Securing GROW with SAP Landscape
(Jana Subramanian serves as APJ Principal Cybersecurity Advisor for Cloud Security and has been recognized as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals (IAPP). As part of his responsibilities, Jana helps with strategic customer engagements related to topics such as cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.)
Introduction
SAP introduced GROW with SAP in March 2023 to support mid-sized businesses on their journey to cloud ERP. The GROW with SAP package encompasses several key components, including the cloud ERP solution SAP S/4HANA Cloud, public edition; SAP Business Technology Platform with a certain amount of CPEA credits; pre-configured baseline and packaged activation services; SAP Build services; and expert user support through the SAP Community, among others. This offering helps customers manage business operations with an enhanced cloud-based system, delivering security, flexibility, and predictable cost.
The GROW with SAP bundle provides comprehensive security and ensures that customers' core applications and data are protected through secure operations. In this blog, we will delve into the security features of the cloud-based ERP solution provided by the GROW with SAP bundle and how it enables businesses of various sizes to protect their most valuable assets and data.
Figure 1: SAP Secure Cloud Operations
Shared Security Responsibility
SAP S/4HANA Cloud, public edition is offered as public SaaS. SAP takes responsibility for the security of the SaaS platform architecture through advanced multi-tenant logical separation, security patching, backup and restoration, and the securing of infrastructure elements such as operating systems, networking, and applications. Additionally, SAP handles cloud (hyperscaler) account management, operational security monitoring, incident management, personal data breach notifications, hardening and patching of operating systems and applications, and solution support. Adherence to SLAs and contractual assurance is maintained through the SAP Service Level Agreements, SAP Data Processing Agreements, General Terms and Conditions, and the SAP support policy. Customers are responsible for managing application-layer security, user authentication, authorization, secure integration with third-party systems, and data privacy settings. The table below provides insight into the shared security responsibilities between SAP and the customer for key security topics.
| S.No | Security Theme | SAP Responsibility | Customer Responsibility |
|---|---|---|---|
| 1 | Business/Customer User Authentication | | |
| 2 | Authorization | | |
| 3 | Network Security | | |
| 4 | Security Patch Management | | |
| 5 | Secure Software Development Lifecycle (SSDLC) | | |
| 6 | Logging and Monitoring | | |
| 7 | Encryption | | |
| 8 | Backup and Restore | | |
| 9 | Retention and Deletion | | |
| 10 | Virus Scans on Uploaded Content | | |
| 11 | Secure by Design and Secure by Default | | |
| 12 | Connectivity | | |
| 13 | Disaster Recovery | | |
For more details, please refer to the reference documentation for SAP S/4HANA Cloud, public edition.
Customer Access to SAP S/4HANA Cloud, public edition
- SAP S/4HANA Cloud, public edition is hosted in SAP Converged Data Center, Azure, and Google Cloud at various global locations. In SAP S/4HANA Cloud, public edition and SAP BTP, business users access the application via a standard browser, providing a seamless user experience across all devices, with Fiori applications reached through the Fiori Launchpad.
- SAP S/4HANA Cloud uses a load balancer and a web dispatcher. Incoming requests are directed to the load balancer, which distributes network traffic across a shared web dispatcher cluster. Each customer accesses their system through a unique, customer-specific URL, with communication managed by the reverse proxy component of SAP Web Dispatcher. The web dispatcher routes incoming requests from the load balancer to the customer-specific (ABAP) application.
- Standard users authenticate using SAML 2.0 assertions (SSO) through SAP Cloud Identity, which handles authentication so that end users can securely access the system.
- At the backend, the SAP HANA database powers the system, providing optimized access through Core Data Services (CDS) views. Both the SAP S/4HANA ABAP and SAP HANA components are managed by SAP, ensuring a reliable and secure environment for users.
Figure 2: Customer Access to SAP S/4HANA Cloud, public edition
Secure Customer Data Segregation
In SAP S/4HANA Cloud, public edition, each customer's environment is segregated using security groups. Security groups control access and communication between different resources in the cloud, ensuring that one customer's applications and data are not exposed to other customers' environments. Every tenant has its own ABAP application servers operating on a distinct SAP HANA tenant database. SAP S/4HANA Cloud, public edition relies on the multi-tenant database containers (MDC) feature of the SAP HANA database, which allows multiple isolated databases, referred to as tenant DBs, within a single SAP HANA system. These databases store all application data and configuration specific to each tenant. Each SAP HANA tenant DB therefore has its own set of tables, users, and security policies, and can be managed independently of the other tenant DBs on the same system.
The customer security group allows system communication between the various environments of the same customer. Within a customer's environment there are three systems in the landscape: Development (D), Testing (T), and Production (P). The customer security group enables secure communication between these systems, ensuring that only authorized users and resources within the same customer's environment can access and interact with the data and processes in these systems.
Integrated Secure Landscape
Secure connectivity between SAP S/4HANA Cloud, public edition and SAP Business Technology Platform can be established in several ways: standard OData services in SAP S/4HANA Cloud can be consumed by applications running on SAP BTP, and Integration Suite in SAP BTP can integrate SAP S/4HANA Cloud with other services and applications on SAP BTP through integration flows that define how data is exchanged between the systems.
Additionally, customers can expose SAP S/4HANA Cloud services as APIs and consume them in their applications on SAP BTP. Secure connectivity between SAP S/4HANA Cloud and SAP BTP is established using the available security and authentication mechanisms, such as OAuth 2.0, SAML 2.0, and client certificates. For example, SAP S/4HANA Cloud uses OAuth 2.0 for authentication and authorization, which ensures that only authorized users and applications can access data in SAP BTP.
An SAP S/4HANA Cloud, public edition subscription includes an embedded SAP Analytics Cloud, which is automatically deployed and configured during tenant provisioning. However, it is limited to a live connection to the S/4HANA Cloud tenant only.
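The OAuth 2.0 connectivity described above, as an added illustration that is not SAP's code or documentation: an application on SAP BTP obtains a bearer token with the client-credentials grant and presents it on an OData call to S/4HANA Cloud. The token endpoint, OData URL, client id and secret are constructed placeholders, and the fake authorization and resource servers exist only so the exchange runs offline; the client shows the two behaviours a practitioner has to get right, refreshing before client-side expiry and retrying once when the server rejects a revoked token.

```python
"""Added example, not SAP's code: OAuth 2.0 client-credentials flow between an
app on SAP BTP and an SAP S/4HANA Cloud OData API. URLs, client ids and tokens
are constructed placeholders; the HTTP transport is injectable so the whole
exchange runs offline against the fake servers defined below."""
import base64
import json
import time
from urllib.parse import parse_qs

TOKEN_URL = "https://auth.example.invalid/oauth/token"                        # placeholder
ODATA_URL = "https://s4.example.invalid/sap/opu/odata/sap/ZEXAMPLE_SRV/Items"  # placeholder


class TokenError(Exception):
    pass


class OAuthClient:
    """Obtains, caches and refreshes a bearer token; credentials travel only in the Basic header."""

    def __init__(self, client_id, client_secret, transport, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.transport = transport   # callable(method, url, headers, body) -> (status, headers, body)
        self.clock = clock
        self._token, self._expires_at = None, 0

    def _fetch_token(self):
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        status, _, body = self.transport(
            "POST", TOKEN_URL,
            {"Authorization": "Basic " + creds, "Content-Type": "application/x-www-form-urlencoded"},
            "grant_type=client_credentials")
        if status != 200:
            raise TokenError(f"token endpoint returned HTTP {status}")
        data = json.loads(body)
        if data.get("token_type", "").lower() != "bearer":
            raise TokenError("unexpected token_type")
        self._token = data["access_token"]
        self._expires_at = self.clock() + int(data["expires_in"]) - 30  # refresh 30 s early

    def token(self):
        if self._token is None or self.clock() >= self._expires_at:
            self._fetch_token()
        return self._token

    def get(self, url):
        """GET with a bearer token; on 401 (token revoked server-side) refresh once and retry."""
        for attempt in (1, 2):
            headers = {"Authorization": "Bearer " + self.token(), "Accept": "application/json"}
            status, _, body = self.transport("GET", url, headers, None)
            if status != 401 or attempt == 2:
                return status, body
            self._token = None


class FakeLandscape:
    """Constructed stand-in for the authorization server and the OData service."""
    VALID_CLIENT = ("btp-app-placeholder", "secret-placeholder")

    def __init__(self):
        self.issued = {}          # access token -> expiry time
        self.token_requests = 0
        self.t = 1_000_000.0      # fake clock shared by client and servers

    def now(self):
        return self.t

    def transport(self, method, url, headers, body):
        if (method, url) == ("POST", TOKEN_URL):
            return self._token_endpoint(headers, body)
        if (method, url) == ("GET", ODATA_URL):
            return self._odata_endpoint(headers)
        return 404, {}, ""

    def _token_endpoint(self, headers, body):
        self.token_requests += 1
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, {}, ""
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if (user, pw) != self.VALID_CLIENT:
            return 401, {}, json.dumps({"error": "invalid_client"})
        if parse_qs(body).get("grant_type") != ["client_credentials"]:
            return 400, {}, json.dumps({"error": "unsupported_grant_type"})
        tok = f"tok-{self.token_requests}"
        self.issued[tok] = self.t + 600
        return 200, {}, json.dumps({"access_token": tok, "token_type": "Bearer", "expires_in": 600})

    def _odata_endpoint(self, headers):
        auth = headers.get("Authorization", "")
        tok = auth[7:] if auth.startswith("Bearer ") else None
        if tok not in self.issued or self.issued[tok] <= self.t:
            return 401, {"WWW-Authenticate": "Bearer"}, ""
        return 200, {}, json.dumps({"d": {"results": [{"ItemId": "1"}]}})


def demo():
    """One token serves several calls; client-side expiry triggers a transparent refresh."""
    land = FakeLandscape()
    client = OAuthClient(*FakeLandscape.VALID_CLIENT, transport=land.transport, clock=land.now)
    s1, _ = client.get(ODATA_URL)
    s2, _ = client.get(ODATA_URL)
    land.t += 700                                   # token now expired on both sides
    s3, body = client.get(ODATA_URL)
    return {"statuses": (s1, s2, s3), "token_requests": land.token_requests,
            "rows": len(json.loads(body)["d"]["results"])}
```

Against a real landscape the `transport` callable would wrap an HTTPS client that verifies the server certificate; the secret is sent only in the `Authorization` header of the token request, never in a query string, and the access token is the only credential the OData call ever sees.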
Figure 3: Secure Integrated Landscape
Encryption Controls
By default, SAP manages the encryption keys for data-at-rest encryption in SAP S/4HANA Cloud, public edition. The keys are managed in two secure stores in the file system (SSFS). The instance SSFS stores the various encryption root keys (data volume, log volume, backup), while the system PKI SSFS stores the system-internal root certificates used for secure internal communication. The contents of both SSFSs are protected by SSFS master keys, which are generated during installation. Customers also have the option to use customer-controlled encryption key integration; refer to the documentation for details.
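The layered key protection described above, modelled as an added example that is not SAP's code: a master key protects a store of root keys (data volume, log volume, backup), and each root key protects its own payload, so rotating the master key re-wraps the root keys without touching the encrypted data. The cipher is a simple HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen so the block runs on the standard library alone; SAP HANA's actual algorithms and on-disk formats are not reproduced, and the store class is a stand-in for an SSFS, not its real interface.

```python
"""Added example, not SAP's code: a master key wraps root keys, root keys wrap
data. The cipher is a toy HMAC-SHA256 keystream for illustration only."""
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return keystream_xor(key, nonce, ct)


class SecureStore:
    """Stand-in for an SSFS: root keys are held only in sealed form under the master key."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._entries = {}

    def put_root_key(self, name: str, root_key: bytes):
        self._entries[name] = seal(self._master, root_key)

    def root_key(self, name: str) -> bytes:
        return open_sealed(self._master, self._entries[name])

    def rotate_master(self, new_master: bytes):
        """Re-wrap every root key under the new master; root keys and data stay unchanged."""
        plain = {n: self.root_key(n) for n in self._entries}
        self._master = new_master
        for n, k in plain.items():
            self.put_root_key(n, k)


def demo():
    """Data sealed under the data-volume root key survives a master-key rotation,
    and cannot be opened with a different root key from the same store."""
    store = SecureStore(secrets.token_bytes(32))
    for name in ("data_volume", "log_volume", "backup"):
        store.put_root_key(name, secrets.token_bytes(32))

    page = b"constructed sample page of tenant data"          # constructed payload
    enc_page = seal(store.root_key("data_volume"), page)

    store.rotate_master(secrets.token_bytes(32))               # does not touch enc_page
    still_readable = open_sealed(store.root_key("data_volume"), enc_page) == page

    cross_key_rejected = False
    try:
        open_sealed(store.root_key("backup"), enc_page)        # wrong root key
    except ValueError:
        cross_key_rejected = True
    return {"readable_after_rotation": still_readable, "cross_key_rejected": cross_key_rejected}
```

The point the model makes is operational: the master key is the only secret that must be protected out of band, a master rotation is cheap because it never re-encrypts data, and each root key is scoped to one purpose so a key for one volume cannot open another.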
Figure 4: Data Protection and Encryption Stack
API Security
Customers should follow a best-practice approach to the security settings under their responsibility. SAP BTP provides API security through API Management. SAP S/4HANA Cloud provides the Business User Change API, the Security Audit Log API, the Business Role Change API, OAuth 2.0, SAML 2.0, and Cross-Origin Resource Sharing (CORS) security. In addition, customers should establish strong authentication methods for business users, such as multi-factor authentication and single sign-on. It is also crucial to define and enforce appropriate authorization levels based on users' roles, to securely configure and manage trusted certificates for secure communication channels, and to implement read access logging to monitor and audit data access for potential security breaches or unauthorized activities.
Figure 5: API Security
Data Protection and Privacy
While SAP, as a data processor, is committed to protecting data through its Data Processing Agreement and Technical and Organisational Measures, the SAP S/4HANA Cloud application offers built-in security features and specific data protection functions that customers can easily customize to meet their data privacy compliance needs. These functions include consent management, security audit logs, read access logs, and blocking and deletion of personal data.
Figure 6: Data Privacy in SAP S/4HANA Cloud, public edition
For more details on the data protection and privacy features available with SAP S/4HANA Cloud, public edition, please refer to this documentation.
Additional References
Conclusion
Cybersecurity is paramount for safeguarding critical assets in all businesses, regardless of their size and scale. The GROW with SAP bundle addresses this need by providing a holistic approach to cybersecurity and data privacy requirements. This comprehensive offering not only ensures the protection of a company’s core assets but also affords flexibility, seamless integration, and the ability to extend and modernize their core ERP digitally. Thus, as mid-sized businesses adapt to the changing digital landscape, adopting the GROW with SAP bundle can help them enhance their cybersecurity posture and compliance measures.
Disclaimer:
© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.
Very well illustrated Jana Subramanian. With more customers going into our Public Cloud ERP, this helps clarify the security aspects to our Partners & Customers.
-Saumi
Hi Jana,
Very well explained, and it provides an overall picture of SAP Public Cloud security.
Thanks for Sharing.
Regards,
Uppdeep