Securing S4 Hana
When you are planning a conversion from SAP Business Suite to SAP S/4HANA, many questions about changing security
needs can arise. This is due in large part to the architectural and technological changes that come with SAP S/4HANA. Read
this article to understand the five critical areas security administrators need to consider when securing an SAP S/4HANA
implementation and to familiarize yourself with the resources SAP provides to help significantly simplify the process of
establishing a secure setup and operation of SAP S/4HANA.
A lot of SAP customers are currently at the point of either planning or executing a conversion to SAP S/4HANA from SAP
Business Suite.1 Among many other considerations, security is one of the bigger topics that spring to mind as part of this
conversion: What exactly are the differences between SAP S/4HANA and the standard SAP Business Suite setups? What are
the typical pitfalls and which tasks require the most effort? What tasks must be performed right away, and what tasks can you
shift to later points in time? All these questions are largely related to the architectural and technological changes that come with
SAP S/4HANA.
This article aims to address these questions and to help ensure that you can leverage the full potential of the solution. It outlines
the five critical areas security administrators need to look at when it comes to securing an SAP S/4HANA implementation. It
takes a closer look at these five areas — roles and authorizations, SAP HANA security, infrastructure security, cloud integration,
and user management and authentication — and then provides guidance on the challenges that can arise and how to properly
address them. It also examines the resources available from SAP to help you along the way, and how to address the security of
the SAP S/4HANA core system: SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP.
First, to ensure a clear understanding of the security activities connected with an SAP S/4HANA implementation project, we’ll
take a closer look at how some of the underlying technology changes with SAP S/4HANA affect security considerations in your
landscape.
https://sapinsider.wispubs.com/Assets/Articles/2018/September/SPI-Securing-SAP-S4HA... 2/14/2019
A Guide to Securing SAP S/4HANA Page 2 of 7
processes may run natively from it — or, to be more precise, may run natively from SAP HANA extended application services,
advanced model, which is a development and runtime environment delivered with SAP HANA for native applications.
These native SAP HANA applications bypass the ABAP stack and its security controls, which must be addressed. SAP
S/4HANA also offers a high degree of simplification through optimized SAP Fiori apps and cockpits, which supersede the old
SAP Business Suite transactions. With the shift to web-based activities, many companies plan to offer some of these apps to
external audiences — for example, letting your vendors directly enter their numbers in your system is a highly efficient business
functionality. However, this “opening” of access to ERP functions will have an impact on the underlying network security
infrastructure, which will need to be considered.
In addition, some organizations have already shifted processes to the cloud, and SAP S/4HANA comes with many options for
integrating with these cloud-based scenarios in a hybrid landscape. For security teams, this means that critical data resides in a
location other than on premise, and they must closely watch the security of the integration with external systems and
applications. Finally, you must also coordinate access to all the different applications and instances, which requires smooth,
efficient, and centralized user and authentication management.
Now that you have an understanding of some of the new security considerations related to SAP S/4HANA, let’s take a closer
look at the tasks involved in securing your SAP S/4HANA landscape after a conversion from SAP Business Suite.
Second, SAP S/4HANA includes new SAP Fiori apps, which are basically web services. Users need the authorization to use
these apps, which is not too difficult to configure, but SAP S/4HANA includes a major design change in how to build roles, and
this can be a challenge for those who are not yet familiar with SAP Fiori apps and how they are published using SAP Gateway.
In SAP S/4HANA, the role-building transaction PFCG includes new mechanisms to integrate app catalogs and to communicate
and sync with the publishing instance (SAP Gateway). It is important to understand how these mechanisms work and which
steps to take in transaction PFCG to ensure a proper role-building process in the SAP S/4HANA application life cycle.
Another area to be aware of is the new authorizations design of SAP HANA extended application services, advanced model (the
development and runtime environment for native SAP HANA-based applications). Building roles and authorizations for SAP
HANA extended application services, advanced model, which was introduced with SAP HANA 2.0, is significantly different from
traditional database and SAP application server security administration. You will need an expert for this if you want to develop
new native applications for SAP HANA with a proper security design, and this requirement should be reflected in your project
plan. Granting access to the administrative applications SAP ships with SAP HANA extended application services, advanced
model, is another task that user admin teams need to know how to perform.
Keep in mind that the new features for SAP HANA extended application services, advanced model, are required for advanced
processes only. Standard SAP S/4HANA processes typically do not require custom apps based on SAP HANA extended
application services, advanced model. Only when you want to make use of the full potential of your SAP HANA engine do you
need to quickly embrace all these security techniques.
With SAP S/4HANA and its SAP Fiori technology, it has become simple to publish dedicated small apps to other user groups
and their devices, be it mobile or desktop. Granting access to business-critical system components must be thoroughly shielded,
however, and so a strong security architecture, similar to the one shown in Figure 1, is required to ensure that the right users
have network access to the right set of apps with properly enforced security controls, such as two-factor authentication. In
addition, SAP Gateway, which is where the apps are published and accessed, may need to be in a demilitarized zone (DMZ),
while the SAP S/4HANA core system stays in the internal high-security network zone.
Figure 1 — A simplified example of a security environment adapted to SAP S/4HANA — when SAP Gateway runs on the SAP HANA database
as well, SAP HANA cockpit requires access to both SAP Gateway and the SAP S/4HANA back end
Data transmissions in this architecture must be secured with standard mechanisms such as the Transport Layer Security (TLS)
protocol, and firewall setups must define where external users can and cannot go. You can also increase network security in
scenarios where HTTP(S) and Remote Function Call (RFC) connections traverse network zones using the “reverse invoke”
mechanism that is available with SAProuter (which handles RFC communication over network zone borders) and Web
Dispatcher (which manages HTTP connections to SAP systems for web applications). This mechanism allows these types of
traffic without permitting direct access to back-end systems — it reverses the Transmission Control Protocol (TCP) connection
so that it is always initiated from the internal network instead of the DMZ, which enables easier and more secure firewall setups
at the internal network zone border.
Keep in mind that individual teams — including the portal, SAP operations, security, firewall, and networking teams — must work
closely together to synchronize all these configurations so there are no gaps created by misunderstandings. It is also important
to note that these requirements are not new for digital businesses and are not specific to SAP or SAP S/4HANA, but you need to
be sure to incorporate them into your SAP S/4HANA security project plan.
To support hybrid business processes that incorporate both SAP S/4HANA on premise and applications in the cloud, security
teams should know how to set up and run Cloud Connector in a secure manner, which is fairly simple, and how to grant
permissions to cloud applications using the SAP Cloud Platform Identity Authentication and SAP Cloud Platform Identity
Provisioning services. You may want to compare the setup of Cloud Connector to SAProuter or Web Dispatcher installations
— they are similar types of standalone infrastructure engines that control network communications between business systems.
Against this background, efficient central user management and modern authentication mechanisms are key with larger SAP
S/4HANA implementations. Security teams should be familiar with federated single sign-on and Security Assertion Markup
Language (SAML) 2.0. Also, without a decent identity management solution, you will have trouble keeping track of the individual
accounts you must create and maintain. This solution should be capable of provisioning users into both cloud and on-premise
systems. At a minimum, a central user administration system for both SAP S/4HANA and SAP Gateway must be in place, while
cloud users could potentially be maintained separately. The right choice of technology should therefore be a part of your project
plan for an SAP S/4HANA conversion, as it has consequences for how the user management processes can be remastered to
match the demand of the new solution landscape.
setting containers that you can directly upload into the Configuration Validation application. This is ready-made monitoring for all
SAP security recommendations with a fairly small implementation footprint (and no additional licenses as the SAP Solution
Manager applications are freely available).
Figure 2 — An example architecture that uses identity authentication and provisioning services for managing user access in the cloud
In addition, SAP has refurbished its SAP MaxAttention offering (known as “New MaxAttention”), with a track (or “focus topic”)
dedicated to security and compliance, as shown in Figure 3. You can make use of additional security services starting from the
planning phase (for example, helping customers identify and close gaps in their solution landscapes) through the realization and
run phases (for example, running security checks before go live).
Figure 3 — SAP MaxAttention includes a focus topic dedicated to security and compliance topics
Using the SAP-provided white papers available at https://support.sap.com/securitywp and the Security Baseline Template,
you can create a short list of critical activities that must be performed to increase the overall security level of your core system,
such as:
• Standard user protection: Remove well-known factory passwords from the standard users SAP*, DDIC, and TMSADM
using report RSUSR003 for all affected users.
• Credential protection: Remove outdated hash storage of passwords and protect hash tables.
• Secure SAP code: If it does not yet exist, set up a patching process to consume the security notes that SAP publishes each
month.
• Secure custom code: Check if you have developer guidelines to write secure code, and assess whether a security scan
engine might be required.
• Data transmission protection: Enable Secure Network Communication (SNC) and TLS for all client communications.
• Logging: Turn on all logging to ensure that no attack information is lost.
• Secure configuration: Check all relevant profile parameters and customizing for correct security settings.
• Interface security: Remove the SAP_ALL profile from technical users, check destination credentials, and activate Unified
Connectivity (UCON) and Remote Function Call (RFC) callback protection to minimize the attack surface.
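Several of the activities in this list map to profile parameters of the SAP NetWeaver AS ABAP core system. The following added example (not code from the article or from SAP) parses an instance or default profile and reports settings that are missing or weaker than a small baseline; the parameter names are well-known SAP profile parameters that the article does not list, and the expected values are assumptions that mirror common hardening guidance, so reconcile them with the Security Baseline Template before use.

```python
"""Check an SAP NetWeaver AS ABAP profile against a small security baseline.
Added example, not SAP code: parameter names are well-known profile parameters;
the expected values are assumptions that mirror common hardening guidance."""
import re
from typing import Callable, Dict, List, Tuple

BASELINE: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    # standard user protection: no implicit SAP* login when the user is absent
    "login/no_automatic_user_sapstar": ("implicit SAP* login blocked", lambda v: v == "1"),
    # credential protection: no downward-compatible (weak) password hashes
    "login/password_downwards_compatibility": ("only strong hashes stored", lambda v: v == "0"),
    "login/min_password_lng": ("minimum password length >= 8", lambda v: v.isdigit() and int(v) >= 8),
    # data transmission protection, logging and interface security
    "snc/enable": ("SNC active", lambda v: v == "1"),
    "rsau/enable": ("security audit log active", lambda v: v == "1"),
    "rfc/callback_security_method": ("RFC callback check enforced", lambda v: v == "3"),
}
_LINE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")

def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment; the last assignment wins."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _LINE.match(line)
        if match:
            params[match.group(1)] = match.group(2)
    return params

def check_profile(text: str) -> List[str]:
    """Return one finding per baseline parameter that is missing or weak."""
    params = parse_profile(text)
    findings: List[str] = []
    for name, (what, is_ok) in BASELINE.items():
        value = params.get(name)
        if value is None:
            findings.append(f"{name}: not set ({what})")
        elif not is_ok(value):
            findings.append(f"{name} = {value}: weak ({what})")
    return findings

# constructed sample: two parameters already hardened, the rest weak or absent
SAMPLE_PROFILE = """\
# constructed DEFAULT.PFL fragment (sample input, not from a real system)
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 1
login/min_password_lng = 6
rfc/callback_security_method = 3
"""
```

Running `check_profile(SAMPLE_PROFILE)` on the constructed fragment reports the weak hash setting and password length plus the absent SNC and audit log parameters, while the hardened SAP* and RFC callback settings produce no finding.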
While each of these activities is important, you may not be able to conduct them all at the same time because of limited
resources. SAP recommends that you avoid running more than three items in parallel to prevent overloading your SAP Basis
and security teams. To prioritize the activities properly, it is helpful to assess the protective measures identified as missing and
then order them according to their criticality and the effort required to remediate them, as shown in Figure 4. You can then
create a project plan that prioritizes the security measures based on their estimated run time and ability to generate quick wins,
as shown in Figure 5.
Figure 4 — An example prioritization of security activities based on criticality and required effort
Conclusion
By securing your SAP S/4HANA implementation with the security strategies outlined in this article, you will be well on your way
toward establishing a landscape that can leverage the full potential of the solution. You can help ensure the success of your SAP
S/4HANA security project by answering some core questions at the very beginning of your project:
• Have we already considered all past SAP security recommendations? If not, take a second look.
• Are our skills for SAP S/4HANA and SAP HANA 2.0 roles and authorizations management sufficient?
• What should the network security architecture for SAP S/4HANA business and cloud integration scenarios look like?
• Is our user management technology capable of supporting the SAP S/4HANA landscape properly or do we need more
advanced technology?
• Do our support engagements get SAP’s additional security offerings without additional charge?
With the answers to these questions, you will be ideally positioned to establish a strong, secure SAP S/4HANA implementation
and seize the opportunities it can offer going forward.
1 For more on converting from SAP Business Suite to SAP S/4HANA, see the SAPinsider articles “Making the Move to SAP S/4HANA” (January-March 2017) and “A Simplified Way to Bring Your
2 Using proper network design and the available technology are key, and remember that opening access to specific applications is not special to SAP software — it should be a standard request to security
teams.
Birger Toedtmann
Birger Toedtmann ([email protected]) worked for
over 15 years in the area of designing and operating secure
telecommunication networks at various companies, before
joining SAP in 2007. Since then he has served customers as
Technology Principal Consultant in the GRC and security
domain, assisting them in securing their SAP landscapes.
Birger also leads SAP Professional Services’s internal security community, a
virtual group providing expert knowledge transfer to all associated consultants.