Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
Jana_Cyber
Product and Topic Expert
Product and Topic Expert
22,760
(Jana Subramanian serves as the APJ Principal Advisor on Cybersecurity and is a Fellow of Information Privacy (FIP) awarded by the International Association of Privacy Professionals (IAPP).  Jana provides expert support on cybersecurity, data privacy, cloud security integration, contractual assurance, audit, and compliance to strategic customers in APJ.)

Introduction

RISE with SAP is a comprehensive business transformation service offered by SAP. The packaged bundle includes numerous products, tools, and services that addresses the needs of customers. In this bundle, the digital core can be either the SAP S/4HANA Cloud, private edition or the SAP S/4HANA Cloud, public edition offering that utilizes Software as a Service (SaaS) model. Customers can choose either offering based on their industry type, regulatory requirements, and security needs. Other factors to consider include the organization's level of control and customization needs, budget, and resources when deciding SAP S/4HANA cloud, private edition, or SAP S/4HANA cloud, public edition model is the best fit for their requirements.

SAP implements a multi-layered security strategy and a "zero trust" approach for all SAP cloud services. The cloud services adhere to industry-standard security practices, including encryption, access control, auditing and compliance, logging and monitoring, and secure operations, all while following SAP's own standards, policies, and procedures. SAP is committed to ensuring the security and protection of its customers' data. Towards this end, SAP has implemented a comprehensive approach to cybersecurity. The design of controls and implementation effectiveness is regularly audited by independent auditors. Customer can access ISO certificates or raise a request for SOC2 attestation reports from SAP Trust Center.  SAP offers contractual assurances for the safeguarding of personal data through the implementation of robust Technical and Organizational measures.


Having established the security context for SAP cloud services, this blog will explore the nuances in their differences between SAP S/4HANA Cloud Private Edition and SAP S/4HANA Cloud Public Edition. This list is not exhaustive and few references are provided for further reading.

Security Overview: SAP S/4HANA Cloud, private edition vs SAP S/4HANA Cloud, public edition

In this section, we will delve into the nuances of security features or capabilities between the two offerings from a “security and data privacy” perspective. While SAP secures both the platforms based on industry best practice approaches, highly regulated industries tend to opt for SAP S/4HANA Cloud, private edition due to regulation and compliance reasons such as data residency, customizations, partner add-ons and wants to maintain the existing process design and investment in ERP. SAP S/4HANA Cloud, Public Edition offers a standardized solution for new customers and is optimized for businesses that are eager to embrace the future of ERP with a new implementation and defined processes. It provides ease of configuration, adaptability, and the ability to grow as needed.














































































































Security Topic SAP S/4HANA Cloud, private edition SAP S/4HANA Cloud, public edition
Secure Landscape

  • This is a single-tenant environment. SAP ECS creates a separate account, subscription, or project with the Hyperscaler.

  • The Virtual Private Cloud (VPC) and all other resources within the environment are exclusively reserved for one customer.

  • Within the VPC, multiple subnets are created for gateway, admin, production. The DR is hosted either in the same region or on a different region.




  • This is a multi-tenant Software-as-a-Service (SaaS) model where a System VPC is established to host SAP S/4HANA Cloud, public cloud tenants. Admin VPC and Backup VPC is created for network isolation

  • The network is divided into distinct zones and segments.

  • The virtualized ABAP application server instances are assigned to a single customer tenant.

  • Each customer is environment is segregated via Security Groups

  • At the data persistence level, each SAP S/4HANA Cloud tenant has a distinct tenant database, isolated from other tenant databases within the same SAP HANA database system.


IaaS Providers 

  • SAP uses AWS, Azure, and Google Cloud Platform as IaaS provider to host and manage the landscape. SAP manages and owns the Root Account to Hyperscaler.

  • While RISE with SAP predominately runs on Hyperscalers for most customers, additional options exist to run RISE with SAP at Customer Data Center for data residency & compliance, SAP Data Center and Premium Partner Data Center in select regions. Consult CAAs for details.




  • This is hosted on Azure, Google Cloud and SAP Converged Data Center. In China, Alibaba is used. SAP manages and owns the Root Account to Hyperscaler (IaaS providers)


Service Delivery Model

  • This is private managed cloud environment. SAP Enterprise Cloud Services maintains comprehensive Roles and Responsibilities for this offering.




  • This is a state of art of modern ERP solution solutions offered as Software as a Service (SaaS)


Secure Access

  • HTTPS communications between a customer's web browser and the SAP S/4HANA Cloud system landscapes are protected by the TLS 1.2 encryption protocol.

  • Additionally, Access from thick clients (SAP Frontend) is uses SAP proprietary DIAG protocol secured by SAP Secure Network Communication (SNC) with AES-256-GCM.

  • Separate Web Dispatcher and Cloud Connector is included in the production subnets




  • HTTPS communications between a customer's web browser and the SAP S/4HANA Cloud system landscapes are protected by the TLS1.2 encryption protocol.

  • Customers are provided with a unique, customer-specific URL and communication is facilitated through the SAP Web Dispatcher - Reverse Proxy (RP) component.


 
Reverse Proxy

  • Dedicated Web Dispatcher and SAP Cloud Connector  for Production and Non-Production for each customer




  • Reverse Proxy is achieved via Shared Web Dispatcher Cluster


Authentication

  • Supports SAP Cloud Identity Services – Identity Authentication, SAP Single Sign-On, SAP Extended Single Sign-on, private edition

  • Basic SSO with Kerberos and with SAP IAS support SAML2.0, Kerberos, X.509 and 2FA. For SAP GUI, X.509 and MFA via Extended Single Sign-on

  • Supports SAP & 3rd party identity provider


 

 


  • Supports single sign-on with X.509, SAML2.0

  • Two factor authentication

  • Supports SAP & 3rd party identity provider

  • Standard users are only able to authenticate using SAML 2.0 assertions (Single Sign-On) through SAP Cloud Identity or 3rd party identity providers


 
Connectivity

  • A dedicated Private Connectivity to SAP S/4HANA cloud, private edition is available.

  • Either IPSEC VPN or Hyperscaler native connectivity (AWS Direct Connect, Azure ExpressRoute or Google Cloud Interconnect). High Availability connectivity options are available for resiliency.




  • All communication is secured via standard browser based TLS 1.2 and access to SAP S/4HANA cloud, public edition is via Internet.

  • There is no dedicated private connectivity available as this is a multi-tenanted SaaS.


Authorizations

  • Full role/authorization customization possible by customer

  • SAP Business Technology Platform – Identity Authentication Service and Identity Provisioning Service is available




  • This is bundled with SAP Business Technology Platform Identity Provisioning Service

  • Simplified configuration of authorizations with delivered catalogues and role templates


Encryption

  • Data-in-transit (TLS1.2) encryption is used to secure all client connections from Customer Network to SAP cloud system.

  • Data at Rest is encrypted with AES256 bit. Database volume and backup encryption-based on SAP HANA security as well as the encryption of the IaaS provider storage where database files and its backups are stored.




  • Data-in-transit (TLS1.2) encryption is used to secure all client connections from Customer Network to SAP cloud system.

  • Data at Rest is encrypted AES256 bit. Database volume  encryption-based on SAP HANA security as well as the encryption of the IaaS provider storage where database files and its backups are stored.


Security Logging

  • Security Audit Logs (Application) are available to customers.

  • Integration with SAP Enterprise Threat Detection as a separate service for application and DB logs. Separate License and Integration effort required.

  • OS and DB Logs to be available as a separate service (LogServ)

  • Read Access Logs

  • Change Audit

  • Authorization Trace Logs

  • SAP Support User Request Logs




  • Security Audit Logs (SAL) is available. Security audit logs capture technical-level security-related events, such as user logins, which may be required in the event of an audit. It is possible to obtain security audit logs from SAP S/4HANA Cloud and integrate them into a customer's security and event management solution (SIEM).

  • Read Access Logs

  • Change Audit

  • Authorization Trace Logs

  • SAP Support User Request Logs


High Availability and Disaster Recovery

  • High Availability is configured by default.

  • Customers can optionally subscribe to Disaster Recovery for their productive environments in cloud.

  • The replication of SAP HANA can be either synchronous or asynchronous, depending on the design.

  • Failover sites are configured with data replication from productive environments and with equal infrastructure capacity.  DR can be within the region or outside the regions depending on the Hyperscaler environment.

  • RTO=12 hours, RPO=30 minutes or 0 depending on the design




  • High Availability (HA) and DR is available

  • Disaster Recovery is an optional Service

  • RTO=12 hours, RPO=30 minutes


Virus Scan

  • Protection against Malicious or Suspicious content Attachments




  • Protection against Malicious or Suspicious content Attachments


Backup and restore

  • Standard Service.

  • The backup process is automated and stored in either a secondary availability zone within the same region or another region. The frequency and retention period of the backups are determined by SAP's policy.




  • Standard Service.

  • The backup process is automated and stored in either a secondary data centre or another availability zone within the same region. The frequency and retention period of the backups are determined by SAP's policy.




Secure Operations

 


  • Centralized Security Incident and Event Monitoring operating 24x7 and Cyber Threat Intelligence

  • SAP maintains playbooks for common security incidents such as malware/virus outbreak, phishing, data theft, elevation of privilege, improper usage, unauthorized access, personal data breach,

  • Security teams follow through standard incident response procedures from detection to closure & lesson learned.

  • Security Operations maintain these playbooks and ensure all staff are trained adequately.


 


  • Centralized Security Incident and Event Monitoring operating 24x7 and Cyber Threat Intelligence

  • SAP maintains playbooks for common security incidents such as malware/virus outbreak, phishing, data theft, elevation of privilege, improper usage, unauthorized access, personal data breach,

  • Security teams follow through standard incident response procedures from detection to closure & lesson learned.

  • Security Operations maintain these playbooks and ensure all staff are trained adequately.


 
System Availability

  • 99.7% for production systems




  • 99.7% for production systems


Integrated Security Products

  •  Security Audit Logging

  • SAP Enterprise Threat Detection, UI Masking and Logging require additional license, and integration effort.

  • SAP Business Technology Platform Service – Identity Authentication (IAS) and Identity Provisioning Services




  • Security Audit Logging

  • SAP Information Lifecycle Management

  • SAP Business Technology Platform Service – Identity Authentication (IAS) and Identity Provisioning Services


Security Customization

  • Secure by design, secure by default and customer managed security levels

  • Customer managed authorization concepts


 

 


  • Secure by design, secure by default and secure cloud services

  • Pre-configured business roles ready for lean customer adoption


 
Business Configuration/Content

  • Best Practice activation included and optional




  • Standardized, Best Practice via Central Business Configuration (CBC)


 
Releases/Upgrades

  • Customer owned, technical installation by SAP, yearly on request and Customer must stay in mainstream maintenance




  • This is managed by SAP and two major releases are available providing feature enhancements.

  • Continuous Feature Delivery Update


 
Session Timeout for Authentication

  • The default session timeout for Identity Authentication is set to 720 minutes, or 12 hours via SAP Cloud Identity. In case Corporate Identity Provider is used, session timeout can be configured to a desired value.




  • The default session timeout for Identity Authentication is set to 720 minutes, or 12 hours via SAP Cloud Identity. In case Corporate Identity Provider is used, session timeout can be configured to a desired value.



For additional reading, you can refer to the following security blogs:

  1. RISE with SAP: ‘Defense in Depth’ Security Architecture with SAP S/4HANA Cloud, public edition

  2. RISE with SAP: Multi-layer Defense in Depth Architecture of SAP S/4HANA Cloud, Private Edition

  3. Securing RISE with SAP

  4. How to audit SAP S/4HANA Cloud, public edition

  5. Difference between SAP S/4HANA :Public Vs Private edition : RISE with SAP


Conclusion

This blog presents a comparison of approach to security between SAP S/4HANA Cloud, Private Edition and SAP S/4HANA Cloud, Public Edition. The selection between these two Cloud ERP models depends on business processes and needs, and both models are built with security in mind, incorporating secure design and secure default features. To determine which model is best for their business, customers should consider their specific requirements such as regulation, industry type, cost, flexibility, and localization needs. Regardless of the choice, SAP is committed to providing a best-practice approach to security.

Note:

Find out how to make intelligent decisions that support your business, improve your profit, and drive sustainability by exploring SAP’s free learning content on Explore RISE with SAP S/4HANA Cloud. SAP S4/HANA Cloud is the next-generation cloud-based enterprise resource planning (ERP) system that allows you to combine the realms of finance, supply chain, asset management, sourcing and procurement, service, sales, manufacturing and more all in one place. Check out even more role-based learning resources and opportunities to get certified in one place on SAP Learning site.

 

Disclaimer:

© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.

 
13 Comments