Decoding Data Types and Security in SAP Cloud Services
(Jana Subramanian serves as APJ Principal Cybersecurity Advisor for Cloud Security and a Fellow of Information Privacy (FIP), awarded by the International Association of Privacy Professionals (IAPP). In this role, Jana supports strategic customer engagements on cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.)
Data is the new currency and businesses need data to survive and thrive in the digital age. As enterprises embrace cloud technology to access, process, store and manage their data, they find themselves traversing a complex terrain of diverse data types, each presenting its unique attributes and security prerequisites. Understanding these data types and their implications for data security and regulatory compliance is paramount. SAP cloud services support a wide range of cloud data types that help customers to manage their business and analyse the data. This blog explores the diverse data types supported by SAP cloud services. This will help to navigate security, compliance, and regulatory requirements around handling various data types. It is important to note that while we will provide a high-level overview of these data types, the specific data types hosted in SAP cloud services may vary depending on an organization’s unique business requirements, integration landscape, and the ever-evolving dynamics of security and regulation.
Cloud Data Types
SAP cloud services host a variety of data types in cloud environments, including personal data, sensitive data, business data, integration data, and configuration data. Each of these data types has cybersecurity requirements and regulatory implications. Personal data, encompassing any information relating to an identifiable individual, and sensitive data, which includes details like health information or biometric records, are heavily regulated under laws like Europe’s GDPR, India’s Digital Personal Data Protection Act and China’s PIPL, requiring strict consent, protection, and handling protocols. Business data, though less strictly personal, is in general associated with personal data and still requires safeguarding, as it may contain proprietary or confidential information. Integration data, used to connect various systems or applications, and configuration data, essential for system setup and preferences, might not be inherently sensitive but can become so depending on the specific content and context.
The following section provides a high-level overview of personal data, sensitive personal data, and business data stored in SAP cloud services. While the data types mentioned in this blog are just examples of cloud data types, they do not encompass details of every field that can be configured within the cloud services. Nonetheless, this information will assist in having a fundamental understanding of the types of data stored, thereby facilitating an assessment of security, compliance and regulatory requirements.
SAP Business Technology Platform
SAP BTP maintains more than 90 services that can be used for many integration, extension, database, analytics, and database management use cases. Organizations must carefully evaluate what data type is used, accessed, processed, and stored in SAP BTP to determine compliance with their respective regulations. Customers can create a sub-account with SAP BTP and host their service in a region of their choice.
The table below provides examples of cloud data types for the most commonly used services in SAP BTP.
|Service||Examples of Cloud Data Types|
Messages processed on a runtime node often encompass business data related to an integration scenario and may include personal data.
|SAP Identity Authentication Service||
|Identity Provisioning Service||
SAP Identity provisioning services can also store custom data types, depending on the specific needs of the organization. For example, an organization might use SAP Identity provisioning services to manage access to custom applications or systems. In these cases, the organization can define custom data types to store information about these applications or systems.
|Destination||The data type stored in the SAP BTP Destination Service is a JSON object. This object contains information about the destination, such as:
The SAP BTP Destination Service can be used to store destinations for a variety of different applications and systems, including:
SAP Analytics Cloud
Data modelling in SAP Analytics Cloud allows users to refine their data for analysis by bulk editing, categorizing, forming hierarchies, and creating custom calculations. The business intelligence segment of SAP Analytics Cloud consists of two main components: models and stories.
- ‘Models’ serve as the foundation for data analysis, involving the cleaning and organization of data. This includes defining the metrics and dimensions, arranging data hierarchies, configuring units and currencies, and introducing formulas to enrich the data.
- ‘Stories’ are the visualization aspect, where data is transformed into charts and graphs for enhanced understanding and insights.
|Services||Examples of Cloud Data Types|
|Planning, Business Intelligence, Predictive Analytics, Modelling||On-premises data sources (may contain metadata and some personal data). Query Data may contain personal and sensitive personal data.
SAP SuccessFactors is a cloud-based human capital management (HCM) software suite that helps organizations manage their workforce. It includes a wide range of modules for core HR, talent management, payroll, and analytics. The types of cloud data that are stored in SAP SuccessFactors are generally considered to be personal and sensitive data. This includes information such as employee names, email addresses, employee IDs, departments, job titles, salaries, benefits, performance reviews, goals, development plans, compensation data, payroll data, and analytics data.
|Service||Cloud Data Types|
|Employee Central (EC)||
SAP Ariba allows customers to provide Personal Data for user creation within the solution, stores transaction documents that may contain Personal Data of signatories or business contacts, and maintains contact information related to Trading Partners. Consequently, the typical range of Personal Data processed includes an individual’s name, business email address, and business phone number. Additionally, buyers have the option to include users’ home addresses for delivery of items purchased through the platform. Furthermore, some solutions within SAP Ariba give buyers the capability to create custom fields specifically for collecting additional Personal Data. SAP Ariba processes only non-security-classified information, such as vendor masters, purchase orders, purchase requisitions etc. In a typical hybrid integration scenario, copies of most transactional data reside in the customer’s ERP system.
SAP Ariba prohibits the processing of sensitive personal data through the solutions, such as by creating custom fields, unless SAP has expressly authorized it for a specific purpose of the solution. In such cases, customers must submit the data strictly in compliance with both the privacy statement and contractual agreement.
|Services||Examples of Cloud Data Types|
|SAP Ariba – Business Contact Information||
|Ariba Strategic Sourcing Suite – Business Data||
|SAP Ariba Supply Chain Collaboration||
|SAP Ariba Commerce Automation||
SAP Concur stores a wide variety of data, including:
- Expense data: This includes information such as the date, time, location, and amount of each expense, as well as the vendor’s name, expense type, and payment method.
- Travel data: This includes information such as the dates and times of travel, the origin and destination, the mode of transportation, and the accommodations.
- Invoice data: This includes information about invoices received from vendors, such as the vendor’s name, invoice number, invoice date, and invoice amount.
- Payment data: This includes information about payments made to vendors, such as the date, amount, and payment method.
- Employee data: This includes information such as the employee’s name, email address, employee ID, department, and job title.
- Company data: This includes information such as the company name, address, and tax ID number.
In addition to this standard data, SAP Concur can also store custom data types, depending on the specific needs of the organization. For example, an organization might use SAP Concur to manage travel policies, approvals, or reimbursements. In these cases, the organization can define custom data types to store information about these policies and processes.
|Services||Cloud Data Types|
|Expense and Travel||
SAP S/4HANA Cloud, private edition, is a privately managed solution that can handle large amounts of data, including personal and sensitive data. The types of data stored will vary depending on the company’s operations, the modules they use, and the privacy regulations they operate under.
|Services||Cloud Data Types|
Cybersecurity and Data Protection in SAP Cloud Services
While customers retain ownership of their data, SAP maintains its obligations as a data processor by protecting this data through various technical and organizational measures. SAP safeguards customer data using data encryption both at rest and in transit. SAP cloud services offer tools for authentication, role-based access control, and security audit logs, including read access logs and change audit logs. SAP maintains confidentiality, integrity, and availability controls to maintain robust protection of customer data. SAP provides contractual assurances regarding personal data protection through data processing agreements that address compliance issues related to cross-border data transfers.
Cloud customers are given a variety of tools to manage security and data privacy in relation to their applications and data hosted in SAP cloud services. Some procedures are specific to individual SAP cloud services, and it is up to the customer to use these tools effectively to improve security and maintain data privacy.
For instance, customers have the option to utilize features like UI Masking and Logging within the SAP S/4HANA environment (for an additional license), enhancing data security. UI Masking helps in obscuring sensitive data fields from users who don’t need to see them, adding an extra layer of confidentiality. Similarly, Logging provides a transparent audit trail of user interactions with the system, contributing significantly to data integrity and accountability. These tools, when used effectively, further strengthen the cybersecurity posture of businesses using SAP Cloud Services. For customers facing strict regulatory requirements, SAP Data Custodian’s Transparency and Control services offer complete visibility into where data is accessed and stored. Furthermore, customers can take advantage of the Bring Your Own Key (BYOK) capabilities provided by SAP Data Custodian’s Key Management Service (KMS) for SAP S/4HANA Cloud, private edition, enhancing data security and control.
In conclusion, it is paramount to perform due diligence and navigate the intricacies of cloud data types and security within SAP Cloud Services. While SAP cloud services support a diverse array of data types, including personal and business data, customers must be aware of the specific characteristics and sensitivity of the data they host, as well as the regulatory requirements that govern data hosted in SAP cloud services. SAP is committed to enforcing stringent cybersecurity and data privacy measures to safeguard data hosted in cloud services. However, the effectiveness of data security and compliance depends on a collaborative shared security and governance model, recognizing that safeguarding data is a joint endeavour between SAP and its customers.
© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.