Many SAP customers and partners are looking for guidance and best practices to find a secure way of moving to and setting up operations in the cloud. SAP offers a wealth of tutorials, documentation, and presentations on many important security topics – but we haven’t really shown you the big picture yet. Well, I would like to give it a try and hopefully this blog can help you navigate more easily through the SAP cloud security world.
Security is a very comprehensive topic, so I will start with a clear focus.
- What: Security in cloud landscapes – with some hybrid context information
- For whom: IT leaders, administrators, consultants, and development architects
- Out of scope: Data center, operation system, database security, and certifications
Do not search for “Enterprise Security Services” on the SAP price list. It is a holistic approach for structuring cloud security topics and services. Some of these services are part of SAP’s SaaS offerings, some are publicly available information, and some are on the price list.
Enterprise Security Services
Enterprise Security Services is a comprehensive guide to explain SAP security services in the cloud. It enables developers to reuse security services, so they can develop secure and compliant applications without re-inventing the wheel. It also provides administrators with a holistic overview of their options for operating secure cloud applications. Implementation partners understand the big picture, so they can provide security consulting services. Finally, it provides a structured approach for IT leaders on how to secure their cloud business with the help of SAP security services.
What is the idea behind the guide? Most companies have a huge on-premise investment and realize the advantage of cloud deployments. Often, they decide to run a proof of concept or start with a simple application, something that is not business-critical but useful. Perhaps a small application every employee can use to provide transparency on 3rd-party costs such as travel, company car, education, and IT equipment. Reducing external costs is always a good thing – everyone would agree on that. You start to analyze how to get the relevant data, upload a copy of it to SAP Cloud Platform, and build a small Java application with an SAP Fiori user interface on top. Then an important question comes up: How can employees authenticate to the application with known credentials?
The answer to this question is at the heart of the Enterprise Security Services: Cloud Identity Services. They provide basic capabilities for user authentication and provisioning, which is a core requirement for all integration and/or extension scenarios. In integration scenarios, you want to integrate SAP cloud solutions (SaaS), for example single sign-on across SAP SuccessFactors and SAP S/4HANA Cloud. Extensions are individual customer implementations on SAP Cloud Platform; examples range from a special user interface to a full-stack application. The 3rd party expense application would be a full-stack application.
OK, your first application on SAP Cloud Platform works great and you decide to extend your application with more functionality. Management is also convinced of the value of your application. Then you get a call from your corporate security team, checking whether your solution complies with internal security standards. Enterprise Security Services can help you here with Secure Development Services. Secure Development Services enable developers to design secure applications. These reusable services are required by most applications, especially business applications. Audit logs can be stored centrally to support legal requirements, and an authorization server manages authorizations as well as system-to-system authentication/authorization. There is also a secure tunnel to your on-premise system to access relevant data. The Cloud Application Programming Model (CAPM) helps developers design authorizations together with the data model.
Now that your application meets your internal security standards, you’re ready to focus on your application capabilities. But the next one to knock on your door is your manager, asking whether the solution is also compliant with internal and external regulations. Don’t get frustrated, there are platform capabilities for this too. Risk & Compliance is more of an organizational and administrative topic. If you are working in a large company, topics such as segregation of duties, access certification, and business role management across your system landscape are key to a secure and compliant operations strategy.
Another interesting topic is the compliant collection of consumer data (example: site visitors). Which company does not want to convert unknown site visitors into happy customers? But you must comply with regulations in doing so, too.
At lunch you meet a security expert and there it comes, the magic question: Does the platform provide enough transparency? Your answer: Of course! Luckily, you now know the capabilities of the Enterprise Security Services in the last category: Insight. There is the SAP Trust Center. It provides you with information about the cloud status, privacy, security foundation, data centers, legal agreements, and cloud operations. There is also a solution to monitor the data flow on various hypervisors, and the concept of customer-controlled keys.
In the previous paragraphs, I used a custom application as an example. But this also works if you want to apply security in the context of SaaS applications (SAP SuccessFactors, SAP S/4HANA…) without a custom application. In this case, Cloud Identity Services, Risk & Compliance, Insight, and parts of Secure Development Services can be adopted in the same manner. The only difference is that these solutions are integrated with the best practices of the Intelligent Enterprise, making use of the Enterprise Security Services. Example: SAP S/4HANA comes pre-integrated with Cloud Identity Services, so an employee will access the solution with Identity Authentication. Identity Provisioning can be used to synchronize new employees from SAP SuccessFactors to SAP S/4HANA. SAP Identity Access and Governance, as part of Risk & Compliance, already provides best practices for the segregation of duties rules for SAP S/4HANA. SAP has just started with all the pre-configured content, but you can expect that we will work hard on it in 2020.
Did you notice that I didn’t use the word cybercrime once? Well, there are so many aspects to this topic that I didn’t want to use the term. Of course, the Enterprise Security Services help you to fight cybercrime, but it’s not the major driver behind this set of services. The focus is a holistic approach to cloud security.
Let us now dig deeper into each topic: