Security and Compliance Blogs
SvenFrank


This blog was co-authored by Amos Wendorff & Martin Pankraz

 

Introduction

SAP, as a global cloud player, follows a multi-cloud strategy and uses whichever platform fits a given solution best. To support this, Microsoft Entra ID plays a central role as the Identity Provider (IDP) that governs and manages access.

Cross-tenant and IDP capabilities allow us to enforce geo-location restrictions covering more than 6k IP ranges, manage and enforce device compliance for more than 350k devices across multiple platforms, and require multi-factor authentication (MFA) at various levels for more than 150k active users.


Transitioning to Entra ID Access Governance

We at SAP recommend that SAP Identity and Access Management (IDM) customers migrate to Microsoft Entra ID as well. We already run it in various areas as a governance solution, which lets us orchestrate, via Cross-Tenant Sync or SCIM, the required accounts and access to AWS, GCP, SAP Business Technology Platform (BTP), and others. See this introductory article and this migration guide for more details.

Handling user identities and application permissions

Let’s talk about the IDP capabilities. By tagging applications (also known as service principals) with custom security attributes, those attributes flow through to Conditional Access policies, which are defined based on security, contractual, or compliance requirements. This avoids fiddling with the policies daily, which matters when over 30k applications are connected.

Hyperscalers like Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), or Alibaba Cloud, and SAP Business Technology Platform are configured as Enterprise Apps. They are managed with Entra ID tags based on security requirements.

If you want to know more about how to integrate SAP Business Technology Platform with Entra ID, have a look here.


Let’s focus on our Azure world for now. We use cross-tenant sync for swift account synchronisation, including inheritance of the security model; device compliance and MFA management are two of the sources. One example: limiting access to these resources to sessions whose authentication level is FIDO2 or similar, which can be controlled easily with custom security attributes.
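The tag-to-policy flow described above can be turned into a drift check. The following added example (written for this post, not SAP's own tooling) walks a Graph-style export of service principals and Conditional Access policies and reports apps tagged as privileged that no enforced policy protects with phishing-resistant MFA; the attribute set and name, the sample apps and the policies are constructed, and the filter-rule syntax and the built-in authentication-strength id are assumed from Microsoft Graph documentation, so verify them against your own tenant export.

```python
"""Posture check: each privileged-tagged app needs an enabled CA policy demanding phishing-resistant MFA."""
import re

# Built-in Entra authentication strength id for "Phishing-resistant MFA" (assumed from Graph docs).
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"

# Constructed sample shaped like Graph servicePrincipal objects; attribute set
# "Governance" and attribute "AccessTier" are assumed names, not SAP's.
SERVICE_PRINCIPALS = [
    {"displayName": "Azure Subscription Admin Portal", "customSecurityAttributes": {"Governance": {"AccessTier": "Privileged"}}},
    {"displayName": "BTP Cockpit", "customSecurityAttributes": {"Governance": {"AccessTier": "Privileged"}}},
    {"displayName": "Internal Wiki", "customSecurityAttributes": {"Governance": {"AccessTier": "Standard"}}},
]

# Constructed sample shaped like Graph conditionalAccessPolicy objects. Typical drift:
# CA01 only enforces classic MFA, CA02 has the right control but is report-only.
PRIV_RULE = 'CustomSecurityAttribute.Governance_AccessTier -eq "Privileged"'
POLICIES = [
    {"displayName": "CA01 privileged apps: MFA", "state": "enabled",
     "conditions": {"applications": {"applicationFilter": {"mode": "include", "rule": PRIV_RULE}}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA02 privileged apps: phishing-resistant", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"applicationFilter": {"mode": "include", "rule": PRIV_RULE}}},
     "grantControls": {"operator": "AND", "authenticationStrength": {"id": PHISHING_RESISTANT}}},
]

# Only the simple '<Set>_<Attribute> -eq "<value>"' filter-rule form is parsed here.
RULE = re.compile(r'CustomSecurityAttribute\.([A-Za-z0-9]+)_(\w+)\s+-eq\s+"([^"]*)"')

def rule_matches(rule: str, sp: dict) -> bool:
    """True if the app carries the custom security attribute value named in the rule."""
    m = RULE.fullmatch(rule.strip())
    if not m:
        return False
    attr_set, attr, value = m.groups()
    return sp.get("customSecurityAttributes", {}).get(attr_set, {}).get(attr) == value

def enforces_phishing_resistant(policy: dict, sp: dict) -> bool:
    """Enabled (not report-only), includes the app via its filter, and requires the strength."""
    if policy.get("state") != "enabled":
        return False
    flt = policy["conditions"]["applications"].get("applicationFilter") or {}
    included = flt.get("mode") == "include" and rule_matches(flt.get("rule", ""), sp)
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    return included and strength.get("id") == PHISHING_RESISTANT

def uncovered_privileged_apps(sps: list, policies: list) -> list:
    """Names of apps tagged Privileged that no enforcing policy covers."""
    return [sp["displayName"] for sp in sps if rule_matches(PRIV_RULE, sp)
            and not any(enforces_phishing_resistant(p, sp) for p in policies)]
```

On the constructed data both privileged apps are reported, because the only enabled policy grants classic MFA and the phishing-resistant one is still in report-only mode; flipping CA02 to enabled clears the findings.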

What is a Secure Admin Workstation and how can Cross Tenant Sync help me?

Thanks to the cross-tenant capabilities, we can separate the administrative devices, also known as PAWs/SAWs (Privileged Admin Workstation / Secure Admin Workstation). These are specially hardened devices with multiple active security controls that go beyond a standard office device.

To go a bit deeper: we distinguish between SAP-internal corporate resources and customer-facing resources, but let’s use Azure as the example. Thanks to the cross-tenant capabilities, we can easily leverage device compliance originating from the Privileged Admin Workstation tenant in all trusted resource tenants. It is important to know that identity and device must come from the same source. Otherwise access is denied, because the identity and the calling device are from different sources.


 

 


How to manage the access flow between tenants?

This is where cross-tenant sync and Access Reviews/Access Catalogs become very handy: a user can request access to the tenant, and as soon as the approval flow completes, the account is usually synced over within less than an hour. The same applies to the even more important leaver scenario, where the identity is purged in the same time frame. Since authentication occurs in the source tenant, you don’t need to wait for the sync to take effect; it mainly serves to clean up the resources.

Then, within the target tenant, resources can be requested easily via Privileged Identity Management (PIM): for example Entra ID roles for just-in-time access when you are an eligible member, and also group memberships, which in turn allow other Just-in-Time (JIT) access when needed.

For example, you get certain access to an onboarded Enterprise Application only after activating a certain group membership, which then gives you administrative access through role mapping. These are only examples of the technical capabilities of JIT & PIM. Learn more here.
 

Access Reviews and B2B Accounts

Entra ID’s access review feature allows us to automate reviews of resources and accounts, expanding the reach of our own tooling, which usually uses REST APIs to manage certain permissions at the Azure level, at Administrative Unit level or Management Group level depending on whether we look at Entra ID or Azure resources.

To get an idea of how large these access reviews can be, take our guest account review, where we review more than 100k accounts on a regular basis.

[Figure: results of the guest account access review]

 

As you can see above, we clean out around 30k accounts with every review cycle. The cycle runs behind the scenes, collecting the responses, processing them, and taking the appropriate action when the cycle ends.

 

Conclusion

This approach allows us to run a robust security posture across multiple cloud platforms, applications, and tools, fulfilling our security, governance, and contractual obligations across our partners and customers.

 

Benefits

  • Risky user detection out of the box
  • Access reviews for B2B
  • Conditional Access
  • Geo blocking as a service to meet our compliance needs

We hope that this article has inspired you to take a look at your own security architecture.