RISE with SAP: Multi-layer Defense in Depth Architecture of SAP S/4HANA Cloud, Private Edition
Introduction: SAP S/4HANA Cloud, Private Edition is at the core of the “RISE with SAP” offering and holds the customer’s mission-critical data and business processes. SAP Enterprise Cloud Services (ECS) provides a managed private environment with a multi-layer defense-in-depth architecture covering infrastructure and technical managed services. This includes an end-to-end SLA for the full solution stack and a proven security architecture, minimizing risk for our customers. Multi-layer security requires security to be handled at the people, process and technology levels. In this blog we discuss, at a high level, the multi-layer “defense in depth” architecture offered to customers. For the sake of simplicity, only a high-level, abstracted view is presented.
Approach to Multi-Layer Defense in Depth Architecture:
SAP S/4HANA Cloud, Private Edition is a “single-tenant” managed private environment: SAP creates a separate account (AWS), subscription (Azure) or project (GCP) for each customer. The application and database virtual instances are solely dedicated to a single customer. Security by Design and Security by Default are deeply embedded into the multi-layer architecture.
The SAP S/4HANA Cloud, Private Edition supports the following data security features:
- Separate virtual instances for the database and application servers of each customer.
- Data encryption at rest: SAP HANA data encryption uses the AES-256-CBC algorithm (256-bit key length). The encryption root keys (data volume, log volume, backup, application) are stored in the instance Secure Store in the File System (SSFS) within the HANA database instance. The SAP crypto libraries used are FIPS 140-2 certified. The contents of the SSFS are protected by the SSFS master key.
- Unique encryption root keys and master keys are generated during installation and during HANA version updates. Master keys can also be changed at regular intervals upon request. The segregation of duties (SoD) principle is applied to key management.
- Data at rest is encrypted: database volumes, backups and redo logs, plus server-side storage encryption at the hyperscaler storage layer.
- All HTTP traffic is protected with TLS 1.2 transport-layer encryption using AES-256-GCM.
- SAP HANA has many built-in security features for role-based access control, authorizations, UI masking and anonymization.
- A Web Application Firewall is integrated with the Application Gateway (Azure) or Application Load Balancer (AWS) to secure inbound traffic from the Internet.
- End-to-end encryption of data in transit.
- Secure connectors and agents required to integrate the SAP S/4HANA system with other SAP SaaS applications are available. The agents are provisioned on request, once the customer has acquired the respective cloud solutions.
- Reverse proxy (SAP Web Dispatcher): no direct access to the backend system.
- Secure Cloud Integrations via SAP Cloud Connector.
- All outbound connections are governed by restricted access control lists configured in the security components used within the cloud. All outgoing connections support TLS 1.2 in-transit encryption.
- Support for identity authentication via SAML, Kerberos/SPNEGO, X.509 certificates.
- Support for Multi-Factor Authentication.
- A set of accounts (AWS), subscriptions (Azure) or projects (GCP) in the IaaS provider environment is created for each customer to deploy dedicated (virtual) SAP instances. A customer-specific Virtual Private Cloud (VPC) or Virtual Network (VNET) is created within each subscription/account/project to address the customer’s system and data isolation requirements. Within each VPC/VNET, multiple subnets (using private CIDR block IP addresses) are created to segregate the environments.
- Each subnet is configured with a Security Group (AWS), Network Security Group (Azure) or Firewall (GCP) with a specific set of rules to control network traffic.
- Security policies defined at the higher-level hierarchy are pushed down to each subscription/project/account.
- Data replication traffic from the primary site to the DR site always goes via private connectivity (peering).
- Customer access to the VPC or VNET is only via private dedicated connectivity. It is possible to configure the managed environment so that no network access is allowed from the Internet.
- SAP isolates the admin network from the customer VPC/VNET using admin firewalls. Network traffic between the customer VNET/VPC and the SAP admin network always goes via encrypted VPN tunnels, and all administrative data exchanges are encrypted using TLS 1.2.
- All administrative access requests flow through an access-manager workflow approval process and are validated by a designated authority.
- All actions, including the granting or denial of admin access as well as the actions performed by administrators, are logged and audited.
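The segmentation described above (private CIDR subnets, per-subnet security group rules, customer access only over private connectivity, admin access only over the SAP admin VPN) is the kind of policy that can be checked mechanically against the rule set of each subnet. The following is an added example, not SAP's or ECS's own tooling or configuration: the rule schema, the subnet CIDRs, the admin VPN range and the HANA port numbers are all assumptions made for illustration. It audits a list of allow rules and reports every rule that would expose a subnet outside the intended segmentation.

```python
"""Audit subnet firewall rules (Security Group / NSG style) against a
segmentation policy. Constructed example: the rule schema, CIDRs and ports
below are assumptions for illustration, not SAP ECS's actual configuration."""
from dataclasses import dataclass
from ipaddress import ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Hypothetical landscape: one customer VPC/VNET with a private CIDR per subnet
SUBNETS = {"app": ip_network("10.10.1.0/24"), "db": ip_network("10.10.2.0/24")}
ADMIN_VPN = ip_network("172.16.0.0/24")   # SAP admin network, reached via VPN (assumed)
HANA_SQL = (30013, 30015)                 # HANA SQL ports for instance 00 (assumed)
SSH = (22, 22)


@dataclass(frozen=True)
class Rule:
    subnet: str       # subnet the rule is attached to ("app" or "db")
    direction: str    # "inbound" or "outbound"
    ports: tuple      # (from, to), inclusive
    peer: str         # source CIDR for inbound, destination CIDR for outbound
    action: str = "allow"


def _within(cidr: str, nets) -> bool:
    """True if cidr lies entirely inside one of nets."""
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(n) for n in nets)


def _overlaps(ports, rng) -> bool:
    """True if the two inclusive port ranges share at least one port."""
    return ports[0] <= rng[1] and rng[0] <= ports[1]


def audit(rules) -> list:
    """Return one finding string per policy violation (empty list = compliant)."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        tag = f"{r.subnet}/{r.direction} {r.ports[0]}-{r.ports[1]} {r.peer}"
        # No direct Internet exposure and outbound restricted by ACL: any peer
        # outside the private address space is a violation in both directions.
        if not _within(r.peer, RFC1918):
            findings.append(f"non-private peer: {tag}")
            continue
        if r.direction != "inbound":
            continue
        # OS-level admin access must come only from the SAP admin network.
        if _overlaps(r.ports, SSH) and not _within(r.peer, [ADMIN_VPN]):
            findings.append(f"SSH not limited to admin VPN: {tag}")
        # The database tier must only be reachable from the app tier or admins.
        if r.subnet == "db" and _overlaps(r.ports, HANA_SQL) and not _within(
                r.peer, [SUBNETS["app"], ADMIN_VPN]):
            findings.append(f"DB port reachable outside app subnet: {tag}")
    return findings


# Constructed rule sets: a compliant baseline and the same baseline with drift
COMPLIANT = [
    Rule("app", "inbound", (443, 443), "192.168.0.0/16"),  # customer LAN via private link
    Rule("app", "inbound", SSH, "172.16.0.0/24"),
    Rule("db", "inbound", HANA_SQL, "10.10.1.0/24"),
    Rule("db", "inbound", SSH, "172.16.0.0/24"),
    Rule("app", "outbound", (443, 443), "10.20.0.0/16"),   # integration hub (assumed)
]

DRIFTED = COMPLIANT + [
    Rule("app", "inbound", (443, 443), "0.0.0.0/0"),    # Internet-open, bypasses WAF
    Rule("db", "inbound", HANA_SQL, "192.168.0.0/16"),  # DB reachable from customer LAN
    Rule("db", "inbound", SSH, "10.10.1.0/24"),         # SSH from app tier, not admin VPN
]

if __name__ == "__main__":
    for name, rules in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, audit(rules) or "OK")
```

Running it prints an empty finding list for the baseline and three findings for the drifted set. In practice the rule lists would be exported from the hyperscaler API rather than typed in, and the policy constants would come from the landscape's network design document.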
SAP Enterprise Cloud Services (ECS) performs a number of tasks to secure the customer environment, including security patch management and hardening of the operating system, application and database virtual instances. Security incident and event management is in place to collect, aggregate and correlate events and to apply security use cases that raise automatic alerts when a security incident occurs. The team performs 24×7 infrastructure monitoring, database monitoring, security incident management, secure admin access, regular backups, and security scanning and remediation to secure the environment for customers.
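One security use case that follows directly from the admin-access bullets above (requests approved through an access-manager workflow, every grant and every administrator action logged and audited) is correlating the approval log with the actual login log. The following is an added example, not ECS's own SIEM content or log format: the line layout, user names, system names, IP addresses and validity windows are constructed for illustration. It flags self-approved requests (a segregation-of-duties violation) and any administrator login that is not covered by an approved request still valid at login time.

```python
"""Correlate admin-access approvals with admin logins, as a SIEM use case
would. Constructed example: the log format, users, systems and addresses are
invented for illustration and are not SAP ECS's real formats or data."""
from datetime import datetime, timedelta

# Constructed sample lines: access-manager decisions and host login events,
# each "<ISO timestamp> key=value key=value ..."
LOG_LINES = [
    "2024-05-01T08:00:00Z event=approval request=REQ-1001 user=ops.alice system=S4P-DB approver=lead.bob status=approved valid_hours=4",
    "2024-05-01T08:05:00Z event=approval request=REQ-1002 user=ops.dave system=S4P-APP approver=ops.dave status=approved valid_hours=2",
    "2024-05-01T08:10:00Z event=approval request=REQ-1003 user=ops.erin system=S4P-DB approver=lead.bob status=denied valid_hours=0",
    "2024-05-01T08:20:00Z event=login user=ops.dave system=S4P-APP src=172.16.0.11",
    "2024-05-01T08:30:00Z event=login user=ops.alice system=S4P-DB src=172.16.0.5",
    "2024-05-01T09:00:00Z event=login user=ops.carol system=S4P-APP src=172.16.0.9",
    "2024-05-01T09:15:00Z event=login user=ops.erin system=S4P-DB src=172.16.0.7",
    "2024-05-01T13:00:00Z event=login user=ops.alice system=S4P-DB src=172.16.0.5",
]


def parse(line: str) -> dict:
    """'<ts> k=v k=v ...' -> dict of fields with 'ts' parsed to a datetime."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev


def audit_admin_access(lines) -> list:
    """Return findings: self-approved requests, and logins with no approved
    request for that user and system whose validity window covers the login."""
    events = [parse(ln) for ln in lines]
    findings = []
    approved = []  # (user, system, valid_from, valid_to)
    for ev in events:
        if ev["event"] != "approval" or ev["status"] != "approved":
            continue
        if ev["approver"] == ev["user"]:
            findings.append(f"SoD violation: {ev['request']} self-approved by {ev['user']}")
            continue  # a self-approved request does not authorize any login
        window = timedelta(hours=int(ev["valid_hours"]))
        approved.append((ev["user"], ev["system"], ev["ts"], ev["ts"] + window))
    for ev in events:
        if ev["event"] != "login":
            continue
        covered = any(u == ev["user"] and s == ev["system"] and start <= ev["ts"] <= end
                      for u, s, start, end in approved)
        if not covered:
            findings.append(f"unapproved login: {ev['user']}@{ev['system']} "
                            f"at {ev['ts'].isoformat()} from {ev['src']}")
    return findings


if __name__ == "__main__":
    for finding in audit_admin_access(LOG_LINES):
        print(finding)
```

On the sample data the only login that passes is ops.alice at 08:30 on S4P-DB, inside the four-hour window approved by lead.bob; the 13:00 login is outside that window, ops.carol has no request at all, ops.erin's request was denied, and ops.dave's login is rejected because his request was self-approved. A real deployment would key the correlation on a session or request identifier carried in both logs rather than on user and system names alone.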
Audit and Compliance
SAP audits its security controls, which are validated through various certifications and attestations:
- ISO certificates:
  - ISO 9001 Quality Management System
  - ISO 27001 Information Security Management System
  - ISO 27017 Implementation of cloud-specific information security controls
  - ISO 27018 Protection of personal data in the cloud
  - ISO 22301 Business Continuity
SOC 1 and SOC 2 Type 2 audits are performed to validate the design of the security controls and the effectiveness of their implementation. The SOC 2 Type 2 report can be requested directly from the SAP Trust Center, subject to an NDA. SOC 1 Type 2 reports are available via the SAP Trust Center to existing customers who have a production instance and a valid NDA.
SAP S/4HANA Cloud, Private Edition offers customers a single-tenant landscape, a great degree of flexibility on upgrade cycles and add-ons, and a defense-in-depth security architecture that protects the customer’s core information assets in terms of confidentiality, integrity and availability. This gives existing ECC on-premises customers a transition and transformation roadmap for moving to cloud services. Many security tasks, such as security monitoring, security incident management, independent third-party security audits and the 24×7 Cyber SOC, are offloaded to SAP operations and management personnel. This enables customers to focus on their core business processes while retaining greater control over their data, reducing their total cost of ownership and enabling faster time to market.