kjrana
Hello Everyone,

In this white paper, we will examine some of the key topics that ERP enterprise Information Security leaders should consider when setting up the security and controls for their SAP BTP Cloud integration with S/4 HANA and cloud applications.

Based on my S/4 HANA and Cloud experience, my goal is to provide key security design aspects and process insights within SAP Business Technology Platform (BTP) Cloud, along with "best practices" to keep in mind from a Security, Compliance and Controls perspective with respect to SAP S/4 HANA and Cloud.

 

Key Sections -



  • Overview - SAP BTP Cockpit - Cloud Foundry

  • Security Strategy & key integration requirements

  • SAP Cloud Environment Model 

  • SAP BTP Cockpit Management Console

  • 3rd Party Cloud application (to be integrated)

  • Governance & Compliance Model

  • Security & Controls Model - Best Practices

  • Cloud BTP Cockpit & Identity Authentication Services (IAS) – Controls Framework

  • End To End Integration process Flow

  • Conclusion


 

Overview - SAP BTP Cockpit


Commonly known as SAP Business Technology Platform, or BTP (Source - BTP - SAP Help), it provides hosting capabilities for a web-based user interface to manage the various cloud applications. It is also described as the "central point" of entry to the cloud platform, where you can create and access your accounts, sub-accounts and applications and manage all activities associated with them.

Image 1 - Architecture and Users overview - SAP BTP Cockpit 



 

Strategy & Key Integration Requirements


As with any ERP solution, for SAP Cloud Foundry (aka BTP Cockpit) the following are some of the key things to consider.

To assess and baseline an optimal strategy for developing these integrations, one should base the security design on the following 3 categories:




  1. Governance Model

  2. Cloud Connector Model  

  3. Security & Authorization Model


 

Image 2 - Approach & Integration Model Diagram 



 

 

SAP Cloud Environment Model


A few key pointers will help you understand the difference between SAP Cloud Foundry and Neo.

Based on the use case data and my implementation experience, the recommended environment is SAP Cloud Foundry. Key elements are -




  1. Cloud Connector - Identity Authentication Services (IAS)

  2. BTP Cockpit Connector


 

Image 3 - Difference between SAP - Cloud Foundry and Neo 



 

SAP BTP Cockpit Management Console


 

If you want to create a trial account, below is the link for reference:

https://cockpit.hanatrial.ondemand.com/trial/#/home/trial

(Note - You will need an active SAP S* user id or your SAP linked account profile for the below)

Image 4 - SAP BTP Console (Real Time-View) 



 

Once you are inside the SAP BTP Cockpit (Console), in order to further navigate and access key elements, you need to browse under -

Go To Your Trial Account


In order to have the above network flow diagram established, one will need to do the following:

  1. Start from the (root) account - Global Account

  2. Default (trial) version will be provided by SAP

  3. Create Sub-Accounts (as needed)

  4. Create Directory

  5. Within Directory - create sub-accounts


The advantage of having "Directories" is that they let you manage and structure your so-called "systems" and segregate the Development, Quality and Production landscapes.

Image 5 - Account, Sub-Account & Directories (Real Time-View)  
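
An added example (not part of the original blog and not SAP tooling): a small Python audit of the global account, directory and sub-account structure described above. The dictionary layout, the landscape tags and the rule that a Production administrator should not also administer non-production sub-accounts are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample hierarchy. Field names are hypothetical and do not
# mirror any SAP BTP export format.
HIERARCHY = {
    "global_account": "trial-global",
    "directories": [
        {"name": "Development", "subaccounts": [
            {"name": "tp-dev", "landscape": "DEV", "admins": ["alice", "bob"]}]},
        {"name": "Quality", "subaccounts": [
            {"name": "tp-qa", "landscape": "QA", "admins": ["carol"]},
            {"name": "tp-sandbox", "landscape": "DEV", "admins": ["bob"]}]},
        {"name": "Production", "subaccounts": [
            {"name": "tp-prod", "landscape": "PROD", "admins": ["alice", "dave"]}]},
    ],
    # Sub-accounts attached directly to the global account, outside any directory.
    "root_subaccounts": [{"name": "tp-poc", "landscape": "DEV", "admins": ["erin"]}],
}

def audit_hierarchy(h):
    """Return a sorted list of (finding_type, subject) tuples."""
    findings = []
    admin_landscapes = defaultdict(set)
    # Rule 1: every sub-account should sit inside a directory.
    for sub in h.get("root_subaccounts", []):
        findings.append(("SUBACCOUNT_OUTSIDE_DIRECTORY", sub["name"]))
        for admin in sub["admins"]:
            admin_landscapes[admin].add(sub["landscape"])
    # Rule 2: a directory should hold sub-accounts of one landscape only.
    for d in h.get("directories", []):
        if len({s["landscape"] for s in d["subaccounts"]}) > 1:
            findings.append(("DIRECTORY_MIXES_LANDSCAPES", d["name"]))
        for s in d["subaccounts"]:
            for admin in s["admins"]:
                admin_landscapes[admin].add(s["landscape"])
    # Rule 3 (assumed SoD rule): PROD admins should not administer non-PROD.
    for admin, landscapes in admin_landscapes.items():
        if "PROD" in landscapes and len(landscapes) > 1:
            findings.append(("ADMIN_SPANS_PROD_AND_NONPROD", admin))
    return sorted(findings)

if __name__ == "__main__":
    for kind, subject in audit_hierarchy(HIERARCHY):
        print(f"{kind}: {subject}")
```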





 

Integration of (Cloud application)


Depending on whether you would like to integrate a 3rd party cloud application or an SAP cloud application, define the strategy that is best suited to your business need. Here, I will take the example of an external cloud application -

Trading Platform is an external cloud application that interacts through SAP BTP Cockpit (Cloud Foundry) with SAP S/4 HANA - Treasury management module as the backend.

  • Platform users will access via SAP BTP - Cloud Cockpit (Cloud Foundry and Cloud Connector)

  • Business users will login through the backend (SAP S/4 HANA system)


 

Governance & Compliance Model


Define goals, understand the key essential elements of the business requirements for On-Premise versus Cloud applications, and lay out a strategy that is cost-effective and operationally effective.

Image 6 - Key Attributes - Governance, Risk & Compliance Model 



 

Security & Controls Model - Best Practices


Listed below are key elements that one can consider to fulfil the best practice criteria -

  1. A secured, efficient design framework - S/4 HANA v2020 (On-Premise) and Cloud Foundry

  2. Leverages Identity Authentication mechanism

  3. Security Access controls perspective

  4. Integrate Fiori apps (TPI cloud) with S/4 HANA

  5. Segregation Of Duties (SOD)

  6. Risk & Controls framework

  7. Centralized User management

  8. Security Event Monitoring and Logging

  9. Operational effectiveness - process improvements, consider delegations and remediate gaps

  10. Controls Automation


 

Image 7 - Security and Controls Process Model (Best Practices) 



 

Cloud Cockpit & IAS – Risk & Controls Framework


Listed below are key controls to be considered while deploying a risk & controls framework for -

  1. Cloud Foundry - SAP BTP Cockpit

  2. S/4 HANA application

  3. 3rd party (cloud application)


Image 8 - RC Framework 



 

Process working - Real Time Scenario 


The complete working picture, after the various integration scenarios considered in the sections above -

Image 9 - Technical aspects of the process integration 



 

Conclusion


As a recap, before I conclude this blog, I would like to summarize the key factors that one needs to keep in mind while implementing this scenario:

  • Keep in mind key Security and access controls and how they can be applied to your scenario

  • Baseline the various governance and risk controls frameworks (incorporates business reqs)

  • Cloud environment - that will work best per your structure

  • On Cloud and On Premise applications

  • Boundary & Trusted (Systems, applications) to be integrated

  • Risk & Controls framework - (Both, cloud and on-premise)

  • Aim towards a secured and SOD risk-free role

  • Have a monitoring and logging tool in place - alerting, auditing logs & reporting


 

Please do provide your feedback and inputs in the "Comments" section below. I encourage you to follow my profile for any help related to the content, and do share this blog if you feel it will help other fellow practitioners.


 

Key Tutorial Links


To help you get started, listed below are SAP-provided tutorials for getting familiar with, and deep-diving into, the various components of BTP Cockpit, Cloud Foundry, ABAP and S/4 HANA from an integration point of view:

Get Started with SAP Business Technology Platform SAP HANA Service

Develop Your First SAPUI5 Web App on Cloud Foundry

Connect to SAP S/4HANA Cloud with SAP BTP, ABAP Environment

Extend SAP S/4HANA Cloud on SAP BTP, Cloud Foundry Environment

Extend SAP SuccessFactors on SAP BTP, Cloud Foundry Environment

 

 

 