(Jana Subramanian serves as  APJ Principal Cybersecurity Advisor for Cloud Security and has been recognized as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals (IAPP). As part of his responsibilities, Jana helps with strategic customer engagements related to topics such as cybersecurity, data privacy, multi-cloud security integration architecture, contractual assurance, audit, and compliance.)

Introduction

The SAP S/4HANA Cloud, Private Edition serves as the foundation for the "RISE with SAP" offering, safeguarding customers' essential business data and their mission critical operations. SAP Enterprise Cloud Services (ECS) delivers a managed private environment featuring a multi-layered defence-in-depth and zero-trust architecture principles that covers infrastructure and technical managed services. This comprehensive approach encompasses end-to-end SLAs for the entire solution stack under SAP operations management and a robust security capability, effectively reducing cost, risk for customers and enhancing business value.

In this blog, we delve into some common cybersecurity questions frequently asked by our customers and partners. I have attempted to gather the most important cybersecurity questions and offer clear, concise answers in an easy-to-read FAQ format.

Customer Network Segregation

S.No	Description of FAQ	FAQ Explained
1	How does SAP segregate each customer in SAP S/4HANA cloud private edition, specifically in AWS, Azure and GCP environments?	In SAP S/4HANA Cloud, Private Edition, SAP establishes separate accounts (AWS), subscriptions (Azure), or projects (GCP) for each customer, creating a clear boundary at the account level. Additionally, at the network level, SAP sets up a logically separated Virtual Private Network (VPC/VNET) for each customer, hosting a dedicated S/4HANA application landscape with a private IP address space for each customer. As a result, this managed environment remains private and secure for each customer.
2	How do you further segment your network to ensure resource isolation?	SAP ECS creates multiple subnets such as Gateway, Admin, Production subnets. The subnet is configured with a Security Group (AWS)/Network Security Group (Azure), Firewall (GCP), which includes a specific set of rules designed to manage and control network traffic. There are additional security measures such as Managed Firewall available on specific platforms subject to additional commercial impact and for details, please reach out respective SAP Cloud Architect Advisory team.
3	Is it necessary for SAP Development, QA, and Production environments to be part of the same Virtual Network (VPC or VNET)? In other words, do we require communication between non-production (lower) and production environments?	Yes, according to SAP ECS reference architecture, SAP keep all systems within the same virtual network (VPC/VNET). Within the VPC, there are multiple subnets protected by cloud firewall/security groups rules to manage east-west traffic based on customer requirements. Communication between non-production and production systems is necessary for software logistics purposes, such as transport management, client copies etc.

Secure Connectivity

S.No	Description of FAQ	FAQ Explained
4	Do you support IPSEC VPN to connect to SAP S/4HANA cloud, private edition landscape?	Yes. Customers can employ an IPsec-based Site-to-Site (S2S) VPN over the internet to connect to their dedicated virtual private network in the cloud. VPN configurations largely depend on the specific Hyperscale provider platform being used, such as AWS, Azure, or GCP. The requirements for each platform can be found in their respective documentation.
5	Do you support dedicated network connection bypassing Internet?	Yes. For accessing productive workloads, it is recommended to use a dedicated private connection with redundancy, as this ensures a higher quality of service and greater availability. Hyperscale-provided solutions such as  AWS Direct Connect, Azure ExpressRoute, and GCP Cloud Interconnect can be utilized to establish these network connections. Details regarding edge locations and networking partners can be found in the respective Hyperscaler documentation.
6	Does SAP S/4HANA cloud, private edition support AWS Transit Gateway?	No, SAP ECS does not allow Transit Gateway configuration. However if customer owns a Transit Gateway in their subscription, SAP S/4HANA cloud, private edition can be connected to customer owned Transit Gateway to establish connectivity ensuring all their site connected to the central Transit Gateway.
7	How do I establish security in case I need to integrate with other cloud services?	The S/4HANA Private Cloud Edition includes connectors and agents necessary for integrating the S/4HANA system with other public cloud solutions from SAP. The SAP cloud connectors are included in the landscape. The agents are provisioned upon request and after the customer acquires the respective cloud solutions. All outbound connections are subject to restricted access control lists configured in the security components utilized within the cloud. Additionally, these outgoing connections must use TLS 1.2 for data in-transit encryption.
8	How do I securely connect to SAP Business Technology Platform?	SAP Cloud Connector is created as a part of the secure landscape ensuring secure communication between SAP S/4HANA cloud, private edition, and SAP Business Technology Platform. Mutual TLS1.2, also known as two-way authentication, adds an extra layer of security by requiring both the client and the server to authenticate each other. By using mutual TLS 1.2, the Cloud Connector ensures data in transit is encrypted and protected from unauthorized access, helping maintain a high level of security for cloud integrations.
9	What protections are available for inbound traffic from Internet accessing resources in SAP S/4HANA cloud, private edition?	A Web Application Firewall (WAF) is set up for managing inbound internet connections and is linked with Application Load Balancers or Application Gateways. This centralized configuration safeguards web applications from common threats and vulnerabilities at the application layer. This is not turned on by default and customer would require highlighting this requirement as part of onboarding preparation.
10	Do you support VPC or VNET Peering to connect to own account or subscriptions?	Yes. Virtual Network Peering can be established between SAP S/4HANA cloud, private edition, and customer owned account/subscription. This is a software configuration and traffic will traverse via hyperscale provider backbone network
11	How about support for Load Balancers?	Yes. Network Load Balancer is supported to access SAP S/4HANA cloud, private edition production subnet. These operate at the Transport Layer (layer 4) and support TCP, HTTP, and HTTPS protocols. Application Load balancer is used with WAF Rules for internet inbound internet is available.
12	Do you support Private Link provided by Hyperscale provider in SAP S/4HANA cloud, private edition?	While SAP BTP supports Private Link, this feature is not available for SAP S/4HANA cloud, private edition which is in development as of now.

Encryption

S.No	Description of FAQ	FAQ Explained
13	How is data encryption supported for data in transit?	SAP supports TLS1.2 for data in transit end-to-end.
14	How is data at rest encryption performed in SAP S/4HANA cloud, private edition?	SAP HANA in-memory database uses HANA Volume Encryption to provide “data-at-rest” encryption for data, log, and backup volumes.  It uses AES-256 encryption algorithm. By default, the infrastructure-as-a-Service (IaaS) provider encrypts the storage used for storing data files, log files, and backup sets using Server-Side Encryption (SSE) technology, which utilizes server-managed keys.

High Availability and Disaster Recovery

S.No	Description of FAQ	FAQ Explained
15	Do you support High Availability?	Yes. SAP provides System Availability SLA of 99.7 and deploys various technologies that are necessary to maintain System Availability commitment.
16	Do you support Disaster Recovery and if so, what are the RTO and RPO?	Yes. Disaster Recovery is supported as an optional service. The standard DR offers RPO= 0 (Short Distance DR) or 30  minutes (Long Distance DR) and RTO=12 hours depending on the hyperscale provider used. An enhanced DR of RTO of 4 hours is available for customers who require it. Please contact Cloud Architect Advisor for details.
17	How does S/4HANA cloud, private edition manage autoscaling, and what is the typical timeframe for this process?	Autoscaling in the traditional Infrastructure as a Service (IaaS) sense is not applicable within the RISE with SAP S/4HANA cloud, private edition. As SAP S/4HANA cloud, private edition handles predictable workloads for SAP S/4HANA applications, SAP utilizes Reserved Instances for customers throughout the duration of their contracts. SAP ECS delivery performs periodic capacity review and customers will be informed about the utilization trend and discuss future needs. Customer can then submit a change request to increase capacity as needed.

General Security Questions

S.No	Description of FAQ	FAQ Explained
18	How do you ensure that no authorized access is allowed to customer data by the cloud admins?	By default, access to the customer's business client (customer-managed) is not permitted for SAP cloud admin unless explicitly authorized and granted by the customer. Customer owns customer data. Cloud Admin only have access to Client 000. In order for SAP cloud admin to access Client 000, the following controls must be in place HTTPS and VPN connections are encrypted Strong authentication is enforced Terminal servers are utilized Jump hosts are used Session Recording SAP SIEM monitors all sessions DLP (Data Loss Prevention) technology is in place. In SAP S/4HANA, both read access logs and change audit logs play an essential role in maintaining transparency and ensuring data security. These logs allow customers to track and monitor user activities within the system, helping to identify any unauthorized access or potential security risks
19	How do you protect against Lateral Movement?	By default, all administrative ports are blocked between the systems. The only way an administrator can generate a new session is from the jump host area (admin plane). Also, our Endpoint Detection & Response (EDR) tool run specific detections as per our playbooks that are tightly integrated into our SIEM/SOAR tools.
20	How do you protect against Malware?	SAP cloud operations employs several security measures to protect against malware which include among others:   Endpoint & Server Protection - End-Point Security, Detection & Response (EDR), Malware Protection, Secure Booting Backup and Restore - Regular Automated Backups and Encryption of Backups, Periodic patching of all infrastructure, applications, and DB Security Awareness Training on Phishing, Awareness, Simulate Testing Network Segregation to reduce the attack surface. Implement Network Security controls like Dedicated Network Connection, WAF, Security Groups, Load Balancers Threat Intelligence and Continuous Security Monitoring Internet Proxy and DNS Security Periodic Testing
21	How do you protect against ransomware?	The threat of ransomware continues to grow for larger organizations all over the world. To mitigate this threat, SAP Enterprise Cloud Services helps ensure that key actions, best practices, and controls are in place in your private cloud. These controls are split into three main categories: preventive, detective, and reactive. For further details, please refer to  “Mitigate the Threat of Ransomware to Business-Critical SAP Applications” whitepaper.
22	If data is corrupted or any other scenario, how system SLA is offered?	To ensure the highest level of system availability and data protection, SAP offers a comprehensive Service Level Agreement (SLA) that covers the end-to-end stack, including infrastructure, operating system, database, and application layers. The standard System Availability SLA is 99.7% While SAP is responsible for maintaining system availability and protecting the data at the infrastructure, operating system, and database levels, it is important to note that the logical integrity of the data falls under the responsibility of Customer. SAP's availability SLA provides customers with a reliable, secure, and consistent environment for their data and applications, while customer ensures the logical integrity of the data as it is processed within the applications.
23	What are the shared services involved in managing RISE, and what are the common elements with respect to security and data privacy?	S/4HANA Cloud, private edition is a private cloud solution in which all application and database instances, as well as the underlying infrastructure components, are exclusively dedicated to a specific customer. For each customer, SAP utilizes a dedicated Virtual Private Cloud (VPC) within a Hyperscaler. The management plane, however, is shared among all customers and connected via SAP Admin VPCs.
24	Where can I look for Roles and Responsibilities pertaining to SAP S/4HANA cloud, private edition?	RISE roles and responsibilities document as part of the contract describes regular operational tasks in cloud delivery and security aspect is mostly implicit on all of those tasks that SAP performs under our responsibility. Major security operational topics are implemented and managed globally across all cloud solutions offered by SAP. Hence such tasks are not explicitly called out in specific product’s roles & responsibilities documents.
25	What security certifications audited via external 3rd party auditors are maintained for SAP S/4HANA cloud, private edition?	SAP S/4HANA cloud, private edition maintains following certifications: ISO27001, ISO27017, ISO 27018 ISO 9001 Quality Management Systems BS10012 Personal Information Management ISO22301 Certification for Business Continuity Management Systems SOC 1 Type 2 SOC2 Type 2 The certifications can be downloaded via https://www.sap.com/sea/about/trust-center/certification-compliance.html and SOC attestation report can be requested via Trust Center subject to NDA.
26	What are the broad security responsibilities for customers in SAP S/4HANA cloud, private edition?	The customer is responsible for managing configuration, implementation, integration, monitoring, and application support, among other tasks, at the application level. Dedicated private connectivity to Hyperscale provider Application user identity management Management of authentication and authorization for application users Definition of user roles, groups, and access control Customer data ownership Compliance with government and industry regulations Application security audit logging Integration and extension support, including custom application development Configuration of customer business processes Application change management.
27	What are the broad security responsibilities of SAP as a Cloud Service Provider?	Managing detective, protective and remediation controls on cloud accounts Resilient platform architecture (HA and DR) Single Tenanted Landscape Managed Backup and Restore Building Secure Virtual Machines, Operating systems, networking, HANA Database HANA DB Management Technical Managed Services (R&R Link) Operational Security and Managing security incidents 24x7 Security Monitoring Personal Data Breach Notification SLA and Support Services Threat Management & Patch Management
28	How do I raise a support or security incident ticket with SAP?	Customers can use - SAP ONE Support Launchpad. Details can be found in SAP Note 1296527
29	How does SAP provide security assurance?	The SAP Data Processing Agreement is designed to comply with local data privacy regulations worldwide, incorporating technical and organizational measures to safeguard personal data. SOC reports and ISO certifications offer independent proof of security, availability, confidentiality, and privacy. SAP products are evaluated against globally recognized standards, and platform hardening is implemented. An integrated management system ensures information security, data protection, and service delivery. A comprehensive security architecture covers applications and processing systems.
30	Can customer perform Vulnerability and Penetration testing?	Yes. Customer can request for performing VAPT at the application layer only, and this can be performed only by due approval and authorization by SAP. For details, please refer to this SAP Notes.
31	Security Patch Management	SAP ECS performs OS/DB security patches regularly. For Technical Basis Security Patch Management, SAP examines the available patches and creates deployment bundles, which are subjected to testing before their release. As stipulated in the contract, customers must initiate requests for security patches and permit downtimes during the Maintenance Period. The Service Request for patch requests should be submitted via the Customer Dashboard.
32	What are the other contractual assurances related to cloud services that may be applicable?	Service Level Agreement - Defines the cloud service specific system availability, uptime, update windows, credits, and others SAP data Processing Agreement: SAP and its sub processors obligations and restrictions to process Personal Data in the provision of the Cloud Service, including: Description of Processing Technical Organisational Measures (TOMs) General Terms and Conditions: The essential legal terms that apply to the Cloud Service Cloud Support Policy: The service specific scope of support and success offerings Cloud Service Supplemental Terms and Conditions: The service specific legal terms that apply to the Cloud Service
33	Do you maintain Cyber SOC operating  24x7?	Yes, the SAP Security Operation Centre (SOC) operates 24x7 following one global process. SAP maintains playbooks for common security incidents, for example phishing, malware/virus outbreak, privilege escalation, improper usage, unauthorised access, unauthorised disclosure, data deletion and data theft. SAP Security Operations maintain these playbooks and ensure all operations staff are trained in the execution of incident response procedures. Incident response teams follow standard incident response procedures, including detection, analysis, containment, eradication, recovery, and post-incident analysis.
34	What logs are made available to customers?	SAP provides Application Security Audit Logs which customer can fully access SAP collects and centrally manages Infrastructure Logs for shared infrastructure layers such as Firewalls, Load Balancers, Proxies, Applications Servers, Databases SAP will perform event correlation across all log events to detect and remediate security incidents working in tandem with customers. SAP will be able to provide near real-time customer specific OS/DB logs to customer’s log server or SIEM via “LogServ” additional service.
35	How does customer data is returned to customer upon contract expiry or termination?	Customers have the option to obtain a system export or a copy of the native database backup, which can be restored on their own Hyperscale platforms. Additionally, customers can export SAP data from the SAP application using tools provided by SAP or our partners. Please refer to relevant SAP contractual assurance for details.

 

Additional References

S.No	Description
1	Roles and Responsibility – SAP S/4HANA cloud, private edition
2	SAP Trust Center - Compliance
3	RISE with SAP: Adopting to Zero Trust Architecture Principles with SAP Cloud Services
4	RISE with SAP: Multi-layer Defence in Depth Architecture of SAP S/4HANA Cloud, Private Edition
5	Securing RISE with SAP

 

Conclusion

The purpose of this blog is to provide answers to commonly asked cybersecurity questions by SAP customers and partners regarding RISE with SAP S/4HANA cloud, private edition. The solution offers strong and comprehensive security capabilities that ensure the protection of customers' business data. By utilizing SAP reference architecture, secure operations, and security assurances through contracts and certifications, customers can have greater confidence that their business sensitive data is secure from emerging cyber threats. For more information on cybersecurity protections and contractual assurances, customers are encouraged to refer to SAP Trust Center or access the resources provided in references.

 

Acknowledgement:

The author would like to express deep appreciation for  Roland Costea, Chief Information Security Officer, SAP Enterprise Cloud Services and Manoj Nair, Principal Cloud Architect and Advisory, APJ for their efforts in reviewing the content and providing valuable feedback. 

 

Disclaimer:

© 2023 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to SAP Materials for general audiences.