As an IT product company, SAP's first priority is to deliver increasingly capable designs while continuously meeting customer needs and expectations. SAP as an organisation believes not only in innovation but also in delivering next-generation products across industry verticals and lines of business.

With the Intelligent ERP concept, a product company's responsibility is not only to meet and exceed customer expectations, but also to keep the backend design secure and robust, so that an SAP customer is not compromised at any point in time. Data is the primary asset of any organisation and the basis of its growth.

Intelligent ERP

So how is data secured and handled at SAP? First we look briefly at how data is processed in an on-premise landscape; then we look in more detail at how SAP Cloud works as a next-generation solution.

On-premise Security Concept

  • Hardware in a secure/trusted zone: servers are installed and maintained in a physically secured, trusted zone
  • Operating system security: critical company IT resources are accessed both locally and remotely, so the need for a hardened computing environment is more pronounced. The goals are confidentiality, integrity and availability; an unpatched vulnerability undermines all three
  • Database security: protecting data against intentional or accidental threats and restricting database access to authorised users (confidentiality, integrity and availability)
  • Network (public/private): how the application is exposed to users so that the business can run while the integrity of the data is protected against mishandling
  • Application: mechanisms to authenticate users and to control data access using roles and authorisations

Details (assumption: on-premise system accessed over the Internet)

Assumptions:

  • Public IP and DNS are already configured and a firewall is in place
  • The SAP ERP system acts as the gateway hub
  • SAP strongly recommends that any application accessed from an external/public network uses a certificate signed by a public CA; this is already in place
  • A web server or reverse proxy is installed and configured in the DMZ
  • An authentication mechanism is already in place, such as SSO using SAML 2.0 (with users held in LDAP), another SSO mechanism, or basic authentication (not recommended by SAP)
  • Load balancer configuration and whitelisting/blacklisting rules are well defined
  • SSL/TLS termination is in place as per customer requirement: end-to-end TLS, termination at the load balancer, or termination at the web server. This is entirely the customer's choice according to their security guidelines (TLS and MLS)
  • The client protocol is well defined
  • Backend cookie, session expiry and other security-related settings are already established and maintained, to ensure a smooth request and response flow
  • Note: each type of TLS termination has its own merits and limitations. For instance, end-to-end TLS affects overall request and response time and means the load balancer cannot inspect traffic (for example with a WAF), whereas terminating at the load balancer means the hop between the load balancer and the backend must be protected separately (re-encryption or a trusted network segment)
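Because the cookie and session settings above are taken as given, here is an added example (my own code, not SAP's) that verifies them from a captured response: it parses Set-Cookie header values and flags a missing Secure, HttpOnly or SameSite attribute and an overly broad Domain. The cookie names and values are constructed for the example, and the name pattern used to decide which cookies carry a session is an assumption.

```python
# Added example (not from the original post): audit the cookie attributes a
# backend or reverse proxy sets, so the "session settings are in place"
# assumption can be checked from a captured HTTPS response.
import re
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie header values, shaped like an SAP NetWeaver
# response; names and values are made up for this example.
SAMPLE_SET_COOKIES = [
    "SAP_SESSIONID_ERP_100=AbC123xyz; path=/; HttpOnly",
    "MYSAPSSO2=AjExMDAgABBCQQ==; path=/; domain=.example.com; Secure; HttpOnly",
    "sap-usercontext=sap-client=100; path=/",
]

# Assumption: cookies whose names match this pattern carry a session or SSO ticket.
SESSION_COOKIE_HINT = re.compile(r"SESSION|SSO|TOKEN", re.IGNORECASE)


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), attrs


def audit_cookie(value: str) -> List[str]:
    """Return a list of findings for one Set-Cookie value (empty means OK)."""
    name, attrs = parse_set_cookie(value)
    findings: List[str] = []
    session_like = bool(SESSION_COOKIE_HINT.search(name))
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would also be sent over plain HTTP")
    if session_like and "httponly" not in attrs:
        findings.append("missing HttpOnly: session cookie readable by script (XSS)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("missing or SameSite=None: cookie attached to cross-site requests (CSRF)")
    domain = attrs.get("domain", "")
    if domain.startswith("."):
        findings.append(f"broad Domain={domain}: shared with every subdomain")
    return findings


def audit_response(set_cookie_values: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie value of one response, keyed by cookie name."""
    return {parse_set_cookie(v)[0]: audit_cookie(v) for v in set_cookie_values}


if __name__ == "__main__":
    for cookie_name, found in audit_response(SAMPLE_SET_COOKIES).items():
        print(cookie_name, "OK" if not found else "")
        for item in found:
            print("   -", item)
```

One caveat when reading the SameSite finding: the SAML POST binding delivers the assertion from the IdP to the backend's assertion consumer service as a cross-site POST, so a cookie that must be present on that request cannot be SameSite=Lax. The check reports it so that the choice is reviewed rather than silently accepted.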

Details (continued)

Process Flow in Detail:

  • The user accesses the Fiori application from a public/open network
  • In this example every request uses HTTPS (TLS)
  • The web server or reverse proxy in the DMZ terminates (or passes through) TLS and forwards the request to the backend. The backend, acting as SAML service provider, has no session for the user yet and redirects the browser to the identity provider (IdP), which in this case authenticates against the in-house, on-premise LDAP (Active Directory) user store
  • The IdP validates the user's credentials against the user store and issues a signed SAML assertion (token)
  • The backend system and any integrated system validate the assertion, or, for web-service (WSDL) calls, the credentials or token presented by the caller
  • The backend system, configured as the service provider (SP) that trusts the IdP, accepts the assertion, creates a session and processes the request locally or forwards it to a trusted SAP or non-SAP system for processing
  • The processed data is returned through the ERP system, then the DMZ, and finally to the user's device
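The step in which the backend (as service provider) accepts the assertion is where most SAML mistakes happen, so here is an added example of the checks an SP performs on a bearer assertion after the XML signature has been verified. This is my own code, not SAP's implementation: the IdP and SP entity IDs, the assertion consumer service URL, the request ID and the timestamps are constructed for the example, and cryptographic verification of the XML signature is assumed to have been done by an XML-DSig library and passed in as a flag.

```python
# Added example (not from the original post): SP-side validation of a SAML 2.0
# bearer assertion. Signature verification is delegated to an XML-DSig library
# (result passed as signature_ok); everything else is checked here.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample assertion; the hosts, IDs and times are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T10:05:00Z"
          Recipient="https://erp.example.com/sap/saml2/sp/acs/100"
          InResponseTo="_req-42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://erp.example.com/sap/saml2/sp/100</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# What this (constructed) SP expects; in practice taken from the trust configuration
# and from the AuthnRequest it sent.
SP_CONFIG = {
    "idp_entity_id": "https://idp.example.com/saml2",
    "entity_id": "https://erp.example.com/sap/saml2/sp/100",
    "acs_url": "https://erp.example.com/sap/saml2/sp/acs/100",
    "pending_request_id": "_req-42",
}
NOW = datetime(2024, 1, 1, 10, 1, tzinfo=timezone.utc)      # inside the validity window
LATER = datetime(2024, 1, 1, 10, 10, tzinfo=timezone.utc)   # after NotOnOrAfter


class AssertionRejected(Exception):
    pass


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, sp, now, seen_ids, signature_ok=True,
                       skew=timedelta(seconds=60)):
    """Return the authenticated NameID, or raise AssertionRejected."""
    if not signature_ok:
        raise AssertionRejected("signature not verified against the trusted IdP certificate")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise AssertionRejected("root element is not a SAML Assertion")
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise AssertionRejected("missing or replayed assertion ID")
    if root.findtext("saml:Issuer", namespaces=NS) != sp["idp_entity_id"]:
        raise AssertionRejected("issuer is not the trusted IdP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("no Conditions element")
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        raise AssertionRejected("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise AssertionRejected("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp["entity_id"] not in audiences:
        raise AssertionRejected("audience %r does not include this SP" % audiences)
    scd = root.find("saml:Subject/saml:SubjectConfirmation[@Method='%s']"
                    "/saml:SubjectConfirmationData" % BEARER, NS)
    if scd is None:
        raise AssertionRejected("no bearer SubjectConfirmationData")
    if scd.get("Recipient") != sp["acs_url"]:
        raise AssertionRejected("Recipient is not this SP's assertion consumer service")
    if scd.get("InResponseTo") != sp["pending_request_id"]:
        raise AssertionRejected("InResponseTo does not match the pending AuthnRequest")
    if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        raise AssertionRejected("bearer confirmation expired")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("no NameID")
    seen_ids.add(assertion_id)   # remember only accepted IDs, for replay detection
    return name_id


if __name__ == "__main__":
    seen = set()
    print("accepted user:", validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, NOW, seen))
    try:
        validate_assertion(SAMPLE_ASSERTION, SP_CONFIG, NOW, seen)
    except AssertionRejected as exc:
        print("second presentation rejected:", exc)
```

The order matters: an assertion whose signature has not been verified must not reach the parser at all, and the assertion ID is added to the replay cache only after every other check has passed, so that a rejected assertion cannot be used to block a legitimate one. The clock skew allowance must be small (a minute is common), because it extends the window in which a captured assertion can be replayed against another SP.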

The above is a typical configuration for an on-premise web-based application, based on the stated assumptions. Other, undocumented security requirements vary from customer to customer, as each organisation has its own security provisions to ensure that data is never compromised, for example depending on whether access comes from:

  • Bring your own devices
  • Company provided devices
  • In Intranet or 
  • Over Public Network

Now let us look at how SAP takes care of access control, data provisioning and related concerns.

Overview Access Control: SAP Cloud Platform 

What is SAP Cloud Platform ?

  • SAP Cloud Platform is an enterprise platform-as-a-service (enterprise PaaS) that provides comprehensive development services, runs on several cloud infrastructure providers and bundles innovation technologies such as Internet of Things, machine learning, artificial intelligence and big data, helping customers achieve business agility and digital transformation across industry solutions
  • Many factors influence SAP Cloud Platform and its constant innovation; in a world where technology moves this fast, the main drivers are automation, innovation, flexibility and scalability
  • Above all, the most common questions raised concern security, which we discuss in detail in the rest of this document

Overview Access Control: SAP Identity Provisioning 

  • SAP Identity Provisioning is a solution for identity lifecycle management: creating, updating and removing users and groups across the connected systems
  • Administration and operations take place in the Cloud Foundry or Neo environment
  • A single cockpit is used for all administrative tasks, such as global accounts, subaccounts, orgs and spaces
  • A resource provider can be managed to connect a non-SAP cloud vendor, using the global account in the cockpit
  • Managing authentication and authorisation: authentication is configured as a SAML 2.0 IdP/SP trust
  • SAP Cloud Identity Provisioning can be integrated not only with SAP cloud solutions but also with social identity providers; this is shown with an example in the next slides
  • SAP Cloud Identity services also support two-factor authentication
  • On-premise user store integration
  • In other words, SAP Cloud Identity Provisioning provides secure access to web applications
  • Implementation scenarios
  • Obtaining a license

Overview Access Control: SAP Identity Provisioning Cont … 

  • SSO (source and target system configuration)

  • The screenshot referenced here, from the Identity Provisioning cockpit, is not reproduced; it shows the following
  • Configuring source and target systems for SSO using the cockpit
  • Synchronising users on a schedule or ad hoc
  • Real-time synchronisation, e.g. employee/student self-service onboarding

Implementation scenarios (reference diagram, not reproduced)

Obtaining license

  • Identity Provisioning is included in your license
  • After the purchase you will receive two e-mails from SAP. According to your contract with SAP, a technical contact person has been chosen as the first user of the Identity Provisioning service and is granted administrator permissions. In these e-mails you will find the ID of this administrator (their P- or S-user) and their e-mail address. They can access the Identity Provisioning UI with their user credentials.
  • Each e-mail from SAP also contains a URL that you, as an administrator, can use to access the Identity Provisioning UI directly. The two URLs belong to two different Identity Provisioning accounts: the first is for testing purposes, the second for productive provisioning configurations and jobs.
  • If you encounter issues accessing the Identity Provisioning UI, create an incident on component BC-IAM-IPS.

Overview Access Control: SAP Identity Provisioning with S/4HANA Cloud

General prerequisites for SSO (on-premise AD, S/4HANA Cloud and SAP Cloud Identity Provisioning)

Reference example: SAP S/4HANA Cloud

  • SAP Cloud Identity services (Identity Authentication together with Identity Provisioning) form the single point of authentication and provisioning, integrated with the on-premise or cloud-based IdP, which in general is Active Directory
  • SAP Cloud Identity connects to the backend, on-premise or cloud IdP over a secure (HTTPS) connection; SAML 2.0 is the widely used authentication protocol
  • Integration of SAP S/4HANA Cloud with other SAP cloud solutions is also managed by SAP Cloud Identity Provisioning
  • Trust is established between the subaccount and the identity provider
  • Any third-party, non-SAP cloud solution can also be integrated through SAP Cloud Identity Provisioning, as long as it supports SAML 2.0
  • The same holds for on-premise non-SAP solutions, which can also be provisioned and integrated
  • SAP Cloud Identity Provisioning simplifies identity and access management with cloud-based governance (streamlined identity and access management) in complex on-premise and cloud environments
  • Self-service requests for multiple roles are enabled
  • Automated workflows with built-in risk simulation (SAP Cloud Identity Access Governance – 2002)

General Guidelines: Integration of On-Premise SAP Systems and the IdP

Reference example: SAP S/4HANA Cloud

The on-premise identity provider is Microsoft AD:

  • Employee information is maintained in the appropriate LDAP attributes (sAMAccountName, e-mail address, employee ID, etc.)
  • A service account with read permission exists in LDAP (Microsoft AD); it needs no write rights and should not be a member of any administrative group
  • LDAP must be SSL/TLS enabled (LDAPS); over plain LDAP a simple bind sends the service account's password in clear text
  • A valid SSL/TLS certificate must be installed for the secure connection
  • SAP recommendation: a certificate signed by a public CA is preferred
  • A password policy is defined on the SAP on-premise systems
  • A password policy is defined in Microsoft AD
  • HTTPS is enabled for the integration
  • SAML metadata and certificates are exchanged to build trust and achieve SSO

General Guidelines: Integration of a Non-SAP Cloud System with the On-Premise IdP

Reference example: SAP S/4HANA Cloud

  • The on-premise identity provider is Microsoft AD
  • Users authenticate via SAP Cloud Identity; authorisation is based on the source system
  • The cloud solution must be reachable over a secure channel (HTTPS)
  • with a certificate signed by a public CA
  • SAML 2.0 with assertions must be supported
  • Trust between SAP Cloud Identity Provisioning and the non-SAP cloud system is required for single sign-on (SSO)
  • Metadata and certificates are exchanged to build trust between the SAP Cloud IdP and the non-SAP cloud solution
  • Principal propagation between Neo and Cloud Foundry uses the OAuth2SAMLBearer flow
  • Trust between the Neo and Cloud Foundry subaccounts is configured in both directions
  • Protect against web attacks: CSRF (anti-CSRF tokens), SQL injection (parameterised queries), XSS (output encoding; be careful with cross-site scripting via domain relaxing) and slow HTTP attacks (request timeouts at the proxy). Follow the best-practice guidelines for web application development with UI5 and use the XSS output encoding library
  • URL encoding approach: escape special characters so they cannot be used as an attack vector, and only encode and link trusted URLs
  • Custom header approach: RESTful web services require a CSRF token that the client fetches via a custom header and must present on state-changing requests (POST, PUT, DELETE); GET must remain free of side effects
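The custom-header approach, as an added example that is my own code and not SAP's: a minimal server-side implementation in which a client asks for a token with "X-CSRF-Token: Fetch" on a GET and must echo it on POST, PUT, PATCH and DELETE. The header name and the "Fetch"/"Required" values follow the SAP Gateway convention; the session store, the session cookie name and the request/response representation are simplified and constructed for the example.

```python
# Added example (not SAP's code): server-side logic for the custom-header CSRF
# pattern. Sessions are a plain dict keyed by session ID; requests are given as
# (method, headers, cookies) so the logic can be exercised without a web server.
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # must not change state, never need a token
TOKEN_HEADER = "x-csrf-token"
SESSION_COOKIE = "SAP_SESSIONID"            # constructed name for the session cookie


def handle_request(sessions, method, headers, cookies):
    """Process one request; return (HTTP status, response headers).

    sessions: dict session_id -> dict with at least "user". The CSRF token is
    stored inside the session so that it is bound to one authenticated session
    and cannot be reused from another.
    """
    session = sessions.get(cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return 401, {}                       # no authenticated session, no token
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)     # CSPRNG, issued once per session
    token = session["csrf"]
    if method.upper() in SAFE_METHODS:
        # A client obtains the token by sending "X-CSRF-Token: Fetch" on a safe request.
        if hdrs.get(TOKEN_HEADER, "").lower() == "fetch":
            return 200, {TOKEN_HEADER: token}
        return 200, {}
    presented = hdrs.get(TOKEN_HEADER, "")
    # Constant-time comparison: the token is a per-session secret.
    if not hmac.compare_digest(presented.encode(), token.encode()):
        return 403, {TOKEN_HEADER: "Required"}
    return 200, {}


def demo():
    """Walk through fetch, a forged cross-site POST, and a legitimate POST."""
    sessions = {"sess-1": {"user": "jdoe"}}
    cookies = {SESSION_COOKIE: "sess-1"}
    _, resp = handle_request(sessions, "GET", {"X-CSRF-Token": "Fetch"}, cookies)
    token = resp[TOKEN_HEADER]
    # A cross-site form post carries the session cookie but cannot set a custom header.
    forged = handle_request(sessions, "POST", {}, cookies)[0]
    genuine = handle_request(sessions, "POST", {"X-CSRF-Token": token}, cookies)[0]
    return forged, genuine


if __name__ == "__main__":
    print("forged POST -> %d, genuine POST -> %d" % demo())
```

The reason a custom header works as a CSRF defence is that a browser only attaches custom headers to requests made by same-origin script, or after a CORS preflight that the server has declined; an HTML form submitted from an attacker's site carries the victim's cookies but cannot add X-CSRF-Token. The token is therefore only useful if it is bound to the session (a token from one session must fail in another, as the example checks) and if GET handlers really are free of side effects, because no token is demanded for them.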

General Guidelines: Integration of a Non-SAP Cloud System with the On-Premise IdP (continued)

Reference example: SAP S/4HANA Cloud

  1. Use client-certificate-based authentication (mutual TLS)
  2. The client cannot be impersonated unless its private key is extracted from the device, since no password is ever transmitted
  3. Account lockout is hardly possible, because there is no password credential to brute-force
  4. Key pair and certificate
  5. Option 1: an X.509 client certificate, i.e. a key pair (private and public key) issued through a PKI
  6. Option 2: single sign-on using SAP Passport
  7. Use SAP Cloud Platform Integration keystore management to create the key pair and X.509 certificate
  8. Or create the key pair with the OpenSSL tool

General Security Guidelines: Difference between Cloud Foundry and Neo

Cloud Foundry

  • The SAP Cloud Platform Cloud Foundry environment is based on the open-source Cloud Foundry application platform, governed by the Cloud Foundry Foundation
  • Developers can develop, build and enhance applications in the Cloud Foundry environment
  • Cloud Foundry supports multiple runtimes, e.g. Java and Node.js (supported by SAP)
  • It runs in the data centres of multiple infrastructure providers, e.g. AWS, Azure and GCP

Trial access (table not reproduced): Cloud Foundry environment free trial; ABAP environment

Neo Environment

  • The Neo environment is SAP's proprietary runtime
  • Neo comes with many built-in features that make it an easy-to-use development environment
  • Neo supports development with various technologies, e.g. SAP HANA XS and HTML5 applications
  • Neo allows developers to build UI5 applications, mainly web-based
  • Virtual machines allow you to install your own applications, placing Neo between platform-as-a-service and infrastructure-as-a-service

Neo free trial and ABAP environment (table not reproduced)

Data Persistence

Data Security 

What is data?

Data is a set of information that can be measured, stored and referred to later, analysed and processed.

Today data is the most crucial asset of any organisation: it drives growth, analytics, identification of areas to work on, skill upgrades, fixed assets and so on.

Data Storage Security

In the SAP cloud world, data is processed between source and target and does not persist in the SAP Cloud Platform Integration layer. On-premise and cloud applications are supported as source and target in the following directions:

  1. on-premise to cloud
  2. cloud to on-premise
  3. cloud to cloud
  • Cryptographic keys are used to encrypt and decrypt sensitive data, and the keys are managed according to the organisation's security guidelines
  • SAP Cloud Platform Integration supports SSH File Transfer Protocol (SFTP) and PGP when transferring data to or from an external server, to protect sensitive data
  • To provide privacy and security, SAP Cloud Platform uses PGP to encrypt and decrypt sensitive data

Data Persistence Cont …

Data Security

  • PGP keys are managed through the Data Services Agent configuration program

PGP Management

Data privacy

  • View data feature: allows users to see data once a data load task has completed
  • Data can be loaded to external web service targets and a response received from the external web service

SAP HANA database security

  • Each organisation's schemas are unique
  • Schemas are protected with standard SAP HANA access control
  • This covers metadata, jobs, data flows, runtime histories and logs
  • Only a specific set of ports is opened to the SAP HANA server; the default access control is "deny"
  • Only administration-related protocols such as JDBC and SSH are allowed to SAP HANA
  • SAP Cloud Platform Integration uses UI5 technology, which is based on JavaScript

Data Persistence Cont …

Data Protection and Privacy 

  • SAP provides specific features and functions to support compliance
  • Decisions related to data protection must be made on a case-by-case basis, taking the given system landscape into consideration
  • SAP software supports data protection compliance by providing security features and specific data-protection-relevant functions

Regards

King Sharma