Technology Blog Posts by SAP
Topic_Expert

SAP S/4HANA Cloud Public Edition security measures

SAP S/4HANA Cloud Public Edition comes with the following security measures:

24/7 monitoring and threat detection: Data centers are continuously monitored by security operations teams, utilizing cutting-edge tools to detect and respond to potential threats in real time.

Compliance with global standards: Data centers comply with international standards and certifications, including ISO/IEC 27001, SOC 2, and GDPR, to help ensure that data is handled with the utmost care and in accordance with legal requirements.

Encryption and data protection: Robust encryption protocols are implemented for data at rest and in transit, safeguarding information from unauthorized access.

Access controls and audits: Access controls help ensure that only authorized personnel have access to critical systems and data. Additionally, regular audits are conducted for compliance with security policies and procedures.

The primary source of publicly available content is the SAP Trust Center.

A further collection of links to valuable security content is available in this blog post.

Datacenter Security

Source information is available in the SAP Trust Center.

 

Attestations

The management systems are used across all SAP Cloud Secure services; independent certification and audits are carried out depending on the respective service and organizational unit.
Details are available at SAP Trustcenter.

The following attestations are available to the S/4HANA Cloud Public Edition Service:

[Image: list of attestations available to the SAP S/4HANA Cloud Public Edition service]


Q/A Section:

1. Q: Which data center Tier level does SAP offer?

A: The “DC Tier Level” rating can officially only be awarded by the Uptime Institute. Only very few of our DCs are certified by the Uptime Institute and are allowed to carry an official Tier Level. Because of this, we usually do not use the term DC Tier, but instead say something like “similar to Tier III”; this is also assessed as part of internal audits. Additional info: the Uptime Institute standard defines four Tiers:

Tier I - BASIC CAPACITY and must include a UPS (uninterruptible power source)

Tier II - REDUNDANT CAPACITY and adds redundant power and cooling

Tier III - CONCURRENTLY MAINTAINABLE and ensures that ANY component can be taken out of service without affecting production

Tier IV - FAULT TOLERANT allowing any production capacity to be insulated from ANY type of failure.

2. Q: How do you ensure that data is not commingled between customers when multi-tenancy is used?

A: On the database level, each customer uses its own database container, which is completely separated from the containers of other customers within the same database. In addition, customer communication is separated via security groups that enforce strict separation per customer.

On the application server level, each customer gets its own VMs, and communication is likewise strictly separated by security groups.

3. Q: Is it possible for customers to bring their own key?

A: Yes, this is possible with Data Custodian.

4. Q: Can we limit access to S/4HANA Public Cloud or Private Cloud to a specific IP address range (the customer network)? Can we also limit API access to a specific IP range?

A: Our Identity Authentication services offer conditional authentication, of which IP range limitation is one possibility. Here is the respective documentation.

This is not applicable to APIs:

IP allow-listing is not supported for API access, as it is not a practical approach for public SaaS solutions: the outbound IP addresses of source systems often change, e.g. in failover scenarios, or are shared across customers on hyperscalers.

From the S/4HANA side, we recommend leveraging strong authentication mechanisms such as mTLS to mitigate the risk of unauthorized API access.


5. Q: Does SAP (or a third party) perform SAST/DAST scans (Static/Dynamic Application Security Testing) before delivering code? What tools are used? Is there any documentation we can send to the customer? How often are the scans performed?

A: Yes, SAP performs Application Security Testing, both Static and Dynamic, as part of our Secure Development Lifecycle. For SAST of the main programming language ABAP, we use our own solution CVA, whereas for other programming languages and for DAST we use 3rd-party tools tailored to our own requirements. You can find out more about our secure development lifecycle in this document.

6. Q: Do we support mixed authentication (i.e. if the user does not exist in Azure AD, can he/she still authenticate with username/password)?

A: No. There are no fallbacks; the logon attempt will simply fail, by intent.

In any case, allowing the user to “enter” the system would not help, since the user would lack all authorizations and could not do anything in the system.

7. Q: Is the customer data encrypted?

A: Data in transit as well as data at rest is encrypted.

In “My Trust Center” there is a document dedicated to SAP S/4HANA encryption.

Encryption is also covered in our help pages.

8. Q: Please describe what Penetration Testing is carried out.

A: Penetration testing is a crucial security practice we perform to identify and address vulnerabilities in our applications and cloud infrastructure. We conduct various types of testing, including application, infrastructure, internal, and external penetration tests, as well as red team exercises, to simulate real-world attacks and improve our security posture. Regular testing, combined with continuous monitoring and remediation efforts, ensures the ongoing protection of our services and our customers' data.

9. Q: Please describe your disaster recovery process. How is this tested?

A: Please see the separate detailed content document as well as the fact sheet.

The process is tested annually and is ISO 22301 certified.

10. Q: How do you prevent unauthorized access (hacking), and what processes do you follow if this occurs?

A: To prevent unauthorized access, we employ a multi-layered security approach that includes robust authentication mechanisms, such as multi-factor authentication (MFA) and single sign-on (SSO), to ensure only authorized users can access our systems. We also implement strict access controls, network segmentation, encryption for data at rest and in transit, and regular security updates and patching to minimize vulnerabilities. Continuous monitoring using advanced threat detection tools helps us identify and respond to suspicious activities.

In the event of a security breach, we follow a well-defined incident response process that begins with immediate containment of the threat to prevent further damage. Our security team quickly analyzes the breach to determine its origin and impact, while simultaneously initiating communication protocols to inform affected stakeholders. After the threat is neutralized, we conduct a thorough investigation to identify the root cause, apply necessary remediation measures, and document lessons learned to strengthen our defenses and prevent future incidents.

The customer network is isolated from the SAP company network. Our Identity Authentication services offer conditional authentication for access to customer systems.

11. Q: Can I limit network access to my instance, ...? Would it be possible to block access to the customer URLs from any IP other than theirs?

A: On S/4 Public Cloud, IP allow-listing is restricted to the SAP Identity Authentication Service (IAS), which is used to authenticate all customer business users. This leaves a gap for API traffic, however: API traffic is sent directly to the S/4 Public Cloud system, and IP allow-listing directly on the S/4 Public Cloud is not possible.
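As an added illustration of the split described in Q4 and Q11 (an IP range condition can be enforced at the identity service for business-user logons, while API traffic reaches the system directly and has to rely on client-certificate authentication instead), the following Python model is example code written for this post. It is not SAP IAS or S/4HANA code, and the CIDR ranges, certificate subjects and addresses are constructed for the example.

```python
"""Illustrative model of two access paths:
  - "ui":  business-user logon via an identity service, where a conditional
           authentication rule can enforce a source IP range;
  - "api": direct API call, where no IP rule applies and the remaining
           control is a verified client certificate (mTLS).

Added example code, not SAP IAS/S/4HANA code. All ranges, subjects and
addresses are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    principal: str                              # user or technical identity
    source_ip: str                              # observed client address
    channel: str                                # "ui" or "api"
    client_cert_subject: Optional[str] = None   # subject of a presented client cert
    client_cert_verified: bool = False          # did TLS chain validation succeed?


@dataclass(frozen=True)
class AccessPolicy:
    allowed_ui_ranges: tuple        # networks permitted for UI logons
    trusted_api_subjects: frozenset # certificate subjects permitted for API calls


def parse_ranges(cidrs):
    """Parse CIDR strings (IPv4 or IPv6) into network objects; invalid input raises."""
    return tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)


def ip_in_ranges(ip_text, ranges):
    """True if ip_text is a valid address inside any of the given networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable address never matches an allow-list
    # ipaddress returns False for a v4 address tested against a v6 network and vice versa
    return any(addr in net for net in ranges)


def evaluate(req, policy):
    """Return ("allow" | "deny", reason) for a request under the policy."""
    if req.channel == "ui":
        # Conditional authentication at the identity service: source IP range rule.
        if ip_in_ranges(req.source_ip, policy.allowed_ui_ranges):
            return ("allow", "ui logon from allow-listed range")
        return ("deny", "ui logon from %s outside allow-listed ranges" % req.source_ip)
    if req.channel == "api":
        # API traffic never passes the IP rule above; the control that remains is
        # a verified client certificate whose subject is known to the policy.
        if not req.client_cert_verified:
            return ("deny", "api call without a verified client certificate")
        if req.client_cert_subject in policy.trusted_api_subjects:
            return ("allow", "api call authenticated by mTLS subject %s" % req.client_cert_subject)
        return ("deny", "api call with untrusted certificate subject")
    return ("deny", "unknown channel %r" % req.channel)


def demo_policy():
    """Constructed policy: one IPv4 and one IPv6 corporate range, one trusted API subject."""
    return AccessPolicy(
        allowed_ui_ranges=parse_ranges(["203.0.113.0/24", "2001:db8:1::/48"]),
        trusted_api_subjects=frozenset({"CN=erp-integration,O=Example Corp"}),
    )


def run_scenarios():
    """Exercise the cases discussed in the Q&A; returns {scenario: decision}."""
    policy = demo_policy()
    trusted = "CN=erp-integration,O=Example Corp"
    cases = {
        "ui_corporate": AccessRequest("alice", "203.0.113.25", "ui"),
        "ui_home": AccessRequest("alice", "198.51.100.7", "ui"),
        "ui_ipv6_corporate": AccessRequest("bob", "2001:db8:1::10", "ui"),
        "ui_garbage": AccessRequest("mallory", "not-an-ip", "ui"),
        # Integration system whose egress IP moved after a failover (Q4):
        # an IP rule would break it, the certificate still identifies it.
        "api_after_failover": AccessRequest("erp-integration", "198.51.100.200", "api",
                                            client_cert_subject=trusted,
                                            client_cert_verified=True),
        # Inside the corporate range, but no certificate: IP is not the API control.
        "api_no_cert": AccessRequest("erp-integration", "203.0.113.25", "api"),
        "api_wrong_subject": AccessRequest("someone", "203.0.113.25", "api",
                                           client_cert_subject="CN=other,O=Example Corp",
                                           client_cert_verified=True),
    }
    return {name: evaluate(req, policy)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:20s} -> {decision}")
```

The `api_after_failover` and `api_no_cert` cases are the point of the model: once the integration system's outbound address changes, an IP rule would have denied a legitimate caller, while a caller sitting inside the "correct" range but presenting no certificate is still denied. The identity of an API client is established by the verified certificate, not by where the packet came from.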