RISE with SAP: Adopting Zero Trust Architecture Principles with SAP Cloud Services
(Jana Subramanian is APJ Principal Cybersecurity Advisor for Cloud Security and a Fellow of Information Privacy (FIP) awarded by the International Association of Privacy Professionals (IAPP). Jana supports strategic customer engagements in the cybersecurity, data privacy, multi-cloud security architecture, contractual assurance, audit, and compliance domains.)
Over the last two years, the global pandemic has been the dominant concern. During this time, organizations that use digital technologies to deliver products and services have successfully adopted a hybrid work model for their workforce. Today, enterprises embrace a “cloud-first” strategy more than ever before. As a result, perimeter-based organizational network boundaries are beginning to blur. The rapid adoption of SaaS cloud services brings a new focus on “Zero Trust Architecture” principles. Organizations can no longer rely on perimeter security alone, with “implicit trust” granted to assets or user accounts based solely on their physical or network location.
In this zero-trust framework, an enterprise needs to eliminate implicit trust. This means:
- Deploy automated, identity- and context-aware access controls to verify every user session.
- Continuously analyze and evaluate the risk posed to its assets and business functions.
- Ensure that protection and mitigation measures are in place.
- Verify all data flows, regardless of their origin or destination.
In this blog, we will cover the “zero-trust” principles ingrained in ‘RISE with SAP’ cloud services and discuss the tools available to help customers implement a robust “zero-trust” architecture framework.
Blurred Organizational Boundaries
Unlike in the past, when enterprises operated in their own or hosted data centers, modern enterprise networks have evolved into a hybrid landscape that consumes public and private cloud services. Organizations have adopted various cloud service models (IaaS, PaaS, and SaaS). A typical IT environment is a mix of on-premises resources, hosted data center environments and multi-cloud services.
Cloud resources and services run in hyperscaler environments with software-defined networking and are reached via the public Internet, either over secure network channels on the Internet or via dedicated private connectivity natively provided by the hyperscaler. With this hybrid approach, enterprise network boundaries have blurred. The networks have become heterogeneous, and securing the landscape across a multitude of platforms requires a consistent policy decision point (PDP) and policy enforcement point (PEP), enabled by software-defined networking and security automation.
The threat landscape is evolving and attacks are increasingly sophisticated. Threats originate both inside and outside the organization, with a mobile workforce dispersed everywhere. A “zero-trust” architecture framework helps secure every data flow, identity, application and endpoint regardless of where it is accessed from. This is supplemented by robust security management processes such as access control, change management, continuous logging and monitoring, security breach notification, independent third-party audits and compliance, and encryption of data at rest and in transit. “Zero Trust” is therefore not a product but a combination of people, security processes, technologies and principles coming together to secure the organizational environment.
Zero Trust Architecture principles transform the traditional approach to enterprise security, moving from perimeter-centric, VPN-based approaches to a dynamic, identity-centric, policy-based approach. Organizations face challenges in protecting resources: on-premises and cloud assets, application services, databases, business workflows, networks, and user accounts. There is an imperative need to control access to resources through authentication and authorization on a per-session basis. Policies must be dynamic and defined for each access based on evolving threats. NIST Special Publication (SP) 800-207, Zero Trust Architecture, provides a comprehensive treatment of zero-trust principles, including general deployment models and use cases where zero trust can improve an enterprise’s overall information technology security posture.
The following broad principles should be adhered to as best practice:
- Eliminate Implicit Trust: There should be no implicit trust based on physical location or device ownership. Every user, device, network and application must be treated as “untrusted”.
- Verify all data flows/sessions: All data flows or sessions must be authenticated and authorized under the principle of least privilege. Access to resources must support dynamic security policies.
- Limit the Blast Radius: Micro-segment the network with a software-defined perimeter. Prevent threats from moving laterally on the network by architecting and enforcing micro-segmentation, with associated security policies at each application and database layer.
- Role-Based and Context-Aware Access: Authorization to access resources must be provided in a secure and consistent manner with role- and context-based decisions. The policy engine should support the creation of both dynamic and static policies.
- Least Privileged Access: Grant only the minimum access needed. Apply least privilege to every access decision, allowing or denying access to resources based on a combination of contextual factors.
- Dynamic and Adaptive Policies: Policy enforcement points and policy decision points are key elements of zero trust. The control plane for policy enforcement must be centralized and must react dynamically and adaptively to changes in the environment.
- Data Protection: Data must be protected with encryption (both in transit and at rest), anonymization, tokenization, and other obfuscation techniques.
- Visibility and Control: Continuous logging and monitoring. Logs must be collected at all levels, inspected, and continuously monitored for suspicious activity, covering configuration changes, resource access, and network traffic.
Approach to Zero-Trust Principles with SAP Cloud Services:
In the following sections, we will look at how SAP cloud services adopt Zero Trust Architecture principles at a high level, without going into configuration details. Organizations must still perform their own risk assessments, as it is not possible to eliminate cybersecurity risk entirely. In adopting Zero Trust Architecture principles, organizations also need a well-defined cybersecurity policy, standards and guidelines, identity and access management, and continuous logging and monitoring to reduce overall risk and protect digital assets against common threats.
The following diagram highlights the core architectural elements of the zero-trust principles. The goal is to protect organizational identities, endpoints, business applications, data and infrastructure, and to secure internal and external network connections in a hybrid environment. Every data flow must be verified and trust established for each session. Dynamic security policies must be defined and enforcement points deployed at multiple locations. This includes establishing the principle of least privilege, securing all services and system-to-system APIs, managing authentication and authorization, managing privileged credentials, and security automation.
SAP Trust Center has published a document, SAP: Zero Trust Architecture, which is available to SAP customers and provides deeper insight into the architecture elements.
SAP’s strategy for a centralized point of authentication in cloud and hybrid environments is SAP Cloud Identity Services. SAP Cloud Identity Services runs on SAP Business Technology Platform (BTP) and consists of the Identity Authentication service and the Identity Provisioning service. Many SAP cloud services bundle Identity Authentication as part of the cloud subscription at no additional cost. Identity Authentication provides authentication, SSO, user management, and on-premises integration. Options include user self-services such as registration and password reset for employees and partners. Security features include protecting access to applications, risk-based authentication rules, two-factor authentication, and delegated authentication to on-premises user stores and other identity providers.
The Identity Provisioning service (IPS) provides secure identity lifecycle management as a service, with provisioning and deprovisioning of identities and authorizations. IPS reads users and groups from a source system and provisions them to a target system; filtering and/or attribute mapping are applied during job execution. IPS supports the industry-standard SCIM 2.0 protocol (System for Cross-Domain Identity Management), which makes it possible to provision users to and from any SCIM-compliant system.
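To make the read, filter, map and provision cycle concrete, here is an added example of such a job written for this blog; it is not SAP Identity Provisioning code. The source record layout, the filter rule and the attribute mapping are assumptions; the target resource shape uses the attribute names of the SCIM 2.0 core User schema (RFC 7643). A terminated user stays in scope and is provisioned with active=false (soft deprovisioning), while a user that disappears from the source or falls out of the filter is deleted from the target.

```python
"""Provisioning job: source records -> filter -> mapping -> SCIM 2.0 User operations.
Added example, not SAP code. Record layout, filter and mapping are assumptions."""
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed source records, e.g. what an HR system might expose.
SOURCE_USERS = [
    {"id": "1001", "login": "jdoe", "first": "Jane", "last": "Doe",
     "mail": "jane.doe@example.com", "dept": "FIN", "status": "active"},
    {"id": "1002", "login": "rroe", "first": "Rick", "last": "Roe",
     "mail": "rick.roe@example.com", "dept": "FIN", "status": "terminated"},
    {"id": "1003", "login": "svc_batch", "first": "", "last": "",
     "mail": "", "dept": "IT", "status": "active"},
]


def in_scope(record):
    """Filter step: skip technical accounts (no mailbox) so they are never provisioned."""
    return bool(record["mail"])


def to_scim_user(record):
    """Mapping step: translate source attributes into a SCIM 2.0 User resource."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": record["id"],
        "userName": record["login"],
        "name": {"givenName": record["first"], "familyName": record["last"]},
        "emails": [{"value": record["mail"], "primary": True}],
        "active": record["status"] == "active",   # terminated -> deactivated in target
    }


def run_job(source, existing_target):
    """Compute the target operations for one provisioning run.

    existing_target maps externalId -> SCIM user already present in the target.
    Returns ("POST", resource) for new users, ("PUT", resource) for changed users
    and ("DELETE", externalId) for users no longer delivered by the source."""
    ops, seen = [], set()
    for record in source:
        if not in_scope(record):
            continue
        user = to_scim_user(record)
        seen.add(user["externalId"])
        if user["externalId"] in existing_target:
            if existing_target[user["externalId"]] != user:
                ops.append(("PUT", user))
        else:
            ops.append(("POST", user))
    for ext_id in existing_target:
        if ext_id not in seen:
            ops.append(("DELETE", ext_id))   # deprovision: gone from source or out of scope
    return ops


if __name__ == "__main__":
    for op, payload in run_job(SOURCE_USERS, {}):
        print(op, json.dumps(payload) if isinstance(payload, dict) else payload)
```

Running the job twice against the same state yields no operations, which is the property a scheduled provisioning run relies on; removing a record from the source on the next run produces a DELETE for it.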
The architecture is based on open standards and supports SAML 2.0 and OpenID Connect. A wide variety of user authentication options are available, including:
- Biometric Authentication
- Username and Password
- 2FA using TOTP, RSA tokens, SMS, or WebAuthn
- Delegated authentication to a customer-owned IdP or corporate user store (IdP as proxy)
SAP Identity Authentication supports risk-based authentication: the administrator configures rules based on variables such as IP address range, user type, authentication method and user group, with actions such as allow, deny, or require an additional second factor. When a user tries to access the application, the rules are evaluated in priority order, starting with the highest-priority rule, until the criteria of a rule are met. That rule’s action applies and the remaining rules are not evaluated.
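The first-match-wins evaluation above is easy to get wrong when rules are reordered, so here is an added example (written for this blog, not SAP code) of a small policy engine that evaluates rules the same way. Rule attributes, the sample rules and the request contexts are assumptions; in particular, the default action when no rule matches is a parameter here and is set to “deny” to reflect zero trust, which is an assumption rather than a statement about the product’s default.

```python
"""Risk-based authentication rule engine: priority-ordered, first match decides.
Added example, not SAP code. Rule attributes and sample data are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    priority: int                          # lower number = higher priority, evaluated first
    action: str                            # "allow", "deny" or "2fa" (require second factor)
    ip_ranges: tuple = ()                  # CIDR strings; empty = any source address
    user_types: frozenset = frozenset()    # e.g. {"employee"}; empty = any
    groups: frozenset = frozenset()        # user must be in at least one; empty = any
    auth_methods: frozenset = frozenset()  # e.g. {"password"}; empty = any


@dataclass
class Context:
    ip: str
    user_type: str
    groups: frozenset
    auth_method: str


def rule_matches(rule: Rule, ctx: Context) -> bool:
    """All criteria of a rule must hold; a criterion left empty matches anything."""
    if rule.ip_ranges and not any(ip_address(ctx.ip) in ip_network(c) for c in rule.ip_ranges):
        return False
    if rule.user_types and ctx.user_type not in rule.user_types:
        return False
    if rule.groups and not (rule.groups & ctx.groups):
        return False
    if rule.auth_methods and ctx.auth_method not in rule.auth_methods:
        return False
    return True


def decide(rules, ctx: Context, default: str = "deny") -> str:
    """Return the action of the first matching rule in priority order.
    The fallback when nothing matches is an assumption of this example."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, ctx):
            return rule.action   # first match wins; later rules are not evaluated
    return default


# Constructed sample policy. The catch-all "2fa" rule carries the lowest
# priority on purpose; the IP range is one factor combined with group and
# authentication method, never a reason to trust on its own.
SAMPLE_RULES = [
    Rule(priority=10, action="deny", user_types=frozenset({"public"})),
    Rule(priority=20, action="allow", ip_ranges=("10.0.0.0/8",),
         groups=frozenset({"Employees"}),
         auth_methods=frozenset({"password", "certificate"})),
    Rule(priority=30, action="2fa"),
]


def shadowed_policy():
    """Same rules with the catch-all moved to the top: every request, including
    the "public" users the deny rule was meant to block, now gets "2fa"."""
    return [Rule(priority=5, action="2fa")] + SAMPLE_RULES


if __name__ == "__main__":
    samples = {
        "corp employee": Context("10.1.2.3", "employee", frozenset({"Employees"}), "password"),
        "remote employee": Context("203.0.113.5", "employee", frozenset({"Employees"}), "password"),
        "public user": Context("10.1.2.3", "public", frozenset(), "password"),
    }
    for name, ctx in samples.items():
        print(f"{name}: {decide(SAMPLE_RULES, ctx)} (shadowed: {decide(shadowed_policy(), ctx)})")
```

The shadowed_policy case is the practical check to run after any rule change: a broad rule that is accidentally given a higher priority silently overrides every more specific rule below it.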
Built on SAP BTP, SAP Cloud Identity Access Governance (IAG) is a tool for access analysis, role design, access certification, access requests and privileged access management. It uses SAP NetWeaver APIs to fetch data from target systems and perform access analysis. IAG integrates with SAP’s latest cloud applications such as SAP Ariba, SAP SuccessFactors, SAP S/4HANA Cloud and SAP Analytics Cloud, and the product is being developed to support more SAP and non-SAP cloud services.
The following links provide reference architectures for identity and access management and a CIO guide on the identity lifecycle in hybrid landscapes.
- Single Sign-on: SAP Reference Architecture for Identity Access Management by Marko Sommer
- Identity Lifecycle: SAP Reference Architecture for Identity Access Management by Gunnar Kosche
- A Single Sign-On Guide for SAP S/4HANA Cloud, Private Edition (RISE with SAP) by Matthias Kaempfer
- CIO Guide: Identity Lifecycle in Hybrid Landscapes
As per SAP cloud security standards, customer data processed in SAP cloud services is treated as “confidential”.
- Data-in-transit encryption secures all client connections from the customer network to SAP systems. All HTTP traffic is protected with TLS 1.2 using AES-256-GCM.
- Access from thick clients (SAP frontend) uses the SAP proprietary DIAG protocol, secured by SAP Secure Network Communications (SNC) with AES-256-GCM.
- The SAP HANA in-memory database uses HANA volume encryption to provide data-at-rest encryption for data, log, and backup volumes.
- In addition to HANA volume encryption, the persistent storage that holds the encrypted HANA volumes is itself encrypted by the storage encryption layer (a second layer of data-at-rest encryption), also with AES-256-GCM.
- The storage used for data files, log files and backup sets is encrypted by default by the IaaS provider using server-side encryption (SSE) with provider-managed keys.
- SAP HANA supports various data protection and privacy features such as encryption, tokenization, masking, anonymization, and other obfuscation techniques. Additionally, SAP Data Custodian is offered to customers as a multi-cloud SaaS designed to provide cloud data insight and protection, data governance, compliance and audit reporting, rapid identification and notification of data protection breaches, and an independent customer-controlled key management service. Customers can subscribe to this service to protect their data. The transparency features of SAP Data Custodian help customers answer the following key questions:
- Where is my data stored?
- How has the data been moved and processed?
- Who is accessing my data and from which location?
Data control functionality of SAP Data Custodian helps customers achieve:
- Governance: configure public-cloud data location, movement, and access policies
- Enforcement: enforce geolocation controls for data access, storage, and movement
- Compliance: help comply with global data protection regulations
Finally, SAP Data Custodian supports an independent key management service. Customer-controlled encryption keys allow customers to encrypt their HANA database in the public cloud with keys under their own control. The key benefits are:
- Protect your data in the public cloud
- Prevent unauthorized third-party disclosure of information, e.g. to states or state actors
- Secure data against breaches by insiders and external entities
- Control who has access to encryption keys
- Segregation of Duties – encryption keys are managed separately from your data
The diagram below shows some of the possible use cases that can be deployed with SAP S/4HANA. SAP Data Custodian is available to customers as SaaS and is progressively being integrated into SAP cloud solutions to provide greater transparency, control and an independent KMS to customers.
- Data Classification
- Inventory/Cloud Resource
- Unauthorized Access
- Data Localization
- GDPR Compliance
- Export Control
- Cloud Provider Access Control
- S/4H Access Transparency
- S/4H Field Masking
- Data Localization and Residency
SAP S/4HANA Cloud, Private Edition:
SAP uses AWS, Azure and Google Cloud, SAP-owned data centers and partner data centers (such as Equinix) to host SAP cloud services. As a strategy, SAP uses hyperscalers such as AWS, Azure and Google Cloud as IaaS providers to host RISE with SAP S/4HANA Cloud, Private Edition, for greater flexibility, scalability, and security in provisioning SAP cloud infrastructure. Each customer gets a dedicated landscape. While SAP SE owns the root account, each customer gets a dedicated account or subscription in which virtual networks (VNets) or VPCs are created to address specific system and data isolation requirements. Security policies defined at the higher levels of the hierarchy are pushed down to each subscription/project/account. Within each virtual network, multiple subnets (using private CIDR blocks) are created to segregate the environments.
- Subscription (Azure)/Account (AWS)/Project (GCP) – A logical isolation boundary for all of a customer’s resources
- Virtual Network or VPC – An isolated landscape or secure environment where instances or virtual machines run. Application servers and database servers are created on these instances or virtual machines.
- Security Group (AWS)/Network Security Group (Azure)/VPC firewall rules (GCP) – Enforce network traffic rules that allow or deny inbound and outbound traffic.
The network is micro-segmented into smaller islands where workloads are contained. Each segment has its own ingress and egress controls using (network) security groups to minimize the “blast radius” of unauthorized access to data. A software-defined perimeter with granular controls prevents unauthorized actors from propagating throughout the network and so reduces lateral movement of threats. Additional subnets are created for gateway, network services and production environments.
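A useful design review for such a layout is to enumerate which segment pairs can actually talk, and on which ports. The following is an added example written for this blog, not SAP’s tooling or configuration: it models subnets with security-group rules and checks a flow only when the source segment’s egress rules and the destination segment’s ingress rules both permit it. The CIDRs, ports (30015 is assumed as the HANA SQL port) and rules are constructed. The model evaluates only the direction that initiates a connection; real cloud security groups are stateful and admit return traffic automatically, which this simplification ignores.

```python
"""Segment-to-segment flow check for a micro-segmented landscape.
Added example, not SAP tooling. Segments, CIDRs, ports and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SgRule:
    direction: str   # "ingress" or "egress"
    proto: str       # "tcp" or "udp"
    port: int
    peer_cidr: str   # remote network the rule applies to


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str
    rules: tuple     # SgRule entries attached to this segment's security group


def segment_of(segments, ip):
    """Return the segment whose CIDR contains ip, or None if unknown."""
    for seg in segments:
        if ip_address(ip) in ip_network(seg.cidr):
            return seg
    return None


def _permits(rule, direction, proto, port, peer_ip):
    return (rule.direction == direction and rule.proto == proto
            and rule.port == port and ip_address(peer_ip) in ip_network(rule.peer_cidr))


def flow_allowed(segments, src_ip, dst_ip, proto, port):
    """True only if source egress AND destination ingress rules both permit the flow."""
    src, dst = segment_of(segments, src_ip), segment_of(segments, dst_ip)
    if src is None or dst is None:
        return False   # address outside every known segment: default deny
    egress_ok = any(_permits(r, "egress", proto, port, dst_ip) for r in src.rules)
    ingress_ok = any(_permits(r, "ingress", proto, port, src_ip) for r in dst.rules)
    return egress_ok and ingress_ok


# Constructed landscape: customer network -> gateway subnet -> application
# subnet -> database subnet. Each hop is allowed only on its service port and
# nothing is allowed in the reverse (lateral) direction.
CUSTOMER, GATEWAY, APP, DB = "192.168.0.0/16", "10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24"
LANDSCAPE = (
    Segment("customer", CUSTOMER, (SgRule("egress", "tcp", 443, GATEWAY),)),
    Segment("gateway", GATEWAY, (SgRule("ingress", "tcp", 443, CUSTOMER),
                                 SgRule("egress", "tcp", 443, APP))),
    Segment("app", APP, (SgRule("ingress", "tcp", 443, GATEWAY),
                         SgRule("egress", "tcp", 30015, DB))),   # HANA SQL port assumed
    Segment("db", DB, (SgRule("ingress", "tcp", 30015, APP),)),    # no egress at all
)


def lateral_paths(segments, proto="tcp", ports=(22, 443, 30015)):
    """Enumerate every permitted (source, destination, port) pair for a design review."""
    found = []
    for src in segments:
        for dst in segments:
            if src is dst:
                continue
            src_ip = str(ip_network(src.cidr)[10])   # any host address inside the segment
            dst_ip = str(ip_network(dst.cidr)[10])
            for port in ports:
                if flow_allowed(segments, src_ip, dst_ip, proto, port):
                    found.append((src.name, dst.name, port))
    return found


if __name__ == "__main__":
    for path in lateral_paths(LANDSCAPE):
        print("%s -> %s on tcp/%d" % path)
```

The point of lateral_paths is that the permitted list should be exactly the three forward hops of the design; any extra entry (for example app to db on 22, or db back to app) is a lateral path that the segmentation was supposed to close.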
A dedicated private connection with redundancy is recommended for accessing productive workload as it ensures quality of service and higher availability service levels. Hyperscaler provided solutions such as AWS Direct Connect, Azure ExpressRoute and GCP Cloud Interconnect can be used to establish such network connection. Information around edge locations and networking partners can be found in respective Hyperscaler documentation. You can refer to a blog “Secure Connectivity to SAP Cloud Services hosted on Hyperscaler” on secure connectivity options available.
SAP S/4HANA Cloud – Essential (Public Cloud)
SAP S/4HANA Cloud runs on public clouds such as Google Cloud Platform (GCP) and Microsoft Azure, and in SAP converged data centers around the world. An SAP S/4HANA Cloud tenant subscription includes provisioning of SAP Business Technology Platform (BTP) services such as Identity Authentication, Identity Provisioning, SAP Analytics Cloud, and in-app and side-by-side extensibility via BTP. A virtualized ABAP application server is provisioned for each customer tenant, and application isolation is enforced via a “Security Group”. The “Security Group” permits communication between the application instances that belong to one tenant.
- A trust boundary separates the network into zones, and each zone into segments.
- Security controls are implemented in each zone based on the exposure of its systems to the Internet/intranet and on the classification of data handled by the systems in the zone.
- Separate Virtual Private Clouds (VPCs) are created for systems, administration and backup. The system VPC hosts the SAP S/4HANA Cloud tenants and spans availability zones. The secure central administration network segment hosts the central cloud lifecycle management tools.
You can refer to a blog “RISE with SAP: ‘Defense in Depth’ Security Architecture with SAP S/4HANA Cloud (Public Cloud)” on security control and segmentations provided to secure the landscape.
- API Management Security: API management capabilities are available in SAP Business Technology Platform. API Management provides simple, scalable, and secure access to digital assets through application programming interfaces (APIs) and enables developer communities to consume them.
- SAP provides Role Based Access Control (RBAC) to limit access to application systems. Access Control leverages the SAP NetWeaver authorization model and assigns authorizations to users based on roles.
- Regular application and OS level patching based on SAP Notes and vendor recommendations
- Regular Vulnerability Scanning, Penetration Testing and timely remediations as a part of managed cloud operations
- A Web Application Firewall is enabled for SAP S/4HANA Cloud, Private Edition for inbound Internet traffic to protect against application-level attacks such as SQL injection or cross-site scripting.
- The development team performs extensive risk assessment and threat modelling, designs the security controls and tests their effectiveness, which includes code scans, penetration tests, security tests (SAST and DAST) and independent security assessments. More details on the SAP Secure SDLC can be found here.
- UI Masking and UI Logging capabilities are available to customers and can be enabled for SAP S/4HANA with additional licensing. Sensitive data is masked on the server side and editing is blocked in SAP user interfaces, giving consistent protection in table display, value help, export, download, print, etc.
- Unmasked data is provided only to specifically authorized users/roles, on top of the existing authorization system (PFCG)
- A small-scale, auditable, archivable “access trace” is written when protected data fields are accessed
- With SAP Data Custodian, contextual application control for SAP S/4HANA can be configured. This allows administrators to define access and export control policies. The feature intercepts user access attempts, determines the location of the user, and validates the attempt against the configured policies; exceptions can be configured if required.
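The masking bullets above describe three properties worth seeing together: masking happens on the server so every channel sees the same result, unmasking is an explicit authorization on top of the normal role check, and each unmasked read leaves a trace. The following is an added example written for this blog, not SAP UI Masking code; the field names, the authorization names (Z_UNMASK_*) and the sample vendor record are assumptions and not real PFCG objects.

```python
"""Server-side field masking with authorization-gated unmasking and an access trace.
Added example, not SAP UI Masking code. Field and authorization names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields that are masked unless the caller holds the listed authorization.
# The authorization names are invented placeholders, not SAP PFCG objects.
PROTECTED_FIELDS = {
    "iban": "Z_UNMASK_BANK",
    "tax_id": "Z_UNMASK_TAXID",
}


def mask_value(value: str, keep_last: int = 4) -> str:
    """Keep the trailing characters for recognisability, replace the rest."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


@dataclass
class AccessTrace:
    """Append-only record of unmasked reads of protected fields."""
    entries: list = field(default_factory=list)

    def record(self, user, record_key, fld, context):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "record": record_key, "field": fld, "context": context,
        })


def render_record(record, user, authorizations, trace, context="table_display"):
    """Apply masking on the server side so display, export and download all
    see the same result; only unmasked reads of protected fields are traced."""
    out = {}
    for fld, value in record.items():
        needed = PROTECTED_FIELDS.get(fld)
        if needed is None:
            out[fld] = value                      # not a protected field
        elif needed in authorizations:
            out[fld] = value                      # explicitly authorized: unmask and trace
            trace.record(user, record["id"], fld, context)
        else:
            out[fld] = mask_value(value)          # default: masked, nothing to trace
    return out


def export_records(records, user, authorizations, trace):
    """Export path reuses render_record, so an export cannot leak what the screen hides."""
    return [render_record(r, user, authorizations, trace, context="export") for r in records]


# Constructed sample record.
SAMPLE_VENDOR = {"id": "V100", "name": "Acme GmbH",
                 "iban": "DE89370400440532013000", "tax_id": "DE123456789"}

if __name__ == "__main__":
    trace = AccessTrace()
    print(render_record(SAMPLE_VENDOR, "clerk", set(), trace))
    print(render_record(SAMPLE_VENDOR, "auditor", {"Z_UNMASK_BANK"}, trace))
    print(trace.entries)
```

Note that the unmasking authorization is checked per field, not per record: the auditor in the sample sees the IBAN but still gets a masked tax ID, and the trace contains exactly one entry for the one field that was unmasked.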
SAP’s multi-cloud team enables and accelerates SAP application and platform migration to the public cloud. SAP maintains SAP licenses and OS templates for Windows Server, SUSE and Red Hat Enterprise Linux that comply with SAP security policies, and builds golden images based on industry best practices. Each line of business (LOB) builds a blueprint cloud architecture using cloud infrastructure elements such as instances, VMs, containers, logging and monitoring tools, configuration management, load balancers, VPCs, networks and secure connectivity. SAP uses security automation, CI/CD and DevOps processes, and ITIL release and deployment processes for testing and approval.
While customers are responsible for managing the endpoints of their business users, SAP administrators’ endpoints are hardened with data loss prevention (DLP), anti-virus, anti-malware and X.509 digital certificates. SAP maintains a device asset inventory, and non-compliant endpoints are quarantined automatically. Multi-factor authentication and a jump host are required before any access to a cloud environment for operations. SAP isolates the admin network from the customer VNet/VPC using admin firewalls. Network traffic between the customer VNet/VPC and the SAP admin network always uses an encrypted channel, and all administrative data exchanges are encrypted with TLS 1.2. The cloud managed environment uses dedicated identity management and access control systems, and all access follows the least privilege principle. Every administrative access request flows through an access manager workflow and is validated by a designated authority.
Zero Trust Architecture is a business enabler. It encompasses people, process, technology, and an architecture framework. That said, inherent risks do exist, and managing them is a multi-dimensional endeavor: it requires designing and building access policies and deploying enforcement at multiple points. Implementing such a paradigm shift requires organizational culture change, buy-in from business stakeholders, planning, developing an asset inventory, mapping complex data flows, micro-segmenting networks to limit the blast radius, and holistically securing the hybrid multi-cloud environment. Security controls are required to verify users, devices, systems, and processes before they interact with business data, and to manage the associated risks effectively. In practice, given the diverse set of solutions available, a customer may choose additional tools and third-party solutions to secure their environment. To this end, SAP cloud services provide a comprehensive set of tools for customers to build a zero-trust architecture and secure SAP and non-SAP environments.
(Disclaimer: The perspectives or opinions expressed in this blog are for information purposes only and should not be construed as legal advice. The content in this blog does not constitute any representation, commitment or legal obligation on the part of SAP.)