(Jana Subramanian serves as  APJ Principal Cybersecurity Advisor for Cloud Security and has been recognized as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals (IAPP). As part of his responsibilities, Jana helps with strategic customer engagements related to topics such as cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.)

Introduction

The SAP S/4HANA Cloud, Public Edition provides a comprehensive set of features and capabilities that empower businesses to standardize business processes, propel digital innovation and transformation, enhance security measures, and remain competitive in the digital age. As a core component of the GROW with SAP bundle, SAP S/4HANA cloud, public edition enables a seamless transition to Next-Generation Enterprise Resource Planning (ERP) systems, while protecting customer data and incorporating cybersecurity throughout every layer of the platform.

In this blog, we will address frequently asked questions (FAQ) about the cybersecurity aspects of the SAP S/4HANA Cloud, Public Edition that is easy to read by customers and partners. By exploring these frequently asked questions, one can obtain a better understanding of how SAP S/4HANA Cloud, Public Edition can improve security, protect customer data, and minimize potential risks.

Figure 1: Multi-Layer Security

Customer Segregation

S.No	Description of FAQ	FAQ Explained
1	How does SAP segregate each customer environment in SAP S/4HANA cloud public edition, specifically in Azure and GCP environments?	In SAP S/4HANA cloud, public edition uses an ABAP instance running on dedicated VMs for each customer. Security groups are utilized to achieve customer isolation, allowing access only to pre-configured, approved origins. These Security Groups (SGs) help in segregating customer environments, thereby enhancing the security and privacy of each customer's data and systems. This means each customer's resources and applications are confined within their own unique Security Group. This approach ensures that customers' data and applications remain separate and secure from those of other customers. SAP S/4HANA Cloud, public edition utilizes the built-in SAP HANA feature for tenant isolation, which guarantees the separation of customer data at the database level. Customer Security Groups are set up to allow system communication between the Development (D), Test (T), and Production (P) environments within the same customer's landscape. This communication ensures smooth data and system operations while maintaining the necessary isolation between different customers.
2	How is segregation established between admin network, backup network and Customer Tenancy Network?	SAP S/4HANA Cloud, public edition operates within a segregated network that is divided into numerous zones, each comprised of multiple segments. This division into distinct zones and segments facilitates the establishment of trust boundaries. The environment is further segregated into multiple VPC such as System VPC, Admin VPC and Backup VPC. The SAP S/4HANA cloud, public edition tenants are hosted on System VPC that spans multiple availability zones.  Admin VPC manages multiple project or system VPCs within the same region and the central administration network segment, which is linked to the SAP corporate network, houses the central cloud lifecycle management tools.
3	What are resources that are shared in the platform?	SAP S/4HANA cloud, public edition maintains shared infrastructure for  internet-facing components such as load balancers, and web dispatchers, central SAP HANA system, centralized cloud management and operations. This approach allows SAP to provide features such as scalability, cost-effectiveness, uniform mass upgrades, backup and restore, and disaster recovery solutions.

Secure Connectivity

Figure 2: Access to SAP S/4HANA cloud, public edition

S.No	Description of FAQ	FAQ Explained
4	How do customers connect to SAP S/4HANA cloud, public edition?	Communications between customer browser and the system landscapes of SAP S/4HANA Cloud are secured by TLS1.2 Customers use a unique, customer-specific URL. Communication is carried out via the SAP Web Dispatcher -  Reverse Proxy (RP) component For standard users the only way of authentication is SAML 2.0 assertions (SSO), based on SAP Cloud Identity. Using SAP IAS as IDP Proxy, authentication can be delegated to customer owned Identity Provider or 3rd party Identity Provider
5	Do you support dedicated network connection bypassing Internet?	No, Business user access to SAP S/4HANA Cloud, public edition is via the internet, as it is a public cloud-based Software-as-a-Service (SaaS) multi-tenant solution. The system uses TLS1.2 encryption to ensure secure communication between the user's device and the SAP S/4HANA Cloud, public edition.
7	How do I establish security in case I need to integrate with other cloud services?	The S/4HANA cloud, public edition subscription includes  credits for SAP BTP integration suite and extensions. SAP Cloud Identity Services (SAP BTP) are offered for authentication purposes and for integrating Single Sign-On (SSO) with the customer's Identity Provider (IDP). Customer can configure RBAC, API Security, Authentication, Authorization, Access Control for 3rd party integrations. All outbound connections are subject to restricted access control lists configured in the security components utilized within the cloud. Additionally, these outgoing connections must use TLS 1.2 for in-transit encryption.
8	What is the role of SAP BTP in SAP S/4HANA cloud, public edition?	SAP BTP provides a cloud-based platform for developing, deploying, and managing extensions and customizations, embedded analytics, and process automation among others. The Identity Authentications Service (IAS), Identity Provisioning Service (IPS) and certain cloud credits are included in the SAP S/4HANA cloud, public edition bundle. Additionally, SAP S/4HANA cloud, public edition provide ABAP Development Environment.
9	How do I secure the cloud integrations with SAP BTP, SAP S/4HANA cloud, public edition and on-premises SAP systems?	SAP BTP offers numerous services that enable building, extending, and connecting applications throughout the SAP landscape. APIs and Services: SAP BTP supplies a range of APIs and services that can be utilized to access data and functions within the SAP S/4HANA system. Access can be accomplished through the OData services or SOAP APIs provided by S/4HANA cloud. This enables the creation of bespoke applications or extensions on SAP BTP that can interface with the S/4HANA system. SAP Cloud Connector: For on-premises S/4HANA systems, the SAP Cloud Connector can be employed to create a secure link between the SAP BTP and the on-premises system. This ensures that applications on SAP BTP can securely access data and services within the on-premises system. SAP BTP Integration Suite: A service on SAP BTP, CPI enables the integration of disparate systems within the SAP landscape. It can be utilized to integrate SAP S/4HANA Cloud and on-premises systems with other systems (SAP or non-SAP) using pre-packaged integration flows or by creating custom flows. Events and Messaging: SAP BTP also offers services for event-driven architecture, such as the Enterprise Messaging service. This allows for real-time integration, where S/4HANA can publish events that are consumed by applications on SAP BTP. Single Sign-On: SAP BTP offers identity and access management services that can be integrated with SAP S/4HANA for authentication and single sign-on. SAP Fiori Launchpad: This can be employed to provide a unified and seamless user experience by integrating the applications developed on SAP BTP with the S/4HANA system.

Data Protection 

Figure 3: End-to-End Data Protection

S.No	Description of FAQ	FAQ Explained
10	How is data encryption supported for data in transit?	For data in transit, SAP uses TLS1.2 encryption. This means that any data being transmitted between the server and the client is encrypted. AES-256 bit is typically used as the encryption algorithm.
11	How is data at rest encryption performed in SAP S/4HANA cloud, public edition?	All data stored in databases, file systems, and logs is encrypted to protect it from unauthorized access. The Advanced Encryption Standard (AES-256 bit) is used for this purpose. SAP HANA, the database underlying S/4HANA Cloud, provides native data-at-rest encryption. It also includes several other security features, such as secure user authentication and authorization, SQL injection prevention, and audit logging. SAP HANA in-memory database uses HANA Volume Encryption to provide “data-at-rest” encryption for data, log, and backup volumes.  It uses AES-256 encryption algorithm. By default, the infrastructure-as-a-Service (IaaS) provider encrypts the storage used for storing data files, log files, and backup sets using Server-Side Encryption (SSE) technology, which utilizes server-managed keys. Backup and Restore capabilities are included as a part of standard delivery in case of Disaster Recovery. Backups of SAP HANA databases are also encrypted to ensure that data remains secure even when stored secondary site.
12	Can SAP S/4HANA cloud, public edition support Bring Your Own Key (BYOK)?	Yes. SAP S/4HANA Cloud system can be integrated with SAP Data Custodian's Key Management Service, which allows customers to manage their own encryption keys for HANA Data at Rest Encryption. For additional details, please refer to the official SAP documentation.
13	What is the other application-level data protection and privacy controls available with SAP S/4HANA cloud, public edition?	SAP S/4HANA cloud, public edition provides following application-level controls: Role-Based Access Control (RBAC) Pseudonymization Data Blocking and Deletion Data Retention Management Logging and Auditing Secure Data Processing Information Lifecycle Management (ILM) Read Access Logging

High Availability and Disaster Recovery

S.No	Description of FAQ	FAQ Explained
14	Do you support High Availability?	Yes. SAP provides System Availability SLA of 99.7 and deploys various technologies that are necessary maintain System Availability commitment.
15	Do you support Disaster Recovery and if so, what are the RTO and RPO?	Yes. Disaster Recovery is supported as an optional service and is available in select data centre location. The RTO is 12 hours and RPO is 30 minutes.
16	How does S/4HANA cloud, public edition manage capacity?	As the provider of SAP S/4HANA Cloud, public edition, SAP is responsible for the management the infrastructure and capacity of the service. This is to ensure that the systems possess the required resources for an optimal performance. Some of the approaches taken include resource allocation, capacity monitoring, performance evaluation, and scaling adjustments.

Malware Protection

S.No	Description of FAQ	FAQ Explained
17	How do you protect against Malware?	SAP cloud operations employees several security measures to protect against malware which include among others: Endpoint & Server Protection, End-Point Security, Malware Protection, Secure Booting Enforcing Baseline Security Policy based on SAP Global Security Hardening all the Virtual Servers and patching the systems regularly Backup and Restore, Regular Automated Backups and Encryption of Backups, Periodic patching of all infrastructure, applications, and DB Security Awareness Training on Phishing, Awareness, Simulate Testing Network Segregation to reduce the attack surface. Implement Network Security controls such as reverse proxy, security Groups, load Balancers Continuous Security Monitoring Periodic Testing
18	Does SAP S/4HANA cloud, public edition maintain capability virus scan for document uploads?	Yes. SAP S/4HANA Cloud uses virus scanning services to provide real-time protection and prevent the upload of malicious or suspicious content. The capabilities include the following: Real-Time Scanning: The virus scanning service is typically configured to scan files in real-time as they're being uploaded. This ensures immediate detection of any threats. Detection of Malicious Content: The virus scanning service uses advanced detection algorithms to identify various types of threats, including viruses, malware, spyware, ransomware, and other potentially harmful content. Rejection of Infected Files: If a file is found to be infected during the scanning process, the system will reject the file upload and prevent it from entering the system. This process helps to mitigate potential risks and protect the overall system integrity. Reporting and Alerts: When a threat is detected, the system can alert the administrators, providing information about the nature of the threat and the file it was detected in. This allows for prompt action to be taken. Updates and Maintenance: The virus scanning service is regularly updated to detect and prevent the latest known threats, ensuring ongoing protection against evolving cyber threats.

 

Audit Certification and Compliance

S.No	Description of FAQ	FAQ Explained
19	What security certifications audited via external 3rd party auditors are maintained for SAP S/4HANA cloud, public edition?	SAP S/4HANA cloud, public edition maintains several certifications, among them: ISO27001, ISO27017, ISO 27018 ISO 9001 Quality Management Systems BS10012 Personal Information Management ISO22301 Certification for Business Continuity Management Systems SOC 1 Type 2 SOC2 Type 2 The certifications can be downloaded via https://www.sap.com/sea/about/trust-center/certification-compliance.html and SOC attestation report can be requested via Trust Center subject to NDA.

Shared Security Responsibility

S.No	Description of FAQ	FAQ Explained
20	What are the broad security responsibilities for customers in SAP S/4HANA cloud, public edition?	User Management: Customers are responsible for managing their users, including the provisioning and de-provisioning of user accounts, setting appropriate user roles and authorizations (RBAC), and managing user credentials. Data Management: Customers are responsible for the data they store in the SAP S/4HANA Cloud. This includes data entry, data quality, data privacy, and complying with data protection regulations. Secure Configuration: Customers are responsible for configuring the S/4HANA Cloud application to suit their business processes. While SAP provides default configurations and best practice templates, each customer will need to adjust these to their specific requirements. Integration: If the customer is integrating S/4HANA Cloud with other systems (SAP or non-SAP), they are responsible for those integrations. This includes setting up secure connections, mapping data, and maintaining the integration. Compliance: Customers are responsible for ensuring their use of S/4HANA Cloud complies with all relevant laws and regulations. This includes data protection laws, industry-specific regulations, and country-specific laws. Change Management: Customers are responsible for managing changes in their organization, such as training users on how to use S/4HANA Cloud, managing the changeover from old systems, and updating business processes where necessary.
21	What are the broad security responsibilities of SAP as a Cloud Service Provider?	As the Cloud Service Provider (CSP) for SAP S/4HANA Cloud, public edition, SAP has a range of responsibilities to ensure the service is reliable, secure, and up to date. These responsibilities include: Infrastructure Management: SAP is responsible for managing the underlying infrastructure for the S/4HANA Cloud, public edition. This includes servers, storage, networking, and the cloud accounts with respect to Hyperscale providers as IaaS providers where these resources are hosted. System Availability: SAP ensures system availability, minimizing downtime with redundancy and failover mechanisms. Service level agreements (SLAs) typically define the System Availability. System Security: SAP is responsible for securing the underlying infrastructure and the platform. This includes entire platform stack that includes cloud infrastructure, network security, system security, OS, Database. Software Maintenance: SAP manages the updates and upgrades to the S/4HANA Cloud software. This includes patching for security, performance improvements, and adding new features. Backup/Restore/Disaster Recovery: SAP is responsible for implementing disaster recovery measures. This includes data backup and restore procedures to ensure data can be recovered in the event of a disaster. Compliance: SAP ensures that its services audited periodically by independent 3rd party auditors for security assurances. This includes certifications like ISO 27001, SOC1, SOC2 attestations. Personal Data Protection: Maintain Technical and Organisation Measures to protect personal data Personal Data Breach Notification: Maintain operational process in place to detect, report, and investigate a personal data breach. In the event of a data breach that affects personal data, SAP will notify affected customers promptly, in compliance with data protection regulations. This allows customers to take appropriate steps to mitigate the impact of the breach and fulfils SAP's obligations under regulations such as the EU's General Data Protection Regulation (GDPR). Support: SAP provides support to its customers, helping to resolve technical issues, answer queries, and provide guidance on best practices. Monitoring and Incident Response: SAP continuously monitors the system for any anomalies or security incidents and responds accordingly to mitigate risks.
22	What are the other contractual assurances related to cloud services that may be applicable?	Service Level Agreement: Defines the cloud service specific system availability, uptime, update windows, credits, and others SAP data Processing Agreement: SAP and its sub processors obligations and restrictions to process Personal Data in the provision of the Cloud Service, including: Description of Processing Technical Organisational Measures (TOMs) General Terms and Conditions: The essential legal terms that apply to the Cloud Service Cloud Support Policy: The service specific scope of support and success offerings Cloud Service Supplemental Terms and Conditions: The service specific legal terms that apply to the Cloud Service

Backup and Restore

S.No	Description of FAQ	FAQ Explained
23	How does the Backup and Restore process is implemented?	SAP performs regular scheduled backups. In case of any logical errors such as data corruption and other irreparable situations, SAP will perform restore operations. The backups storage is encrypted with AES 256-bit encryption. Appropriate processes and automated tools are in place to validate backup integrity, and backup logs are reviewed daily to detect and correct backup failures In the production environment, data recovery is set up to restore from the disk, with an added safeguard of data replication to a secondary data centre for enhanced data protection and redundancy. Daily backups are implemented to ensure data can be restored in case of data loss or system failure. For the non-production environment, backups are scheduled weekly, thereby providing a consistent and reliable data protection system for both environments

Application Security

S.No	Description of FAQ	FAQ Explained
24	How does SAP follow secure coding for application development?	The Secure Software Development Lifecycle (SSDLC) is crucial to the development of SAP S/4HANA cloud applications. From the outset, the development process is designed to incorporate security considerations, along with data protection and privacy requirements. The development team conducts comprehensive risk assessments and threat modelling, designs security controls, and tests their effectiveness. This includes performing code scans, penetration tests, static (SAST) and dynamic (DAST) application security tests, and independent security assessments. Detailed information on SAP's SSDLC approach can be accessed via link. The SAP S/4HANA source code, encompassing all utilized programming languages, undergoes a comprehensive scan, and the SAP S/4HANA web applications are evaluated through runtime testing. Additionally, The SAP Bug Bounty Program engages third-party researchers in the identification of security vulnerabilities, promoting a proactive approach to system security.

Logging and Monitoring

Figure 4: Security Relevant APIs

S.No	Description of FAQ	FAQ Explained
25	What are the security audit logs are available to customer on SAP S/4HANA application?	SAP S/4HANA supports various logs accessible by customer entities, including Security Audit Logs, Change Documents, Read Access Logs, Authorization Trace Logs, SAP Support User Request Logs, and IAS Security Audit Logs. The security logs can be access via API. For a more comprehensive understanding, please refer to the provided link.
26	Can customer get access to Infrastructure Logs	SAP provides Application Audit Logs which customer will have access. SAP collects and centrally manages Infrastructure Logs for shared infrastructure layers such as Firewalls, Load Balancers, Proxies, Applications Servers, Databases. Due to confidentiality reasons, shared infrastructure logs will not be shared with customers. SAP will perform event correlation across all log events to detect and remediate security incidents working in tandem with customers.
27	Can SAP share Cyber SOC Use cases with Customers?	SAP Cyber Fusion Center manages Security Use Cases after extensive research and are applied to SIEM. This is considered as SAP confidential. No customer specific security use cases will be considered for deployment as this is public SaaS SAP uses a combination of standard cloud monitoring scenarios such as monitoring administrative access and assessing logs for behavioural anomalies or breach of SOD, privilege user access abuse, common web exploits. In addition SAP has created its own proprietary monitoring scenarios based on our extensive experience and the particular characteristics of a specific cloud service This is constantly being updated based on internal review and threat intelligence feeds

Secure Operations

Figure 5: Secure Operations

S.No	Description of FAQ	FAQ Explained
28	Is there any support portal that customer can access to view cloud availability, status, and other touch points with SAP?	Yes. “SAP for Me" is SAP's innovative customer portal designed to offer a personalized interface for its customers. Acting as a centralized access point, the portal seamlessly integrates customer-specific data and digital self-services, facilitating streamlined and digitized interactions during post-sales touchpoints and throughout the customer's lifecycle. This platform serves as a digital companion for SAP customers, offering a customized, transparent view of their complete product portfolio, thereby enhancing their overall SAP experience.
29	Does SAP maintain Cyber SOC and if so, how the security use cases are being built?	Yes, the SAP Security Operation Centre (SOC) operates 24x7 following one global process and maintains external as well as internal Threat Intelligence. SAP maintains playbooks for common security incidents, for example phishing, malware/virus outbreak, privilege escalation, improper usage, unauthorised access, unauthorised disclosure, data deletion and data theft. SAP Security Operations maintain these playbooks and ensure all operations staff are trained in the execution of incident response procedures. Incident response teams follow standard incident response procedures, including detection, analysis, containment, eradication, recovery, and post-incident analysis.
30	How can customer raise a security incident?	Customers can use - SAP ONE Support Launchpad. Details can be found in SAP Note 1296527
31	What is the process for notifying personal data breach notifications to affected customers?	SAP has a comprehensive process for notifying customers of personal data breaches. The process is designed to ensure that customers are informed of the personal data breaches without undue delay and that they are given the information they need to take steps to protect themselves and notifying data protection authorities if required by regulations. The first step in the process is for SAP to investigate the breach. Once the investigation is complete, SAP will determine whether the breach has resulted in the unauthorized disclosure, modification, or deletion of the personal data. The personal data breach notification will be sent to the customer's primary contact person. The notification will include information about the breach, the types of personal data that were affected and the steps taken to remediate the issue that caused the breach. SAP will also work with the affected customers to investigate the breach and to take steps to prevent future breaches.
32	When and who decides to escalate an incident? Who is Contact Point for Security related communications?	Security incidents can be escalated either by a customer initiated process or by a SAP Operations process. SAP will escalate and notify customers when there is a confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or unauthorised third-party access to Personal Data. SAP Breach Process is followed for all incidents and the customer notification will be communicated without undue delay. Communications will be sent to customer security contacts in SAP standard Personal Data Breach template via email and/or customer success manager SPOC. Customers provide and maintain their own Security Contacts within the SAP ONE portal.

Additional References

S.No	Description
1	Protect your SAP S/4HANA cloud
2	SAP Trust Center - Compliance
3	RISE with SAP: Adopting to Zero Trust Architecture Principles with SAP Cloud Services
4	‘Defence in Depth’ Security Architecture with SAP S/4HANA Cloud, public edition
5	Securing GROW with SAP Landscape

Conclusion

This blog seeks to answer some of the most common cybersecurity questions about RISE with SAP S/4HANA cloud, public edition. This solution offers strong and comprehensive security capabilities to protect customers' business data. By utilizing SAP's secure multi-tenanted architecture, secure operations, and security assurances through contracts and certifications, customers can have greater confidence that their mission critical business data is secure from emerging cyber threats. For more information on cybersecurity protections and contractual assurances, customers are encouraged to refer to the SAP Trust Center or access the resources provided in the references.

Acknowledgement:

The author would like to express deep appreciation for PATRICK BOCH, Product Management S/4HANA Security at SAP for his efforts in reviewing the content and providing valuable feedback. Special thanks to Björn Brencher, Product Security for clarifying few of the questions.

Disclaimer:

 © 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.