Companies are increasingly choosing cloud technologies, now also for SAP. However, this progress is not without risk, as the protection of most SAP systems is inadequate. Migration to the cloud opens new vulnerabilities and brings stricter conditions for SAP security and compliance, especially with regard to authorizations and SoD analyses. The solution? Risk management for the cloud.
In our webinar, we will show you how you can optimize security in your SAP landscape in the cloud and how to organize your authorizations - even after migration to S/4HANA - in a way that is both role-based and compliant. What preparations are needed before migration? Which migration strategy is right for you? Which steps must come first? Plan to mitigate risks on the SAP Cloud Platform at all relevant checkpoints and take advantage of our expertise: Our experts will present their experiences from a pilot project, respond to all your questions and optimally prepare you for the digital future.
For information in German, please contact us: sast@akquinet.de
3. SAP Cloud: What's behind all this? "SAP Cloud" explained easily
From a hardware perspective a cloud is just a server somewhere in a data center.
Nevertheless, the SAP cloud brings a wide range of changes:
The hardware is now based in an SAP data center.
Access time depends on how close you are to the SAP data center.
Being closer to the data center usually results in faster access.
Is cheap access always the best? Access times vs. costs.
The SAP cloud comes with a new operating system: S/4HANA.
Only S/4HANA databases will be supported.
Optimized calculation times due to improved connectivity between database and operating system.
4. SAP Cloud: What's behind all this? On-Premise vs. Cloud, a comparison

On-Premise                              Cloud
Traditional licensing                   License as a subscription
Internal platforms                      SaaS: Software as a Service
Own data center / server possible       No need for data centers / servers
Self service needed                     System serviced by SAP
Annual provision of SAP updates         Quarterly updates
Individual software modifications       Does not (yet) support all scenarios
5. SAP Cloud: What's behind all this? The different models, an overview
SAP Public Cloud: 100% software management; fixed update dates; extensions only via HCP.
SAP Private Cloud: 100% software management; alignment of update dates with SAP possible; limited possibility of software modifications.
SAP On-Premise: no software management; self service; wide range of software modifications.
SAP Hybrid Cloud: software management for the cloud part; release management.
12. Compliance: Safe with SAST. Phase 1 "research": our approach
Kick-off meeting to discuss and clarify the objective and expectations.
Testing of different public cloud communication services to gather the data required for user roles.
Feedback after the evaluation of options.
PFCG roles can be assigned through a combination of business role IDs and business catalogue IDs.
13. Compliance: Safe with SAST. Our approaches:
In-app extension: insufficient access to SAP data sources via OData service.
Side-by-side extension: app extension / development to gather data through communication scenarios.
14. Compliance: Safe with SAST. How to match PFCG roles…
[Figure: matching flow] Business role + business catalogue -> SAP web service -> authorization details of the catalogue entry for the user role -> authorization objects -> role ID (PFCG role) -> matching with on-premise roles (classic SoD analysis)
15. Compliance: Safe with SAST. Phase 2: Implementation, SoD and compliance checks in the cloud
Signed agreement regarding cooperation, development and licenses.
Joint development of an implementation plan.
Discuss and agree on possible SAST adaptations to ensure and create the required customized functionalities, a bonus for our ramp-up customers.
Installation and test of a prototype with customer / partner.
Alignment on further ramp-up opportunities.
16. Compliance: Safe with SAST. SAST overall system SoD checks
Example user: Claire Accountant, checked against the functions
Book / edit invoices
Check / approve invoices
Close bookings
Remove closed bookings
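The matching flow from slide 14 and the SoD check from slide 16, as an added worked example (not SAST code): a user's business roles are resolved through their catalogues to the PFCG role IDs and business functions they grant, and a classic SoD rule set is then run over those functions. All role, catalogue and rule names are constructed for illustration; the function names are the four from the slide.

```python
"""Added example: resolve business roles -> catalogues -> PFCG role IDs and
granted functions, then run a classic SoD conflict check on the result.
All identifiers below are constructed sample data, not SAP or SAST names."""
from itertools import combinations

# Business role -> business catalogues (constructed sample data)
BUSINESS_ROLES = {
    "BR_AP_CLERK":  ["BC_INVOICE_ENTRY", "BC_INVOICE_APPROVAL"],
    "BR_GL_CLOSER": ["BC_PERIOD_CLOSE", "BC_PERIOD_CLEANUP"],
}
# What the web service lookup returns per catalogue entry: the PFCG role ID
# and the business functions its authorization objects grant (constructed)
CATALOGUE_AUTH = {
    "BC_INVOICE_ENTRY":    ("Z_PFCG_AP_POST",    {"Book / edit invoices"}),
    "BC_INVOICE_APPROVAL": ("Z_PFCG_AP_APPROVE", {"Check / approve invoices"}),
    "BC_PERIOD_CLOSE":     ("Z_PFCG_GL_CLOSE",   {"Close bookings"}),
    "BC_PERIOD_CLEANUP":   ("Z_PFCG_GL_CLEAN",   {"Remove closed bookings"}),
}
# SoD rule set: pairs of functions one person must not hold together
SOD_RULES = {
    frozenset({"Book / edit invoices", "Check / approve invoices"}): "AP01",
    frozenset({"Close bookings", "Remove closed bookings"}): "GL01",
}

def resolve_user(business_roles):
    """Return (pfcg_role_ids, functions) granted by the user's business roles."""
    pfcg, funcs = set(), set()
    for br in business_roles:
        for bc in BUSINESS_ROLES[br]:
            role_id, granted = CATALOGUE_AUTH[bc]
            pfcg.add(role_id)
            funcs |= granted
    return pfcg, funcs

def sod_conflicts(functions):
    """Classic SoD check: every rule whose two functions the user both holds."""
    hits = []
    for a, b in combinations(sorted(functions), 2):
        rule = SOD_RULES.get(frozenset({a, b}))
        if rule:
            hits.append((rule, a, b))
    return sorted(hits)

def check_user(user, business_roles):
    pfcg, funcs = resolve_user(business_roles)
    return {"user": user, "pfcg_roles": sorted(pfcg), "conflicts": sod_conflicts(funcs)}

if __name__ == "__main__":
    print(check_user("Claire Accountant", ["BR_AP_CLERK", "BR_GL_CLOSER"]))
```

A real check would take the catalogue-to-authorization mapping from the web service and the rule set from the SoD matrix instead of the inline dictionaries.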
17. Compliance: Safe with SAST SUITE. What else to keep in mind?
Fewer interfaces result in a more stable system (decoupling).
Availability:
How many users can access data concurrently, and how does the provider handle multiple accesses?
Where is the nearest data center? (location dependency)
How fast can data be refreshed / updated?
DDoS attacks: What happens if the network fails?
Clarify how the provider will and can prevent network failures.
Phishing and social vulnerabilities: What happens if login data leaks?
19. Cloud Security. Interfaces: SAP web access makes it possible.
Many new network interface risks:
More interfaces may lead to more potential vulnerabilities.
SAP GUI web access: data can be accessed from everywhere.
Is my network secure?
Mobile phones, public hotspots and private networks are often insufficiently secured.
Cloud connector: either via DMZ or only reachable via proxy server?
SAP offers audit logging possibilities, but caution: "… Caution SAP HANA audit policies […] cannot cover all requirements for data protection and privacy…"
https://help.sap.com/viewer/b3ee5778bc2e4a089d3299b82ec762a7/2.0.03/en-US/35eb4e567d53456088755b8131b7ed1d.html
20. Cloud Security. What else to keep in mind?
Data safety and data loss prevention
Clarify: when, where and how to create and store backups?
Ransomware protection: What is your direct responsibility and what is covered by the provider?
How secure is my data in the cloud?
The more data is stored, the greater the criminal interest in gaining access to it.
Every server is only as secure as its weakest vulnerability.
Not having your own risk control makes risk estimation more difficult.
Ongoing development of the SAP Cloud: constant risk of new vulnerabilities.
Change passwords frequently and ask your provider for additional options to protect your data. What happens in the case of login data leakage? Web access offers the option to log in from nearly anywhere.
21. Cloud Security. 7 steps to become an initiator
1. Upgrade old systems: the minimum requirement for the HANA cloud is version 6.06 of the ERP Central Component (ECC).
2. Define and create a team of experts and include external advisory.
3. Plan your strategy: how, where, when. Manage and estimate time resources and costs.
4. Info, info, info: ensure everyone knows his/her role and activities for moving to the cloud.
5. Testing first: ensure you are prepared as well as possible and have a plan B for unexpected go-live challenges.
   1. Copy P systems (production).
   2. Reproduce the P system similar to the systems in the cloud.
   3. Build mock-ups in P-system size.
6. Clean up before moving.
7. Careful migration.
22. Cloud Security. Take home messages
Start planning early: Which cloud do I need?
Cloud: whether or how?
Cleansing: use the change as a chance!
Get experts on board.
Check your priorities; avoid over-customizing.
Create a checklist.
Include security and compliance from the beginning.