SAP application servers and the DBMS servers of an SAP solution on Azure. The communication path needs to be direct for functionality and performance reasons. More details can be found in “SAP HANA infrastructure configurations and operations on Azure”, which explicitly explains the rationale.
[Author’s Note]: 3-December 2020
Dennis Padia published an article detailing how to set up internet-facing SAP Fiori apps with Azure Application Gateway Web Application Firewall.
[Author’s Note]: 27-January 2020.
My colleague, Apparao Sanam, published an article detailing a sample architecture design with Internet-Facing SAP Fiori Access using Azure Firewall and Azure Application Gateway.
For further details, please read his article.
Source: Apparao Sanam
The “Security considerations” section of the SAP NetWeaver on Azure Virtual Machines (VMs) – Planning and Implementation Guide also addresses topics on network security. The guide specifies the network ports you must open on the firewalls to allow application communication to go through and is a good resource to reference.
Operating Systems/Database Security/Secure Configuration
Security of Windows, SUSE Linux, RHEL (Red Hat) Linux or any other operating system lies solely with the customer or managed services provider. There are Azure Marketplace images available for SAP deployments.
However, these are generic templates and are not hardened or built with security controls. A common benchmark model that most customers can take guidance from is the Center for Internet Security (CIS), where you can find benchmark best practice guidelines for the OS. As with all guidelines, enterprises need to balance this against their own internal security policies and adopt the measures appropriately.
Generally, Microsoft Azure also recommends the following points:
- Azure Storage Service Encryption (SSE) is recommended to be enabled for all the Azure Storage Accounts. Azure Blobs for backup will also be encrypted in the Azure Storage account. Any data that is written to the storage after enabling the SSE will be encrypted.
- Linux IaaS VM: Azure Disk Encryption can be used. The DM-Crypt feature of Linux can provide volume encryption for the boot disk operating system and non-HANA/AnyDB related data disks that may be attached to the VM.
- Windows IaaS VM: Azure Disk Encryption. The BitLocker feature of Windows can provide volume encryption for the operating system and the data disks.
- For both OSes, Azure Key Vault can be used to control and manage the disk-encryption keys and secrets in your key vault subscription. It can also provision and manage SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates. The secrets can also be protected by HSMs (Hardware Security Modules).
- For databases, Microsoft recommends using the SAP HANA native encryption technology. Likewise, if you are using SQL Database, TDE (Transparent Data Encryption) should be enabled.
Users and Authorization
This topic will be focused on Azure IaaS level only as SAP and Database users/profiles are handled outside of Azure.
Azure Resource Manager is a deployment and management tool for Azure. It also provides an Azure Role-Based Access Control (RBAC) model for assigning administrative privileges on the IaaS-level resources that host your SAP solution on Azure. Its main purpose is segregation and control of duties for your users/groups, granting only the amount of access to resources that is needed to perform their jobs. This follows the principle of least privilege from a security perspective.
There is also a risk that an administrator may, accidentally or with malicious intent, delete or modify critical Azure resources that your SAP solution resides on. Resource Lock can prevent and mitigate this.
A great blog “Orica’s S/4HANA Foundational Architecture Design on Azure” by my colleague Cameron Gardiner has a section on “Security on Cloud” which discusses the above topics in more detail.
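A review of the RBAC and Resource Lock points above can be scripted. The Python below is an added example (not from the original article or the referenced blog): it takes role assignments and locks in the JSON shape printed by `az role assignment list` and `az lock list`, reports broad built-in roles whose scope includes the SAP resource group, and reports which locks actually cover it. The subscription ID, resource group, principals and lock are constructed assumptions.

```python
# Constructed samples in the shape of `az role assignment list --all -o json`
# and `az lock list -o json`, reduced to the fields read here. IDs are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAP_RG = SUB + "/resourceGroups/rg-sap-prod"
HANA_DISK = SAP_RG + "/providers/Microsoft.Compute/disks/hana-data-01"
ASSIGNMENTS = [
    {"principalName": "basis-admins", "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SAP_RG},
    {"principalName": "ops-contractor@example.com", "roleDefinitionName": "Owner",
     "scope": SUB},
    {"principalName": "network-team", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-hub-network"},
    {"principalName": "sap-deploy-sp", "roleDefinitionName": "Contributor",
     "scope": SAP_RG},
]
LOCKS = [
    {"name": "keep-hana-disk", "level": "CanNotDelete",
     "id": HANA_DISK + "/providers/Microsoft.Authorization/locks/keep-hana-disk"},
]
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
LOCK_MARKER = "/providers/microsoft.authorization/locks/"


def covers(scope, target):
    """True when `scope` is `target` or one of its parents (case-insensitive).

    Management-group scopes are not resolved here; they need a separate lookup.
    """
    scope, target = scope.lower().rstrip("/"), target.lower().rstrip("/")
    return target == scope or target.startswith(scope + "/")


def broad_roles_over(assignments, target):
    """Assignments of broad built-in roles whose scope includes `target`."""
    return [(a["principalName"], a["roleDefinitionName"], a["scope"])
            for a in assignments
            if a["roleDefinitionName"] in BROAD_ROLES and covers(a["scope"], target)]


def locks_protecting(locks, target):
    """Locks set at `target` or inherited from a parent scope."""
    found = []
    for lock in locks:
        lock_scope = lock["id"].lower().rsplit(LOCK_MARKER, 1)[0]
        if covers(lock_scope, target):
            found.append((lock["name"], lock["level"]))
    return found


if __name__ == "__main__":
    print("broad roles over SAP RG:", broad_roles_over(ASSIGNMENTS, SAP_RG))
    print("locks covering SAP RG:", locks_protecting(LOCKS, SAP_RG))
```

In the constructed data the only lock sits on a single disk, so the resource group as a whole comes back with no covering lock.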
Authentication and Single Sign On
[Author’s Note]: 3-December 2020
Dennis Padia published an article detailing how to set up SAP on Azure: Single Sign On Configuration using SAML and Azure Active Directory for Public and Internal URLs.
I covered this topic on access management in my other blog SAP IT Service Operations Management on Azure. The main prerequisite for secure user and authorization management is defining, implementing, and monitoring an authorization process.
Microsoft views identity and access as the key aspect of cloud security. Users can access your organization’s resources from anywhere using various devices and apps. Conditional access is a cornerstone capability of the Azure Active Directory (Identity Access Management) PaaS service. It connects to thousands of cloud apps through specific connectors, and these include SAP solutions like those below:
- SAP Netweaver in Azure
- SAP HANA
- SAP Cloud Platform
- SAP Cloud Platform Identity Authentication
- SAP Cloud for Customer
- SAP Business Object Cloud
- SAP Business ByDesign
Through these connectors, authentication and single sign-on are seamless and result in lower integration effort for your organization, while ensuring only authorized users are let into your SAP solutions.
Frontend security (mobile)
In the past, SAPgui was the predominant frontend solution for SAP on client workstations. This has evolved to SAP Fiori in a browser and increasingly to mobile devices as the preferred platform for user experience.
Microsoft Enterprise Mobility + Security is a cloud-based mobile device management solution that your organization can use to manage your users’ BYOD (Bring Your Own Device) devices. Its features and functionality include:
- Identity and access management
- Information protection
- Advanced Threat protection
- Unified endpoint management
- Microsoft Cloud App Security or CASB (Cloud Access Security Broker)
If you are using SAP Cloud Platform to develop your SAP Fiori Apps, this is integrated with the Microsoft Enterprise Mobility + Security capabilities. See extract of the announcement by Microsoft and SAP on how it works; click here if you want to read in full.
- “SAP has developed SAP HANA Cloud Platform mobile service for SAP Fiori . This is a cool service that enables SAP customers to easily generate custom hybrid mobile SAP Fiori apps enhancing the SAP Fiori user experience with mobile qualities and significantly improving the usability while leveraging the investment customers made to deploy SAP Fiori applications. I think this is a tremendous innovation from SAP.
- The Microsoft Intune App SDK is encapsulated in a Cordova plug-in that SAP has integrated into the hybrid mobile service for SAP Fiori. If a customer is an EMS or Intune customer, when they build their custom hybrid SAP Fiori apps, the Intune mobile application management (MAM) capabilities can be automatically added to the apps.
- The hybrid mobile SAP Fiori apps are then published to SAP’s enterprise apps store – SAP Mobile Place.
- The hybrid mobile SAP Fiori apps can then be downloaded and published to Microsoft Intune where IT Pros can manage the full application lifecycle, including native MAM controls. For the future, we will continue to invest to make the integration even more seamless.”
You can check out SAP Fiori for iOS and the information in SAP Note 2450334 – Intune integration with Fiori Client.
Security review and monitoring
According to the SAP whitepaper Security Recommendations: A Practical Guide for Securing SAP® Solutions, security reviews include continuous monitoring to detect break-in attempts and violations of requirements or security policies. This is necessary so that you can initiate corrective measures in a timely manner to mitigate your exposure.
At the IaaS level, Azure Security Center will be the main capability for you to monitor these services. Another capability is Azure Sentinel, which is essentially a SIEM (Security Information and Event Management) application native to Azure and has been generally available as of Nov 2019.
Currently, there is no direct integration to SAP and its HANA database to my knowledge, but I would think an extension to Azure Security Center and Azure Sentinel is possible with the customized integration plugins or endpoints.
[Author’s Note: 26-May-21]: In my original paragraph above, I mentioned no integration for SAP with Azure Sentinel, but the new Azure Sentinel SAP threat monitoring solution is now released (see “Protecting SAP application with new Azure Sentinel SAP threat monitoring solution”). See snapshot picture view.
You can test-drive the solution via SAP CAL (Cloud Appliance Library) and have it deployed into Microsoft Azure in minutes.
There are also other third-party solutions, like Enterprise Threat Monitor for SAP through Splunk. Splunk Enterprise has been offered in Azure Marketplace since 2016, so this could be a viable existing solution to give you key capabilities such as detecting the following:
- SAP debugging is used for bypassing transaction authorizations
- A user downloaded customer master data of a production system
- An SAP system is opened to changes
- An HR terminated employee’s SAP account is used for connecting to an SAP system
- Failed logons of multiple SAP users from the same workstation
- An unauthorized user assigned a critical SAP role to another user
- Account sharing
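The sketch below is an added example, not part of Enterprise Threat Monitor, Splunk or the original article. It expresses two of the scenarios listed above as detection logic: failed logons of multiple users from the same workstation, and a terminated employee's account being used. The record format, event names, users and workstations are constructed for illustration and are not the SAP audit log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, "timestamp|event|user|workstation". This is a simplified
# stand-in for an exported SAP audit trail, not the real log format.
SAMPLE_LOG = """\
2020-01-13T08:00:00|LOGON_FAILED|PLOPEZ|WS-0200
2020-01-13T08:30:00|LOGON_FAILED|RCHEN|WS-0200
2020-01-13T09:00:05|LOGON_FAILED|JSMITH|WS-0142
2020-01-13T09:00:40|LOGON_FAILED|AKHAN|WS-0077
2020-01-13T09:01:10|LOGON_FAILED|MBROWN|WS-0142
2020-01-13T09:01:20|LOGON_FAILED|AKHAN|WS-0077
2020-01-13T09:02:30|LOGON_FAILED|TNGUYEN|WS-0142
2020-01-13T09:03:00|LOGON_OK|AKHAN|WS-0077
2020-01-13T09:15:00|LOGON_FAILED|DWONG|WS-0200
2020-01-13T09:20:00|LOGON_OK|KLEE|WS-0310
"""
TERMINATED_USERS = {"KLEE"}  # constructed stand-in for an HR termination feed


def parse(log_text):
    """Turn each non-empty line into (datetime, event, user, workstation)."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, event, user, ws = line.strip().split("|")
            events.append((datetime.fromisoformat(ts), event, user, ws))
    return events


def multi_user_failures(events, min_users=3, window=timedelta(minutes=10)):
    """Workstations where >= min_users distinct users failed logon within `window`."""
    by_ws = defaultdict(list)
    for ts, event, user, ws in events:
        if event == "LOGON_FAILED":
            by_ws[ws].append((ts, user))
    alerts = {}
    for ws, fails in by_ws.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts[ws] = sorted(users)
                break
    return alerts


def terminated_account_logons(events, terminated):
    """Successful logons by accounts that HR has marked as terminated."""
    return [(user, ws) for _, event, user, ws in events
            if event == "LOGON_OK" and user in terminated]
```

The sliding window keeps one user retrying a password (WS-0077) and three failures spread over more than an hour (WS-0200) from raising the multi-user alert.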
[Author’s Notes – 13 Jan 2020] : New Announcement between SAP and Splunk as of 31 Nov 2019
SAP also recommends using the SAP Security Optimization service for security monitoring and reporting. It is designed to verify and improve the security of SAP solutions by identifying potential security issues and providing key recommendations. A sample report can be downloaded here. This can help in your SAP security review and remediation efforts prior to an external/internal audit.
Cloud Security and Audit Compliance
Microsoft’s stated goal is for Azure to be a trusted and secure cloud. Microsoft invests $1 billion in security research and development every year. It also has 3500 security professionals working just to protect and defend against threats. AI technology is used to analyze 6.5 trillion global signals, based on the Intelligent Security Graph technology. You can also connect to the Microsoft Graph Security API; read the technical whitepaper here and see the high-level architecture below.
There is also ongoing rigorous validation through real-world Red Team exercises. This enables Microsoft to test breach detection and response and to measure readiness for, and the impact of, real-world attacks.
Azure also has the largest compliance portfolio, with more than 85 offerings covering multiple industries and geographies. Azure has more than 74 international and industry-specific compliance certifications, such as SOC 1, SOC 2 and ISO 27001, and 5 regions for Government, including SAP HANA certified M-series VMs in 2 GovCloud regions.
Compliance offerings are based on various types of assurances, including formal certifications, attestations, validations, authorizations, and assessments produced by independent third-party auditing firms, as well as contractual amendments, self-assessments, and customer guidance documents produced by Microsoft.
You can download a copy of Overview of Microsoft Azure compliance to get a full view of the offerings.
The resource list below will also give you more information:
- Microsoft Service Trust Portal Australia Page
- Microsoft Trust Center – Australian Government Certified Cloud Services List (CCSL)
- Azure Security and Compliance Blueprints for PROTECTED
- Tenant Isolation in Microsoft Azure
- Australian Information Security Manual
- Australian Cyber Security Centre (ACSC) Certified Cloud List
[Author’s Note: 17 Jan 2020]: A Nice Summary list of Australian IRAP certified services for Azure Regions
In light of GDPR (General Data Protection Regulation) and other data protection regulations, safeguarding of privacy and compliance is now considered a key compliance activity. These regulations often restrict the geographies in which you can store, process, and access sensitive data and carry significant fines for noncompliance.
As such, questions of this nature are being asked when you are running SAP on Azure:
- How do I comply with these new regulations?
- How do I quickly respond to changes in data protection laws?
- How do I meet multiple regional regulations simultaneously as a multinational enterprise?
During the recent SAPPHIRE 2019 held in May, Microsoft and SAP announced the general availability of SAP Data Custodian on Azure.
SAP Data Custodian is designed to assist in the GDPR compliance efforts of organizations using a public cloud like Microsoft Azure. SAP Data Custodian can also assist with compliance in the following key areas of the legislation:
- Privacy by Design – requires the inclusion of data protection at the onset of system design versus being added later.
- Data Transfers – controllers have the obligation to ensure the protection and privacy of personal data when that data is being transferred outside the company, to a third party and / or other entity within the same company.
- Data Breach Notification – organisations must notify the local data protection authority of a data breach within 72 hours of discovering it. This means organisations need to ensure they have the technologies and processes in place that will enable them to detect and respond to a data breach.
See a sample dashboard view of SAP Data Custodian on Azure
End-to-end security operations for SAP on Azure is a shared responsibility. A secure and robust SAP solution hosted on Azure needs to have security considered early in design and build, and deployed accordingly.
I hope this gives you a guide and view on what SAP Security Operations on Azure look like and the associated links embedded will give you more background material.
- Microsoft’s stated goal is to provide a secure and trusted cloud for its customers and partners.
- SAP on Azure is a shared security responsibility between customers and Microsoft.
- Azure IaaS services form the foundation for SAP solutions on Azure, and there are various security configuration and operational tasks required of customers and/or managed service providers to ensure a secure and robust environment.
- There are various first-party Azure and third-party solutions that are available in Azure Marketplace to sufficiently help protect a SAP solution on Azure.
- SAP Data Custodian on Azure is a newly released SAP SaaS solution that can assist in regulatory compliance scenarios for your organization.
Other Relevant Articles on SAP Technical Community
- Condensed Content: please read below instead
- Multi-Cloud Capability Model for SAP Cloud Platform and Microsoft Azure
This article was first published on Linkedin on 25 June 2019.