Many SAP customers continue to migrate applications to the cloud and are excited to take advantage of opportunities to innovate, but awareness of the security aspects of cloud-based applications is important to ensure that compliance and risk are kept top of mind. Customers who have traditionally only managed on-premise application security may be unsure of which aspects are new or different with a cloud solution. Additionally, there may be confusion on security responsibilities between the customer and the provider. A recent Protiviti post outlined the Balancing Act of SAP Cloud Security, while this post outlines what companies should be aware of when it comes to securing SAP Cloud Applications.
Cloud vs. on-premise security responsibilities
Security is a collaborative effort between the customer and the software provider regardless of implementation method; however, there are differences in responsibility between cloud and on-premise models.
With an on-premise deployment, SAP provides secure mechanisms for support packs and upgrades, but the customer remains responsible for securing the hardware, software and infrastructure and for staying up to date on patches and other updates.
In a cloud deployment, the provider is responsible for the physical security, hardware and platform management in all deployment models, the most common being SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). While in some IaaS models, platform management is the responsibility of the customer, in the SAP Cloud Platform the software platform is managed by SAP.
With both on-premise and cloud deployments, the customer is responsible for their business processes as configured within the system as well as the applications, except in the SaaS model, in which the provider manages the applications. With any cloud deployment, the customer is still accountable from a regulatory perspective and should ensure that the provider is compliant with things such as SOC reports, ISO certification and legal agreements and that responsibilities are clearly defined.
Application security with common SAP cloud solutions
In managing the security of on-premise SAP applications, key areas of focus include user definition, access roles and sensitive access.
When it comes to cloud security, all of these aspects are still relevant in commonly used SAP solutions such as SAP SuccessFactors and SAP Ariba; however, there are some important differences. Those include:
In on-premise SAP applications such as S/4HANA, each user must have a user master record and accompanying user ID defined in the system. These are created through user administration transactions either manually by a security administrator or through an automated provisioning tool such as GRC (Governance Risk and Compliance) Access Control.
In SAP SuccessFactors, users must also have a user record; however, it is typically created either automatically when a user is hired into the system (if Employee Central is implemented) or loaded through a CSV (Comma Separated Values) file using the employee import function within the administrator tools section of the application. It is also possible to create users through GRC/IAG (Identity Access Governance) automation.
SAP Ariba user records can be created through the UI (User Interface) but are more commonly loaded through a CSV file similar to SAP SuccessFactors. It is also possible to create SAP Ariba users through IAG automation.
Just as access to user administration functions must be carefully controlled in on-premise applications, it is important for customers to be aware of all available methods of user definition and control which users can perform them (i.e., the ability to import user data) in cloud applications.
Access is role-based in both on-premise SAP applications and in SAP SuccessFactors and SAP Ariba; however, there are differences in the structure of each. Both SAP SuccessFactors and SAP Ariba use permissions rather than ABAP-based authorization objects to control access to functions in the system.
SAP SuccessFactors uses a concept called role-based permissions (RBP) to grant both permissions (e.g., view, update) in the system as well as the target population of data on which those actions can be performed. RBP is accessed through the administrator tools section of the application and is used to create permission roles and permission groups by selecting checkboxes for the desired functions to include in each role and selecting users to include/exclude in the various groups.
SAP Ariba also utilizes a role-based concept with groups and permissions to grant access to the SAP Ariba network. Administrators can create custom groups (which are essentially roles) with specific permissions and assign groups to users.
The familiar role-based authorization model used in on-premise SAP applications can be leveraged conceptually in cloud applications, but it is important to understand the technical differences in each such that roles and restrictions can be appropriately defined.
Sensitive access controls
As with on-premise applications, it is important for SAP customers to be aware of sensitive functions within cloud-based applications and how access to these functions is controlled. In addition to administrator access, there are other aspects within these applications that must be monitored and secured properly.
In SAP SuccessFactors, outside of RBP there are parts of system configuration that can impact user access such as form template permissions, XML code, workflow groups and route maps. As some aspects of configuration are handled only by the implementation partner or SAP support, customers should be aware of these aspects from a review and monitoring perspective.
Additionally, SAP SuccessFactors contains proxy functionality allowing users to act on behalf of other users, which can quickly get out of control if not governed by strong policies and procedures. SAP Ariba also contains an “act as” function to allow a user to act as another user, which should similarly be governed.
Both applications contain sensitive data, including personally identifiable information (PII), that must be protected appropriately both within the system and in load files and interfaces in transit and at rest. Establishing appropriate security controls is necessary to help protect sensitive data in your SAP environment.
SAP SuccessFactors and SAP Ariba both contain audit log capabilities, allowing for review of user and transactional activity and changes to system settings. It is important for customers to become familiar with these capabilities to incorporate the appropriate review and monitoring procedures into their cloud governance programs.
Moving forward with a secure cloud
While there are many similarities in managing security for on-premise and cloud applications, it is important for customers implementing cloud solutions to understand the technical differences and risks associated with each application and adjust their controls accordingly. Most aspects of application security for cloud solutions are maintained by the customer, but awareness of all administrative capabilities (including those of the provider) that may impact access is critical to ensuring that effective security controls are in place. Additionally, it is important that cross-system access risks, including segregation of duties, are examined and addressed for all relevant cloud applications as part of an effective cloud governance program. Protiviti is available to provide guidance on how to implement security measures to keep SAP environments safe while maximizing opportunities for innovation within the cloud.