Securing SAP S/4HANA
Reading time: 15 mins
by Birger Toedtmann, SAP
A lot of SAP customers are currently at the point of either planning or executing a conversion to SAP S/4HANA from SAP Business Suite.[1] Among many other considerations, security is one of the bigger topics that spring to mind as part of this conversion: What exactly are the differences between SAP S/4HANA and the standard SAP Business Suite setups? What are the typical pitfalls and which tasks require the most effort? What tasks must be performed right away, and what tasks can you shift to later points in time? All these questions are largely related to the architectural and technological changes that come with SAP S/4HANA.
This article aims to address these questions and to help ensure that you can leverage the full potential of the solution. It outlines the five critical areas security administrators need to look at when it comes to securing an SAP S/4HANA implementation. It takes a closer look at these five areas — roles and authorizations, SAP HANA security, infrastructure security, cloud integration, and user management and authentication — and then provides guidance on the challenges that can arise and how to properly address them. It also examines the resources available from SAP to help you along the way, and how to address the security of the SAP S/4HANA core system: SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP.
First, to ensure a clear understanding of the security activities connected with an SAP S/4HANA implementation project, we’ll take a closer look at how some of the underlying technology changes with SAP S/4HANA affect security considerations in your landscape.
New Security Considerations with SAP S/4HANA
The core system for SAP S/4HANA, like SAP Business Suite, is SAP NetWeaver AS ABAP. From a security standpoint, it looks like a traditional SAP ERP system running on an SAP HANA database, with all the related internal optimizations, and the same standard security controls, switches, and customizing required for other SAP NetWeaver AS ABAP-based systems. While it may seem that only the SAP HANA database requires a closer look in an SAP S/4HANA implementation, there is more to the story: SAP HANA in this setup is not just a new database, it is also an application server, and certain SAP S/4HANA application processes may run natively from it — or, to be more precise, may run natively from SAP HANA extended application services, advanced model, which is a development and runtime environment delivered with SAP HANA for native applications.
These native SAP HANA applications bypass the ABAP stack and its security controls, which must be addressed. SAP S/4HANA also offers a high degree of simplification through optimized SAP Fiori apps and cockpits, which supersede the old SAP Business Suite transactions. With the shift to web-based activities, many companies plan to offer some of these apps to external audiences — for example, letting your vendors directly enter their numbers in your system is a highly efficient business functionality. However, this “opening” of access to ERP functions will have an impact on the underlying network security infrastructure, which will need to be considered.
In addition, some organizations have already shifted processes to the cloud, and SAP S/4HANA comes with many options for integrating with these cloud-based scenarios in a hybrid landscape. For security teams, this means that critical data resides in a location other than on premise, and they must closely watch the security of the integration with external systems and applications. Finally, you must also coordinate access to all the different applications and instances, which requires smooth, efficient, and centralized user and authentication management.
Now that you have an understanding of some of the new security considerations related to SAP S/4HANA, let’s take a closer look at the tasks involved in securing your SAP S/4HANA landscape after a conversion from SAP Business Suite.
Securing an SAP S/4HANA Landscape
After converting from SAP Business Suite to SAP S/4HANA, there are five key areas you need to address quickly to secure your SAP S/4HANA landscape:
- Updating roles and authorizations
- Securing the SAP HANA system
- Ensuring a strong security infrastructure
- Integrating cloud applications
- Managing user access and authentication
Updating Roles and Authorizations
First, a conversion to SAP S/4HANA is, at its core, an upgrade. As with all upgrades, this means that you must update your roles and authorizations. For example, there will be new checks for authorization objects, new transactions, and old transactions — this is business as usual, and will require a significant amount of effort. A firm grasp of security transactions SU24 (Maintain Check Indicators) and SU25 (Upgrade Tool for Profile Generator) will help smooth the way through the required tasks.
Second, SAP S/4HANA includes new SAP Fiori apps, which are basically web services. Users need the authorization to use these apps, which is not too difficult to configure, but SAP S/4HANA includes a major design change in how to build roles, and this can be a challenge for those who are not yet familiar with SAP Fiori apps and how they are published using SAP Gateway. In SAP S/4HANA, the role-building transaction PFCG includes new mechanisms to integrate app catalogs and to communicate and sync with the publishing instance (SAP Gateway). It is important to understand how these mechanisms work and which steps to take in transaction PFCG to ensure a proper role-building process in the SAP S/4HANA application life cycle.
Securing the SAP HANA System
Your hosting partner or your data center operations team, depending on whether your deployment is on premise or in the cloud, must learn the new security settings and authorizations setup of an SAP HANA database to operate it correctly and shield it from improper access. With SAP HANA 1.0, specific developers and administrators required direct access to the database’s SQL port because SAP HANA studio connected to this port, and this presented security challenges. Now, SAP HANA development and administration activities are largely performed via web interface, so access to only the application server’s web service ports is typically sufficient. If this is not sufficient — for example, if important development functionality is not yet available in the Web IDE for SAP HANA — you should allow access to the SQL port from dedicated workstations only, such as Windows Terminal Server (WTS) workstations.
Another area to be aware of is the new authorizations design of SAP HANA extended application services, advanced model (the development and runtime environment for native SAP HANA-based applications). Building roles and authorizations for SAP HANA extended application services, advanced model, which was introduced with SAP HANA 2.0, is significantly different from traditional database and SAP application server security administration. You will need an expert for this if you want to develop new native applications for SAP HANA with a proper security design, and this requirement should be reflected in your project plan. Granting access to the administrative applications SAP ships with SAP HANA extended application services, advanced model, is another task that user admin teams need to know how to perform.
Keep in mind that the new features for SAP HANA extended application services, advanced model, are required for advanced processes only. Standard SAP S/4HANA processes typically do not require custom apps based on SAP HANA extended application services, advanced model. Only when you want to make use of the full potential of your SAP HANA engine do you need to quickly embrace all these security techniques.
Ensuring a Strong Security Infrastructure
Going digital implies opening business processes to the outside world, such as offering individualized services to vendors, customers, and other parties, and enabling them to stay informed about the progress of their transactions and enter their own changes in certain process steps. It also means executing these processes in real time rather than using an outdated approach such as asynchronous processing via email. In the past, allowing external users access to certain parts of business applications could be difficult in the closed-shop SAP world with its fat client SAP GUI connected to dedicated network ports, and many customers addressed this with SAP solutions such as SAP Enterprise Portal.
With SAP S/4HANA and its SAP Fiori technology, it has become simple to publish dedicated small apps to other user groups and their devices, be it mobile or desktop. Granting access to business-critical system components must be thoroughly shielded, however, and so a strong security architecture, similar to the one shown in Figure 1, is required to ensure that the right users have network access to the right set of apps with properly enforced security controls, such as two-factor authentication. In addition, SAP Gateway, which is where the apps are published and accessed, may need to be in a demilitarized zone (DMZ), while the SAP S/4HANA core system stays in the internal high-security network zone.
Data transmissions in this architecture must be secured with standard mechanisms such as the Transport Layer Security (TLS) protocol, and firewall setups must define where external users can and cannot go. You can also increase network security in scenarios where HTTP(S) and Remote Function Call (RFC) connections traverse network zones using the “reverse invoke” mechanism that is available with SAProuter (which handles RFC communication over network zone borders) and Web Dispatcher (which manages HTTP connections to SAP systems for web applications). This mechanism allows these types of traffic without permitting direct access to back-end systems — it reverses the Transmission Control Protocol (TCP) connection so that it is always initiated from the internal network instead of the DMZ, which enables easier and more secure firewall setups at the internal network zone border.
Keep in mind that individual teams — including the portal, SAP operations, security, firewall, and networking teams — must work closely together to synchronize all these configurations so there are no gaps created by misunderstandings. It is also important to note that these requirements are not new for digital businesses and are not specific to SAP or SAP S/4HANA, but you need to be sure to incorporate them into your SAP S/4HANA security project plan.
Integrating Cloud Applications
Instead of allowing certain external user groups access to on-premise applications, it is often easier and more secure to let users interact with cloud solutions. Many activities already take place in the cloud, and SAP S/4HANA offers a simpler way to exchange data in real time with environments such as SAP Cloud Platform through Cloud Connector, which easily and securely links SAP Cloud Platform applications with on-premise systems such as SAP S/4HANA.
To support hybrid business processes that incorporate both SAP S/4HANA on premise and applications in the cloud, security teams should know how to set up and run Cloud Connector in a secure manner, which is fairly simple, and how to grant permissions to cloud applications using the SAP Cloud Platform Identity Authentication and SAP Cloud Platform Identity Provisioning services. You may want to compare the setup of Cloud Connector to SAProuter or Web Dispatcher installations — they are similar types of standalone infrastructure engines that control network communications between business systems.
Managing User Access and Authentication
One of the biggest challenges in digital business scenarios is coordinating the various types of access, particularly when access is taking place across hybrid landscapes. You may need to set up users not only in the SAP S/4HANA core (that is, the SAP NetWeaver AS ABAP system), but also potentially as native users in SAP HANA itself. These users also need to have access to SAP Gateway, which provides the app catalog for users, and to all connected cloud applications. In addition, you will want to have a smooth handover between the individual systems once a user is authenticated the first time — you do not want users to be prompted for passwords over and over again.
Against this background, efficient central user management and modern authentication mechanisms are key with larger SAP S/4HANA implementations. Security teams should be familiar with federated single sign-on and Security Assertion Markup Language (SAML) 2.0. Also, without a decent identity management solution, you will have trouble keeping track of the individual accounts you must create and maintain. This solution should be capable of provisioning users into both cloud and on-premise systems. At a minimum, a central user administration system for both SAP S/4HANA and SAP Gateway must be in place, while cloud users could potentially be maintained separately. The right choice of technology should therefore be a part of your project plan for an SAP S/4HANA conversion, as it has consequences for how the user management processes can be remastered to match the demand of the new solution landscape.
You might now be thinking, “OK, this seems like a lot of additional work.” And it would be without the white papers, guidelines, recommendations, and tools SAP provides to help significantly simplify the process of establishing a secure setup and operation of SAP S/4HANA.[2]
Security White Papers
To help businesses increase the security of their SAP systems, SAP has published a series of white papers in SAP Support Portal (https://support.sap.com/securitywp). The first two — “Protecting SAP Applications Against Common Attacks” and “Secure Configuration of SAP NetWeaver Application Server Using ABAP” — were published in 2011 and 2012, respectively, with others following over time, including “SAP Security Recommendations: Securing Remote Function Calls (RFC).” These white papers continue to be valid and contain the most important things to consider from an SAP perspective. All of them are applicable to SAP S/4HANA systems and should serve as a basis for securing SAP S/4HANA. Security teams should know them by heart. If your current (non-SAP S/4HANA) landscapes are not yet operating based on these recommendations, you have a gap that needs to be dealt with urgently.
SAP Solution Manager
With SAP Solution Manager, SAP provides the System Recommendations application to highlight security notes that are missing in systems and the Configuration Validation application to monitor whether systems are configured correctly with respect to security. The Security Baseline Template (SAP Note 2253549), also included with SAP Solution Manager, not only contains all security recommendations from the security white papers available in SAP Support Portal, but also provides predefined target setting containers that you can directly upload into the Configuration Validation application. This is ready-made monitoring for all SAP security recommendations with a fairly small implementation footprint (and no additional licenses as the SAP Solution Manager applications are freely available).
Security Guides and Training
For roles and authorizations, SAP offers the usual security guides that accompany its solutions. For example, SAP HANA security recommendations are well summarized in a chapter of the SAP HANA Security Guide. SAP’s education organization also offers training courses, including a course on SAP S/4HANA authorization setup (ADM945) and a course on SAP HANA native authorizations (HA240).
Solutions for Identifying Risks and Managing Access
SAP provides comprehensive solutions to help with identifying security risks and managing user access. SAP Enterprise Threat Detection can be helpful for those that need higher security standards and integration in security information and event management (SIEM) and security operations center (SOC) processes. SAP also offers state-of-the-art user provisioning services for cloud applications (see Figure 2). The SAP Cloud Platform Identity Provisioning and SAP Cloud Platform Identity Authentication services allow you to set up federated single sign-on scenarios in a simple way and manage user accesses in cloud applications. SAP customers can neatly integrate their own identity providers into this architecture, which enables users (external as well as internal ones) to hop from on-premise applications to cloud applications and vice versa without disruption, while Cloud Connector ensures that business data is available where needed.
SAP Digital Business Services
For customers with stringent security requirements and a need for external assistance, SAP offers SAP Digital Business Services. As of Q1 2018, the new SAP Activate methodology for implementations and migrations contains elements that ensure security is not overlooked in any project. There are special phases focused on security design and implementation embedded in the overall implementation plan. SAP Value Assurance service packages also follow this design, offering assistance from SAP’s support services that can be used to safeguard an SAP S/4HANA implementation project.
In addition, SAP has refurbished its SAP MaxAttention offering (known as “New MaxAttention”), with a track (or “focus topic”) dedicated to security and compliance, as shown in Figure 3. You can make use of additional security services starting from the planning phase (for example, helping customers identify and close gaps in their solution landscapes) through the realization and run phases (for example, running security checks before go live).
Securing the Core
So far, this article has focused on the overall areas that are critical for securely running SAP S/4HANA solution landscapes. But what about the running core of SAP S/4HANA — that is, the SAP NetWeaver AS ABAP system? What are SAP’s most important recommendations for directly strengthening its security?
Using the SAP-provided white papers available at https://support.sap.com/securitywp and the Security Baseline Template, you can create a short list of critical activities that must be performed to increase the overall security level of your core system, such as:
- Standard user protection: Remove well-known factory passwords from the standard users SAP*, DDIC, and TMSADM; report RSUSR003 identifies the affected users across all clients so that none are missed.
- Credential protection: Remove outdated hash storage of passwords and protect hash tables.
- Secure SAP code: If it does not yet exist, set up a patching process to consume the security notes that SAP publishes each month.
- Secure custom code: Check if you have developer guidelines to write secure code, and assess whether a security scan engine might be required.
- Data transmission protection: Enable Secure Network Communication (SNC) and TLS for all client communications.
- Logging: Turn on all logging to ensure that no attack information is lost.
- Secure configuration: Check all relevant profile parameters and customizing for correct security settings.
- Interface security: Remove the SAP_ALL profile from technical users, check destination credentials, and activate Unified Connectivity (UCON) and Remote Function Call (RFC) callback protection to minimize the attack surface.
While each of these activities is important, you may not be able to conduct them all at the same time because of limited resources. SAP recommends that you avoid running more than three items in parallel to prevent overloading your SAP Basis and security teams. To prioritize the activities properly, it is helpful to assess the protective measures identified as missing and then order them according to their criticality and the effort required to remediate them, as shown in Figure 4. You can then create a project plan that prioritizes the security measures based on their estimated run time and ability to generate quick wins, as shown in Figure 5.
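The Configuration Validation monitoring described above and the prioritization by criticality and effort from this section can be illustrated with a small script. The following is an added example written for this article, not SAP code and not the Configuration Validation application itself: it parses a constructed profile-parameter export, compares a handful of real SAP NetWeaver AS ABAP profile parameters (hash storage, Security Audit Log, SNC, UCON, RFC callback protection) against target values, and groups the resulting findings into waves of at most three items. The target values, criticality scores, and effort scores are illustrative assumptions made for the example, not the authoritative Security Baseline Template.

```python
"""Toy configuration-validation pass over an SAP NetWeaver AS ABAP profile.

Added example, not SAP code and not the Configuration Validation application.
Parameter names are real profile parameters; the target values, criticality and
effort scores are illustrative choices made for this example, not the
authoritative Security Baseline Template.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of a profile export: one "parameter = value" (or
# "parameter value") per line, comments with '#'. Not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile excerpt (constructed)
login/no_automatic_user_sapstar = 0
login/password_downwards_compatibility = 1
login/min_password_lng = 6
rsau/enable = 0
snc/enable = 0
ucon/rfc/active = 0
rfc/callback_security_method = 1
auth/rfc_authority_check = 1
"""


@dataclass(frozen=True)
class Rule:
    param: str
    expected: int
    compare: str        # "==" exact value, ">=" minimum value
    criticality: int    # 1 (low) .. 5 (high); assumed scores
    effort: int         # 1 (quick win) .. 5 (project); assumed scores
    topic: str          # hardening area from the article's list


# Assumed target values and scores (illustrative, not the baseline template).
RULES: List[Rule] = [
    Rule("login/no_automatic_user_sapstar", 1, "==", 5, 1, "Standard user protection"),
    Rule("login/password_downwards_compatibility", 0, "==", 4, 2, "Credential protection"),
    Rule("login/min_password_lng", 8, ">=", 3, 1, "Credential protection"),
    Rule("rsau/enable", 1, "==", 4, 1, "Logging"),
    Rule("snc/enable", 1, "==", 4, 4, "Data transmission protection"),
    Rule("ucon/rfc/active", 1, "==", 3, 3, "Interface security"),
    Rule("rfc/callback_security_method", 3, "==", 3, 2, "Interface security"),
    Rule("auth/rfc_authority_check", 1, ">=", 4, 2, "Interface security"),
]


@dataclass(frozen=True)
class Finding:
    rule: Rule
    actual: Optional[str]   # None when the parameter is absent from the export


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'param = value' or 'param value' lines into a dict."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
        else:
            key, value = line.split(None, 1)
        params[key.strip()] = value.strip()
    return params


def evaluate(params: Dict[str, str], rules: List[Rule] = RULES) -> List[Finding]:
    """Return one Finding per rule that is not met (or cannot be verified)."""
    findings: List[Finding] = []
    for rule in rules:
        actual = params.get(rule.param)
        if actual is None or not actual.lstrip("-").isdigit():
            # Absent or non-numeric: report it so the value is verified in RZ11.
            findings.append(Finding(rule, actual))
            continue
        value = int(actual)
        ok = value == rule.expected if rule.compare == "==" else value >= rule.expected
        if not ok:
            findings.append(Finding(rule, actual))
    return findings


def prioritize(findings: List[Finding], max_parallel: int = 3) -> List[List[Finding]]:
    """Order findings by criticality (high first), then effort (low first), and
    split them into waves of at most max_parallel items, following the advice
    not to run more than three activities in parallel."""
    ordered = sorted(findings, key=lambda f: (-f.rule.criticality, f.rule.effort, f.rule.param))
    return [ordered[i:i + max_parallel] for i in range(0, len(ordered), max_parallel)]


def report(text: str) -> List[List[str]]:
    """Parse, evaluate and return the wave plan as lists of parameter names."""
    waves = prioritize(evaluate(parse_profile(text)))
    return [[f.rule.param for f in wave] for wave in waves]


if __name__ == "__main__":
    for n, wave in enumerate(prioritize(evaluate(parse_profile(SAMPLE_PROFILE))), 1):
        print(f"Wave {n}:")
        for f in wave:
            print(f"  [{f.rule.topic}] {f.rule.param}: is {f.actual!r}, "
                  f"want {f.rule.compare} {f.rule.expected} "
                  f"(criticality {f.rule.criticality}, effort {f.rule.effort})")
```

Run against the constructed sample, seven of the eight checks fail and land in three waves: the quick, high-criticality items (SAP* protection, Security Audit Log, password hash downward compatibility) come first, the SNC rollout sits in the second wave because of its effort, and UCON activation closes the plan. In practice the rule table would be replaced by the target setting containers of the Security Baseline Template and the input by the actual parameter values of the system.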
By securing your SAP S/4HANA implementation with the security strategies outlined in this article, you will be well on your way toward establishing a landscape that can leverage the full potential of the solution. You can help ensure the success of your SAP S/4HANA security project by answering some core questions at the very beginning of your project:
- Have we already considered all past SAP security recommendations? If not, take a second look.
- Are our skills for SAP S/4HANA and SAP HANA 2.0 roles and authorizations management sufficient?
- What should the network security architecture for SAP S/4HANA business and cloud integration scenarios look like?
- Is our user management technology capable of supporting the SAP S/4HANA landscape properly or do we need more advanced technology?
- Do our support engagements get SAP’s additional security offerings without additional charge?
With the answers to these questions, you will be ideally positioned to establish a strong, secure SAP S/4HANA implementation and seize the opportunities it can offer going forward.
[1] For more on converting from SAP Business Suite to SAP S/4HANA, see the SAPinsider articles “Making the Move to SAP S/4HANA” (January-March 2017) and “A Simplified Way to Bring Your Custom Code to SAP S/4HANA” (Issue 2, 2018) available at SAPinsiderOnline.com.
[2] Using proper network design and the available technology are key, and remember that opening access to specific applications is not special to SAP software; it should be a standard request to security teams.
Birger Toedtmann (firstname.lastname@example.org) worked for over 15 years in the area of designing and operating secure telecommunication networks at various companies, before joining SAP in 2007. Since then he has served customers as Technology Principal Consultant in the GRC and security domain, assisting them in securing their SAP landscapes. Birger also leads SAP Professional Services’s internal security community, a virtual group providing expert knowledge transfer to all associated consultants.