Security and Compliance for the SAP Cloud & S/4HANA: How to take initiative.
SAP Cloud: What's behind all this? "SAP Cloud" explained easily

From a hardware perspective a cloud is just a server somewhere in a data center. Nevertheless, the SAP cloud brings a wide range of changes:
- The hardware is now based in an SAP data center. Access time depends on how close you are to the SAP data center; being closer to the data center usually results in faster access. Is cheap access always the best? Weigh access times against costs.
- The SAP cloud comes with a new operating system, S/4 HANA. Only S/4 HANA databases will be supported. Calculation times are optimized thanks to improved connectivity between database and operating system.
SAP Cloud: What's behind all this? On-premise vs. cloud: a comparison

On-Premise:
- Traditional licensing
- Internal platforms
- Own data center / server possible
- Self service needed
- Annual provision of SAP updates
- Individual software modifications

Cloud:
- License as a subscription
- SaaS: Software as a Service
- No need for data centers / servers
- System serviced by SAP
- Quarterly updates
- Does not (yet) support all scenarios
SAP Cloud: What's behind all this? The different models: an overview.

SAP Public Cloud:
- 100% software management
- Fixed update dates
- Extensions only via HCP

SAP Private Cloud:
- 100% software management
- Alignment on update dates with SAP possible
- Limited possibility of software modifications

SAP On-Premise:
- No software management
- Self service
- Wide range of software modifications

SAP Hybrid Cloud:
- Software management for the cloud part
- Release management
Compliance: SAST in the Cloud?

Compliance: SAST in the Cloud
Figure: Claire Accountant, working across billing, customer data and accounting.
Compliance: SAST in the Cloud
Claire Accountant: create invoice, change addressed account, release for confirmation.

Invoice number: xxxx
To: customer 20354
Amount: x00.000,- €
Note: subsequent invoice
IBAN: DE45xxxxxx56
Compliance: SAST in the Cloud
Claire Accountant: confirm invoice and finalise billing process (the same invoice: number xxxx, customer 20354, amount x00.000,- €, note "subsequent invoice", IBAN DE45xxxxxx56).
Compliance: SAST in the Cloud
An all-inclusive solution: Claire Accountant alone handles every step of the process.
Compliance: Safe with SAST SUITE

Phase 1 "research": our approach
- Kick-off meeting to discuss and clarify the objective and expectations.
- Testing of different public cloud communication services to gather the data required for user roles.
- Feedback after the evaluation of options.
- PFCG roles can be assigned through a combination of business role IDs and business catalogue IDs.
Compliance: Safe with SAST. Our approaches:
- In-app extension: insufficient access to SAP data sources via OData service.
- Side-by-side extension: app extension / development to gather data through communication scenarios.
Compliance: Safe with SAST. How to match PFCG roles...

Business role -> business catalogue -> SAP web service (authorization details of the catalogue entry for the user role) -> authorization objects -> role ID (PFCG role) -> matching with on-premise roles (classic SoD analysis)
Compliance: Safe with SAST. SoD and compliance checks in the cloud

Phase 2: Implementation
- Signed agreement regarding cooperation, development and licenses.
- Joint development of an implementation plan.
- Discuss and agree on possible SAST adaptations to ensure and create the required customized functionality, a bonus for our ramp-up customers.
- Installation and test of a prototype with customer / partner.
- Alignment on further ramp-up opportunities.
Compliance: Safe with SAST. SAST overall system SoD checks:
- Book / edit invoices
- Check / approve invoices
- Close bookings
- Remove closed bookings
Figure: the four functions shown against the user Claire Accountant.
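The SoD check the slides describe, carried through as an added example (not code from the slides or from the SAST product): it follows the slide-14 chain from business role to business catalogue to authorization objects to business function, then tests the slide-16 conflict pairs (plus the bank-account change from slides 8-9) for a user such as Claire Accountant. Every role, catalogue, authorization-object and user name is a constructed placeholder, not a real SAP identifier.

```python
"""Segregation-of-duties (SoD) check over cloud business-role assignments.

Added example: not part of the original slides or the SAST product.
Chain (slide 14): business role -> business catalogue -> authorization
objects -> business function -> conflict check (slide 16).
All identifiers below are constructed placeholders, not real SAP objects.
"""
from itertools import combinations

# Constructed: which business catalogues each business role exposes.
BUSINESS_ROLE_CATALOGUES = {
    "BR_AP_ACCOUNTANT": ["BC_INVOICE_CREATE", "BC_INVOICE_APPROVE"],
    "BR_GL_CLOSER": ["BC_PERIOD_CLOSE", "BC_BOOKING_DELETE"],
    "BR_AP_CLERK": ["BC_INVOICE_CREATE"],
}

# Constructed: (authorization object, activity) pairs behind each catalogue,
# i.e. what the "authorization details of catalogue entry" web service returns.
CATALOGUE_AUTH_OBJECTS = {
    "BC_INVOICE_CREATE": {("X_INVOICE", "01"), ("X_INVOICE", "02"),
                          ("X_BANKACCT", "02")},
    "BC_INVOICE_APPROVE": {("X_INVOICE", "03"), ("X_INVOICE_REL", "43")},
    "BC_PERIOD_CLOSE": {("X_PERIOD", "02")},
    "BC_BOOKING_DELETE": {("X_BOOKING", "06")},
}

# Business functions: the four from slide 16 plus the bank-account change
# from slides 8-9. A function is granted only if ALL its objects are present.
FUNCTIONS = {
    "book_edit_invoices": {("X_INVOICE", "01"), ("X_INVOICE", "02")},
    "check_approve_invoices": {("X_INVOICE_REL", "43")},
    "change_payee_bank_account": {("X_BANKACCT", "02")},
    "close_bookings": {("X_PERIOD", "02")},
    "remove_closed_bookings": {("X_BOOKING", "06")},
}

# SoD conflict matrix: function pairs one person must not hold together.
SOD_CONFLICTS = {
    frozenset({"book_edit_invoices", "check_approve_invoices"}),
    frozenset({"change_payee_bank_account", "check_approve_invoices"}),
    frozenset({"book_edit_invoices", "remove_closed_bookings"}),
    frozenset({"close_bookings", "remove_closed_bookings"}),
}

# Constructed user-to-business-role assignments.
USERS = {
    "claire.accountant": ["BR_AP_ACCOUNTANT", "BR_GL_CLOSER"],
    "sam.clerk": ["BR_AP_CLERK"],
}


def effective_auth_objects(business_roles):
    """Flatten business roles -> catalogues -> (object, activity) pairs."""
    objs = set()
    for role in business_roles:
        for cat in BUSINESS_ROLE_CATALOGUES.get(role, []):
            objs |= CATALOGUE_AUTH_OBJECTS.get(cat, set())
    return objs


def granted_functions(business_roles):
    """Functions whose required objects are all covered by the user's roles."""
    objs = effective_auth_objects(business_roles)
    return {fn for fn, needed in FUNCTIONS.items() if needed <= objs}


def sod_violations(business_roles):
    """Sorted list of conflicting function pairs held by one user."""
    funcs = granted_functions(business_roles)
    return sorted(
        tuple(sorted(pair))
        for pair in map(frozenset, combinations(funcs, 2))
        if pair in SOD_CONFLICTS
    )


def catalogues_granting(function, business_roles):
    """Catalogues that contribute objects to a function: the remediation
    lever, since removing one catalogue (not a whole role) may clear a conflict."""
    needed = FUNCTIONS[function]
    hits = set()
    for role in business_roles:
        for cat in BUSINESS_ROLE_CATALOGUES.get(role, []):
            if needed & CATALOGUE_AUTH_OBJECTS.get(cat, set()):
                hits.add(cat)
    return sorted(hits)


def report(users=USERS):
    """Map each user to their SoD violations; an empty list means clean."""
    return {user: sod_violations(roles) for user, roles in users.items()}


if __name__ == "__main__":
    for user, violations in report().items():
        print(user, "clean" if not violations else violations)
```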
Compliance: Safe with SAST SUITE. What else to keep in mind?
- Fewer interfaces result in a more stable system (decoupling).
- Availability:
  - How many users can access data concurrently, and how does the provider handle multiple accesses?
  - Where is the nearest data center? (location dependency)
  - How fast can data be refreshed / updated?
  - DDoS attacks: what happens if the network fails? Clarify how the provider will and can prevent network failures.
  - Phishing and social vulnerabilities: what happens if login data leaks?
Cloud Security: How to take initiative.

Cloud Security. Interfaces: SAP web access makes it possible.
Many new network interface risks:
- More interfaces may lead to more potential vulnerabilities.
- SAP GUI web access: data can be accessed from everywhere.
- Is my network secure? Mobile phones, public hotspots and private networks are often insufficiently secured.
- Cloud connector: either via DMZ or only reachable via proxy server?
SAP offers audit-logging possibilities, but caution: “… Caution SAP HANA audit policies […] cannot cover all requirements for data protection and privacy…”
https://help.sap.com/viewer/b3ee5778bc2e4a089d3299b82ec762a7/2.0.03/en-US/35eb4e567d53456088755b8131b7ed1d.html
Cloud Security. What else to keep in mind?
- Data safety and data loss prevention
  - Clarify: when, where and how to create and store backups?
  - Ransomware protection: what is your direct responsibility and what is covered by the provider?
- How secure is my data in the cloud?
  - More data means a greater incentive for criminals to gain access to it.
  - Every server is only as secure as its weakest vulnerability. Not having your own risk control makes risk estimation more difficult.
  - Ongoing development of the SAP Cloud: constant risk of new vulnerabilities.
  - Change passwords frequently and ask your provider for additional options to protect your data. What happens in the case of login data leakage? Web access makes it possible to log in from nearly anywhere.
Cloud Security. 7 steps to become an initiator.
1. Upgrade old systems: the minimum requirement for the HANA cloud is version 6.06 of the ERP Central Component (ECC).
2. Define and create a team of experts and include external advisory.
3. Plan your strategy: how, where, when. Manage and estimate time, resources and costs.
4. Info, info, info: ensure everyone knows his/her role and activities for moving to the cloud.
5. Testing first: ensure you are prepared as well as possible and have a plan B for unexpected go-live challenges.
   1. Copy p-systems.
   2. Reproduce the p-system similar to the systems in the cloud.
   3. Build mock-ups at p-system size.
6. Clean up before moving.
7. Careful mitigation.
Cloud Security. Take home messages
- Start planning early: which cloud do I need? Cloud: no or how?
- Cleansing: use the change as a chance!
- Get experts on board.
- Check your priorities; avoid over-customizing.
- Create a checklist.
- Include security and compliance from the beginning.
DO YOU HAVE ANY QUESTIONS?
WE ANSWER. FOR SURE.
JONAS KELBERT
Platform Security Developments
Fon: +49 40 88173-2745
Email: jonas.kelbert@akquinet.de
Web: www.sast-solutions.de
© Copyright AKQUINET AG. All rights reserved. This publication is protected by copyright.
All rights, in particular the right of reproduction, distribution, and translation, are reserved. No part of this document may be reproduced in any form (photocopy, microfilm or other process) or processed, copied, or distributed using electronic systems without the prior
written agreement of AKQUINET AG. Some of the names mentioned in this publication are registered trademarks of the respective provider and as such are subject to legal provisions.
The information in this publication has been compiled with the greatest care. However, no guarantee can be given for its applicability, correctness, and completeness. AKQUINET AG shall assume no liability for losses arising from use of the information.

Security & Compliance for the SAP Cloud and S/4HANA: How to take initiative [Webinar]
