Most of software development can be described by two characteristics: whether it’s important and whether it captures your attention. The effort going into the first check box is often higher than the second – and in security, attention-grabbing features are the proverbial drop in the ocean compared to those efforts which are put into making a solution more secure.
Therefore, when I was tasked with highlighting new security features in the S/4HANA Public Cloud for the last releases, the list of security improvements in both the software itself as well as the cloud operations and other security areas was long at first. However, it was significantly reduced when those features were excluded which are not visible on first sight.
Nevertheless, I felt it was – and is – important to convey to our customers and partners about how deeply security is embedded into processes here at SAP. While doing so, I’d also like to touch upon the different security areas for the S/4HANA Public Cloud as well as fulfilling the original task – i.e. tell you about the latest features and enhancements in the S/4HANA Public Cloud.
First of all, as mentioned in the beginning, security is by now embedded deeply into the mindset here at SAP. Something I came to appreciate when my journey with SAP started a few months back: I literally never had a more secure workplace than I do now. Of course, this also reflects in the way we develop software. The “Secure Software Development Lifecycle” or S2DL (IT nerds just can’t do without a good acronym) is something which is not just a fig’s leaf, but taken very seriously. From my fellow team members in the S/4HANA security department, for example, I have learned a lot about things like threat modeling, risk approach, security assessment and validation or code scans (more on that later). Which emphasizes a point I have been making for years, well before I re-joined SAP: that S/4HANA is one of the most secure solutions ever to leave the development departments of SAP.
With a software as complex as S/4, we obviously don’t stop at developing it in a secure manner. In fact, when you take a look at the features in security and the closely related data protection and privacy (DPP), you will see that S/4HANA Public Cloud includes industry leading features in both areas.
Take security: secure access with support for state-of-the-art technologies such as SSO or MFA, secure communication and encryption leveraging native HANA capabilities, an enforced security-by-default implementation, automated security patch deployment, sharing Security Audit Logs with our customers for further analysis – as mentioned, the list is long. Another example are authorizations – always a complex undertaking in any implementation of SAP solutions. With S/4HANA cloud, we significantly simplified the configuration of authorizations using business catalogues and other helpful tools, such as the IAM accelerators.
Going further: data privacy. Ever since the introduction of the GDPR in 2018, SAP has been at the forefront of complying to the regulation and even go beyond this. Which is why we include features into S/4HANA Public Cloud which you will be hard pressed to find in other cloud solutions. In this case it’s important to distinguish between data protection features, were we support all mandatory features to comply with the GDPR as well as other privacy regulations around the globe. On the other hand, our embedded privacy tools, such as the Information Retrieval Framework (IRF), the Information Lifecycle Management (ILM) or the Read Access Logging (RAL) enable our customers to provide state-of-the-art data protection for their customers and users.
SAP has always been about developing high-quality and highly secure software. With the rise of the cloud, we are now also responsible for operating that same software. A responsibility we don’t take lightly. Which is why secure operations and landscape architecture is our fourth cornerstone when we talk about the security of S/4HANA Cloud Edition. Data Center security which matches that of Fort Knox, a robust technical security architecture where customer data are strictly separated and a highly effective and efficient SAP Cyber Defense & Response Center – rest assured that your data is safe at SAP.
You might think that it would be my job to brag about the security of SAP S/4HANA Public Cloud – but in fact we have attestations from 3rd parties around the world which – quite literally – certify what I have mentioned in this post. S/4HANA Public Cloud is certified to BSI-C5, ISO27001, ISO 22301, SOC-1, SOC-2 and a bunch of local certifications around the globe. Not to mention our comprehensive contracts covering Data Processing, Security Frameworks and, of course, local regulations. If you would like to deep dive into these certifications – they are all available in the SAP Trust Center.
With the groundwork laid, let’s get into some of the enhancements of the latest release for S/4HANA Public Cloud when it comes to security, related to the different areas. Starting with Software Development, the S/4HANA Public Cloud is fully tested for security – which includes not only vulnerability scans and static code scans, but also tailor-made dynamic application security testing is performed on any development.
For the area of Identity and Access Management, we’ve included two additional accelerators for creating workplace lists within initial applications and for quarterly release activities.
In Data Privacy, we have implemented two additional logs for the Information Retrieval Framework (IRF), logging both the collection of data as well as the generation of models when setting up the IRF. And, speaking of setting up, we have also added some configuration steps in the overall data protection settings.
And, for security, we also implemented a new Trusted Network Zone positive list, which accompanies the already existing clickjacking positive list.
Last, but not least, while I would very much like to project my initial statement into the future, Niels Bohr once said “Prediction is very difficult, especially if it’s about the future”. We can assure you, however, that we’ll keep working to keep your data and your processes as secure as possible.
Finally, I hope that with this blog post I was able to give you a bit insight into security in S/4HANA Public Cloud and would like to renew my offer from the very beginning: If you do have any questions, suggestions or need for more information on security in S/4HANA Cloud or S/4HANA on premise, feel free to reach out.