Explore RISE with SAP S/4HANA Cloud

Describing Security for the SAP S/4HANA Cloud Deployment Options

Objectives
After completing this lesson, you will be able to:

After completing this lesson, you will be able to:

  • Describe security for the SAP S/4HANA Cloud deployment options

SAP Cloud Security

Four Pillars of the SAP Cloud Secure Strategy

SAP is committed to maintaining the highest levels of security for our customers, their data, and their processes.

Select each icon below to learn about the four pillars of the SAP Cloud Secure Strategy.

SAP Trust Center & My Trust Center

The SAP Trust Center is a self-service center where you can initiate requests and collect information related to security, privacy, and compliance for cloud services and on-premise software. Key areas of the site include:

  • Cloud Status
  • Security
  • Privacy
  • Compliance
  • Cloud Operations
  • Data Center
  • Agreements

The My Trust Center is an area within the SAP Support Portal for SAP Trust Center and extends the public offering by granting access to additional documentation available only to SAP customers and partners with a valid SAP user ID. You can find the following:

  • SAP Security Policies, Frameworks, and Technical and Organizational Measures (TOMs).
  • Lists of SAP's sub-processors which provide data processing services on behalf of SAP to its customers
  • Compliance evidence documents from SAP partners providing services to SAP (e.g. Hyperscaler infrastructure services).
  • Useful links and documents about Security and Data Protection & Privacy for SAP Products, Cloud Services, Professional Services and Support.

SAP Global Security Team

At SAP locations around the world, the Physical Security team helps ensure that people are safe and that assets are protected.

In the event of a security risk or breach, the Cyber Defense & Design team manages incidents and vulnerabilities related to SAP offerings, including reports of suspicious activity provided by customers. This team also recommends and mandates baseline security configurations for SAP solutions across all operating systems, firewalls, and other configurations to prevent such security issues from the start.

To help ensure that SAP customers receive uniform and equal security, the Security Risk & Compliance team analyzes and translates audit information to provide actionable improvements. This team is also responsible for aligning and revising security policy.

The Security Enablement team empowers colleagues on security topics and handles general security questions from inside and outside of SAP.

The Communications team is likely the one with which you are most familiar. This team of experts trains the SAP employees responsible for answering many of your questions and creates FAQs and learning materials.

Data Center Security

A data center is the brain of a company and the place where the most-critical processes are run. The key to success of the SAP data center lies in the robust design of every individual component and in the redundancy of all critical components. This ensures that SAP can count on its "brain" at any time, and SAP customers can rely on the contractually guaranteed availability of cloud applications running in the data center.

How a Data Center works

There are three key components in a data center:

  • Power Supply: The data center is connected to two separate grid sectors operated by the local utility company. If one sector fails, the second one continues to supply power. The data center also houses 13 diesel generators in a separate building. Together, they produce a total of 29 megawatts.
  • Cooling: All electronic components and processors generate heat when operated. If it is not dissipated, the processor's efficiency may decrease to the point that the component could fail. Therefore, cooling a data center is essential - and costly, due to the concentrated computing power.
  • Controlled Access: SAP data centers are the backbone of our cloud business. We use state-of-the-art technology and rigorous security to protect data virtually and physically against data breaches, fires, terror attacks, and other threats. Our data centers meet the highest security standards.

Integration, security, and performance between solutions located in different cloud data centers

All communication between Data Centers is encrypted by industry measures. The detail of implementation varies by solution and data flow.

Backup retention procedures

SAP conduct backups in the form of a disk-to-disk copy, which enables rapid data creation and recovery. In addition to full backups done on a daily basis, we create interim backup versions several times each day. We then archive these at a secondary location for security purposes.

Monitoring and logging access to SAP Data Centers

SAP data centers are monitored around the clock with video cameras at every entry point. We use these cameras to record and monitor each access event and log this in our access system for 90 days. Single-person access and "mantrap" systems provide access only to authorized individuals. Technicians can enter special rooms using custom-configured ID cards. High-sensitivity areas require authentication by means of biometric scans.

Technical security features

The multilayered, partitioned, proprietary network architecture permits only authorized access with:

  • A Web dispatcher farm that hides the network topology from the outside world.
  • Multiple Internet connections to minimize the impact of distributed denial-of-service (DDoS) attacks.
  • Layered security measures that continuously monitors solution traffic for possible attacks.
  • Multiple firewalls that divide the network into protected segments and shield the internal network from unauthorized Internet traffic.
  • Third-party audits performed throughout the year to support early detection of any newly introduced security issues.

Hybrid Security with Enterprise Security Services

Enterprise Security Services is a holistic approach for addressing cloud security. It provides a comprehensive guide to the different security services that are available and explains when they should be used, and how to integrate them.

Components of Enterprise Security Services:

  • Cloud Identity Services address identity and access management in the cloud. They can be used across the SAP cloud solution portfolio, and they include the Identity Authentication and Identity Provisioning services as a part of SAP Cloud Identity Services.
  • Secure Development Services help support the development of secure applications on the Business Technology Platform. These services, such as SAP Cloud Application Programming Model and the Cloud Connector, enable developers to build secure enterprise business applications.
  • Risk and Compliance are provided by solutions such as SAP Cloud Identity Access Governance to help security administrators manage risks and meet corporate compliance goals.
  • Insight is delivered by SAP through its SAP Trust Center site to provide a transparent view into how SAP manages cloud applications for customers. With SAP Data Custodian, SAP customers can gain insight into the location and movements of data.

Security partners complete the picture by providing generic services such as static code and open source vulnerability scanners.

Data Protection and Privacy

Data Protection & Privacy

To demonstrate our compliance obligations with data protection and privacy laws, SAP has implemented a wide range of measures, such as a data protection management system (DPMS), to help protect data controlled by us and our customers.

  • Line of Business Data Protection Guidelines: The basis for our Data Protection Management System is a set of company-wide data protection guidelines, function-specific work instructions, and a worldwide network of data protection representatives.
  • Internal Data Protection: SAP regularly trains all employees and verifies a high level of data protection awareness with regular audits in more than 100 locations worldwide every year.
  • Data Protection Management System Certificate: Accredited by the British Standards Institution (BSI) of London, the certification is based on British Standard 10012, the standard for personal information management systems. Audit details and results are made available to all customer through the annual customer audit report.

Who owns your data?

SAP does not acquire ownership or stewardship of the data processed for the customer when it performs services for cloud solutions. 

What are the data controller and data processor roles in a cloud environment?

A data controller is the entity that determines the purposes, conditions, and means of the processing of personal data. A data processor is an entity which processes personal data on behalf of the controller. The data processor and controller in a cloud environment are the same as within an on-premise environment.

How does SAP ensure sub-processors protect your personal data?

Sub-processors are used for the processing of personal data. They are subject to data protection agreements that contain the same level of protection as the agreements SAP enters with its customers.

How does SAP ensure appropriate security for the storage and processing of personal data?

SAP has implemented and is maintaining technical and organizational measures (TOMs). These TOMs comprise measures in the following areas: physical access control, system access control, data access control, data transmission control, data input control, job control, availability control, data separation control, and data integrity control.

What is SAP's view on the Data Protection Officer (DPO) role?

SAP views the role of the data protection officer (DPO) as a central part of our overall data protection strategy. In addition, SAP has established an entire data protection and privacy (DPP) team that consists of attorneys, auditors, and technical experts reporting to the DPO.

What is the EU General Data Protection Regulation (GDPR)?

The GDPR is an EU law that went into effect on May 25, 2018. It is a far-reaching and comprehensive regulation that protects the individual rights of data subjects in the EU. GDPR applies to all companies processing personal data of EU-based individuals, regardless of the company's location.

What is the applicability of SAP's Data Privacy Agreement based on GDPR?

SAP's Data Privacy Agreement is applicable to all of our data center and processing locations, globally.

What regulations are applied to personal data stored and processed in a customer's cloud subscription?

SAP SE is a German company and is therefore under EU regulation. SAP follows the GDPR regulation introduced by the EU on May 25, 2018. Our Data Privacy Agreement acts as the contract for commissioned data processing and is based on the most current applicable data protection regulation. Each company must consider its own local laws and regulations when conducting business.

How does SAP adhere to region-specific data protection regulations?

We are fully committed to complying with all relevant legislation. This includes GDPR and other data protection laws such as the Japan Social Security and Tax Number regulation, the Argentina Personal Data Protection Act, and Canadian privacy laws.

What is the difference between cloud and on-premise solutions when it comes to GDPR?

There is no difference between cloud and on-premise solutions because GDPR applies to businesses and their processes, not products. Compliance is a result of business processes that meet the requirements of the law. Both cloud and on-premise software can help make those processes happen. A benefit to cloud software is that it can be updated more frequently, ensuring the latest functionality and standards are in place.

How do you transfer data securely between the U.S. and EU?

Transfers of personal data between the U.S. and EU are based on EU standard contractual clauses (SCCs). According to GDPR, SCCs are approved as appropriate safeguards. This provides a lawful mechanism of transferring personal data outside the EU and EEA and forms a legally binding agreement between SAP global entities that establishes requirements for a baseline protection of personal data.

SAP and Hyperscalers

SAP and Hyperscalers

SAP has relationships with hyperscaler data center providers that can quickly deploy and scale SAP software in the cloud. SAP S/4HANA Cloud, private edition is deployed in SAP HANA Enterprise Cloud, our managed, private cloud offering. You can then choose the location of the server where your software is installed. It could be in a hyperscaler data center, or an SAP data center.

Hyperscalers provide more choices for data center locations, enable customers to easily scale their solution, and are cost-effective. If a customer chooses a hyperscaler data center, SAP will manage the contract with the hyperscaler and effectively be the liaison between the customer and the provider.

Best Practices for Secure Operations

SAP Secure Operations Best Practices

SAP's security best practices structure 16 topics across five layers: Organization, Process, Application, System, and Environment.

Select the buttons below to learn more about security best practices.

Note
SAP provides the following services for securing systems:

Save progress to your learning plan by logging in or creating an account