Securing RISE with SAP
In the beginning of the year 2021, SAP has launched RISE with SAP, a unique proposition of ONE Contract and ONE offer for business to ride the wave of business transformation. The RISE with SAP bundle consists of SAP S/4HANA Cloud Suite, SAP Business Technology Platform Consumption, SAP Business Network Starter Pack, SAP Business Process Intelligence.
At the core of the bundle is SAP S/4HANA Cloud, Private Edition which handles critical business processes. SAP customers can choose the hyperscale provider of choice between Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform. The security and compliance are of paramount importance since the SAP S/4HANA Cloud, Private Edition and SAP Business Technology platforms handles mission critical business processes, integration flows, analytics, business processes and application development. In this blog, we will discuss shared security responsibility model on Rise with SAP bundle specifically S/4HANA Cloud, Private Edition and SAP Business Technology Platform.
Shared Security Responsibility Model
It is important to understand nuances on shared security responsibility model between various entities as a part of RISE with SAP – SAP as SaaS provider, Customers, Hyperscale providers. By leveraging hyperscale IaaS providers for providing secure data center, virtual infrastructure, secure hypervisor, operations and administration of the foundational virtual infrastructure and software defined services, SAP is able to deliver to our customers greater agility, deployment velocity, security, capacity for hosting SAP cloud applications, pivoting on security and compliance at the core of SaaS offering. The diagram below shows at a high-level SAP S/4HANA Cloud, Private Edition shared security responsibility model
While SAP Business Technology Platform offers Identity Authentication Service, customer remains responsible for delegating authentication to customer-controlled identity provider to enable single-sign-on authentication to SAP cloud services. Customer control the business process, tenant specific security setting, security audit logs generated by applications and configuration of integration, extending their applications to cloud and applications development.
This shared security model brings great benefit to our customers as SAP manages the underlying platform, patches, updates, security monitoring, high availability, disaster recovery and provides contractual assurances on SLA, personal data protection and privacy and other security assurances such as independent 3rd party audit reports.
Customers can refer to SAP Trust Center for independent audit reports, standard SAP contracts, FAQ on security, data protection and privacy.
SAP S/4HANA Cloud, Private Edition – Security and Compliance
SAP S/4HANA Cloud, Private Edition is a “single” tenanted edition that is considered as “private” since SAP S/4HANA Cloud, Private Edition is deployed on a logically isolated “Virtual Network (VNET) or Virtual Private Cloud” which considered as a dedicated network container to a single customer. Therefore, network services (gateway, proxy, DNS, LB, WAF), application instances and HANA instances are dedicated to a customer with customer assigned Private IP Addresses. The virtual network is configured in a customer specific dedicated subscription, accounts, or Project (Azure or AWS or GCP) which is owned and managed by SAP.
This is also considered as “Private Managed Environment”. SAP takes operational and management responsibility which includes: Infrastructure (Azure/AWS/GCP) Management, OS Management, DB Management, Orchestration and Account Configurations, SAP AS Basis Management, Security Monitoring, Audit & Compliance of the SAP S/4HANA Cloud, Private Edition.
Some salient aspects of SAP S/4HANA Cloud, Private Edition is as follows:
- The landscape by default consists of 3 tier environments meant for development, quality assurance and production usage. Customers can optionally purchase additional environments to address their specific requirements.
- Infrastructure sizing is in general mapped to the license metrics. Details are documented in the Service Description Guide. Additional infrastructure can be purchased based on the actual needs of the customer.
- As this is a private cloud offering, the dedicated virtual network is created using customer provided private CIDR address range (RFC 1918 compliant) which is non-overlapping with customer’s on-premise network.
- SAP S/4HANA Cloud, Private Edition requires customer to connect using a dedicated private network link. Site-to-Site VPN or dedicated access options ExpressRoute (Azure), AWS Direct Connect (AWS) or Cloud Interconnect (GCP). Name resolution is configured by creating a dedicated zone under customer’s internal DNS domain.
- Exposure of services to public network (Internet) is restricted to specific use cases. Mobile users can be enabled for Fiori applications via a secure web application firewall upon customer request. Internet outbound is allowed for cloud Integrations using secure protocols and connecting to other SAP Cloud solutions (such as Ariba, Concur, SuccessFactors)
- Customers can optionally subscribe to Disaster Recovery for their productive environments in cloud. Failover sites are configured with data replication from productive environments and with equal infrastructure capacity.
Data at Rest Encryption and Data-in-Transit Encryption
Data-in-transit encryption is used to secure all client connections from customer network to SAP systems. All HTTP traffics are protected with TLS 1.2 transport layer encryption with AES-256-GCM Access from thick clients (SAP Frontend) is uses SAP proprietary DIAG protocol secured by SAP Secure Network Communication (SNC) with AES-256-GCM.
SAP HANA in-memory database uses HANA Volume Encryption to provide “data-at-rest” encryption for data, log and backup volumes. It uses AES-256 encryption algorithm with Cipher block chaining (CBC) cipher mode (AES-256-CBC)
Besides SAP HANA volume encryption, persistent storage where SAP HANA stores encrypted volume is also encrypted using storage encryption modules (“data-at-rest” encryption). It also uses AES-256-GCM.
The summary of SAP S/4HANA cloud Private Cloud Edition is highlighted as follows. While this does not all aspects of the security, it gives a snapshot of key security design and architectural approach the SAP S/4HANA cloud deployed with Hyperscaler.
SAP Business Technology Platform:
Our customers have many applications both SAP and non-SAP in their landscape and building robust business process is key successful business transformation. SAP Business Technology platform, which is offered as Platform-as-a-Service (PaaS), delivers this key functionality providing data management and analytics, supports application development and integration, and allows customers to use intelligent technologies such as artificial intelligence, machine learning, and the Internet of Things to drive innovation. While this blog does not cover all aspects of security on SAP Business Technology Platform (SAP BTP), the platform provides many native security tools and services that our customer leverage to build secure applications, integration, and extension capability. The operational security is very similar to SAP SaaS services, security assurance is provided to our customers such as ISO27001, ISO27017, ISO27018 and SOC attestations. The SAP BTP natively has many tools to provide integration security which can be consumed by customers readily with CPEA licenses. Some of the popular security tools and services is listed here for convenience but more detailed capability of the SAP BTP can be found here.
As a Cloud Service Provider (CSP), SAP understands importance of protecting customer data with confidentiality, integrity, availability, and privacy controls through many layers of security. Rise with SAP is being offered to many regulated industries and SAP is committed to help our customers comply to the sectorial as well as government regulations. SAP provides contractual assurances on personal data processing to adhere to applicable local data privacy regulations, security assurances via Service Organization Control (SOC) reports and certifications to provide independent evidence for security, availability, confidentiality, data protection, and quality. SAP security policies have been derived from industry best practice standards such as ISO 27002, NIST and SAP maintains robust policies, processes, and procedures, secure architecture covering cloud applications with integrated management system for information security, data protection, and service delivery.