Multi-layer Cloud Defense Strategy by SAP

Trust in the Cloud: RISE with SAP, Private Edition's Impenetrable Defense Architecture

In the world of "RISE with SAP," data security and privacy is taken seriously. At the heart of the offering is the SAP S/4HANA Cloud, Private Edition, which holds our customer's mission-critical data and business processes. To ensure the safety and security of the customers' data, SAP offers multi-layer "defense in depth" architecture, managed by SAP Enterprise Cloud Services (ECS).

The SAP S/4HANA Cloud, Private Edition provides a secure and flexible solution for customers, with a single tenanted landscape that allows for greater control over data and more flexibility in upgrade cycles and add-ons. The defense in depth security architecture ensures that customer information assets are protected in terms of confidentiality, integrity, and availability. This solution offers a clear roadmap for existing ECC on-premises customers looking to transition and transform to cloud services. With security monitoring, incident management, and independent third-party security audits all handled by SAP operations and management personnel, customers are free to focus on their core business processes while reducing their total cost of ownership and accelerating time to market.

Data Security

The SAP S/4HANA Cloud, Private Edition is a secure haven for businesses, offering a suite of robust data security features to ensure customer data is protected at all times. Here are some of the key security features offered by SAP:

1. Virtual Instance Separation: Each customer is allocated a separate virtual instance for their database and application servers, ensuring complete isolation and protection of their critical data.
2. Data Encryption at Rest: With SAP HANA Data Encryption, data at rest is protected using the highly secure AES-256-CBC encryption algorithm. Root encryption keys for data volume, log volume, backup, and application are stored in the Instance Secure Store File System (SSFS) within the HANA database instance. The contents of SSFS are protected by the SSFS Master Key, and the encryption root keys and master keys are generated during installation and updates and can be changed upon request.
3. Server-Side Encryption: The data at rest, including database volume, backups, redo logs, and storage, is encrypted using server-side encryption at the Hyperscaler storage.
4. Transport Layer Security: All HTTP traffic is protected using the highly secure TLS 1.2 transport layer encryption with AES-256-GCM.
5. Built-in Security Features: SAP HANA comes with a host of built-in security features, including role-based access control, authorizations, UI masking, and anonymization capabilities, to further bolster the security of customer data.

With these robust data security features in place, businesses can rest assured that their mission-critical data is always protected and that their operations can continue seamlessly and securely.

Application Security

1. Integration of the Web Application Firewall with hyperscalers’ Application Gateway or Application Load Balancer to secure inbound traffic from the internet.
2. End-to-end encryption of data in transit ensures that sensitive information remains secure throughout its journey.
3. Secure connectors and agents are available to integrate the SAP S/4HANA system with other SAP SaaS applications. These agents are provisioned upon request and after the customer has acquired the respective cloud solutions.
4. Reverse Proxy - Web Dispatcher - ensures that there is no direct access to the backend system.
5. Secure Cloud Integrations via SAP Cloud Connector.
6. All outbound connections are restricted by access control lists configured within the cloud's security components. In addition, all outgoing accesses are encrypted using TLS 1.2.
7. Support for identity authentication via SAML, Kerberos/SPNEGO, and X.509 certificates.
8. Multi-Factor Authentication is also supported, providing an extra layer of security for user authentication.

Network Security

1. The SAP S/4HANA Cloud, Private Edition provides a secure and dedicated infrastructure on popular IaaS platforms like AWS, GCP, and Azure. Each customer is assigned a set of accounts or subscriptions to deploy their own virtual SAP instances, with the Virtual Private Cloud (VPC) or Virtual Network (VNET) created within each subscription or account to ensure system and data isolation.
2. These VPCs/VNETs are further divided into multiple subnets, each with a Security Group (AWS), Firewall (GCP), or Network Security Group (Azure) to manage network traffic.
3. Higher-level security policies are pushed down to each subscription or account, ensuring consistent security across the landscape.
4. Data replication traffic from the primary to the DR site is always transmitted via private connectivity (peering).
5. Customer access to VPC or VNET is only possible via private dedicated connectivity, which can be configured to disallow any network access from the internet.
6. SAP administers its network and customer VPC/VNET separately, with the admin network protected by its own firewall.
7. All network traffic between the customer VPC/VNET and the SAP admin network flows through encrypted VPN tunnels, and all administrative data exchanges use TLS 1.2 standards.
8. Administration access requests are subject to an access manager workflow approval process, with designated authorities validating all requests.
9. All actions, including granting/denying admin access and actions taken by administrators, are logged and audited to ensure accountability and traceability.

Operational Security

SAP Enterprise Cloud Services (ECS) offers a range of services designed to protect our customers' environments, including patch management, hardening of virtual instances, and security incident and event management. Teams work around the clock to monitor infrastructure, databases, and security incidents. Customers are also provided secure admin access, regular backups, and security scanning and remediation to ensure the highest level of security. With ECS, our customers can rest assured that their environments are protected against potential threats.

Security Audits

SAP audits security controls which are validated through various Certifications & Attestations

ISO Certificates

1. ISO9001 Quality Management System
2. ISO27001 Information Security Management System
3. ISO27017 Implementation of cloud-specific information security controls
4. ISO27018 Protection of personal data in the cloud
5. ISO22301 Business Continuity

SOC1 and SOC2 Type 2 audits are performed to validate the design of security controls and the implementation effectiveness of the security controls. SOC2 Type 2 report can be directly requested to SAP Trust Center subject to NDA. SOC1 Type 2 reports are available for existing customers who have production instances and have a valid NDA which can be requested via SAP Trust Center. Click to know more about SOC1 and SOC2 Type 2.

‍That is a wrap for today. In our next installment, we'll do a detailed security comparison between RISE with SAP’s Private Edition and Public Edition. So make sure you come back for more insights because this is a blog you don't want to miss!

‍