SAP Cloud Security and Compliance

SAP pursues a clear strategy: cloud first! As a result, cloud-based products such as SAP S/4HANA Cloud and the SAP Business Technology Platform (SAP BTP) are given priority for further development, which continuously increases their attractiveness. Nevertheless, many companies are hesitant to move to the SAP Cloud. Security concerns are often at the forefront – after all, business-critical applications and sensitive data leave the company’s own premises. Are these reservations justified?

What is the actual state of SAP Cloud security? This article takes a deep dive into the topic and highlights all the important security measures that the provider has implemented.


How secure is company data in the SAP S/4HANA Cloud?

SAP takes the issues of data protection and data security very seriously. This is demonstrated by a look at the software manufacturer’s security concept, which roughly outlines the following components:
  • Strictly secured data centers
  • Certifications in accordance with international standards
  • Encryption and access control
  • Robust backup and disaster recovery strategy
  • Comprehensive cyber security mechanisms
These elements of SAP Cloud Security are described in more detail below.

1. Strictly secured data centers

SAP operates around 100 data centers worldwide. Of these, 30 are located in Europe and 6 in Germany. Companies can select the location for their data themselves. On the one hand, geographical proximity improves the performance of the SAP S/4HANA Cloud ERP system. On the other hand, the free choice of location matters for compliance: a data center in the same jurisdiction ensures that local legal requirements such as the EU GDPR are met. In Germany, SAP data centers are located at the SAP headquarters in Walldorf as well as in Frankfurt am Main, Rellingen and St. Leon-Rot. There are also other data centers whose operating locations are not publicly disclosed for security reasons. The SAP data centers are monitored around the clock and are equipped with state-of-the-art physical security measures. These include:
  • biometric access controls
  • video surveillance and motion sensors
  • multi-level access restrictions for employees
The SAP security concept also ensures that the systems can continue to operate even in the event of natural disasters or other unforeseeable events. This is achieved with emergency power generators, fire protection systems, specially secured network connections, geo-redundant systems and automatic switchovers, among other things.

2. Certifications according to international standards

The software manufacturer can prove that SAP Cloud Security is functional and meets the highest security standards through several internationally recognized certifications. These include:

ISO/IEC 27001: Information security management

SAP has implemented a comprehensive information security management system (ISMS), which is confirmed by the globally recognized ISO/IEC 27001 certification. This system ensures that all sensitive data is protected through strict access controls, encryption and risk management. The certificate also proves that SAP continuously monitors its data centers with regard to security risks and carries out regular audits to identify and rectify security gaps at an early stage.

ISO 22301: Business continuity management

ISO 22301 certifies that SAP has a robust business continuity management system (BCMS). This ensures that operations are maintained even in the event of disruptions such as cyberattacks or natural disasters. This includes automatic failover mechanisms, redundancy in multiple data centers and regular testing of emergency plans to ensure data availability and business continuity.

SOC 1 Type II: Financial processes and data integrity

The SOC 1 Type II report confirms the effectiveness of the internal controls that ensure the protection of financially relevant processes. SAP thus proves that access rights, data integrity and backup processes function properly over an extended period of time. This is particularly important for customers in regulated industries such as finance.

SOC 2 Type II: Compliance standard for handling data

The SOC 2 Type II certification focuses on adherence to five basic compliance principles: Security, Availability, Confidentiality, Processing Integrity and Privacy. For this certificate, SAP data centers must prove that they continuously implement measures such as encryption, intrusion detection systems and access controls to ensure the security of customer data.

BS 10012: Information management of personal data

BS 10012:2017, certified by the British Standards Institution (BSI), specifies requirements for a Personal Information Management System (PIMS). This certification confirms that SAP processes personal data in accordance with the GDPR and applies strict guidelines for the protection of privacy. The processes in the SAP data centers are therefore demonstrably designed to ensure that the collection, storage, processing and deletion of personal information is transparent and secure.

3. Encryption and access control

Another security measure of SAP Cloud Security is to prevent unauthorized access to sensitive company data. The provider uses robust end-to-end encryption for this purpose. This means that data from SAP S/4HANA Cloud is protected both during transmission (“in-transit”) and at rest (“at-rest”). SAP uses the AES-256 algorithm for this, which is considered one of the most secure encryption standards. SAP has also implemented strict access controls in SAP S/4HANA Cloud. Companies can, for example, use the following mechanisms:
  • Multi-factor authentication (MFA) for access to systems
  • Role-based access controls (only authorized employees may access certain data)

4. Robust strategy for backup and disaster recovery

To ensure business continuity, the SAP security architecture also includes sophisticated disaster recovery plans. All data is stored in at least two different data centers – often even in different countries to minimize regional risks such as natural disasters. The backup strategies include:
  • daily automatic backups of all customer data
  • redundant data storage to avoid data loss
  • automatic failover mechanisms: In the event of a data center failure, all services are automatically redirected to another data center.
These measures guarantee almost 100% availability of cloud-based SAP S/4HANA systems. Even in the event of a hardware failure or natural disaster, companies can continue to operate without disruption.

5. Comprehensive cyber security mechanisms

Last but not least, the SAP security strategy includes a series of preventive and proactive state-of-the-art security measures to prevent, detect and stop cyber attacks in good time. Essentially, these are:
  • Regular security audits to identify potential vulnerabilities at an early stage
  • Patch management via an automated security policy to close known vulnerabilities immediately
  • Security Information and Event Management (SIEM): real-time monitoring of systems for early detection of suspicious activities (including threat detection using artificial intelligence)
  • Regular penetration tests to ensure that the security architecture can withstand current threats
  • Dedicated security team with qualified experts
  • Continuous training of staff with regard to cyber security
  • Task force immediately available in the event of an emergency

How secure is the use of the SAP Business Technology Platform (SAP BTP)?

SAP S/4HANA Cloud, Public Edition is an ERP system that relies heavily on predefined business processes (so-called best practices). Companies do not have the option of changing the source code. However, they can use the SAP Business Technology Platform (SAP BTP) to achieve a certain degree of customization. This cloud-based platform opens up various options for this:
  • Using existing extensions (for example from the SAP App Center)
  • Developing their own applications (apps) or extending existing ones
  • Integration: linking SAP and non-SAP systems with each other
  • Using databases and analytics with SAP HANA Cloud
  • Creating automations (for example with RPA technology)
Of course, it is also essential that processes and data are protected for such activities. For this reason, there is also a concept for SAP BTP that guarantees high security standards. It is referred to as “SAP Business Technology Platform Security” or “SAP BTP Security” for short and comprises the following elements:
  1. Access controls and identity management
  2. Preventive protective measures
  3. Integration and secure data connection
  4. Threat detection and response mechanisms
These components of SAP BTP Security aim to minimize both internal and external security risks. They are described in more detail below.

1. Access controls and identity management

Access controls ensure that only authorized persons have access to SAP BTP and its applications. This is the first line of defence to prevent unauthorized access. The following mechanisms are particularly effective here:

Identity authentication (multi-factor authentication)

SAP uses the Identity Authentication Service, which enables multi-factor authentication (MFA). In addition to a password, users must enter a second factor, for example an access code from an app. MFA protects against phishing attacks and other attempts to misuse access data.

Role-based access controls

Access to applications and data is regulated by role-based access controls. Users only receive as many authorizations as they need for their activities (principle of least privilege). This minimizes the risk of internal security incidents occurring. Note: The user company itself is responsible for the configuration of identities (MFA), roles and authorizations.

2. Preventive protective measures

SAP BTP Security also includes a range of preventive protective measures. These are aimed at preventing attacks before they can even take place. The measures include:

Sandboxing

Applications in SAP BTP run in isolated environments (sandboxes). Even if an application is compromised, the damage is limited to this environment. Other applications or data areas are not affected.

Web Dispatcher

The SAP Web Dispatcher acts as a reverse proxy that checks and filters incoming requests before they are forwarded to the internal systems. It protects against DDoS attacks and ensures that only legitimate requests are allowed through.

Proxy server with content filtering

Proxy servers check incoming data traffic and block unwanted content such as malware or phishing attempts before it reaches the applications. This prevents malicious data packets from entering the platform and strengthens application security.

3. Integration and secure data connection

Another important aspect of security in SAP BTP is the secure connection of external systems, especially on-premise systems. The following tools, among others, are provided for this purpose:

SAP Cloud Connector

The SAP Cloud Connector enables a secure connection between on-premise systems and SAP BTP. It ensures that data is encrypted and transmitted via secure channels. The Cloud Connector works according to the principle of least privilege, so that only authorized connections can be established.
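As an added illustration (not SAP's code and not the Cloud Connector's actual implementation), the following Python model shows the allowlist decision that this least-privilege principle implies: a request from SAP BTP reaches an on-premise system only if its virtual host is mapped and its path is an explicitly configured accessible resource. The host names, resource paths and the path-traversal handling are assumptions made for the example.

```python
"""Simplified model of the SAP Cloud Connector allowlist (added example, not SAP's code).
A virtual host seen from SAP BTP maps to one internal host and a list of accessible
resources, each "path only" or "path and all sub-paths"; anything else is rejected.
Names, config values and the traversal handling below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Resource:
    path: str
    sub_paths: bool  # True: "path and all sub-paths"; False: "path only"

@dataclass
class VirtualHost:
    internal: str    # host:port of the on-premise system
    resources: List[Resource] = field(default_factory=list)

def _normalize(url_path: str) -> str:
    """Strip the query string and resolve '.'/'..' so /allowed/../x cannot pass a prefix check."""
    segments: List[str] = []
    for seg in urlsplit(url_path).path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg and seg != ".":
            segments.append(seg)
    return "/" + "/".join(segments)

def _matches(res: Resource, path: str) -> bool:
    if path == res.path:
        return True
    return res.sub_paths and path.startswith(res.path.rstrip("/") + "/")

def route(hosts: Dict[str, VirtualHost], virtual_host: str, url_path: str) -> Optional[str]:
    """Internal target for an allowed request, or None when the model rejects it."""
    vh = hosts.get(virtual_host)
    if vh is None:
        return None  # virtual host not mapped: nothing on-premise is reachable
    path = _normalize(url_path)
    if any(_matches(r, path) for r in vh.resources):
        return f"{vh.internal}{path}"
    return None  # path not in the accessible resources: rejected

# Constructed sample configuration: one S/4HANA system, two exposed resources.
HOSTS = {"s4virtual:443": VirtualHost(
    internal="s4hana.intranet.example:44300",
    resources=[Resource("/sap/opu/odata/sap/API_BUSINESS_PARTNER", True),
               Resource("/sap/bc/ping", False)])}
```

Only the two configured resources are reachable; every other path on the mapped host, and every unmapped host, is rejected before any connection to the intranet is attempted.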

Secure Network Communication (SNC)

SAP BTP uses Secure Network Communication (SNC) for encrypted data transmission. This ensures that no unencrypted data traffic takes place between systems.

4. Threat detection and response mechanisms

In the SAP Business Technology Platform, threats are monitored in real time and countermeasures are automatically initiated if necessary. Intrusion detection systems, SIEM solutions and automated security updates are used to ward off both known and new threats.

Intrusion detection system (IDS)

The intrusion detection system (IDS) continuously monitors network traffic and detects suspicious activities such as unauthorized access attempts or anomalies in user behaviour. As soon as a threat is detected, the system automatically triggers alerts that are forwarded to the relevant security team. In critical cases, the IDS can initiate automatic blocking to limit the damage.

Security Information and Event Management (SIEM)

The SIEM system collects log data from various sources – including login data, network events and system access – and analyzes it for suspicious patterns. Using artificial intelligence (AI), the SIEM system detects anomalies that could indicate potential attacks. It enables early detection of unknown threats so that the security team can react proactively.

Security patch management process

To close known vulnerabilities in the platform, SAP BTP Security follows a structured patch management process. This process ensures that security updates are applied regularly and promptly. Patches are implemented automatically without interrupting the operation of the applications. This reduces the risk of attackers being able to exploit known security vulnerabilities.

What is the significance of the SAP Trust Center in terms of SAP Cloud Security and Compliance?

The SAP Trust Center is a central platform from SAP that ensures transparency regarding the security, data protection and compliance measures of SAP cloud services such as S/4HANA Cloud and SAP BTP. It is aimed at customers who want to find out more about SAP’s security standards, certifications and data center infrastructure. In addition, SAP provides up-to-date information on security incidents, maintenance windows and data protection guidelines via the Trust Center.

SAP On-Premise vs. SAP Cloud ERP: Which is more secure?

Many people still believe that an SAP on-premise system is more secure than SAP cloud solutions. But on closer inspection, the opposite is true. Not even large corporations – let alone SMEs – can achieve the level of security in an in-house data center that SAP or large hyperscalers such as AWS, Microsoft and Google provide. There are two main reasons for this. Firstly, a solid security architecture with powerful elements such as continuous monitoring, geo-redundant backups, comprehensive certification and strict access controls is extremely expensive, and the ongoing maintenance and regular modernization of the infrastructure add further cost. Secondly, it is very difficult to recruit the specialist staff required to set up an in-house security team. Overall, it is therefore advisable not to dismiss the cloud option because of security concerns, but to take an objective look at what SAP Cloud Security delivers. It quickly becomes clear that solutions such as SAP S/4HANA Cloud and SAP BTP are not only technologically and strategically advantageous, but can also guarantee effective protection of applications, processes and data against a wide range of risks.

Do you want support from experts?

Are you planning to implement SAP S/4HANA? Would you like professional and efficient advice and support?