Enhanced Data Security and Protections for SAP Cloud Services
(Jana Subramanian serves as APJ Principal Cybersecurity Advisor for Cloud Security and a Fellow of Information Privacy (FIP), awarded by the International Association of Privacy Professionals (IAPP). In this role, Jana supports strategic customer engagements on cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.)
SAP customers host their business critical and sensitive data in cloud services, where SAP manages cybersecurity at the platform level using a shared security model. SAP’s cloud services contractual assurance includes a Data Processing Agreement that outlines Technical and Organizational Measures, a Service Level Agreement (SLA), and a Support Policy, among other security assurances. With the increasing amount of data being collected and processed by organizations, SAP provides solutions for greater transparency and control over data security for customers. This is part of our customer-centric approach to data security. SAP customers often want to have control over their data security and protection, especially when their SAP cloud services are hosted in public clouds such as AWS, Azure, and Google Cloud Platform. In addition to the invalidation of the EU-US Privacy Shield framework, the Schrems II decision by the Court of Justice of the European Union (CJEU) has also led to increased scrutiny of data transfer mechanisms and the development of new privacy standards for cross-border data transfers. As a result, companies are now required to implement additional measures to ensure the privacy and security of personal data when transferring it between the EU and the US.
Customers often look for the following capabilities:
- Capabilities for managing their own encryption keys
- Visibility into where their data is resident and where it is being accessed
- Access to their own SAP application security audit logs and reporting
- Security Incident and Event Management to monitor SAP landscape
- Advanced Identity and Authentication Management
- Capabilities that support User Interface Masking and Logging
In this discussion, we will explore the security solutions and tools available to our customers and their respective use cases for securing their data hosted on SAP cloud services. Some of these security services may be available under an additional license only for a specific set of cloud services.
SAP Data Custodian Key Management Service
As SAP customers adopt a cloud-first strategy, SAP S/4HANA applications are increasingly being hosted on public cloud services such as AWS, Azure and GCP. For enhanced security and data protection, our customers require control over their cryptographic keys, empowering them to take a proactive approach to securing their data hosted on SAP cloud services. SAP Data Custodian Key Management Service (KMS) simplifies the process of securing sensitive data in public, private, hybrid, and multi-cloud environments. It provides cryptographic key provisioning, control, and monitoring services to protect your data.
SAP Data Custodian delivers an independent key management system (KMS) through a Software as a Service model (SaaS). In general, SAP Data Custodian KMS can be used with S/4HANA single-tenant deployments such as BYOL, SAP Analytics Cloud (Private Edition), SAP S/4HANA Cloud, Private Edition (in roadmap), and S/4HANA hosted in public clouds. The key features of SAP Data Custodian KMS include:
- Compliance with FIPS 140-2 certification (for select cases)
- Data protection and privacy
- Prevention of cloud service providers from having visibility into customer data
- Segregation of Duties
- Master Key Management outside of the HANA environment
- Multiple levels of key chain hierarchy
- Role-based access, authentication, and authorization
- Audit logs for KMS access
Broadly, SAP Data Custodian KMS offers four different models with nuanced differences namely Bring Your Customer Controlled Encryption Keys, Bring Your Own Key (BYOK), Hold your Own Keys, and Customer Specific Encryption Keys (CSEK). You can refer to help.sap.com for details:
- Customer-Controlled Encryption Keys (CCEK) Scenarios
- Bring Your Own Key (BYOK) Scenarios
- Hold Your Own Key (HYOK) Scenarios
- Customer-Specific Encryption Key (CSEK) (Glossary Link)
SAP Data Custodian Transparency and Control Service
SAP Data Custodian Transparency and Control Services offers customers with data transparency and control capabilities. The service delivers cloud data insight and protection, data governance, compliance and audit reporting, and rapid identification and notification of data protection issues.This allows customers to control over how their data is used and accessed. SAP Data Custodian offers policy-based templates for regulatory and business compliance that can be readily configured by customers. This makes it easy for customers to ensure that their data management practices meet the necessary regulatory and compliance requirements.
SAP Data Custodian provides transparency and control over data, which can be useful in a variety of situations, including:
- Data Classification: Organize and classify data to better understand and manage it
- Inventory/Cloud Resource: Track and manage cloud resources and data inventory
- Unauthorized Access: Prevent unauthorized access to sensitive data
- Data Localization: Ensure that data is stored and processed in compliance with relevant laws and regulations
- GDPR Compliance: Help organizations comply with the EU General Data Protection Regulation (GDPR)
- Export Control: Ensure compliance with export control regulations
- Cloud Provider Access Control: Control access to cloud provider services and data
- S/4H Access Transparency: Provide visibility into access to SAP S/4HANA data
- S/4H Field Masking: Mask sensitive fields in SAP S/4HANA data
- Data Localization and Residency: Manage data localization and residency requirements.
Application-Level Security Audit Log Control
SAP manages platform-level logs in cloud services, and customers have access to security audit logs at the cloud application layer. Application-level security audit log include change audit logs, read access logs, and authorization trace logs, among others. This allows customers to monitor and track access to their data and ensure that their applications are being used in compliance with their security policies. For more information on logging for SAP S/4HANA security, please refer to the SAP Press book on the topic. This book provides detailed information on how to configure and use logging to ensure the security of your SAP S/4HANA system.
SAP Enterprise Threat Detection Cloud Edition
SAP Enterprise Threat Detection Cloud Edition offers real-time security event monitoring for customer’s SAP landscape at a low cost through a consumption-based subscription license model. This service allows customer to benefit from SAP’s expertise in monitoring security issues in SAP systems, helping customer to identify and respond to potential threats in a timely manner. This is a multi-tenant cloud application that runs on SAP Business Technology Platform (Cloud Foundry) using SAP HANA Cloud. It can be used to monitor logs from SAP ABAP systems, SAP HANA systems, and SAP Java systems. This allows customer to track and monitor security events across your entire SAP landscape, helping customer to identify and respond to potential threats in real-time. For more information, please refer to the provided link containing additional information and resources on the topic.
UI Masking and Logging
Organizations can use UI masking solutions to improve data protection and comply with internal and legal requirements for restricting access to sensitive data. Sensitive data is masked on the application server side, which prevents editing of the data in SAP user interfaces. This ensures consistent protection of sensitive data across the entire application, including in table displays, value help, export, download, print, and other functions. The enhanced data protection features include field level masking, attribute-based access control, reveal on demand, and data blocking. This helps to prevent unauthorized access to sensitive data and ensures that it is used in compliance with your security policies.
In addition, UI logging solutions help you track data access across SAP’s platform-specific environments. This enhances data security and compliance by logging user data and showing you who accessed which data, how, and when. For the latest enhancements to the product, check out blog.
SAP Business Technology Platform – Data Privacy Controls
The SAP Business Technology Platform has been designed with built-in capabilities for privacy controls that can be configured by the customer administrator. This includes transparent collection of user data and a range of privacy configuration options. With SAP BTP, customers can use data privacy settings to manage consent, track changes and logging, create information reports, and initiate data erasure. These key functions help customers maintain control and visibility over their data privacy.
Please refer to the following diagram for an overview of the data privacy features available with SAP BTP.
SAP BTP provides support for the management of identities, authentication, authorization, identity federation, principal propagation, distributed application logging for compliance, and extensive monitoring capabilities.
Please refer to the following diagram for an overview of the data security features available with SAP BTP.
For more information, refer to the blog “Essential Data Privacy and Security Controls in SAP Business Technology Platform”
Our SAP security solutions help customers protect their mission critical data in SAP cloud services. The goal is to give customers control over their own data and help them meet regulatory and business requirements. Customers can choose from a range of security solutions, each designed for specific use cases and cloud services. Customers can enhance data security and protection by purchasing additional licenses for the respective security solutions.
(Disclaimer: Please note that the views and opinions expressed in this blog are for informational purposes only and should not be considered legal advice. The content in this blog does not constitute any representation or commitment on the part of SAP. This blog is not intended to create any legal relationship between SAP and the reader, and SAP is not responsible for any actions taken based on the information provided in this blog.)