A Guide to Securing SAP S/4HANA Page 1 of 7

Articles | Case Studies | White Papers | Q&As | Webinars | Videos | Blogs | Podcasts | Events | Magazine | Why Subscribe?

Search

BI HANA CLOUD ADMIN/DEV EMERGING TECH

Sponsored by Holland House

Article

Securing SAP S/4HANA

A Guide to Strengthening the Security of Your SAP S/4HANA Implementation
by Birger Toedtmann | SAPinsider, Volume 19, Issue 3

September 14, 2018

UniSpool: the most powerful

output and print management
solution

When you are planning a conversion from SAP Business Suite to SAP S/4HANA, many questions about changing security
needs can arise. This is due in large part to the architectural and technological changes that come with SAP S/4HANA. Read
this article to understand the five critical areas security administrators need to consider when securing an SAP S/4HANA
implementation and to familiarize yourself with the resources SAP provides to help significantly simplify the process of
establishing a secure setup and operation of SAP S/4HANA.

A lot of SAP customers are currently at the point of either planning or executing a conversion to SAP S/4HANA from SAP
Business Suite.1 Among many other considerations, security is one of the bigger topics that spring to mind as part of this
conversion: What exactly are the differences between SAP S/4HANA and the standard SAP Business Suite setups? What are
the typical pitfalls and which tasks require the most effort? What tasks must be performed right away, and what tasks can you
shift to later points in time? All these questions are largely related to the architectural and technological changes that come with
SAP S/4HANA.

This article aims to address these questions and to help ensure that you can leverage the full potential of the solution. It outlines
the five critical areas security administrators need to look at when it comes to securing an SAP S/4HANA implementation. It
takes a closer look at these five areas — roles and authorizations, SAP HANA security, infrastructure security, cloud integration, Conferences & Seminars: GRC 2019
and user management and authentication — and then provides guidance on the challenges that can arise and how to properly
address them. It also examines the resources available from SAP to help you along the way, and how to address the security of Conferences & Seminars: Basis &
the SAP S/4HANA core system: SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP. SAP Administration 2019

First, to ensure a clear understanding of the security activities connected with an SAP S/4HANA implementation project, we’ll See more »
take a closer look at how some of the underlying technology changes with SAP S/4HANA affect security considerations in your
landscape.

New Security Considerations with SAP S/4HANA

The core system for SAP S/4HANA, like SAP Business Suite, is SAP NetWeaver AS ABAP. From a security standpoint, it looks
like a traditional SAP ERP system running on an SAP HANA database, with all the related internal optimizations, and the same
standard security controls, switches, and customizing required for other SAP NetWeaver AS ABAP-based systems. While it may
seem that only the SAP HANA database requires a closer look in an SAP S/4HANA implementation, there is more to the story:
SAP HANA in this setup is not just a new database, it is also an application server, and certain SAP S/4HANA application

https://sapinsider.wispubs.com/Assets/Articles/2018/September/SPI-Securing-SAP-S4HA... 2/14/2019
A Guide to Securing SAP S/4HANA Page 2 of 7

processes may run natively from it — or, to be more precise, may run natively from SAP HANA extended application services,
advanced model, which is a development and runtime environment delivered with SAP HANA for native applications.

These native SAP HANA applications bypass the ABAP stack and its security controls, which must be addressed. SAP
S/4HANA also offers a high degree of simplification through optimized SAP Fiori apps and cockpits, which supersede the old
SAP Business Suite transactions. With the shift to web-based activities, many companies plan to offer some of these apps to
external audiences — for example, letting your vendors directly enter their numbers in your system is a highly efficient business
functionality. However, this “opening” of access to ERP functions will have an impact on the underlying network security
infrastructure, which will need to be considered.

In addition, some organizations have already shifted processes to the cloud, and SAP S/4HANA comes with many options for
integrating with these cloud-based scenarios in a hybrid landscape. For security teams, this means that critical data resides in a
location other than on premise, and they must closely watch the security of the integration with external systems and
applications. Finally, you must also coordinate access to all the different applications and instances, which requires smooth,
efficient, and centralized user and authentication management.

Now that you have an understanding of some of the new security considerations related to SAP S/4HANA, let’s take a closer
look at the tasks involved in securing your SAP S/4HANA landscape after a conversion from SAP Business Suite.

Securing an SAP S/4HANA Landscape

After converting from SAP Business Suite to SAP S/4HANA, there are five key areas you need to address quickly to secure your
SAP S/4HANA landscape:

• Updating roles and authorizations

• Securing the SAP HANA system
• Ensuring a strong security infrastructure
• Integrating cloud applications
• Managing user access and authentication

Updating Roles and Authorizations

First, a conversion to SAP S/4HANA is, at its core, an upgrade. As with all upgrades, this means that you must update your roles
and authorizations. For example, there will be new checks for authorization objects, new transactions, and old transactions —
this is business as usual, and will require a significant amount of effort. A firm grasp of security transactions SU24 (Maintain
Check Indicators) and SU25 (Upgrade Tool for Profile Generator) will help smooth the way through the required tasks.

Second, SAP S/4HANA includes new SAP Fiori apps, which are basically web services. Users need the authorization to use
these apps, which is not too difficult to configure, but SAP S/4HANA includes a major design change in how to build roles, and
this can be a challenge for those who are not yet familiar with SAP Fiori apps and how they are published using SAP Gateway.
In SAP S/4HANA, the role-building transaction PFCG includes new mechanisms to integrate app catalogs and to communicate
and sync with the publishing instance (SAP Gateway). It is important to understand how these mechanisms work and which
steps to take in transaction PFCG to ensure a proper role-building process in the SAP S/4HANA application life cycle.

Securing the SAP HANA System

Your hosting partner or your data center operations team, depending on whether your deployment is on premise or in the cloud,
must learn the new security settings and authorizations setup of an SAP HANA database to operate it correctly and shield it from
improper access. With SAP HANA 1.0, specific developers and administrators required direct access to the database’s SQL port
because SAP HANA studio connected to this port, and this presented security challenges. Now, SAP HANA development and
administration activities are largely performed via web interface, so access to only the application server’s web service ports is
typically sufficient. If this is not sufficient — for example, if important development functionality is not yet available in the Web
IDE for SAP HANA — you should allow access to the SQL port from dedicated workstations only, such as Windows Terminal
Server (WTS) workstations.

Another area to be aware of is the new authorizations design of SAP HANA extended application services, advanced model (the
development and runtime environment for native SAP HANA-based applications). Building roles and authorizations for SAP
HANA extended application services, advanced model, which was introduced with SAP HANA 2.0, is significantly different from
traditional database and SAP application server security administration. You will need an expert for this if you want to develop
new native applications for SAP HANA with a proper security design, and this requirement should be reflected in your project
plan. Granting access to the administrative applications SAP ships with SAP HANA extended application services, advanced
model, is another task that user admin teams need to know how to perform.

Keep in mind that the new features for SAP HANA extended application services, advanced model, are required for advanced
processes only. Standard SAP S/4HANA processes typically do not require custom apps based on SAP HANA extended
application services, advanced model. Only when you want to make use of the full potential of your SAP HANA engine do you
need to quickly embrace all these security techniques.

Ensuring a Strong Security Infrastructure

Going digital implies opening business processes to the outside world, such as offering individualized services to vendors,
customers, and other parties, and enabling them to stay informed about the progress of their transactions and enter their own
changes in certain process steps. It also means executing these processes in real time rather than using an outdated approach
such as asynchronous processing via email. In the past, allowing external users access to certain parts of business applications
could be difficult in the closed-shop SAP world with its fat client SAP GUI connected to dedicated network ports, and many
customers addressed this with SAP solutions such as SAP Enterprise Portal.

With SAP S/4HANA and its SAP Fiori technology, it has become simple to publish dedicated small apps to other user groups
and their devices, be it mobile or desktop. Granting access to business-critical system components must be thoroughly shielded,
however, and so a strong security architecture, similar to the one shown in Figure 1, is required to ensure that the right users
have network access to the right set of apps with properly enforced security controls, such as two-factor authentication. In
addition, SAP Gateway, which is where the apps are published and accessed, may need to be in a demilitarized zone (DMZ),
while the SAP S/4HANA core system stays in the internal high-security network zone.

https://sapinsider.wispubs.com/Assets/Articles/2018/September/SPI-Securing-SAP-S4HA... 2/14/2019
A Guide to Securing SAP S/4HANA Page 3 of 7

Figure 1 — A simplified example of a security environment adapted to SAP S/4HANA — when SAP Gateway runs on the SAP HANA database
as well, SAP HANA cockpit requires access to both SAP Gateway and the SAP S/4HANA back end

Data transmissions in this architecture must be secured with standard mechanisms such as the Transport Layer Security (TLS)
protocol, and firewall setups must define where external users can and cannot go. You can also increase network security in
scenarios where HTTP(S) and Remote Function Call (RFC) connections traverse network zones using the “reverse invoke”
mechanism that is available with SAProuter (which handles RFC communication over network zone borders) and Web
Dispatcher (which manages HTTP connections to SAP systems for web applications). This mechanism allows these types of
traffic without permitting direct access to back-end systems — it reverses the Transmission Control Protocol (TCP) connection
so that it is always initiated from the internal network instead of the DMZ, which enables easier and more secure firewall setups
at the internal network zone border.

Keep in mind that individual teams — including the portal, SAP operations, security, firewall, and networking teams — must work
closely together to synchronize all these configurations so there are no gaps created by misunderstandings. It is also important
to note that these requirements are not new for digital businesses and are not specific to SAP or SAP S/4HANA, but you need to
be sure to incorporate them into your SAP S/4HANA security project plan.

Integrating Cloud Applications

Instead of allowing certain external user groups access to on-premise applications, it is often easier and more secure to let users
interact with cloud solutions. Many activities already take place in the cloud, and SAP S/4HANA offers a simpler way to
exchange data in real time with environments such as SAP Cloud Platform through Cloud Connector, which easily and securely
links SAP Cloud Platform applications with on-premise systems such as SAP S/4HANA.

To support hybrid business processes that incorporate both SAP S/4HANA on premise and applications in the cloud, security
teams should know how to set up and run Cloud Connector in a secure manner, which is fairly simple, and how to grant
permissions to cloud applications using the SAP Cloud Platform Identity Authentication and SAP Cloud Platform Identity
Provisioning services. You may want to compare the setup of Cloud Connector to SAProuter or Web Dispatcher installations
— they are similar types of standalone infrastructure engines that control network communications between business systems.

Managing User Access and Authentication

One of the biggest challenges in digital business scenarios is coordinating the various types of access, particularly when access
is taking place across hybrid landscapes. You may need to set up users not only in the SAP S/4HANA core (that is, the SAP
NetWeaver AS ABAP system), but also potentially as native users in SAP HANA itself. These users also need to have access to
SAP Gateway, which provides the app catalog for users, and to all connected cloud applications. In addition, you will want to
have a smooth handover between the individual systems once a user is authenticated the first time — you do not want users to
be prompted for passwords over and over again.

Against this background, efficient central user management and modern authentication mechanisms are key with larger SAP
S/4HANA implementations. Security teams should be familiar with federated single sign-on and Security Assertion Markup
Language (SAML) 2.0. Also, without a decent identity management solution, you will have trouble keeping track of the individual
accounts you must create and maintain. This solution should be capable of provisioning users into both cloud and on-premise
systems. At a minimum, a central user administration system for both SAP S/4HANA and SAP Gateway must be in place, while
cloud users could potentially be maintained separately. The right choice of technology should therefore be a part of your project
plan for an SAP S/4HANA conversion, as it has consequences for how the user management processes can be remastered to
match the demand of the new solution landscape.

Navigating the Process with Support from SAP

You might now be thinking, “OK, this seems like a lot of additional work.” And it would be without the white papers, guidelines,
recommendations, and tools SAP provides to help significantly simplify the process of establishing a secure setup and operation
of SAP S/4HANA.2

Security White Papers

To help businesses increase the security of their SAP systems, SAP has published a series of white papers in SAP Support
Portal (https://support.sap.com/securitywp). The first two — “Protecting SAP Applications Against Common Attacks” and
“Secure Configuration of SAP NetWeaver Application Server Using ABAP” — were published in 2011 and 2012, respectively,
with others following over time, including “SAP Security Recommendations: Securing Remote Function Calls (RFC).” These
white papers continue to be valid and contain the most important things to consider from an SAP perspective. All of them are
applicable to SAP S/4HANA systems and should serve as a basis for securing SAP S/4HANA. Security teams should know
them by heart. If your current (non-SAP S/4HANA) landscapes are not yet operating based on these recommendations, you
have a gap that needs to be dealt with urgently.

SAP Solution Manager

With SAP Solution Manager, SAP provides the System Recommendations application to highlight security notes that are missing
in systems and the Configuration Validation application to monitor whether systems are configured correctly with respect to
security. The Security Baseline Template (SAP Note 2253549), also included with SAP Solution Manager, not only contains all
security recommendations from the security white papers available in SAP Support Portal, but also provides predefined target

https://sapinsider.wispubs.com/Assets/Articles/2018/September/SPI-Securing-SAP-S4HA... 2/14/2019
A Guide to Securing SAP S/4HANA Page 4 of 7

setting containers that you can directly upload into the Configuration Validation application. This is ready-made monitoring for all
SAP security recommendations with a fairly small implementation footprint (and no additional licenses as the SAP Solution
Manager applications are freely available).

Security Guides and Training

For roles and authorizations, SAP offers the usual security guides that accompany its solutions. For example, SAP HANA
security recommendations are well summarized in a chapter of the SAP HANA Security Guide. SAP’s education organization
also offers training courses, including a course on SAP S/4HANA authorization setup (ADM945) and a course on SAP HANA
native authorizations (HA240).

Solutions for Identifying Risks and Managing Access

SAP provides comprehensive solutions to help with identifying security risks and managing user access. SAP Enterprise
Threat Detection can be helpful for those that need higher security standards and integration in security information and event
management (SIEM) and security operations center (SOC) processes. SAP also offers state-of-the-art user provisioning
services for cloud applications (see Figure 2). The SAP Cloud Platform Identity Provisioning and SAP Cloud Platform Identity
Authentication services allow you to set up federated single sign-on scenarios in a simple way and manage user accesses in
cloud applications. SAP customers can neatly integrate their own identity providers into this architecture, which enables users
(external as well as internal ones) to hop from on-premise applications to cloud applications and vice versa without disruption,
while Cloud Connector ensures that business data is available where needed.

Figure 2 — An example architecture that uses identity authentication and provisioning services for managing user access in the cloud

SAP Digital Business Services

For customers with stringent security requirements and a need for external assistance, SAP offers SAP Digital Business
Services. As of Q1 2018, the new SAP Activate methodology for implementations and migrations contains elements that ensure
security is not overlooked in any project. There are special phases focused on security design and implementation embedded in
the overall implementation plan. SAP Value Assurance service packages also follow this design, offering assistance from SAP’s
support services that can be used to safeguard an SAP S/4HANA implementation project.

In addition, SAP has refurbished its SAP MaxAttention offering (known as “New MaxAttention”), with a track (or “focus topic”)
dedicated to security and compliance, as shown in Figure 3. You can make use of additional security services starting from the
planning phase (for example, helping customers identify and close gaps in their solution landscapes) through the realization and
run phases (for example, running security checks before go live).

Figure 3 — SAP MaxAttention includes a focus topic dedicated to security and compliance topics

Securing the Core

So far, this article has focused on the overall areas that are critical for securely running SAP S/4HANA solution landscapes. But
what about the running core of SAP S/4HANA — that is, the SAP NetWeaver AS ABAP system? What are SAP’s most important
recommendations for directly strengthening its security?

https://sapinsider.wispubs.com/Assets/Articles/2018/September/SPI-Securing-SAP-S4HA... 2/14/2019
A Guide to Securing SAP S/4HANA Page 5 of 7

Using the SAP-provided white papers available at https://support.sap.com/securitywp and the Security Baseline Template,
you can create a short list of critical activities that must be performed to increase the overall security level of your core system,
such as:

• Standard user protection: Remove well-known factory passwords from the standard users SAP*, DDIC, and TMSADM
using report RSUSR003 for all affected users.
• Credential protection: Remove outdated hash storage of passwords and protect hash tables.
• Secure SAP code: If it does not yet exist, set up a patching process to consume the security notes that SAP publishes each
month.
• Secure custom code: Check if you have developer guidelines to write secure code, and assess whether a security scan
engine might be required.
• Data transmission protection: Enable Secure Network Communication (SNC) and TLS for all client communications.
• Logging: Turn on all logging to ensure that no attack information is lost.
• Secure configuration: Check all relevant profile parameters and customizing for correct security settings.
• Interface security: Remove the SAP_ALL profile from technical users, check destination credentials, and activate Unified
Connectivity (UCON) and Remote Function Call (RFC) callback protection to minimize the attack surface.

While each of these activities is important, you may not be able to conduct them all at the same time because of limited
resources. SAP recommends that you avoid running more than three items in parallel to prevent overloading your SAP Basis
and security teams. To prioritize the activities properly, it is helpful to assess the protective measures identified as missing and
then order them according to their criticality and the effort required to remediate them, as shown in Figure 4. You can then
create a project plan that prioritizes the security measures based on their estimated run time and ability to generate quick wins,
as shown in Figure 5.

Figure 4 — An example prioritization of security activities based on criticality and required effort

Figure 5 — Example project plan based on the prioritization of security activities

Conclusion
By securing your SAP S/4HANA implementation with the security strategies outlined in this article, you will be well on your way
toward establishing a landscape that can leverage the full potential of the solution. You can help ensure the success of your SAP
S/4HANA security project by answering some core questions at the very beginning of your project:

• Have we already considered all past SAP security recommendations? If not, take a second look.
• Are our skills for SAP S/4HANA and SAP HANA 2.0 roles and authorizations management sufficient?
• What should the network security architecture for SAP S/4HANA business and cloud integration scenarios look like?
• Is our user management technology capable of supporting the SAP S/4HANA landscape properly or do we need more
advanced technology?
• Do our support engagements get SAP’s additional security offerings without additional charge?

With the answers to these questions, you will be ideally positioned to establish a strong, secure SAP S/4HANA implementation
and seize the opportunities it can offer going forward.

https://sapinsider.wispubs.com/Assets/Articles/2018/September/SPI-Securing-SAP-S4HA... 2/14/2019
A Guide to Securing SAP S/4HANA Page 6 of 7

1 For more on converting from SAP Business Suite to SAP S/4HANA, see the SAPinsider articles “Making the Move to SAP S/4HANA” (January-March 2017) and “A Simplified Way to Bring Your

Custom Code to SAP S/4HANA” (Issue 2, 2018) available at SAPinsiderOnline.com. [back]

2 Using proper network design and the available technology are key, and remember that opening access to specific applications is not special to SAP software — it should be a standard request to security

teams. [back]

Birger Toedtmann
Birger Toedtmann (birger.toedtmann@sap.com) worked for
over 15 years in the area of designing and operating secure
telecommunication networks at various companies, before
joining SAP in 2007. Since then he has served customers as
Technology Principal Consultant in the GRC and security
domain, assisting them in securing their SAP landscapes.
Birger also leads SAP Professional Services’s internal security community, a
virtual group providing expert knowledge transfer to all associated consultants.

Follow

More from SAPinsider

Making the Move to SAP A New Development Platform

S/4HANA for Native SAP HANA Identity and Access
Applications Management in Cloud and
Hybrid SAP Landscapes
SAP S/4HANA brings the
technologies that define modern Developers have several options for
While ensuring appropriate user
business to SAP customer developing applications and business
access to your enterprise systems has
landscapes, from cloud computing to content on SAP HANA, such as the
always been a difficult task, it has
consumer-like user experiences, and ABAP 7.5 stack and the analytics
become profoundly more challenging
the latest version — SAP S/4HANA applications supported by SAP
as IT landscapes have grown more
1610 — brings... Business Warehouse (SAP BW)...
complex with changing...

COMMENTS
Please log in to post a comment.

https://sapinsider.wispubs.com/Assets/Articles/2018/September/SPI-Securing-SAP-S4HA... 2/14/2019
A Guide to Securing SAP S/4HANA Page 7 of 7

SAPinsider is published by WIS Publishing, a

division of Wellesley Information Services. SAPinsider SAPinsider Conferences & Seminars
20 Carematrix Drive, Dedham, MA 02026 USA ABOUT US CONTACT US PRESS ROOM ADVERTISE FAQ PRIVACY POLICY SITEMAP
Sales and Customer Service: 1(781)751-8799;
customer@wispubs.com

© 2018 Wellesley Information Services. All rights

reserved.

Online ISSN #2155-2444, Print ISSN #1537-145X

SAP and the SAP logo are trademarks or

registered trademarks of SAP SE in Germany and
other countries.

https://sapinsider.wispubs.com/Assets/Articles/2018/September/SPI-Securing-SAP-S4HA... 2/14/2019