RISE with SAP: ‘Defense in Depth’ Security Architecture with SAP S/4HANA Cloud (Public Cloud)
(Jana Subramanian is APJ Principal Cybersecurity Advisor for Cloud Security and Fellow of Information Privacy (FIP) awarded by International Association of Privacy Professional (IAPP). Jana supports strategic customer engagements on cybersecurity, data privacy, multi-cloud security architecture, contractual assurance, audit, and compliance domains.)
The SAP S/4HANA Cloud is at the core of “Rise with SAP” offering. For a customer, it holds mission critical data used to implement business processes and data analytics. It is deployed in a public cloud as SaaS (Software-as-a-Service) offering. SAP S/4HANA Cloud is a “Multi-Tenanted” platform, delivering highly standardized content for various lines of business in an industry and for varieties industries. As digital transformation sweeps the IT industry, embracing cloud technologies is inevitable. In this context, cloud security is imperative to this transformation.
SAP S/4HANA Cloud runs on public cloud such as Google Cloud Platform (GCP), MS Azure and SAP Converged Data Centres around the world. SAP uses hyperscale providers who offer “Infrastructure-as -a-Service for greater flexibility, scalability, and security for the provisioning of cloud infrastructure. SAP S/4HANA Cloud tenant subscription includes provisioning of SAP Business Technology Platform (BTP) services such as Identity Authentication Services, Identity Provisioning Service, SAP Analytics Cloud, and In-App & Side by side via BTP / Extensibility Framework. In an earlier blog, we discussed “RISE with SAP: Multi-layer Defence in Depth Architecture of SAP S/4HANA Cloud, Private Edition” . In this blog, we will discuss a conceptual view of a “multi-layered defense in depth” security architecture with SAP S/4HANA Cloud (Public cloud).
“Defense in Depth” Security Architecture:
SAP S/4HANA Cloud offers physical, technical, and administrative controls at various security layers. This cloud environment offers, secure by design and secure by default with highest standardization for the SaaS environment. The following diagram illustrates “multi-layer defense in depth” architecture of SAP S/4HANA Cloud.
Customer Data Isolation:
- A virtualized ABAP Application Server is provisioned for each customer tenant
- Application isolation is enabled via “Security Group”
- The “Security Group” allows communication between different application instances that belongs to one tenant.
- Tenant “Security group” allows system communication between Q and P system of the same customer as shown in Figure 2 – SAP S/4HANA Landscape Cloud Architecture
- At the network level, security group prevents communication between tenants. The network traffic rules are defined using on source, destination, protocol, and ports
- Each SAP S/4HANA cloud tenant has their own tenant-database. It is part of overall SAP HANA Systems.
- SAP S/4HANA Cloud encrypts “data-at-rest” and “data-in-transit”
- End-to-end encryption is applied for “data-in-transit”
- “Data-at-rest” encryption covers database, central and local file systems, and storage backups.
- The cryptographic keys are managed securely via Key Management Systems (KMS) by SAP cloud operations teams
- “Segregation of Duties” guideline is applied for KMS.
- Secure Software Development Lifecycle (SSDLC) methodology is followed for the development of SAP S/4HANA application
- The product development considers security and data protection & privacy requirements. This is embedded at the start of the development process.
- The development team performs extensive risk assessment and threat modelling, design, and test effectiveness of the security controls which includes performing code scans, penetration tests, security tests – SAST & DAST and independent security assessments. More details on SAP SSDLC can be found here.
- Customer access SAP S/4HANA Cloud via Internet using HTTPS (port 443). The HTTPS traffic is terminated on the Web Dispatcher cluster.
- Customer access is enabled via central load balancer and using shared web dispatcher. There are separate Load Balancer Endpoints for UI end point by business user and an endpoint used for system-to-system communications.
- Customer can access Application Security Audit Logs.
- A trust boundary separates network into zones and each zone into segments.
- The security control is implemented into each zone based on the exposure of the systems to Internet/Intranet and is based on the classification of data handled by the systems in the zones.
- Virtual Private Cloud (VPC) is created for Systems, Admin, Backup. The system VPC is implemented to host the tenants of SAP S/4HANA cloud which spans availability zones. The secure central administration network segment host central cloud lifecycle management tools
The Cloud Operations and Management covers security patch management, hardening of operating systems, application, and databases virtual instances. The security incident and event management are available to collect, aggregate, correlate and apply security use cases for automatic alerts in the event of security incident occurrences. The team performs 24×7 infrastructure monitoring, database monitoring, secure admin access, regular backups, security vulnerability scanning, hacking simulations and remediations to secure the environment for customers.
The operational security activity broadly covers the following:
- SAP S/4HANA Cloud Infrastructure setup
- Data Segregation
- Intrusion Prevention
- Business Continuity & DR
- Secure Design of Cloud Services
- Network and Customer Segregation
- Backup and Restore Services
- Secure Development of platform services & tools
- Securing the infrastructure, operating systems, and/or container images, networking, and applications
- Operational and security monitoring
- Managing security incidents
- Personal Data Breach Notification
- Capacity Management
- Providing patches and solution support
- Vulnerability Scans, Hacking Simulations and Remediations
Secure Administration Access:
- SAP Cloud Administrator is allowed from whitelisted IP address and Multi-Factor Authentication sis required
- Security Groups enables communication between systems and admin VPC
- SAP uses central lifecycle management tools for operations and management of the cloud systems.
SAP Contractual Assurance:
SAP offers security assurance via contractual agreement, independent audits and certifications and having best practice security standards, policies, procedures. As a data processor, SAP cloud services comply to applicable data protection laws and provide personal data breach notifications without undue delay. The contractual agreements related to SAP cloud services can be downloaded at the SAP Trust Center. The Figure 4: SAP S/4HANA Cloud Security illustrates end-to-end security features.
Integration with SAP Business Technology Platform
SAP S/4HANA Cloud is integrating with SAP Business Technology Platform leveraging services such as Identity Authentication Services, Identity Provisioning Services and using integration suite and platform services. Customer can configure IAS (as IDP proxy), delegate authentications to their own IDP which may be located on-premises or in the cloud such Azure AD. The SAP BTP provides Identity Provisioning Services which allows synchronization of user data between source and target systems. SAP provides these services by default when customer subscribes to SAP cloud applications and it is the customer’s responsibility to configure these services depending on the authentication requirement
Audit and Compliance
SAP S/4HANA Cloud has achieved Certifications & Attestations on the following areas
- ISO Certificates
- ISO27001 Information Security Management System
- ISO27017 Implementation of cloud specific information security controls
- ISO27018 Protection of personal data in the cloud
- ISO22301 Business Continuity
SOC1 and SOC2 Type 2 audits are performed to validate design of security controls and implementation effectiveness of the security controls. SOC2 Type 2 report can be directly requested to SAP Trust Center subject to NDA. SOC1 Type 2 reports are available for existing customers who have production instance and have a valid NDA which can be requested via SAP Trust Center.
Shared Security Responsibility Model:
The security responsibility (as with any cloud services) is always shared between SAP (Cloud Service Provider) and cloud consumer. In SAP S/4HANA Cloud, customer have no access at the lower-level infrastructure layers such as VMs, Operating Systems, Load Balancers, Networking since this is fully managed by SAP. The following diagram illustrates shared security responsibility model between SAP and Cloud Customer.
Please refer to the blog “RISE with SAP: Shared Security Responsibility for SAP Cloud Services” for details. Specifically for SAP S/4HANA Cloud, the security control in the cloud stack is depicted in the diagram below:
The SAP S/4HANA Cloud offers highly standardized multi-tenanted landscape at a cost effective, scalable, defense in depth security at multiple layers. SAP S/4HANA Cloud operations adherence to best practice security is in alignment industry standards at technology, operational, legal measures. SAP handles critical security tasks such as secure architecture, security monitoring, security incident management, vulnerability scans, hacking simulations, independent 3rd party security audits, 24×7 Cyber SOC, This enables customers to focus on their core business processes and have a greater control over their data, reducing their total cost of ownership, enabling faster time to market.
(Disclaimer: The perspectives or opinions expressed in this blog are for information purposes only and should not be construed as a legal advice. The content in this blog does not constitute any representation, or any commitment or legal obligation on the part of SAP)