Security with SAP RISE: A Shared Model of Responsibility
SAP RISE is a cloud-based service offering from SAP that includes the private edition of SAP S/4HANA Cloud at the core. As part of the offering, SAP maintains privately-managed, single-tenanted accounts for each customer with hyperscale providers including AWS, Azure and GCP. The accounts are fully managed by SAP. Therefore, SAP acts as a cloud service provider and the customer is essentially a consumer of an SAP cloud service.
SAP customers are responsible for most aspects of security for on-premise deployments or cloud deployments managed directly with hyperscale providers. However, SAP RISE divides the responsibilities between SAP and customers.
As the cloud service provider, SAP assumes many of the responsibilities for security that would otherwise lay with the customer. This includes security at the hyperscaler and network level, as well as security for databases and servers, including operating systems for SAP servers.
Customers are responsible for the application and data layer. However, the responsibility for these areas can also be shared with SAP through optional Cloud Application Services (CAS) that extend the services delivered through SAP RISE. For example, SAP can assume the responsibility for identifying, analyzing, and implementing required security notes. However, this requires an additional CAS package that is not included in standard RISE services. If the customer does not obtain the package, the responsibility for analyzing and selecting notes for implementation lays with the customer. Once selected, the customer can create a service request for SAP to apply the notes.
The security of custom code is also the responsibility of each customer. Customers are encouraged to analyze custom code and remove obsolete, redundant and duplicate code to comply with SAP’s Clean Core principle. The remaining custom developments can be adapted and migrated to systems maintained by SAP Enterprise Cloud Services. However, customers are responsible for ensuring that the developments are secure and do not contain code-level vulnerabilities. RISE customers can secure custom SAP programs and applications using the SAP-certified Cybersecurity Extension for SAP (CES). CES supports the automated detection of code vulnerabilities in ABAP and UI5 applications. It can be used to support S/4HANA migrations and on-going development and maintenance activities for custom applications.
With the exception of SAP HANA, access control is also the responsibility of customers. This includes managing end user permissions and administrative privileges. Customers can opt-in for optional CAS packages that provide SAP managed services for this area. The Cybersecurity Extension for SAP can be used to monitor access privileges for systems in SAP RISE including segregation of duties violations and access to critical roles, profiles, transactions and authorizations at both the functional and technical level. This includes S/4HANA and supporting systems.
Security hardening is applied by SAP through standard builds used for each ABAP system. The builds include mandatory security settings documented in SAP Note 3250501. This includes areas such as security-relevant profile parameters, securing standard users, deleting unused clients, deactivating vulnerable ICF services, system and client change options, and hardening for the RFC gateway and message server. The settings can be overridden by customers. Therefore, it is important to automate monitoring for compliance with the hardening requirements. This can be performed using the Cybersecurity Extension for SAP. Compliance Reporting in CES will automatically identify compliance gaps for SAP systems against the requirements of SAP Enterprise Cloud Services (ECS) in Note 3250501.
The final area that customers are responsible for is logging and monitoring. SAP provides customers with access to application logs. Customers can request access to OS, DB and network logs. This is provisioned using a premium offering called LogServe. The application and infrastructure logs can be integrated with SIEM solutions to automate threat detection and response. Alternatively, customers can pay for SAP Enterprise Threat Detection (ETD), cloud edition, or opt for a 24/7 or 8/5 managed service from SAP based on ETD. Neither option is included in standard RISE services.
The cloud edition of ETD includes less than 50 patterns for detecting Indicators of Compromise (IOC) in SAP solutions. The Cybersecurity Extension for SAP provides more than 900 patterns to detects IOCs in SAP systems, including patterns for databases, operating systems, and standalone components such as the SAProuter and Web Dispatcher.
Overall, SAP RISE does not delegate the responsibility for security patching, secure development, access control, hardening, and logging and monitoring from customers to SAP. This is possible for some areas but only through the addition of optional packages that are not included in standard RISE services. Customer and SAP responsibilities are detailed in a comprehensive matrix provided by SAP ECS for more than 1000 tasks. The matrix is a reference for standard, optional, and additional services, excluded tasks, and services available through available CAS packages that are subject to additional service fees. Note that the matrix is subject to change by SAP.