Being as IT Product Company, it's most important for SAP to deliver more complex design and constantly work towards meeting up customer needs, with regards to meet their expectation. SAP as organization not only believe in innovation but also delivering, Next generation Products, in various vertical as well as Line of Business.
Concept of Intelligent ERP, we know being as product company its our prime responsibility to , not only deliver customer expectations and also over and above, how secure and complex design we maintained in backend, so that SAP Customer should not get compromised at any given point. As Data is the primary source in any organization , to ensure growth.
Intelligent ERP
Now How secure the Data is and Handled at SAP. Firstly we will understand a brief about , How is data processed in On premises cases and also , in detail How SAP CLOUD is next generation Solution is working.
On-premise Security Concept
H/w in Secure/Trusted Zone: Servers are installed/maintained in secure/Trusted Zone
Operating System Security: accessing critical company IT resources locally and remotely, hence the need for secure computing environments has
become more pronounced. Mainly Confidentiality, Integrity, Availability etc … (Vulnerability)
Database Security : Securing Data Against Intentional or accidental threats , Securing/restrict access to the Database from Unauthorized users (Confidentiality,
Integrity and Availability)
Network (Public/Private): How the application is been available for users, considering business to run and at the same time secure integrity of the data mis-handling of data.
Application : various mechanism to authenticate , data access Using Role and authorization
Details (Assumption On-Premise system access Over Internet)
Assumptions:
Public IP and DNS is already configured , in place (Firewall)
SAP ERP SYSTEM as Gateway HUB
As sap strongly recommend any application which will be accessed From External/Public network should be configured/signed by Public CA, is already in place
Web-Server or Proxy is installed/configured in DMZ zone
Authentication Mechanism already in place . Like SSO using SAML (LDAP) ,or any other SSO mechanism or basic Authentication (not recommended), by SAP
Load-balancer configuration, whitelisting and blacklisting rules are well defined
SSL Termination is in place as per customer requirement , Like (End to End SSL or SSL Termination at Load Balancer or SSL termination at Web-Server, completely customer choice as per their security guidelines (TLS and MLS)
Client Protocol, well defined
Backend system cookie , Session Expiry other Security Related Configuration already well establish/maintained (to ensure smooth request and response Flow
Note:- Any time of SSL Termination configuration has its own merits and limitation, For instance: END to END SSL would impact overall , request and response time
Details Continues …
Process Flow in Detail:
User access Fiori application from Public/Open network
In our example request always , SSL (HTTPS)
Web-Server or Proxy Checks unwrap as it is secure content and forward request to IDP (Identity Provider), Which in our case In House/On-Premise LDAP
Based upon User Details IDP , validate credentials and issue token ,
Backend system and any Integrated system check and validate token or credentials, (in case of WSDL)
Backend system , which act or configured as SP (Service Provider) for LDAP (IDP), accept this assertion and process if it local request or forward to trusted non-SAP or SAP system for processing
Processed Data sent back through ERP and then DMZ and finally on User Device
So above is something , On-Premises Web based application typical configuration , based upon assumptions, Other undocumented security clearance aspects, which are different may vary from customer to customer, as each organisation has its own set of security provisions, to ensure, at any point of time there are no Data Compromised.
Bring your own devices
Company provided devices
In Intranet or
Over Public Network
Now Lets try understand , HOW SAP take cares of as par as access control mechanism, Data Provision etc
Overview Access Control: SAP Cloud Platform
What is SAP Cloud Platform ?
SAP Cloud Platform is an enterprise platform-as-a Service (enterprise PaaS) that provides comprehensive development services, which widely supported by Cloud Infrastructure providers and comprise various innovation technologies, Like Internet of Things, machine learning, artificial intelligence, and big data etc, helps achieving business agility and Digital transformation across various Business Verticals (Industry Solutions) etc
Various aspects, influence SAP Cloud Platform and constant innovation across, In today’s world, where technology is such fast driven by mainly : Automation, Innovation, Flexibility and scalability
Above all, Most commonly asked/raised , around security Aspects, Which we will discuss in detail further in this document
Overview Access Control: SAP Cloud Platform Cont ...
Overview Access Control: SAP Identity Provisioning
Overview Access Control: SAP Identity Provisioning Cont …
SAP Identity Provisioning is solution for Identity Lifecycle Management
Administration and Operations in the Cloud Foundry/Neo Environment
Single cockpit to perform all Administrative tasks, Like Global A/c , sub a/c , Org and spaces,
Managing Resource Provider to connect Non-SAP Cloud Vendor , using global account in cockpit
Managing Authentication and Authorization: Authentication SAML 2.0 IDP/SP configuration
SAP Cloud Identity Provisioning can be integrated not SAP Cloud solutions but also can be integrated to Social identity provider , We’ll understand this with example in next slides
SAP Cloud Identity provisioning also support two factor authentication
On-premise user store integration
In Other words , SAP Cloud Identity Provisioning provides secure access to web application
Implementation scenarios
Obtaining license
Overview Access Control: SAP Identity Provisioning Cont …
Overview Access Control: SAP Identity Provisioning Cont …
Overview Access Control: SAP Identity Provisioning Cont …
SSO (Source and Target systems configuration)
Above is screenshot for reference , from Identity Cockpit ,
Configuring Source and Target systems for SSO using Cockpit
Sync up users, scheduler or ad-hoc basis
Real time sync, Employee/Student self service on-boarding
Overview Access Control: SAP Identity Provisioning Cont …
Implementation scenarios Reference
Overview Access Control: SAP Identity Provisioning Cont …
Obtaining license
Your license contains Identity Provisioning
After the successful purchase. you'll receive two e-mails from SAP According to your contract with SAP, a technical contact person has been chosen as the first user of the Identity Provisioning service. who is granted with Administrator permissions. In these e-mails from SAP, you'll find the ID of this administrator (their P- or 5- user) and their e-mail address. They can access the Identity Provisioning UI with their user credentials.
Each e-mail from SAP contains also a URL link that you, as an administrator, can use to directly access the Identity Provisioning UI. These two URLs are related to two different Identity Provisioning accounts - the first one you can use for testing purposes, and the second one - for productive provisioning configurations and jobs.
If you encounter issues with accessing your Identity Provisioning UI.
create an incident to component BC-IAM-IPS.
Overview Access Control: SAP Identity Provisioning Cont … S/4 HANA Cloud
General Pre-requisites … SSO (On Prem AD, S/4 HANA Cloud and SAP Cloud Identity Provisioning)
Reference Example : SAP S/4 HANA on Cloud
SAP Cloud Identity Provisioning is Single point of Authentication mechanism, integrated to
On-Premises, Cloud based IDP, in General it is Active Directory
SAP Cloud Identity is Connected to backend, on-Premise or Cloud IDP via secure connection, Widely used Secure(https) SAML 2.0 for authentication
Integration of SAP S/4 HANA Cloud with other SAP Cloud based solution, is also managed by SAP Cloud Identity Provisioning
Building Trust relation between subaccount and Identity provider
Any Third party non SAP Cloud Solution can also be integrated through SAP Cloud Identity Provisioning (as far as it support SAML 2.0)
SAP is valid for on Premises NON SAP Solution can also be provisioned/Integrated
SAP Cloud Identity provisioning is simplify identity and access management with Cloud based governance (Streamline identity and access management), In complex on-premise and cloud environments
Enable self service request for multiple roles
Automated workflows, with built in risk simulation (SAP Cloud Identity Access Governance – 2002)
General Guidelines : Integration On-Premises SAP SYSTEMS & IDP
Reference Example : SAP S/4 HANA on Cloud
On Premise Identity Provider Microsoft AD is maintained
Employee Information in appropriate LDAP attribute , (SamAccountname, Email-ID, or employee-ID) etc
Service A/c with read permission in LDAP (Microsoft AD)
LDAP should be SSL Enabled,
VALID SSL Certificate should be installed for Secure connection
SAP Recommend: Should be public CA signed certificate preferred
Password Policy well defined on SAP On-Premise systems
Password Polity well defined on Microsoft AD
HTTPS should be enabled for integration
Metadata and certificate should be exchanged , to build trust and achieve (SSO)
General Guidelines : Integration Non-SAP Cloud System On-Premise IDP
Reference Example : SAP S/4 HANA on Cloud
On Premise Identity Provider Microsoft AD is maintained
Users authentication SAP Cloud Identity Provisioning and Authorization based upon Source system
Cloud Solution should be accessible, secure channel (https)
Signed by Public CA
SAML 2.0 with assertion should be supported
Trust between SAP Cloud identity provisioning and Non-SAP Cloud System , for single sign on (SS0)
Metadata and certificate to built Trust between SAP Cloud IDP and Non-SAP Cloud Solutions
Principal propagation between Neo and Cloud Foundry (using OAuth2SAMLBearer)
Trust between subaccounts Neo and Cloud Foundry (vise versa)
Secure from web attacks, Like ,CSRF Token (SQL Injection), XSS (Cross Site Scripting/Domain Relaxing), Slow HTTP Attack, Protect application web application using some of the best practice guideline as far as Web application development (UI5 and XSS Output Encoding Library) is concerned
URL encoding approach escape Special characters (Attack) , Solution encode Trusted urls
Custom header approach Build RESTful Web services (CSRF Protection for GET, POST, PUT, DELETE) etc.
General Guidelines : Integration Non-SAP Cloud System On-Premise IDP Cont …
Reference Example : SAP S/4 HANA on Cloud
Use Client Certificate based Authentication
Decryption is not possible, unless client certificate is compromised from device
Client a/c Locked is hardly possible, as there is no client credential
Key Pair and Certificate
Option 1 Client certificate is combination of Private and Public key (PKI)
Option 2 Single Sign On using SAP Passport
SAP Cloud Platform Integration keystore management, to create keypair x.509 certificate
Create Keypair using Openssl Tool
Trust between subaccounts Neo and Cloud Foundry (vise versa)
Secure from web attacks, Like ,CSRF Token (SQL Injection), XSS (Cross Site Scripting/Domain Relaxing), Slow HTTP Attack, Protect application web application using some of the best practice guideline as far as Web application development (UI5 and XSS Output Encoding Library) is concerned
URL encoding approach escape Special characters (Attack) , Solution encode Trusted urls
Custom header approach Build RESTFul Web services (CSRF Protection for GET, POST, PUT, DELETE) etc
General Security Guidelines : Difference between Cloud foundry vs Neo
Cloud Foundry
SAP Cloud Foundry Application runtime, open source application platform, managed by Cloud Foundry Foundation
Developer can develop , Build and enhance application using cloud foundry environment
Cloud foundry support multiple applications, Like : Java, Node.js (support by SAP)
Support multiple data centers, Like AWS, Azure, GCP etc
Below is the table for Trial Access
Cloud Foundry Environment Free Trial ABAP Environment
General Security Guidelines : Difference between Cloud foundry vs Neo
Neo Environment
Neo Environment runtime, SAP Proprietary Runtime
Neo is full of built in extensive feature, which help developer, easy-to-use in development environment
Neo Environment support development using various technologies, Like : SAP HANA XS and HTML5 applications
Neo allows , developer to develop application in UI5, mainly web based application
Allowing virtual machines install your own application, in-line between Platform-as-a-service and Infrastructure-as-a-service
Neo Free Trial ABAP Environment
Data Persistence
Data Security
What is data ?
Data is set of information that can be of measured, stored and , so can be referred later , analyze , process
In modern time data is the most curtail part of any organization, as helps in growth, potential analytics, areas to work on, Skill upgradation or Fixed asset etc.
Data Storage Security
At SAP, in Cloud World, Data is processed between the source and target and does not persist in SAP Cloud Platform Integration layer. On-premise and cloud applications are supported as source and target in the following direction, Mainly:
on-premise to cloud
cloud to on-premise
cloud-to-cloud
Cryptographic keys are used to encrypt and decrypt this sensitive data, and Cryptographic Keys managed as per organization security guidelines
SAP Cloud Platform Integration supports SSH File Transfer Protocol (SFTP)/PGP when transferring data to or from external server, to protect sensitive/crucial data
In order to provide privacy and security, SAP Cloud Platform uses/secure data using PGP to encrypt and decrypt Sensitive data
Data Persistence Cont …
Data Security ?
PGP keys are managed through the Data Services Agent Configuration program
PGP Management
Data privacy ?
View data feature: allows users to see data when data load run task completed
load data to external web service targets and receive a response from the external web service
SAP HANA database security ?
Organization's schemas are unique
Schemas protected with standard SAP HANA access control.
Metadata, jobs, data flows, runtime histories and logs
specific set of ports opened to the SAP HANA server, by default “deny” access control
SAP HANA only allowed protocols, related to Administrative-related, Like JDBC, SSH
SAP Cloud Platform Integration uses UI5 technology, which is based upon JavaScript
Data Persistence Cont …
Data Protection and Privacy
SAP provides specific features and functions to support compliance
decisions related to data protection must be made on a case-by-case basis, under consideration of the given system landscape
SAP software supports data protection compliance by providing security features and specific data protection-relevant functions
Glossary
References
https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/b2cddb90224d4330a0fbf74573a...
https://blogs.sap.com/2019/02/24/sap-cloud-platform-environment-cloud-foundry-vs-neo/
https://www.sap.com/products/cloud-platform/capabilities/foundation.identity-provisioning.html?video...
https://help.sap.com/doc/03ed1ffc43c64e14803d5ecbd986d0e4/Cloud/en-US/hci10_security_en.pdf
https://en.wikipedia.org/wiki/Data
https://ga.support.sap.com/dtp/viewer/index.html#/tree/2143/actions/27412
https://help.sap.com/viewer/df50977d8bfa4c9a8a063ddb37113c43/Cloud/en-US/cbd76632d8aa4cb7bbf175d7607...
Regards
King Sharma
