Founder | Transform Partner | Enabling Leadership to Deliver Measurable Outcomes through Digital Transformation, Enterprise Architecture & AI
Multi-Layer Defence in Depth #SecurityArchitecture #DataSecurity Customer Data Isolation: -A virtualized ABAP Application Server is provisioned for each customer tenant -Application isolation is enabled via “Security Group” -The “Security Group” allows communication between different application instances that belongs to one tenant. -Tenant “Security group” allows system communication between Q and P system of the same customer as shown in Figure 2 – #SAP S/4HANA Landscape #CloudArchitecture -At the network level, security group prevents communication between tenants. The network traffic rules are defined using on source, destination, protocol, and ports -Each SAP S/4HANA cloud tenant has their own tenant-database. It is part of overall SAP HANA Systems. #DataEncryption: -SAP S/4HANA Cloud encrypts “data-at-rest” and “data-in-transit” -End-to-end encryption is applied for “data-in-transit” -“Data-at-rest” encryption covers database, central and local file systems, and storage backups. -The cryptographic keys are managed securely via Key Management Systems (KMS) by SAP cloud operations teams -“Segregation of Duties” guideline is applied for KMS. #ApplicationSecurity -Secure Software Development Lifecycle (SSDLC) methodology is followed for the development of SAP S/4HANA application -The product development considers security and data protection & privacy requirements. This is embedded at the start of the development process. -The development team performs extensive risk assessment and threat modelling, design, and test effectiveness of the security controls which includes performing code scans, penetration tests, security tests – SAST & DAST and independent security assessments. More details on SAP SSDLC can be found here. -Customer access SAP S/4HANA Cloud via Internet using HTTPS (port 443). The HTTPS traffic is terminated on the Web Dispatcher cluster. -Customer access is enabled via central load balancer and using shared web dispatcher. There are separate Load Balancer Endpoints for UI end point by business user and an endpoint used for system-to-system communications. -Customer can access Application Security Audit Logs. #NetworkSecurity -A trust boundary separates network into zones and each zone into segments. -The security control is implemented into each zone based on the exposure of the systems to Internet/Intranet and is based on the classification of data handled by the systems in the zones. -Virtual Private Cloud (VPC) is created for Systems, Admin, Backup. The system VPC is implemented to host the tenants of SAP S/4HANA cloud which spans availability zones. The secure central administration network segment host central cloud lifecycle management tools Source: SAP Blog #TransformPartner – Your #DigitalTransformation Consultancy