SAP customers are adopting RISE with SAP at an accelerated pace. The division of cloud security responsibilities between SAP as Cloud Service Provider (CSP) and Customer as a consumer of SAP cloud service always surface during discussion with customers on security and compliance related to SAP cloud services. RISE with SAP comes with bundling of SAP S/4HANA Cloud Suite, SAP Business Technology Platform, SAP Business Network Starter Pack and SAP Business Process Intelligence as one bundle. In this blog, we will explore shared security responsibility model for SAP cloud services offered in SAP S/4HANA Cloud, Private Edition (Managed Private Environment), SAP Business Technology Platform offered as Platform as a Service (PaaS) and SAP Cloud Services operating in Software as a Service (SaaS) model.
For the sake of simplicity and easy understanding, shared security responsibility is abstracted to provide high level information. For detailed product descriptions and roles & responsibilities, please refer to product documentations and relevant links provided in this blog.
SAP S/4HANA Cloud, Private Edition – Shared Security Responsibility Model
SAP Security Responsibility
The SAP S/4HANA Cloud, Private Edition is a privately managed environment where SAP maintains Hyperscaler root or master account and creates customer specific account or subscriptions. This is referred to as “single-tenanted” since the applications and databases virtual instances are dedicated to a customer. Virtual Network (VNET) are created within each subscription/account to address specific system/data isolation requirements. Within each Virtual Network, there will be multiple subnets (using private CIDR block IP addresses) created to segregate the environments.
SAP uses a Central Cloud Access Manager (CAM) to manage SAP Administrative access to IaaS provider subscriptions/accounts. Various roles and access rights are created for cloud admins. Therefore, operations and management of cloud environment, with customer account or subscription is managed by SAP.
Each subnet is configured with Security Group using a specific set of rules to control the network traffic. SAP handles all cloud operations & management such as backup and restore, patching, maintenance, technical basis support, HANA services management and key management of data at rest. The following is a broad list of activity that are performed by SAP operations and management.
- Dedicated Account/Subscription for each customer
- Logically isolated Virtual Private Network (VNET)/VPC
- Dedicated S/4HANA application landscape for customer assigned Private IP Address space
- Auto-Restart High Availability and Regional or cross-regional Disaster Recovery
- Regular 3rd party security audit – SOC1, SOC2, ISO 27001
- Vulnerability Management and Penetration Testing
- Customer specific release management
- Security Incident and Change Management
- 24×7 Security Monitoring,
- Personal Data Breach Notifications
Following are the key security responsibility for Customers:
- SAP S/4HANA Cloud, Private Edition may be considered as privately managed single tenanted environment where the customer is broadly responsible for applications user identity, authentications, application authorizations, user roles, groups, and access controls.
- The customer is responsible for working with a Hyperscaler (AWS or Azure or GCP) to get “dedicated connectivity” if their compliance requires a dedicated connectivity to SAP S/4HANA Cloud, Private Edition. Hyperscale providers natively support dedicated connectivity options such as AWS supporting AWS Direct Connect, Azure supports Azure Express Route and Google Cloud supports Google Cloud Interconnect. While SAP will work with customer to setup the software configurations at the customer landscape created by SAP and test the connectivity, it would be customer’s responsibility to procure the physical connectivity from Hyperscaler or other network service providers who may have a relationship with hyperscale IaaS providers to support dedicated connectivity solutions.
- The customer is responsible for transports between environments and integration between SAP S/4HANA applications and SAP SaaS or third party solutions. SAP BTP is available under various subscription models for customers.
- The customer is responsible for Application Security Audit logging.
- SAP S/4HANA applications provides various privacy configurations for the customer to configure privacy settings such as consent management, read access logs, application security audit logs. It is up to customers to manage such privacy configuration related to Sap S/4HANA application based on their requirement.
- The customer handles application basis support and functional changes with appropriate change management
- The customer is responsible for Side-by-side and In-App extensions, Code enhancement & code modifications and access to S/4HANA Extensibility Framework
It must be noted that customers do not have access to hyperscale provider accounts as this environment is fully managed by SAP. Customers get to access the SAP S/4HANA applications and functionalities securely on a Hyperscaler platform that is securely operated and managed by SAP.
The detailed roles and responsibilities related to SAP HANA Enterprise Cloud and SAP S/4HANA Cloud, Private Edition can be found here.
SAP Business Technology Platform – Shared Security responsibility Model
SAP Business Technology Platform (Cloud Foundry) is offered as multi-tenanted Platform as a Service model, running on AWS and Azure platforms in multiple regions globally. This an open development platform that covers integrations and extensions of applications in SAP eco-systems as well as 3rd party systems.
SAP is responsible for operating the cloud infrastructure which includes 24×7 monitoring, patching, operating systems, golden images for virtual machines and containers with best practice hardening standards, regular updates and managing security incidents. It must be noted that SAP hosts many SaaS application on top of SAP BTP such as SAP Analytics Cloud, Conversational AI and other Industry Solutions. Therefore, SAP considers security operations and management of the platform as vital and paramount. Broadly, the following are the core responsibilities that SAP undertakes for SAP Business Technology Platform.
- Multi-Availability (Multi-AZ) platform architecture
- Logical Tenant Separation
- Backup and Restore Services
- Secure Development of platform services & tools
- Creation of Runtime Environment
- Securing the infrastructure, operating systems, and/or container images, networking, and applications
- Operational and security monitoring
- Managing security incidents
- Personal Data Breach Notification
- Operating cloud resources
- Providing patches and solution support
- Adherence SLA and Contractual Assurance
Customers use SAP Business Technology Platform to develop new applications, integrations, extensions capability and workflow.
The SAP BTP comes with services such as Identity Authentication Services (IAS) for central authentications across SAP cloud services, with applications such as SAP SuccessFactors, SAP S/4HANA Cloud Essential (Public Cloud) and SAP IBP pre-integrated with SAP BTP IAS. It is up to customer to configure, delegate authentications to their own IDP which may be located on-premises or in the cloud such Azure AD. The platform also comes with Identity Provisioning Services which allows synchronization of user data between source and target systems. SAP provides these services by default when customer subscribes to SAP cloud applications and it is the customer’s responsibility to configure these services depending on the authentication’s requirement.
The shared security responsibility model for SAP Business Technology Platform can be found in SAP help page in this link
SAP Cloud Services (Software as a Service) – Shared Security responsibility Model
SAP offers a number of SAP Cloud Services in software as a Service model such as SAP Ariba, SAP Concur, SAP Integrated Business Planning, SAP Analytics Cloud, SAP SuccessFactors, and many other business & industry applications. The underlying theme of shared security responsibility remains the same regardless of the SaaS applications.
SAP takes governance and management responsibility of securing the underlying SaaS platform in terms of secure architecture, secure software development of applications, creating a multi-tenanted platform where customer data is logically separated via database schemas, ensuring high availability, disaster recovery, development policy, process and procedure around service operations and management. SAP is also responsible for security monitoring, personal data breach notification. The operational responsibility that is covered by SAP is available in SAP Trust Center. As a data processor, SAP meets its obligations as specified in our SAP personal data processing agreements.
SAP runs SaaS applications in global regions and the data center locations can be found here.
SAP uses combination of SAP data centers, hyperscale provider environment such as AWS, Azure and Google Cloud Platform or some solutions are hosted in Equinix/3rd party DCs. You can refer to the white paper available on SAP Trust Center “SAP and Hyperscalers: Clarifying Security in the Cloud” for details on shared security responsibility between SAP, Hyperscalers and customers.
While SAP is responsible for securing the SaaS application and the underlying supporting platform infrastructure with operational and management responsibility, customers are responsible for the following:
- Securing their customer data via applications security settings. Customer owns customer data and therefore customer is responsible for their data security
- Manage their business process logic, workflows related to applications.
- Manage User Identities, Authentications and Authorization of users to application functions
- Manage Consent Management and enter the data related to their users
- Review Application Security Audits Logs
It is important to highlight that customer is responsible for performing risk assessment before they subscribe to cloud services and migrate their data with respect to the security of cloud services. SAP provides security assurance to customer via independent 3rd party audit reports such ISO27001, ISO22301 and customers can request independent audit reports such as SCO1, SOC2 via SAP trust center.
Regardless of the cloud service model subscribed by customers, SAP considers customer data as “confidential” and hence provide comprehensive multi-layer security and data protection capabilities with SAP contractual assurance (SAP DPA with Technical and Organizational Measures) and security assurance via independent 3rd party audit reports (SOC1, SOC2). SAP cloud services follow robust global security policy that is based industry practice approach such as ISO 27002 (Information Security Management Systems), NIST 800 (Federal Security Policies, Standards, Procedures), ISO22300 for Business Continuity and Industry Security Standards such as PCI-DSS. SAP constantly performs security risk assessment, modernizes the security architecture and platforms, and develop new security policies, procedures and processes to handle challenges of evolving threat landscape.