(Jana Subramanian serves as APJ Principal Cybersecurity Advisor for Cloud Security and has been recognized as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals (IAPP). As part of his responsibilities, Jana helps with strategic customer engagements related to topics such as cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.)
Introduction
RISE with SAP S/4HANA Cloud, Private Edition (PCE) – Customer Data Center option is a cloud ERP solution that allows customers run SAP S/4HANA Cloud, private edition, on dedicated hardware in customer's own data centre or with Colocation services. This option caters to customers with data sovereignty, residency, and security requirements. It is particularly beneficial for customers in regions without Hyperscaler access, those requiring low-latency and high-performance, and those subject to strict regulations, as it allows customers to host their data and systems in their own data centre.
This blog discusses the high-level security measures in place for RISE with SAP S/4HANA Cloud, Private Edition deployed in a Customer Data Center (CDC).
Shared Security Responsibility
In simple terms, both SAP and the customer share the responsibility for security. SAP takes care of the reference architecture, infrastructure setup, configurations, operations, and management for the private managed environment. Meanwhile, the customer provides a certified data centre, handles internet access points, manages network access routing and security, and manage the SAP S/4HANA applications – functional & change management, data, and user access within the cloud environment.
Figure 1: Shared Security Responsibility Model
The table below offers a high-level perspective on the shared security governance between SAP and customers.
Security Area |
SAP |
Customer |
Identity and Authentication |
- Administer the identity, access and authorization controls of SAP administrators (Privileged Access Management) who are responsible for managing and operating the RISE with SAP, private edition, in the customer data centre.
|
- The customer administrator manages identity, authentication, and authorization controls for business users accessing the SAP S/4HANA cloud application.
|
Data Center and Infrastructure |
- Responsible for the hardware, hypervisor, virtualization infrastructure. SAP has formed partnerships with Lenovo, HPE, and Dell to supply, maintain, and manage Infrastructure services. SAP has back-to-back agreement for the IaaS provided by hardware vendors.
|
- Responsible for providing qualified data center or co-location facility to host the infrastructure.
|
Secure Access |
- Maintain Resilient IPSEC VPN for operation and management such as Infrastructure logs, OS and database event Logs, SAP audit logs (operations & management) and other telemetry data & application software updates for change requests and break-fix via SAP Admin network
- Please note: Outbound monitoring data do not contain any customer business data processed in SAP application.
- All data exchanged via management network going via the encrypted VPN tunnel and using TLS 1.2 encryption wherever applicable.
|
- RISE with SAP – Customer Data Center (CDC) is connected to the customer's internal network environment using at least 2 links (for redundancy) with a minimum speed of 10G per link. These links will carry all the network traffic to CDC (customer and management)
|
Internet Access |
Manage two internet VPN terminations at their internet access point:
- One from SAP ECS Shared Service Support Environment to support RISE with SAP S/4HANA cloud edition, customer data center
- One from SAP's IaaS Supplier Support Environment.
- Customers bear the responsibility of safeguarding their provided Internet Circuits against DDOS attacks.
|
- Responsible for providing an Internet access point and manage routing and security. These links are used for carrying the traffic of SAP/IaaS management and workload domain from the network area of the SAP customer data center to the Internet. This traffic passes through the customer's internal network before reaching the Internet through their pre-existing Internet access points.
- Customer is required to provide Web Application Firewall (WAF) to secure inbound internet traffic on their end
- SAP takes responsibility to ensure DDOS protection for all network connections, including the Management Network.
|
VPN |
- Work with customer for setting up IPSEC VPN to meet the requirement for resiliency and security of the connection for operations and management.
|
- The VPN endpoints must be established and maintained. The VPN is necessary for configuring the infrastructure and for ongoing management and support. Customer must provide public IP address for IPSEC VPN and performing Network Address Translation to management VPN endpoint.
|
Infrastructure Setup |
- Work with customer to capture sizing requirements, forecast for next 5 years and agree on the to-be landscape.
- Collaborate with the IaaS providers (Lenovo, HPE, and Dell) to ensure they carry out the following:
- Rack and stack the infrastructure
- Deploy certified design approved by SAP
- Set up the IaaS supplier management infrastructure
- Configure and test compute, storage, network, and virtualization
|
- Provide Data Center Facility and Access. Customer to provide IP ranges and DNS zone that are non-overlapping with the rest of their internal infrastructure, as per our RISE with SAP customer data center standards.
- Customer must provide all the firewall setups and controls on the network traffic to the Rise with SAP customer data centre infrastructure.
|
Operations |
- Resilient platform architecture (HA and DR)
- Management of all Hardware and Cloud Infrastructure
- Managed Backup and Restore
- Building Secure Virtual Machines, Operating systems, networking, HANA Database
- HANA DB Management
- Technical Managed Services (R&R Link)
- Operational Security and Managing security incidents
- 24x7 Security Monitoring
- Personal Data Breach Notification
- SLA and Support Services
- Threat Management & Patch Management
- Security Audits and Compliance of the Cloud Services
|
- DC Facility, Power, cooling
- DC network and routing security
- Load Balancers
- Business User Identity Management
- Business User Authentication and Application Authorisation Management
- Application User Roles, User Groups, Access Control
- Customer Data Ownership
- Compliance to Government & Industry Regulations
- Application Security Audit Logging
- Integration and Extensions, Custom Applications Development
- Configuration of the Customer Business Processes
- Application Change Management
|
Secure Network Access
Two internet VPN connections are established at the customer's internet access point:
- One connection originates from SAP's Customer Data Center (CDC) Shared Service Support Environment.
- The other connection comes from SAP's Infrastructure-as-a-Service (IaaS) Supplier Support Environment.
Both these VPNs are encrypted and carry bi-directional management plane traffic to the RISE with SAP S/4HANA cloud, private edition, CDC.
Figure 2: Secure Network Access
The customer will provide the Public IPs for SAP to configure Admin Server within CDC environment. The VPN is essential for establishing the infrastructure and providing ongoing management and support. The customer is responsible for setting up and maintaining the VPN endpoints. Additionally, the customer can configure third-party devices between their data centre and the demarcation point of the Customer Data Center (CDC) to filter, control, or manage internet traffic as needed.
RISE with SAP S/4HANA cloud, private edition, customer data centre (CDC) option deployment will be and extension of customer's own internal network connected via redundant fibre / copper cross connect. Customer to provide IP ranges and DNS zone that are non-overlapping with the rest of their internal infrastructure, as per our CDC standards. Customer must provide all the firewall setups and controls on the network traffic to the CDC infrastructure.
Secure Architecture and Segregation
The detailed documentation on SAP S/4HANA cloud, private edition, customer data centre option – connectivity is available
here. The salient security architecture details are as follows:
- SAP S/4HANA Private Cloud Edition, customer data centre option is a single tenant deployment of S/4HANA in a dedicated physical hardware for each customer. The physical and virtual design is co-engineered with IaaS provider and approved by SAP. This is delivered as cloud operating, ran via your very own data centre saving significant upfront investment for customers.
- The landscape by default consists of 3 tier environments meant for development, quality assurance and production usage. The production and non-production environment segregated by a separate subnet, with an optional Network Access Controls.
- Infrastructure sizing is in general mapped to the license metrics. The infrastructure sizing based on the customer specific requirement will be done to assess the hardware capacity. Additional infrastructure can be deployed based on the actual needs of the customer via change order.
- As this is a private cloud offering, the dedicated network is created using customer provided private CIDR address range (RFC 1918 compliant) which is non-overlapping with customer’s on-premises network.
- RISE with SAP – Customer Data Center (CDC) is connected to the customer's internal network environment using at least 2 links (for redundancy) with a minimum speed of 10G per link. These links will carry all the network traffic to CDC (customer and management)
- Access to services from the public Internet is limited to specific use cases. To enable mobile users to access Fiori applications, a secure web application firewall can be used, and the customer is responsible for ensuring the firewall's availability. Cloud integrations are permitted to use secure protocols for outbound Internet connections (via customer network), and to connect to other SAP Cloud solutions, such as Ariba, Concur, and SuccessFactors.
Figure 3: Data Encryption
- Customer connects to dedicated SAP managed environment in Customer Own Data Center using dedicated cross connect network connection.
- Data-in-transit encryption is used to secure all client connections from Customer Network to SAP systems.
- All HTTP traffics are protected with TLS 1.2 transport layer encryption with AES-256-GCM
- Access from thick clients (SAP Frontend) is uses SAP proprietary DIAG protocol secured by SAP Secure Network Communication (SNC) with AES-256-GCM.
- SAP HANA in-memory database uses HANA Volume Encryption to provide “data-at-rest” encryption for data, log and backup volumes. It uses AES-256 encryption algorithm with Cipher block chaining (CBC) cipher mode (AES-256-CBC).
- Besides HANA volume encryption, persistent storage where SAP HANA stores encrypted volume is also encrypted using storage encryption modules (“data-at-rest” encryption). It also uses AES-256-GCM.
- A separate subnet can be allocated for both the production and non-production environments within the workload domain, ensuring a clear distinction and separation between the two.
Access to Logs via LogServ (Optional)
LogServ is an SAP Enterprise Cloud Service (ECS) service designed to securely store and facilitate access to your own OS/DB, DNS, Network and Flow logs. SAP ECS platform enables both customers and internal teams to efficiently collect and centralize logs from all systems, applications, and ECS services in use. SAP ECS provides a secure API that allows authenticated access to customer-specific logs. Log data can be served in near real-time to multiple destinations, such as SIEM, data lakes, and customers, overall efficiency of log management. LogServ solution reduces the load on servers and data sources while offering additional features such as log filtering for cost optimization, log enrichment, and pseudonymization or anonymization of sensitive fields or data
Below is a high-level overview of the architecture for LogServ:
Figure 4: LogServ Architecture Overview
The Data Landing Zone (DLZ) is at the heart of LogServ's architecture, enabling SAP ECS to efficiently process and distribute log data to multiple destinations in the appropriate format. With DLZ, ECS can ensure that log data from a source is delivered to the right place at the right time securely. The salient feature of LogServ is that SAP ECS can offer near real-time log collection and integration with your SIEM or log management system. The log retention feature allows indefinite retention, with customizable retention policies for each data source. Longer retention periods are possible, and customer can also recover logs that were retained by SAP ECS.
Zero Trust Architecture Principles
The Zero Trust Architecture Framework changes traditional security methods by focusing on a flexible, identity-based approach instead of relying solely on perimeter defences and VPNs. Organizations need to protect various resources and manage access to them with dynamic policies that adapt to evolving threats. The NIST Special Publication (SP) 800-207 Zero Trust Framework explains these principles and provides examples of how zero trust can improve an enterprise's security.
Figure 6: Zero Trust Architecture Principle
You can refer to a blog titled
"RISE with SAP: Adapting to Zero Trust Architecture Principles with SAP Cloud Services" to gain insights into how SAP adheres to Zero Trust Architecture principles when delivering SAP cloud services.
Multi-Layer Security
SAP employs a thorough multi-layer security strategy to protect its cloud services by incorporating security measures across multiple layers. This approach offers defence against threats at various levels, minimizing overall risk and bolstering the security of SAP environments.
1. Cloud Security Measures
In SAP cloud services, several security measures are implemented to protect data, applications, and infrastructure. These include data encryption, strong user authentication, access controls, network security, intrusion detection and prevention systems, regular security audits, vulnerability assessments, and compliance with relevant regulations and standards
Figure 6: Multi-Layer Security
2. Certification and Attestation
SAP collaborates with independent third-party auditors to verify the design of controls and the effectiveness of implementation, ensuring that SAP's cloud security controls, policies, and practices align with industry standards. Various certifications, audits, and assessments by these independent organizations maintain these assurances. Key attestations and assurances for SAP cloud services include ISO 27001, SOC 1 Type 2, SOC 2 Type 2, ISO 27017, ISO 27018, and many others, depending on the specific SAP cloud service. For details on the available certification and attestation, please refer to SAP Trust Center.
3. Technical and Organisation Measures
SAP has established a set of technical and organizational measures aimed at safeguarding personal data and complying with data protection regulations. The technical measures involve the implementation of encryption, access control, secure coding practices, among other protective measures that prevent unauthorized access or deletion of data. Meanwhile, the organizational measures encompass the protocols for handling personal data, developing incident response plans, security monitoring and notification of personal data breaches. These measures are contractually assured and can be referenced here.
4. Information Security Controls:
As part of commitment to information security, SAP adheres to the ISO 27002 as a baseline standard which provides a set of best practices for the development and implementation of an effective Information Security Management System (ISMS). This standard defines 14 information security controls such as security policy, access control, asset management, cryptography, and compliance. SAP conducts regular ISO27001 audits to ensure that its cloud services have robust ISMS put in place that protect information assets against unauthorized access, modification, or destruction. The standard covers all aspects of information security, including physical security, operations security, and supplier relationships. The ISO27001 certificates can be downloaded from SAP Trust Center
5. Trust Services Principles
SAP employs a set of principles developed by the American Institute of Certified Public Accountants (AICPA) to assess the effectiveness of controls in information systems. For cloud services, the appropriate Trust Services Principles (TSPs) are selected based on the relevance of the controls. These TSPs are used to evaluate the effectiveness of the design and implementation of the cloud service.
The TSPs consist of five principles that include:
- Security: Protection of the system from unauthorized physical or logical access
- Availability: The system's availability for use as agreed upon
- Processing Integrity: The system's processing is accurate, timely, authorized, and complete
- Confidentiality: The protection of designated confidential information as agreed upon
- Privacy: The collection, use, retention, and disclosure of personal information conform with the applicable privacy principles.
Figure 7: End-to-End Security
Conclusion
This blog provides a high-level overview of the security features available for RISE with SAP S/4HANA Cloud, Private Edition, Customer Data Center options. While the customer is responsible for the qualified physical data centre, SAP employs security best practices in managing the landscape, ensuring data localization, data sovereignty, and regulatory compliance. As customer requirements can vary, it is recommended to engage with an SAP Cloud Architect Advisory for a thorough evaluation of each customer's security needs in order to develop approved solutions managed by SAP Enterprise Cloud Services. Alternatively, for additional inquiries, you may reach out to
rakesh.roushan@sap.com.
Acknowledgement:
The author would like to express deep appreciation for Rakesh Roushan, Head of RISE with SAP S/4HANA cloud, private edition, customer data centre architecture & advisory and Roland Costea, Chief Information Security Officer, SAP Enterprise Cloud Services for their efforts in reviewing the content and providing valuable feedback.
Disclaimer:
© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on
www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.