SAP S/4HANA Cloud Private Edition plays a central role in the RISE with SAP offering, hosting customers’ data and business processes. SAP Enterprise Cloud Services (ECS) delivers a managed private environment with a layered defensive architecture covering the infrastructure and the associated technical managed services. This includes comprehensive SLAs for the full solution stack and a proven security architecture that minimises risk for customers. Layered protection requires security to be addressed at the level of people, processes and technology alike. In this post we outline the layered defensive architecture at a high level. For the sake of clarity, only an abstract, high-level approach is presented.
Approach to the layered defensive architecture
SAP S/4HANA Cloud Private Edition is a managed, single-tenant private environment for customers, in which SAP creates a separate account (AWS), subscription (Azure) or project (GCP) for each customer. Applications and virtual database instances are dedicated exclusively to a single customer. Security by Design and Security by Default are deeply embedded throughout the layered architecture.

Data protection
SAP S/4HANA Cloud Private Edition supports the following data security capabilities:
- A separate virtual instance for the database and application servers per customer.
- Encryption of data at rest: SAP HANA data encryption uses the AES-256-CBC algorithm (256-bit key length). Different encryption keys (data volume, log volume, backups, applications) are stored in the Instance Secure Store File System (SSFS) inside the HANA database instance. The SAP cryptographic libraries used are certified to the FIPS 140-2 standard. SSFS content is protected by the SSFS Master Key.
- Unique encryption keys and the master key are generated during installation and version upgrades of HANA. Master keys can also be rotated at regular intervals on request. Segregation of Duties (SoD) is applied to key management.
- Data at rest is encrypted: database volume, backups, redo logs, and storage-level encryption (server-side encryption) in hyperscaler storage.
- All HTTP traffic is protected via TLS 1.2 transport-layer encryption with AES-256-GCM.
- SAP HANA includes numerous built-in security capabilities, such as role-based access control, authorisations, UI masking and anonymisation capabilities.

Application security
- A web application firewall is integrated with the Application Gateway (Azure) or Application Load Balancer (AWS) to secure inbound traffic from the internet.
- Encryption of data in transit at the endpoint.
- Availability of secure connectors and agents required for secure integration of the SAP S/4HANA system with other SAP SaaS applications. Agents are provisioned on request and once the customer has purchased the relevant cloud solutions.
- Reverse proxy (Web Dispatcher): no direct access to the backend system.
- Secure cloud integrations via the SAP Cloud Connector.
- All outbound connections are governed by a restricted access control list configured in the security components used in the cloud. All outbound access supports TLS 1.2-based encryption in transit.
- Support for identity authentication via SAML, Kerberos/SPNEGO and X.509 certificates.
- Support for multi-factor authentication.

Network security
- For each customer, a dedicated account, subscription or project is created within the IaaS provider environment (AWS/Azure/GCP) to deploy dedicated (virtual) SAP instances. For each subscription/account/project, customer-specific Virtual Private Clouds (VPC) or Virtual Networks (VNET) are created to meet specific system/data isolation requirements. Within each VPC/VNET, multiple subnets are created (using private CIDR IP addresses) to segregate environments.
- Each subnet is configured with a Security Group (AWS), Network Security Group (Azure) or Firewall (GCP) with a defined set of rules governing network traffic.
- Security policies defined at a higher hierarchy level are propagated to each subscription/project/account.
- Data replication traffic from the primary site to the DR site is always carried over a private connection (peering).
- Customer access to the VPC or VNET is possible only via a dedicated private connection. It is also possible to configure the environment so that no network access from the internet to the managed environment is permitted at all.
- SAP isolates the administrative network from the customer VPC/VNET using administrative firewalls. Network traffic between the customer VNET/VPC and SAP’s administrative network always runs over encrypted VPN tunnels, and all administrative data exchanges are encrypted to TLS 1.2 standards.
- All administrative access requests go through an approval process managed by an access manager and are verified by a designated authority.
- All activities, including granting/denying administrative access and actions performed by administrators, are logged and audited.
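
An added example, not SAP's or the author's tooling: a Python check of the network properties this list describes (subnets in private address space, contained in the VPC/VNET, non-overlapping, and no inbound rule from a public source, as in the no-internet-access configuration). The layout format, names, CIDRs and rules are constructed for illustration, and "private" is assumed to mean the RFC 1918 ranges.

```python
import ipaddress

# Assumption: "private CIDR" on this page means RFC 1918 address space.
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample layout; every name, CIDR and rule here is illustrative.
LAYOUT = {
    "vpc": "10.20.0.0/16",
    "subnets": {
        "prod": {"cidr": "10.20.1.0/24",
                 "inbound": [("10.20.0.0/16", 443), ("172.16.50.0/24", 22)]},
        "dev": {"cidr": "10.20.2.0/24", "inbound": [("0.0.0.0/0", 443)]},
        "qa": {"cidr": "10.20.2.128/25", "inbound": []},   # overlaps dev
        "dr": {"cidr": "192.0.2.0/24", "inbound": []},     # public, outside VPC
    },
}

def is_rfc1918(net):
    """True if the IPv4 network sits entirely inside an RFC 1918 range."""
    return any(net.subnet_of(r) for r in RFC1918)

def audit_layout(layout):
    """Return a sorted list of (subnet, finding) tuples for the layout."""
    vpc = ipaddress.ip_network(layout["vpc"])
    findings, nets = [], {}
    for name, cfg in layout["subnets"].items():
        net = nets[name] = ipaddress.ip_network(cfg["cidr"])
        if not is_rfc1918(net):
            findings.append((name, "subnet CIDR is not private address space"))
        if not net.subnet_of(vpc):
            findings.append((name, "subnet lies outside the VPC/VNET range"))
        for source, port in cfg["inbound"]:
            if not is_rfc1918(ipaddress.ip_network(source)):
                findings.append(
                    (name, f"inbound {port} allowed from non-private source {source}"))
    # Overlapping subnets defeat the segregation of environments.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append((a, f"overlaps subnet {b}"))
    return sorted(findings)

if __name__ == "__main__":
    for subnet, finding in audit_layout(LAYOUT):
        print(f"{subnet}: {finding}")
```
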

Operational security
SAP Enterprise Cloud Services (ECS) carries out a range of tasks aimed at securing the customer environment. This includes security patch management and the hardening of operating systems, applications and virtual database instances. Security incident and event management is available for collecting, aggregating, correlating and applying security use cases to automatically detect security incidents. To secure the environment on behalf of customers, the team provides 24×7 infrastructure monitoring, database monitoring and security incident management, and ensures secure administrator access, regular backups, security scanning and threat elimination.

Audit and compliance
SAP conducts audits of its security controls, verified through a range of certifications and attestations.
ISO certifications:
- ISO 9001 Quality Management System
- ISO 27001 Information Security Management System
- ISO 27017 Cloud Services Security
- ISO 27018 Protection of Personal Data in the Cloud
- ISO 22301 Business Continuity Management
SOC 1 and SOC 2 Type 2 audits are carried out to verify the design of the security controls and the operating effectiveness of their implementation. The SOC 2 Type 2 report can be requested directly from the SAP Trust Center subject to a confidentiality agreement. SOC 1 Type 2 reports are available to existing customers with a productive instance and a valid confidentiality agreement, obtainable via the SAP Trust Center.
SNOK’s role and how we can help
SNOK, as an SAP partner, has built extensive experience in implementing and managing SAP solutions, including SAP S/4HANA Cloud Private Edition. We offer comprehensive advisory and support services in the field of security and data protection, enabling our clients to make the most of the cloud solutions offered by SAP. With our expertise, clients can be confident that their data is protected to the highest standards, and that the transition to the cloud is smooth and secure. It is also worth noting that SNOK holds ISO certifications, which confirms our commitment to delivering high-quality services and adhering to international data security standards.
Summary
SAP S/4HANA Cloud Private Edition gives customers a single-tenant landscape, considerable flexibility in upgrade and add-on cycles, and a defence-in-depth architecture that protects core information assets in terms of confidentiality, integrity and availability. This provides a clear transition and transformation path to cloud consumption for existing on-premise ECC customers. Many security-related tasks - such as security monitoring, security incident management, independent security audits, and a 24×7 Cyber SOC - are shifted onto SAP’s operational and management staff. This allows customers to focus on their core business processes and gain greater control over their data, leading to lower total cost of ownership and faster time to market.
If you would like to learn more about how SNOK can help your organisation secure its data in SAP S/4HANA Cloud Private Edition, get in touch with us today.