Traditionally, organizations run enterprise resource planning applications in their own infrastructure in an on-premises data center. As the digital transformation sweeps across industries, organizations embrace “cloud first” strategy. This strategy brings business value such as vision to value, resiliency, scalability, time to value, speed to market, and optimized Total Cost of Ownership (TCO). In general, Customers have two choices with respect to SAP S/4HANA migration to cloud. Each option brings major shift in the security governance and operations.
- Build SAP S/4HANA cloud landscape (Bring Your Own License – BYOL) with customer’s own account/subscriptions with public cloud service provider (Hyperscaler). Customers or system integrators (SI) manage platform landscape architecture, security operations, and platform management.
- RISE with SAP: SAP S/4HANA Cloud, Private Edition running on public cloud services such as AWS, Azure, or Google Cloud Platform (GCP) platform. SAP manages platform landscape architecture, security operations and platform management.
Often, we encounter questions from customers regarding the difference between (1) and (2), its cybersecurity value proposition.
Cybersecurity is an emerging concern for the Enterprise. In recent years, organizations experience sophisticated and exponential increase in cyber-attacks. Assessing cyber risk, compliance to regulation, security, data privacy is of paramount importance. Given the significance of this subject, often enterprise board level discussion is warranted. As a result of such discussions, enterprise cyber security strategies are drawn. In this blog, we will discuss business value of cyber security in relation to (1) and (2).
Security challenges with customer/SI managed SAP S/4HANA on Hyperscaler
Today, Digital transformation is impacting all industries. With cyber-attacks increasing in greater intensity and sophistication, investment in people, technology and process must be made to protect mission critical application and secure sensitive data. While organizations may consider cybersecurity as a cost, lapses in security can lead to reputational damage, hefty regulatory fines, disruption to business.
Often cloud security and migration issues are multi-dimensional. Firstly, enterprises require “cloud skills” to plan, design and implement secure and resilient architectures for SAP S/4HANA architectures within Hyperscaler platform. There is a big skill gap, and it is difficult to find talents in cloud domain. This can be a daunting task as mis-configured cloud services such as exposing storage buckets publicly or disabling API logging accidentally can have security implications. There must be an automation and remediation controls to identify misconfiguration issues and compliance risks in the cloud.
Secondly, cloud account must be secured. The admin access must be secured on the principle of least privilege. The operating systems must be hardened, centralized API logging should be enabled. Further, all the unnecessary processes in VMs should be disabled and hardened, meeting security standards to run the SAP applications. Hyperscale providers only provide IaaS, and it is up to customers/SI to secure the platform and applications. The environment must be scanned for vulnerabilities regularly, risk categorized and security patches must be deployed diligently.
Thirdly, aligning SLA with business objectives can be harder as SLA is fragmented between multiple service providers. Customers get SLA from IaaS providers (AWS, Azure or GCP) but this does not cover up to application layer and is limited to infrastructure layer only. Multiple providers with varying SLAs must be engaged for secure cloud connectivity, application managed services, technical availability, and basis support. There are no aggregated SLA up to application layer as illustrated in the Figure 1: Fragmented SLA below.
Last but not the least, investment must be made in people, technology, and process to build robust SIEM solutions. Even if organization has the best of technology in security monitoring, failure can still happen due in inadequate processes and lack of people skills operating and managing the environment. Cyber Threat Intelligence capabilities may have to be beefed up to understand evolving threat landscape and minimize cyber risk. In most cases, customers/SI may already have an existing Cyber SOC, but it must be able to handle SAP environment including network and applications.
All the above are the real impediments to successful cloud deployment and migration if due care and diligence is not exercised by customer/SI. This would result in increased cost, project delays, inadequate security controls and monitoring exposing organizations to cyber risk. Security conversation must happen at the earliest stage possible to unravel understanding keys assets, data classification and mechanism to secure the environment.
RISE with SAP – Business Value of Cyber Security
SAP maintains robust security posture following industry best practice approach such as NIST, SANS, CIS standards. SAP adopts risk-based approach to deploy comprehensive, validated, documented set of security controls. With SAP S/4HANA Cloud, Private Edition running on public cloud service providers (AWS, Azure and GCP), SAP performs an automated scanning of cloud environment, maintains Cloud Account Lifecycle Management (CALM) processes, build golden images, and deploy automatic remediation of creating non-compliant resources that does not meet baseline security standards.
Shared Security Responsibility
SAP owns and manages the public cloud service provider (AWS, Azure, and Google Cloud Platform) relationship and owns the master root account. In SAP S/4HANA Cloud, Private Edition, SAP provisions a separate account or subscriptions for each customer. Using standard reference architecture, SAP builds secure cloud virtual infrastructure solely for their individual customer landscape. SAP hardens, deploys security patches, securely operates environment with security monitoring, malware management, HA/DR. Administrate access for operations and management is based on Role Based Access Control (RBAC) via dedicated Management Network with Jump Host, MFA. Further audit logs are enabled for all administrative actions. SAP provides contractual assurances on systems availability aggregated up-to application layer. Contractual assurances are delivered via data processing agreements and general legal terms and conditions. The environment is also audited for SOC and ISO 27001, ISO22301, ISO 9001 standards.
Customer is responsible for business strategy and processes, business users’ identity and authentications, authorizations. Additionally, customer is responsible for any add-ons, 3rd party connectors, integrations and extensions, custom application development and security settings of the SAP S/4HANA application. It is vital for customer to understand the roles and responsibilities in RISE with SAP offerings so that advanced services can also be opted via SAP Cloud Applications Services. All the standard tasks undertaken by SAP, optional, additional and cloud application services (CAS) activities are also listed here to bring granular clarity on the shared security responsibility model.
RISE with SAP – Value of Cyber Security
Aggregated SLA aligning with Business:
RISE with SAP provides a managed private environment for customers offering an aggregated SLA of 99.7% up to the application level for production environment. SAP manages the entire technical operations and management of the solution stack with one contract and one SLA. This greatly relieves customer of doing heavy lifting security operations and management of the platforms. This allows customers/System Integrators to focus on security of custom application developments, add-ons and securing their connectivity to their eco-system partners. This greatly helps organization to realize their vision and speed to value while SAP undertakes securing the platform. This way, Customers can focus on the innovation at the business processes and application.
Resilient and Secure Reference Architecture:
SAP has developed a reference architecture that is best suited to run SAP S/4HANA in a private managed environment. As the application hosts critical and sensitive data, the systems are designed with resiliency providing HA and DR capabilities with defined Recovery Time Objective and Recovery Point Objective. SAP adopts zero trust and defense in depth architecture principles. Protective, detective, and automated remediation controls are applied at the micro-segmented environment.
Security Monitoring and Data Privacy Regulatory Compliance:
SAP maintains secure administrative network to collect, store, forward the logs to centralized security event management platform where events are correlated for automatic alerts. In the event of suspicious or malicious activity, security incident ticket is raised for further investigation by security experts. In the event of personal data breach, SAP fulfils obligations as data processor and notifies customers without undue delay as required by regulation and remediates promptly.
Compliance Monitoring and Security Posture Management:
SAP performs compliance scans mapping alignment to SAP Global Security and other industry best practice security standards on cloud service infrastructure assets such as virtual machine, databases, web dispatchers, storage systems etc. This greatly helps to secure the environment, identifying and remediating risks through security assessments and automated compliance monitoring.
Lower TCO for Security Operations:
As SAP cloud operations performs cadence on security patch management, security incident and event management – tools, people, technology and process, malware management, reporting personal data breaches and security assurance via independent audits. It should be noted that SAP tools, technology, processes are meant to protect only SAP cloud environment where customer landscape is hosted. While SAP collects logs from various layers such as OS, DB, Load Balancers, Subnets, customers have access to application security audit logs.
This would enable customer to have significantly lower TCO for security operations. Customer landscape may contain many SAP and non-SAP systems and they may have to their own security operations but RISE with SAP model, to an extent alleviate the cost elements while providing security at scale.
Cyber Threat Intelligence:
It is a common knowledge that industry at large is facing tenacious and devious threat actors. SAP defense capabilities are based on MITRE ATT&CK framework. SAP Cyber Threat Intelligence function augments security operations, gathering external threat intelligence insights on threat actors, their tactics, techniques, and procedures, and gather data, indicators of compromise (IOC) across SAP landscape. This further helps to enhance sophisticated and automated cyber defense capabilities. The collective experience and security knowledge of handling many customers on RISE with SAP, the team is far better positioned to enhance protective, detective and remediation controls.
Cyber Security at Scale and Speed
In my earlier blog, I have discussed topics on “Securing RISE with SAP”, “RISE with SAP: Multi-layer Defense in Depth Architecture of SAP S/4HANA Cloud, Private Edition” and “RISE with SAP: Adopting to Zero Trust Architecture Principles with SAP Cloud Services”. SAP Enterprise Cloud Service supports customer adoption journey and help secure RISE with SAP – SAP S/4HANA Cloud, Private Edition environment. The following diagram provides high level perspective of how SAP continues to enhance security of the customer landscape and brings technical & organizational measures to protect sensitive customer data. SAP provides security at scale and speed due to integrating and streamlining many of the security processes and leveraging the power of security automations.
The RISE with SAP proposition is a business enabler. It helps to run mission critical business processes. It is an engine of growth, innovation, and pivotal to enterprises. In RISE with SAP, we can deliver security by design and security by default with reference architecture blueprints. This cloud service is delivered at speed and scale with automated security scans, cloud security posture management, building golden images, security orchestration, automation, and response. This is augmented with SAP Cyber Threat Intelligence to enhance our defensive controls. This brings significant business value to customers, with enhanced protection of their data, aggregated SLA aligning to their business, contractual assurance, compliance to data protection and security audit assurance. As new cyber threats appear in the horizon on a regular basis, SAP continues to research and build robust cyber defense capabilities to protect customer data.